
security-services message



Subject: Re: [security-services] Minutes for SSTC Conference Call (November 17th, 2009)


On 11/17/2009 12:08 PM, ARI KERMAIER wrote:
> Proposed Agenda SSTC Conference Call
> November 17, 2009, 12:00pm ET
>
> Dial in info: +1 408-774-4073
> Conference code: 4480739
> Password: 72657265 (SAMLSAML)
>
>
> 1. Roll Call & Agenda Review
>    
Voting Members :-
==============
Rob Philpott EMC Corporation
John Bradley Individual
Scott Cantor Internet2
Thomas Hardjono M.I.T.
Frederick Hirsch Nokia Corporation
Thinh Nguyenphu Nokia Siemens Networks GmbH & Co. KG
Paul Madsen NTT Corporation
Ari Kermaier Oracle Corporation
Anil Saldhana Red Hat
David Staggs Veterans Health Administration

Members :-
========
George Fletcher  AOL
Joshua Howlett Individual
Bob Morgan Internet2
Peter Davis Neustar, Inc.
Joerg Abendroth Nokia Siemens Networks GmbH & Co. KG

Quorum: Achieved: 10 out of 18 Members (55%)
Status: Lost Voting Status: Kyle Meadors (Drummond Group)
         Gained Voting Status: None

> 2. Need a volunteer to take minutes
>
> 3. Approval of minutes from last meeting (Nov 3, 2009):
>
> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/200911/msg00022.html
>
> Rob moved to accept minutes. Ari seconded the motion.
>
> 4. AIs & progress update on current work-items:
>
>    (a) Current electronic ballots:
>          - Condition Delegation Restriction (1.0) as Committee Spec. (Ballot closes Nov 14th)
>             http://www.oasis-open.org/apps/org/workgroup/security/ballot.php?id=1798
>
> Announcement that the ballot measure had passed. No comment from attendees.
>
>    (b) Status/notes regarding past ballots:
>
>         (i) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as a CS
>             SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>               - AI: Create CD in three forms [Tom/Nate]
>               - AI: Chairs to request ballot to make into CS status. [Hal/Thomas]
>
> Hal and Nate absent, no comment on AI status.
>
>    (c) sstc-saml-approved-errata-2.0-draft-49:
>               - AI: Scott/Bob to provide text changes for the Errata doc [Scott/Bob]
>
> Scott needs to talk to Bob about what must be done to get IANA registration changed. Scott knows little about the process, and it may not even be possible to change the existing registration. Bob doesn't know either, but guesses a new registration would be needed.
>
> Scott also needs to produce new draft errata document; no progress on PEs.
>
>    (d) Progress on getting Jira instance for SSTC:
>               - AI: chairs to get accounts on JIRA [Hal/Thomas]
>
> Issue creation permissions for accounts still outstanding. Hal's AI.
>
>    (e) Kerberos related items. [Josh/Thomas]
>               - AI: Josh/Thomas to prepare CD version in three formats.
>
> [Ari's call was dropped - need notes from Thomas.]
>
> Josh has worked through data model ambiguities, and will produce new versions soon. Josh's AI.
>
>               - AI : Look into updating XML signatures 1.1 (in W3C) to
>                        include Kerberos-mechanism. [Scott/Thomas/Josh]
>
> Josh thinks this is the right thing to do in the long term. In the shorter term, if we were to have a Kerberos/XML-DSIG dependent spec, we'd be waiting for a while.
>
> Scott says 1.1 is pretty much closed, so we'd have to wait for 2.0 in any case. But isn't this just an HMAC signature, anyway? Then we don't really need to update XML-DSIG to support Kerberos signatures.
>
> Josh is thinking about encoding rules for principal names and the like for Kerberos XML signatures.
>
> Scott doesn't think specifying that is very important for the spec.
>
>    (f) Expressing Identity Assurance profile for SAML2.0 (LOA)  [Bob Morgan]
>         - AI: Produce CD version of Identity Assurance profile and update the wiki.
>
> Bob still hasn't produced the CD version yet. Will try to produce in the next couple weeks.
>
>    (g) Delegation Condition Extension Profile (Scott)
>         - AI: Hal to check on progress of request to make electronic ballot (for CD to go to CS).
>
> Scott isn't sure if 13/19 on the ballot meets the required super-majority for passage.
> Rob will look up the process rules and report. Done: 2/3 majority passes, which was reached.
> AI is on chairs to notify Mary to finalize publication.
> (Scott will add an attestation if needed.)
>
>    (h) Port the SSTC Work Summary to the wiki [Hal]
>
> Hal absent; no report.
>
>    (i) CS version of Text-based Challenge/Response profile [Anil]
>
> Anil has uploaded ODT, PDF, HTML formats. No change to schema, but still needs to be uploaded. Anil's AI.
>
> Ballot for CS was completed in April, so once the docs are uploaded the TC needs to review and notify Mary, who will do formal publication.
>
> 5. New work items:
>
> N/A
>
> 6. Assorted threads on saml-dev/comment list
>     - IIW event
>
> Paul M.: Sent email to list about developments in that community on MS OpenID selector. May drive effort to develop multi-protocol selector, though current focus is on OpenID. Question for SSTC is whether we want to ensure SAML requirements are addressed from the start. Is such a selector of interest to the SAML community?
>
> Bob: How to include MS in discussions about how to handle RPs cleanly?
>
> Discussion seems to agree that SSTC is interested in selector as a WAYF substitute for SAML. If MS will do a selector that supports both IMI and OpenID, maybe it can handle SAML as well. But until an appropriate venue materializes for discussion with the requisite parties, we'll just wait and see.
>
>     - OAUTH and SAML (consent & authentication discussion) - from Paul Madsen
>
> Paul: At IIW had discussion on how SAML could work with OAuth. How are SAML/OAuth roles distributed, how to extend/profile SAML, etc. Welcome participation by anyone who's interested.
> Consent: Surprising number of IdP deployments that ask for consent in practice. What does consent mean in the OAuth and OpenID flows?
> MS Web Resource Authorization Profile - alternative to OAuth protocol, submitted to IETF OAuth WG for harmonization.
> [Bulk of discussion not recorded intelligibly.]
>
> 7. Next Call: Tue 1 December, 2009
>
> 8. Other: Plans for SSTC calls during Holiday season (mid-December and early January)
>
> Thomas: Must decide on next call.
>
> Thomas adjourned the call at 1:05pm EST.


