security-services message



Subject: Re: [security-services] Minutes for SSTC Conference Call (November 17th, 2009)


On 11/17/2009 01:51 PM, Anil Saldhana wrote:
> On 11/17/2009 12:08 PM, ARI KERMAIER wrote:
>> Proposed Agenda SSTC Conference Call
>> November 17, 2009, 12:00pm ET
>>
>> Dial in info: +1 408-774-4073
>> Conference code: 4480739
>> Password: 72657265 (SAMLSAML)
>>
>>
>> 1. Roll Call & Agenda Review
> Voting Members :-
> ==============
> Rob Philpott EMC Corporation
> John Bradley Individual
> Scott Cantor Internet2
> Thomas Hardjono M.I.T.
> Frederick Hirsch Nokia Corporation
> Thinh Nguyenphu Nokia Siemens Networks GmbH & Co. KG
> Paul Madsen NTT Corporation
> Ari Kermaier Oracle Corporation
> Anil Saldhana Red Hat
> David Staggs Veterans Health Administration
     Emily Xu, Sun Microsystems
>
> Members :-
> ========
> George Fletcher  AOL
> Joshua Howlett Individual
> Bob Morgan Internet2
> Peter Davis Neustar, Inc.
> Joerg Abendroth Nokia Siemens Networks GmbH & Co. KG
>
> Quorum: Achieved: 11 out of 18 Members (61%)
> Status: Lost Voting Status: Kyle Meadors (Drummond Group)
>         Gained Voting Status: None
>
>> 2. Need a volunteer to take minutes
>>
>> 3. Approval of minutes from last meeting (Nov 3, 2009):
>>
>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/200911/msg00022.html 
>>
>>
>> Rob moved to accept minutes. Ari seconded the motion.
>>
>> 4. AIs & progress update on current work-items:
>>
>>    (a) Current electronic ballots:
>>          - Condition Delegation Restriction (1.0) as Committee Spec. 
>> (Ballot closes Nov 14th)
>>             
>> http://www.oasis-open.org/apps/org/workgroup/security/ballot.php?id=1798
>>
>> Announcement that the ballot measure had passed. No comment from 
>> attendees.
>>
>>    (b) Status/notes regarding past ballots:
>>
>>         (i) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 
>> 1.0 as a CS
>>             SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>               - AI: Create CD in three forms [Tom/Nate]
>>               - AI: Chairs to request ballot to make into CS status. 
>> [Hal/Thomas]
>>
>> Hal and Nate absent, no comment on AI status.
>>
>>    (c) sstc-saml-approved-errata-2.0-draft-49:
>>               - AI: Scott/Bob to provide text changes for the Errata 
>> doc [Scott/Bob]
>>
>> Scott needs to talk to Bob about what must be done to get IANA 
>> registration changed. Scott knows little about the process, and it 
>> may not even be possible to change the existing registration. Bob 
>> doesn't know either, but guesses a new registration would be needed.
>>
>> Scott also needs to produce new draft errata document; no progress on 
>> PEs.
>>
>>    (d) Progress on getting Jira instance for SSTC:
>>               - AI: chairs to get accounts on JIRA [Hal/Thomas]
>>
>> Issue creation permissions for accounts still outstanding. Hal's AI.
>>
>>    (e) Kerberos related items. [Josh/Thomas]
>>               - AI: Josh/Thomas to prepare CD version in three formats.
>>
>> [Ari's call was dropped - need notes from Thomas.]
>>
>> Josh has worked through data model ambiguities, and will produce new 
>> versions soon. Josh's AI.
>>
>>               - AI : Look into updating XML signatures 1.1 (in W3C) to
>>                        include Kerberos-mechanism. [Scott/Thomas/Josh]
>>
>> Josh thinks this is the right thing to do in the long term. In the 
>> shorter term, if we were to have a Kerberos/XML-DSIG dependent spec, 
>> we'd be waiting for a while.
>>
>> Scott says 1.1 is pretty much closed, so we'd have to wait for 2.0 in 
>> any case. But isn't this just an HMAC signature, anyway? Then we 
>> don't really need to update XML-DSIG to support Kerberos signatures.
>>
>> Josh is thinking about encoding rules for principal names and the 
>> like for Kerberos XML signatures.
>>
>> Scott doesn't think specifying that is very important for the spec.
>>
>>    (f) Expressing Identity Assurance profile for SAML2.0 (LOA)  [Bob 
>> Morgan]
>>         - AI: Produce CD version of Identity Assurance profile and 
>> update the wiki.
>>
>> Bob still hasn't produced the CD version yet. Will try to produce in 
>> the next couple weeks.
>>
>>    (g) Delegation Condition Extension Profile (Scott)
>>         - AI: Hal to check on progress of request to make electronic 
>> ballot (for CD to go to CS).
>>
>> Scott isn't sure if 13/19 on the ballot meets the required 
>> super-majority for passage.
>> Rob will look up the process rules and report. Done: 2/3 majority 
>> passes, which was reached.
>> AI is on chairs to notify Mary to finalize publication.
>> (Scott will add an attestation if needed.)
>>
>>    (h) Port the SSTC Work Summary to the wiki [Hal]
>>
>> Hal absent; no report.
>>
>>    (i) CS version of Text-based Challenge/Response profile [Anil]
>>
>> Anil has uploaded ODT, PDF, HTML formats. No change to schema, but 
>> still needs to be uploaded. Anil's AI.
>>
>> Ballot for CS was completed in April, so once the docs are uploaded 
>> the TC needs to review and notify Mary, who will do formal publication.
>>
>> 5. New work items:
>>
>> N/A
>>
>> 6. Assorted threads on saml-dev/comment list
>>     - IIW event
>>
>> Paul M.: Sent email to list about developments in that community on 
>> MS OpenID selector. May drive effort to develop multi-protocol 
>> selector, though current focus is on OpenID. Question for SSTC is 
>> whether we want to ensure SAML requirements are addressed from the 
>> start. Is such a selector of interest to the SAML community?
>>
>> Bob: How to include MS in discussions about how to handle RPs cleanly?
>>
>> Discussion seems to agree that SSTC is interested in selector as a 
>> WAYF substitute for SAML. If MS will do a selector that supports both 
>> IMI and OpenID, maybe it can handle SAML as well. But until an 
>> appropriate venue materializes for discussion with the requisite 
>> parties, we'll just wait and see.
>>
>>     - OAUTH and SAML (consent & authentication discussion) - from 
>> Paul Madsen
>>
>> Paul: At IIW had discussion on how SAML could work with OAuth. How 
>> are SAML/OAuth roles distributed, how to extend/profile SAML, etc. 
>> Welcome participation by anyone who's interested.
>> Consent: Surprising number of IdP deployments that ask for consent in 
>> practice. What does consent mean in the OAuth and OpenID flows?
>> MS Web Resource Authorization Profile - alternative to OAuth 
>> protocol, submitted to IETF OAuth WG for harmonization.
>> [Bulk of discussion not recorded intelligibly.]
>>
>> 7. Next Call: Tue 1 December, 2009
>>
>> 8. Other: Plans for SSTC calls during Holiday season (mid-December 
>> and early January)
>>
>> Thomas: Must decide on next call.
>>
>> Thomas adjourned the call at 1:05pm EST. 

