Subject: Re: [security-services] Draft Minutes for June 30 2009 SSTC Call


Anil Saldhana wrote:
> Frederick Hirsch wrote:
>> Draft Minutes, Frederick Hirsch
>> SSTC Conference Call
>> June 30, 2009, 12:00pm ET
>>
>> 1. Roll Call & Agenda Review
>>
> Voting Members
> ==============
> Rob Philpott    EMC Corporation
> Scott Cantor   Internet2
> Nathan Klingenstein  Internet2
> Bob Morgan  Internet2
> Thomas Hardjono  M.I.T.
> Tom Scavo  NCSA
> Frederick Hirsch  Nokia Corporation
> Paul Madsen  NTT Corporation
> Ari Kermaier  Oracle Corporation
> Hal Lockhart  Oracle Corporation
> Anil Saldhana  Red Hat
> Kent Spaulding  Skyworth TTG Holdings Limited
> Eve Maler  Sun Microsystems
> Emily Xu  Sun Microsystems
> Duane DeCouteau  Veterans Health Administration
> David Staggs  Veterans Health Administration
>
> Members
> =======
> Kyle Meadors Drummond Group
> George Fletcher AOL
> Richard Franck  IBM
> Joshua Howlett  Individual
>
> Quorum Achieved: 16 out of 20 voting members
>
> Status Change:  Kyle Gains Voting Rights.
>
>>  
>>
>> 2. Need a volunteer to take minutes
>>
>> Frederick Hirsch volunteered to take minutes.
>>
>> 3. Approval of minutes from last meeting (2 June 2009)
>>
>> Motion: Approve minutes from 2 June 2009
>> Moved by Eve, seconded by Nate.
>> Motion passed - Minutes approved without objection.
>>
>> 4. AIs & progress on current work-items:
>>
>> (a) Request TC Admin to launch an electronic ballot.
>>
>> All documents are now in CD format. In progress, open action for 
>> chairs.  Hal Lockhart took action item on this.
>>
>> (b) 15-Day review of revised XSPA profile.
>>
>> David Staggs will put comments into spreadsheet for committee, for 
>> discussion on next teleconference.
>>
>> (c) 15-Day review of sstc-saml-approved-errata-2.0-draft-49.
>>
>> Hal Lockhart will take action to start formal review.
>> Scott Cantor has action to produce redline drafts, but this is not in 
>> critical path for starting public review. He noted the document for 
>> review is ready.
>>
>> (d) Progress on getting Jira instance for SSTC (Scott).
>>
>> Scott Cantor will contact Mary McRae again; this item was deferred 
>> earlier.
>>
>> (e) Dwayne to add a page for the XSPA page in the SAML wiki.
>>
>> This remains open.
>>
>> (f) SAML V2.0 Holder-of-Key Assertion Request Profiles.
>>
>> Tom Scavo noted draft uploaded to Kavi. Some comments received on 
>> SAML dev list. Considering comment regarding need for TLS.
>> Planning to produce a third draft.
>>
>> (g) SAML LOA Assurance profile.
>>
>> Bob Morgan is working on this document with regards to authentication 
>> context, how to express certified assurance levels to metadata. Still 
>> working on this, planning to provide before the next teleconference.
>>
>> (i) Discuss comments received on HoK Profile (Tom/Nate):
>>
>> http://lists.oasis-open.org/archives/security-services/200906/msg00009.html
>>
>> http://lists.oasis-open.org/archives/security-services/200906/msg00019.html
>>
>> http://lists.oasis-open.org/archives/security-services/200906/msg00023.html
>>
>>
>> a) SAML V2.0 Holder-of-Key Web Browser SSO Profile
>>
>> Tom Scavo noted thread initiated by Mark Stern during public review, 
>> leading to a number of significant comments, also comment by Scott 
>> Cantor, producing four comments. He has documented these comments in 
>> the wiki ( 
>> http://wiki.oasis-open.org/security/PublicComments20090326-20090525 )
>>
>> Reverted the document back to draft, draft 12. Lines 416-421 in diff 
>> show the most important changes in response to the comments, 
>> emphasizing dependency on assertion profile to address man in middle 
>> concerns. Relaxing TLS requirement not easy to do so did not address 
>> comment #2, all others have been addressed.
>>
>> Scott Cantor noted that if hard to do then could leave it as is, 
>> noting it is a web browser profile, so therefore it is reasonable to 
>> keep. Bob Morgan agreed.
