
security-services message



Subject: Fwd: Minutes, SSTC Concall, Feb 12, 2008


Roll call + minutes

On Feb 12, 2008 12:46 PM, Anil Saldhana <Anil.Saldhana@redhat.com> wrote:
> Voting Members:
> Hal Lockhart    BEA Systems, Inc.
> Rob Philpott    EMC Corporation
> Scott Cantor    Internet2
> Bob Morgan      Internet2
> Eric Tiffany    Liberty Alliance Project
> Tom Scavo       National Center for Supercomputing Applica...
> Frederick Hirsch Nokia Corporation*
> Paul Madsen     NTT Corporation*
> Ari Kermaier    Oracle Corporation
> Brian Campbell  Ping Identity Corporation*
> Anil Saldhana   Red Hat
> Emily Xu        Sun Microsystems
> Kent Spaulding  Tripod Technology Group, Inc.
> David Staggs    Veterans Health Administration
>
> Quorum Achieved: 14 out of 21 voting members.
>
> Non Voting Members:
> George Fletcher         AOL*
>
> Observer:
> Sampo Kellomäki  Symlabs, S.A.
>
> Lost Voting Status
> Steve Anderson, BMC


---------- Forwarded message ----------
From: Tom Scavo <trscavo@gmail.com>
Date: Feb 12, 2008 1:14 PM
Subject: Minutes, SSTC Concall, Feb 12, 2008
To: OASIS SSTC <security-services@lists.oasis-open.org>


On Feb 11, 2008 6:24 PM, Hal Lockhart <hlockhar@bea.com> wrote:
> Proposed Agenda SSTC Concall, Feb 12, 2008
>
> Dial in info: +1 865 673 6950
> Access code: 270-9441#
>
> Roll Call & Agenda Review

Anil took roll (for the first time!).

Hal asked if there were any additions/corrections to the Agenda.
There were none.

> Need a volunteer to take minutes

Tom Scavo volunteered.

> 1. Approve minutes from Jan 29, 2008
> http://lists.oasis-open.org/archives/security-services/200802/msg00001.html

Minutes approved unanimously by SSTC.

> 2. Administrative
>
> 2.1 SAML XML.org Focus Area
>
> Question posted
> http://lists.oasis-open.org/archives/security-services/200802/msg00002.html

Encourage members to respond to questions on saml.xml.org.  How does
this compare to saml-dev mailing list?  Should we bridge the two
mailing lists somehow?

> 3. Document Status
>
> 3.1 Public Review of Five specifications ended on February 9th
> http://lists.oasis-open.org/archives/security-services/200712/msg00040.html
>
> I can find no comments posted. Next Step?

No public comments.  Some internal comments.  Another round of CDs is
not necessary.  Next step is Committee Specification?  Can't vote
until after 7 days.  Do nothing until next meeting.

> 3.2 Technical Overview
> http://www.oasis-open.org/committees/download.php/25411/sstc-saml-tech-overview-2.0-draft-14.pdf
>
> Ready for CD vote?

The Tech Overview has been dormant since last fall.  Brian recently
posted some comments:

http://www.oasis-open.org/archives/security-services/200802/msg00005.html

Discussion regarding Brian's comments should be redirected to the mailing list.

Frederick H. also has some comments.  He will post them to the mailing list.

Action regarding the Tech Overview is deferred until the next call.
SSTC members are encouraged to read the document and provide feedback
on the mailing list.

> 3.3 Subject-based Profiles for SAML V1.1 Assertions
> http://lists.oasis-open.org/archives/security-services/200801/msg00003.html
> and definition of "strongly matches"
> http://lists.oasis-open.org/archives/security-services/200801/msg00025.html
>
> Awaiting further discussion.

No substantive discussion has occurred on the mailing list.  Scott has
read the document and is fine with it as long as other folks agree
that it's okay to tweak some ambiguous definitions in the SAML V1.1
spec in the interest of interoperability?  Prime example is
SubjectConfirmation.  As long as conformance to the Subject-based
Profiles is optional, such alternative definitions should be okay.

Hal suggested we let this document stand for the time being.  No
action will be taken today.

> 4 Errata
>
> Errata: namespace prefix not defined in [SAML2Prof]
> http://lists.oasis-open.org/archives/security-services/200802/msg00000.html

Moving forward, has Abby agreed to be responsible for errata?  [Hal
thinks so.  Does Abby agree?]  It would be good if all outstanding
errata were summarized, perhaps on the mailing list.  [Will Abby do
this?  Is this an Action Item?]

Scott has a PE assigned to him, but not sure why.  Will be discussed below.

> 5 Other business

SSTC observer Sampo Kellomäki (Symlabs, S.A.) has a question.  The SSTC
has agreed to give informal advice to Sampo.

Sampo:  There are gaps in deployments, which SAML addresses.
E-governments are developing local profiles.  How do we identify these
third-party profiles in SAML so that relying parties interpret the
SAML appropriately?

Scott:  Identify the profiles, yes, but avoid the versioning problem.

Rob:  Specifying attributes in an AuthnRequest bloats the request and
makes it difficult to use the redirect binding, e.g.

Hal: Don't we have attribute query that can be used in this case?

Scott: One possibility is to write and propose an extension document.

Hal: Better yet, begin with an e-mail that defines the problem and its
proposed solution.  If sufficient buy-in is not obtained in this
manner, then by all means write a document.

Sampo: Should I go through Liberty?  (That's one possible avenue, but
the consensus seems to be:  no, it may be easier to go one of the
routes suggested above.)

> 6 Action Items (Report created 11 February 2008 06:20pm EST)
>
> #0311: Propose specific document changes required for PE-65
> Owner: Scott Cantor
> Status: Open
> Assigned: 2007-10-23
> Due: 2007-12-01

PE-65 involves documentation regarding second-level status codes.  The
specs should make it clear that second-level status codes are optional
and consistent throughout.  Scott doesn't know how he ended up with that;
perhaps the PE number is wrong?

After some discussion, Scott agreed to carry this AI forward in any event.

> #0322: Bring Anil up to speed as secretary
> Owner: Hal Lockhart
> Status: Open
> Assigned: 2008-01-29
> Due: 2008-02-10

Closed.

> #0323: Make errata on orig spec with correct reference in place of
> draft-mealling-uuid-urn-05.txt
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2008-02-11
> Due: ---

JeffH not on the call.  To provide actual errata text.  This AI remains open.

> #0324: Update doc with correct reference in place of
> draft-mealling-uuid-urn-05.txt
> Owner: Scott Cantor
> Status: Open
> Assigned: 2008-02-11
> Due: ---

Closed (duplicate).

Meeting adjourned.  Next call in two weeks (Feb 26, 2008)

> Hal

Respectfully submitted,

Tom Scavo
NCSA

