Submission of SAML updates to ITU: questions

[James Bryce Clark <jamie.clark@oasis-open.org>]

Summary:  We must pass on some estimates to ITU about likely
availability of updated SAML related/profile material.  See questions
(a) & (b) below.

As you know, SAML v2 was submitted to and approved by ITU-T in 2006 as
ITU Recommendation X.1141.  (See
http://lists.oasis-open.org/archives/security-services/200605/msg00000.html)
 This included all elements then part of the 2005 OASIS Standard.

ITU-T's Study Group 17 on Security, the host panel for the 2006
submission who now has reorganized for its next multi-year study
period, formally has asked us to submit relevant updates of SAML, for
similar transposition.  OASIS' Liaison Policy
(http://www.oasis-open.org/committees/liaison_policy.php#submitwork)
suggests that we consult with the TC about this.

As you probably know, generally we send only artifacts approved under
the TC Process at the "OASIS Standard" and "Approved Errata" levels up
to the global de-jure SSOs.  Currently, I am aware of a number of SAML
items which may be the basis for a submission to ITU, but have not yet
reached those approval levels:

1.  Errata to SAML core v2, Oct 2009. See
http://docs.oasis-open.org/security/saml/v2.0/sstc-saml-approved-errata-2.0.pdf
 (Was this given OASIS "Approved Errata" status under the TC Process?)

2.  Subject Based Profiles for SAML v1.1 assertions from June 2008,
see http://lists.oasis-open.org/archives/tc-announce/200806/msg00009.html

3.  SAMLv2.0 HTTP POST "SimpleSign" Binding from Dec 2008, see
http://lists.oasis-open.org/archives/tc-announce/200812/msg00003.html

4.  The Mar 2009 set of SAML v2 profiles, see
http://lists.oasis-open.org/archives/tc-announce/200903/msg00006.html
(Includes Holder-of-Key Web Browser SSO Profile, Attribute Extensions,
Condition for Delegation Restriction, Holder-of-Key Assertion Profile,
Metadata Extension for Entity Attributes & Metadata Interoperability
Profile.)

(Other related work is not mentioned here becauea it is hosted by
other TCs:  the SAML Profile of XACML by the XACML TC, and the XSPA
profiles by the XSPA TC.)

In responding to ITU, we would like to:

(a) explain whether the recent v2 errata are at a level that ought to
be Approved Errata (and thus automatically sent to ITU), or why not,
and if so, propose a schedule;  and
(b) offer a comment on the likelihood of the post-2005 SAML profiles
and ancillary material, and any other contemplated maintenance
activity, being rolled up into a submission.

Giving the ITU panel a reasonable view into our plans and timing,
based on the TC's expected progress, is a necessary part of our
interorganizational collaboration.

When and if we make formal submissions, they can be done at the
request of the TC, under Section 1(d) of our Liaison Policy, by a
Special Majority Vote of the TC.  Alternatively, if we have committed
to ITU to send future major versions (as often is requested, and I
believe we did in the 2006 submission), Section 5(b) of the Liaison
Policy also permits the OASIS executive to direct the submission,
subject to appeal.  Errata also are subject to a special expedited
rule, once finalized.

For now, though, our need is to compose an answer to the two questions
(a) and (b)  above, with the help of this TC's experts.  Feedback
welcome on this list or individually.

Thanks for your attention and happy holidays.

~ James Bryce Clark
~ General Counsel, OASIS
~ http://www.oasis-open.org/who/staff.php#clark