Minutes and Action Items from the SSTC Conference Call (3 Nov 2009)

[Nate Klingenstein <ndk@internet2.edu>]

SSTC Conference Call Minutes
November 3, 2009, 12:00pm ET

1)  Procedural: Quorum was achieved.  Thomas will modify the minutes  
slightly to reflect that the votes taken did include updates of  
designated cross-references for the Holder-of-Key specification moves  
to Committee Draft, with no objections, and the minutes as such were  
approved.  Prateek's slides were added to the agenda, as was the  
planned Face-to-Face meeting for next year.

2)  Celebration was held for the XSPA SAML Standard for Healthcare,  
which has been approved as an OASIS Standard.  Mike and David will be  
speaking at RSA in March '10, including a little bit about the Standard.

http://lists.oasis-open.org/archives/security-services/200911/msg00001.html

3)  All three of Scott's documents remain waiting for attestations  
before they can proceed to OASIS Standard.  They won't pass CS state  
unless these attestations are received, but they can remain as CS  
indefinitely.  Scott suggested this item be removed from future agendas.

4)  The updated CD's for the Holder-of-Key profiles have been uploaded  
by Tom Scavo, and they are now ready to go to balloting by the group  
for approval as CS.  [AI] Hal will create the ballots.

http://lists.oasis-open.org/archives/security-services/200911/msg00014.html

5)  Hal made an inquiry to Mary about whether we can remove a non- 
normative appendix as part of an errata, but Mary would prefer that we  
mark it as removed or non-operative.  She also noted that the SSTC's  
communications with IANA should proceed through her.  As either Scott  
or Bob comes up with the changes we'd like to propose for our MIME  
type registration, we'll contact them through Mary, but there is no  
rush since there's a minimum of six months before the next errata can  
be issued.  We'll strike the appendix as soon as possible in  
accordance with Mary's email.

http://lists.oasis-open.org/archives/security-services/200911/msg00016.html

6)  The Jira process has been slowed down because there's a manual  
issuance of usernames which are not integrated with the rest of OASIS'  
systems.  A new individual is taking over the process, and there are  
hopes this will be faster in the future.  We do have an instance, and  
Scott was able to log into it.  [AI] He believes the chairs need to  
assign access permissions, as he could only create issues.  He'd like  
to see it used as a substitute for the errata working document in the  
future.

7)  Discussion of the Kerberos holder-of-key profile work occurred.   
XSD's should be uploaded alongside the main documents to Kavi, and  
they're considered the main authority document.  Scott prefers to re- 
upload a fresh copy of the XSD just to have it next to the documents  
in the repository.  Anything that is part of a standard must be placed  
into the official OASIS repository to ensure availability and  
compliance with IPR rules.

There was less certainty about what an OASIS standard was able to  
reference normatively, in particular whether a piece of a Kerberos  
Holder-of-Key profile could be standardized through the Kerberos  
consortium.

This arose because Josh couldn't find a way to do XML signing using a  
Kerberos-based mechanism, and there's a window to get it included in  
XML Signature 1.1.  Scott believes it can be done, but he doesn't know  
the technical details.  Thomas and Scott will discuss whether there's  
a need to go to the W3C directly, or whether something could be  
published by the consortium.  [AI] Hal received an Action Item to  
check into that.

8)  Bob wasn't on the call to discuss the Identity Assurance profile.

9)  Hal didn't check on the progress of the Delegation Condition  
Extension profile, but he'll make sure we get it going on the next  
call.  It was sent to Mary on 16 October.  She asked for corrections,  
and Scott issued those corrections, which Mary suggested be placed in  
the repository as CD-02, the same name.  He sent her the links and  
that's the last he's heard, so we believe this will progress shortly.

10)  Hal's porting of the Work Summary to the wiki is "in progress."

11)  Anil says the CS version of the Text-based Challenge/Response  
profile will be ready by next meeting.

http://lists.oasis-open.org/archives/security-services/200911/msg00019.html

12)  Attribute Update functionality:

http://lists.oasis-open.org/archives/security-services/200911/msg00000.html

Nokia-Siemens had earlier suggested that we add attribute update  
functionality to SAML.  Phil Hunt investigated the possibility and has  
a high-level proposal that was formulated in a PowerPoint set that  
they published yesterday.  They're building on the Nokia-Siemens use  
cases, which are moving beyond single sign-on into the desire of  
applications to be able to update attributes.  The slides have a  
variety of use cases that are a little more complex than just set/get,  
e.g. where a principal is added to a group, or values must be  
manipulated.

There are different approaches, including some WSDL specs in ID-WSF;  
the question really is whether this should become a first-order SAML  
protocol, rather than exist as a protocol built around SAML in another  
space.  The slide deck describes a full capability that would help  
SAML move from single sign-on to full attribute exchange at a protocol  
level.

Reporting, e.g. returning a set of information on a query, would be  
desirous as well.  The scenario they think of is phone books, or  
credential recovery, where the specific subject being searched for is  
not known.