>>
>> Hal Lockhart asked if commenter had a suggestion for alternative 
>> approach, answer was to allow alternate secure channels.
>>
>> Tom Scavo noted draft 12 is not substantive change, since changes 
>> were only clarifications, since TLS change not made.
>>
>> b) Holder of Key Assertion profile had comments
>>
>> http://wiki.oasis-open.org/security/PublicComments20090326-20090525
>>
>> Some were requests for clarification. Question of SAML NameID was not 
>> clear, so added paragraph in lines 258-260 draft 10 diff to clarify 
>> by referencing constrained delegation profile. Draft 10 had minor 
>> changes and has been uploaded to Kavi.
>>
>> Hal Lockhart suggested committee respond to commenters with 
>> resolutions of actions (link to wiki) indicating no action on 
>> suggested TLS change.
>>
>> Hal Lockhart noted that if the changes are non-substantive no 
>> additional public review needed.
>>
>> Tom Scavo noted that the latest drafts include all changes.
>>
>> Motion: Draft 12 of Holder-of-Key Web Browser SSO Profile and 
>> Draft 10 of HOK Assertion Profile be moved to Committee Draft.
>> Moved by Tom Scavo, seconded by Bob Morgan.
>> Motion passed - No objection to unanimous consent.
>>
>> Action: Tom Scavo to produce CDs of Holder-of-Key Web Browser SSO 
>> Profile and Holder-of-Key Assertion Profile.
>>
>> Motion: Hold electronic ballot of Holder-of-Key Web Browser SSO 
>> Profile and Holder-of-Key Assertion Profile.
>> Moved by Scott Cantor, seconded by Bob Morgan.
>> Motion passed - No objection to unanimous consent.
>>
>> 5. New work items:
>>
>> (i) Kerberos HOK profile (Josh/Thomas):
>>
>> http://www.oasisopen.org/apps/org/workgroup/security/email/archives/200906/msg00027.html
>>
>> Josh Howlett gave some background on Kerberos Holder of key and 
>> attribute query profiles, noted that shared proposals by email. Also 
>> noted that shared high level architecture document on list (PDF).
>>
>> Three protocols proposed for (i) encapsulating Kerberos service 
>> ticket, (ii) how to use attribute query to ask for attribute, and 
>> (iii) use holder of key assertion protocol to obtain confirmation 
>> using Kerberos. Plan to define fourth protocol for composition of 
>> these for SSO.
>>
>> Request for comment, some questions are also noted in the documents 
>> themselves.
>>
>> Scott Cantor suggested combining two profiles into one single 
>> attribute profile. Scott Cantor has additional comment on the XML, 
>> such as requests for multiple attributes (e.g. tickets). He will send 
>> message to list with details.
>>
>> Josh Howlett plans to have an update before the next teleconference. He 
>> asked the committee whether, if the Kerberos HoK Assertion Profile is based 
>> on the X.509 HoK profile, it would be confusing due to duplicate material.
>> Tom Scavo asked if X.509 and Kerberos profiles could be unified, in a 
>> clear manner. He also noted that this would need to happen if Web 
>> Browser SSO Profile is not unnecessarily delayed. Tom, Josh and Nate 
>> agreed it would be good to unify the documents into a single 
>> document. The committee noted this would be a substantive change, 
>> requiring a new CD.
>>
>> Hal Lockhart suggested editors work offline to produce a combined 
>> document.  The editors noted this will probably not be ready for the 
>> next call.
>>
>> Hal Lockhart will delay the request for a Committee Specification ballot 
>> for Holder-of-Key Assertion Profile and not have one if a decision is 
>> reached on the email list to have a combined document (to avoid confusion).
>>
>> ii) Attribute Query profile (Josh/Thomas):
>>
>> http://www.oasisopen.org/apps/org/workgroup/security/email/archives/200906/msg00027.html
>>
>> Josh Howlett asked question of whether to support requests for 
>> multiple service tickets at one time. Not clear if use cases exist.
>>
>> iii) Encapsulating service ticket document
>>
>> Josh Howlett noted this is a very simple profile that defines 
>> attribute - will wait for comments from Scott Cantor.
>>
>> Meeting adjourned.
>>
>> regards, Frederick
>>
>> Frederick Hirsch
>> Nokia