Re: [security-services] Proposed Agenda for Nov 4 SSTC Conference Call - V 2

["Tom Scavo" <trscavo@gmail.com>]

[Minute taker's note: I was drawn into the ensuing conversation, so
some details of the discussion may be missing from these notes.
Please feel free to contribute any details I may have missed.]

On Tue, Nov 4, 2008 at 9:41 AM, Hal Lockhart <hal.lockhart@oracle.com> wrote:
> Proposed Agenda SSTC Conference Call
> November 4, 2008, 12:00pm ET
>
> Dial in info: +1 215 446 3648
> Access code 270-9441#
>
> Roll Call & Agenda Review

Roll call (by Anil Saldhana)
========

Voting Members
============
George Fletcher      AOL
John Bradley     Individual
Scott Cantor     Internet2
Bob Morgan     Internet2
Eric Tiffany     Liberty Alliance Project
Tom Scavo     NCSA
Frederick Hirsch     Nokia Corporation
Ari Kermaier     Oracle Corporation
Hal Lockhart     Oracle Corporation
Anil Saldhana     Red Hat
Eve Maler     Sun Microsystems
Emily Xu     Sun Microsystems
Duane DeCouteau     Veterans Health Administration
David Staggs     Veterans Health Administration

Members
=======
Nathan Klingenstein     Internet2

Quorum Achieved:  14 out of 22 voting members

Status:  Nathan (Gained Voting);  Peter Davis, Paul Madsen , Brett
Burley (Lost Voting)

> Need a volunteer to take minutes

Tom Scavo volunteered to take minutes.

> 1. Minutes from SSTC/SAML concall October 21, 2008
> http://lists.oasis-open.org/archives/security-services/200810/msg00048.html

October 21, 2008 minutes approved unanimously

> 2. Document Status
>
> 2.1 SAML V2.0 Attribute Extensions Draft 1 uploaded
> http://lists.oasis-open.org/archives/security-services/200810/msg00061.html

This document is an indirect result of Microsoft's recent announcement
to support the SAML protocol in future products.  Microsoft has a
requirement for extended XML attributes in the SAML Attribute element.
 Currently Microsoft is using a proprietary namespace to define these
XML attributes.  Scott suggests we bring these new attribute
definitions under the OASIS namespace.

One such XML attribute holds the unique identifier of the IdP.  Using
this new XML attribute, the source of the claim (which is what
Microsoft calls an attribute) carries through to proxy IdPs, for
example.

This document will carry whatever extended XML attributes prove to be
useful, by Microsoft and others.  It will be an ongoing, living
document.  Extended XML attributes will be added to this document over
time, not unlike the SAML errata document.

Hal asks if there any comments regarding the chosen namespace or the
extended attributes themselves?  There are no comments, so the
conclusion is that the SSTC will accept the document as is.  Committee
members are encouraged to review the document and provide feedback on
the mailing list.

> 2.2 SAML V2.0 Holder-of-Key Web Browser SSO Profile
> http://lists.oasis-open.org/archives/security-services/200811/msg00001.html

Nate has posted a new revision of this document that incorporates
recent comments made on the mailing list.  The most significant change
in the current revision is the renaming of an XML attribute
(hoksso:ProtocolBinding) used in metadata to signal support of this
profile.

There was lengthy discussion regarding the use and interpretation of
<saml:SubjectConfirmation> in an AuthnRequest.  In particular, it was
pointed out that the strongly matching requirement discussed in Core
is applicable in this case (and that a reference to same would be
appropriate).  Also, the SP's signature over an AuthnRequest
containing a <saml:SubjectConfirmation> element is probably not
necessary.  Nate has taken these comments under advisement.

There was also some discussion regarding the WantsAssertionSigned
attribute in metadata.  Initially, Tom recommended that this attribute
be profiled in this document, but arguments by Nate and Scott have
convinced him (Tom) that this is misguided.  Therefore Tom retracts
his suggestion regarding WantsAssertionSigned.

Hal wonders if there is general agreement with respect to the
outstanding issues?  Nate thinks there is.  Additional comments and
concerns should be directed to the mailing list.

Nate offers Tom the opportunity to guest edit the next revision of
this document.