They also want to see a redirect capability, so if the IdP can't do  
the update, but knows a service that can do the update, the requester  
can be redirected to that service.  A managed subject request, where  
subjects are added or modified, is another feature.  There is no  
additional delete because they believe the ManageNameIDRequest  
terminate function will suffice for that need.

They see this as a stepping stone towards ID-WSF, which can handle  
discovery and routing to many providers at a higher level of  
functionality, but the limited adoption of ID-WSF is a drawback for  
them.  SAML might also be able to offer greater simplicity to use of  
ID-WSF or any other suite of standards.

Phil also thinks that, in a federated environment, governance needs to  
be more strongly documented.  This includes some of the work Liberty/ 
Kantara did on privacy constraints that accompany data.  He would like  
to see the trust information layered in a privacy constraints added to  
requests and responses.  The payload is small normally, generally as  
just a CARML declaration, which is relatively lightweight because most  
of the information is static.  The goal is to allow a provider to use  
this data for access controls.  Dynamic constraints could also be  
used, such as, "I'm allowing my Social Security Number to be  
exchanged, but you're not permitted to send it on further."  These  
could also be WS-Policy rules documenting business-level constraints  
that need to be documented in the transaction, which are very  
different from the protocol-level constraints we've dealt with to date.

Prateek would like to continue the dialog and get feedback on what the  
SSTC believes are appropriate next steps.  They would also propose to  
try to put together a draft with some of these messages combining  
Phil's proposal with Nokia-Siemens' proposal and publish it to the  
SSTC as a draft submission.

Scott holds that profiling ID-WSF is a lot more fruitful than coming  
up with a new stack of standards, believing things like the messaging  
model, security framework, and discovery are orthogonal in ID-WSF and  
can be easily chopped out.  He thinks updates will immediately run  
into ways of needing to represent the user's role in the transaction,  
ensuring they can be a participant in such a transaction; he doesn't  
think cart-blanche allowing services to do anything they want to a set  
of data is permissible.  This requires a much richer security  
framework than server-to-server security, but can be facilitated by ID- 
WSF.

Prateek says that in many of their use cases, user involvement is not  
essential, though he can see that there's a natural set of use cases  
where users granting some form of delegated rights is important.  Phil  
wonders whether it's possible to build the core protocol work of the  
other operations to SAML, then allow things like ID-WSF actually build  
on top of that effort to provide things like the user involvement.

Scott agrees there's some duplication between SAML and ID-WSF, but the  
separate layer is how exchanges are secured, particularly over a SOAP  
binding.  In ID-WSF, those are all over the SOAP security layer, which  
has minimal adoption and problems.  The alternative, though, is  
reinvention of a different secure messaging framework on which to  
layer the exchanges, which doesn't appeal to Scott very much.

The key question is scoping and drawing the boundary to determine  
which problems people need to address.  Since Scott sees people trying  
to address similar problems using e.g. OAuth supporting user  
involvement, he thinks we need to ensure that what we build is at  
least that capable.

It's also a sufficiently large piece of work in Scott's mind that it  
needs several participants involved to justify all effort, so he'd  
like to see many vendors and interested parties working with it.   
Scott thinks this is easily as much work as SAML 1.0, and Phil shares  
those concerns.

We'll approve this as a work item today, but we need to agree on the  
scope and develop sufficient participation to get this going  
somewhere.  A paper spec is not the objective.

[AI] Nokia-Siemens and Oracle will consult with one another, and will  
develop a working draft or a proposal that captures some of the use  
cases of interest and circulate that informally.  But to make progress  
beyond that, they would need to recruit some more people and add  
clarity about scope and forward direction, and the relationship to ID- 
WSF would need to be carefully explored.  They'll report back on their  
discussions on the next call.

13) Face-to-Face meetings have been held on an as-needed basis, and if  
there are some good materials for discussion that would make a meeting  
valuable, we may recruit hosts and determine some dates.  The  
attribute management protocol may be sufficient motive to have one, so  
long as we can get a reasonable number of people together.

There are no OASIS annual conferences to attach such a face-to-face  
to.  It could be done in conjunction with another Identity Management  
industry event, but our experience is that if you go to a corporation,  
they have good white boards, speakerphones, and meeting rooms, and  
it's far cheaper than using bad infrastructure at a hotel.

The chairs are open to offers to host such an event, if the hosts have  
topics they would like discussed.


Next meeting will be on November 17, 2009.


ACTION ITEMS:

[AI] Hal will create the ballots.

[AI] Thomas and Hal will investigate the assignment of permissions  
within the SSTC Jira instance.

[AI] Hal will check the rules for normative references in  
specifications issued by the SSTC; particularly, whether they can  
reference standards issued by e.g. the Kerberos Consortium.

[AI] Nokia-Siemens and Oracle will consult with one another about next  
steps for an attribute management protocol, and will develop a working  
draft or a proposal that captures some of the use cases of interest  
and circulate it.