> 2.3 Cross-Enterprise Security and Privacy Authorization (XSPA) Profile of SAML uploaded
> http://lists.oasis-open.org/archives/security-services/200811/msg00004.html

Duane reports that a recent revision of this document incorporates
Scott's comments from September.

Generally speaking, this document is focused on developing a minimum
vocabulary describing access control between health care enterprises.
Thus the document is heavy on language involving SAML attributes.  A
vocabulary that is standard to the health-care industry is used.

Duane believes the current revision is in pretty good shape.  He also
notes that the document content has been discussed within the HITSP
group.

David reiterates Duane's assessment that the document is ready to go.
David makes a motion that the current document revision be accepted as
a Committee Draft.  The motion is seconded by Duane.

As a point of discussion, Scott notes that the prefix used for
defining attribute names presumes the existence of a corresponding
OASIS TC.  David notes that there is indeed a TC by that name, and in
fact we are invited to participate.  So the concern about the prefix
name is in fact a non-issue.

Motion carries by unanimous consent.

The document editors are reminded that the CD version of this document
must be submitted in multiple formats, including ODT, PDF, and HTML.

> 3.  Discussion Threads
>
> 3.1 Status of Simple Sign Profile
> http://lists.oasis-open.org/archives/security-services/200810/msg00024.html

Jeff is not on the call but Scott believes this document should in
fact be a Working Draft.

Assuming that the document is meant to be a Working Draft (despite its
name), Scott makes a motion to approve the document as a Committee
Draft.  If the document is approved as a CD, the document editors will
of course take the document to CD format.

The motion is approved by the SSTC unanimously.  Hal will contact Jeff
and ask him to produce the CD version of this document.

> 3.2 Broken Links
> http://lists.oasis-open.org/archives/security-services/200810/msg00025.html

It was concluded that certain links to CS documents are broken because
the documents the links refer to do not exist.  Hal will ask Mary
about the missing CS documents.

> 3.3 Discussion on whether to specify use of DER to encode certificates
> http://lists.oasis-open.org/archives/security-services/200810/msg00049.html

Hal summarizes the debate as follows:

1) On the one hand, everybody uses DER encoding, the RFC requires it
(to compute a signature), and therefore the Holder-of-Key Assertion
Profile should require DER as well.

2) On the other hand, any decent library should be able to inspect the
certificate, determine the encoding used, and act accordingly, so
there's no point in specifying a particular encoding.

This issue has been simultaneously presented to the XML Signature WG.
Members of the XML Signature WG are investigating this issue.

Tom questions whether or not the encoding used can be (easily)
determined on-the-fly.  Is this true?

One approach is to make DER a recommended encoding in SAML Core (via errata).

Hal suggests this issue be deferred until the next call.

> 3.4 Discussion on Metadata Interoperbility Profile
> http://lists.oasis-open.org/archives/security-services/200810/msg00051.html

Scott reports that he has not yet responded to a previous set of
comments regarding the current revision of this document.  That said,
he does not believe this profile is a deployment profile.  He agrees,
however, that the title may suggest that any metadata use outside of
this profile is by definition not interoperable.  Thus suggestions for
a better title are welcome.

> 3.5 More good OAuth reference material
> http://lists.oasis-open.org/archives/security-services/200810/msg00055.html

Links to OAuth-related material (some authored by Jeff Hodges) are noted.

> 3.6 InterOp Demo Proposal | HIMSS 2009 -- REVISED PROPOSAL
> http://lists.oasis-open.org/archives/security-services/200810/msg00059.html

Please take note of this revised proposal, especially the lower cost
required for participation.

> 4. Other business
>
>
> 5. Action Items
>
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Sampo is not on the call.  AI is still open.

> #0333: Publish a new revision of Profile for Use of DisplayName in OASIS template
> Owner: Sampo Kellomki
> Status: Open
> Assigned: 2008-05-19
> Due: ---

Sampo is not on the call.  AI is still open.

> #0342: revise and re-publish XSPA SAML Profile doc
> Owner: David Staggs
> Status: Open
> Assigned: 2008-10-13
> Due: ---

Closed.

> Hal

Next call is in two weeks (18 Nov 2008).