security-services message



Subject: Re: [security-services] Re: Proposed Agenda SSTC Conference Call(Tue 6 April 2010)


On 04/06/2010 11:43 AM, Nate Klingenstein wrote:
>> 1. Roll Call & Agenda Review.
>
Voting Members:
John Bradley      Individual
Scott Cantor     Internet2
Thomas Hardjono     M.I.T.
Anthony Nadalin     Microsoft Corporation
Frederick Hirsch     Nokia Corporation*
Hal Lockhart     Oracle Corporation
Anil Saldhana     Red Hat

Members:
Joshua Howlett     Individual
Paul Madsen     NTT Corporation*
Nathan Klingenstein     Internet2

Quorum: 7 out of 15 voting members (46%)
Status: Nate obtained voting rights. (sorry, Nate did not gain voting 
rights after March 23rd call).

> Quorum was not achieved, and the agenda was held to be fine.  Item 7 
> was omitted, as a new co-chair was already selected.
>
>> 2. Need a volunteer to take minutes.
>
> Nate volunteered to take the minutes.
>
>> 3. Approval of minutes from last meetings:
>>
>> Minutes from SSTC Call on 9 March 2010:
>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201003/msg00037.html 
>>
>>
>> Minutes from SSTC Call on 23 March 2010:
>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201004/msg00005.html 
>>
>
> As these minutes were sent to the list late, Anil had to compile a 
> list of attendees.  However, this call failed to reach quorum anyway, 
> so this was deferred.  Intensive minute approval will occur on the 20 
> April call.
>
>> 4. AIs & progress update on current work-items:
>
> Thomas has heard no responses from Mary in response to any of the 
> profiles awaiting her actions, including no responses to the 
> voice-mail that he left.  Other working groups have had public review 
> periods initiated on documents recently and received recent private 
> emails from Mary, so the reasons for this delay on the below items 
> from the SSTC are unclear.  Thomas will call her again.
>
> Thomas also suggested it might be appropriate to communicate concerns 
> about the pipeline problems to OASIS administration in hopes that 
> additional resources could be allocated if necessary.  Outside groups, 
> such as the US Government's ICAM work, and the Kantara Initiative, 
> intend to rely on the documents currently in the pipeline, increasing 
> the urgency of this appeal.  Frederick offered to make mention of this 
> later.
>
>>  (a) Current electronic ballots: None open.
>>
>>  (b) Status/notes regarding past ballots: (none)
>>
>>  (c) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as a CS
>>       - Status: Thomas has formally asked Mary for new Ballot. (3/11th)
>>       - Status: Still awaiting Mary.
>>
>>  (d)  SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>       - Status: Thomas has formally asked Mary for an 
>> Announcement-email for success of ballot. (3/11th)
>>       - Status: Still awaiting Mary.
>>
>>  (e) Kerberos related items. [Josh/Thomas]
>>        - Kerberos Web Browser SSO Profile:
>>              - Want to move to CD, but waiting for reformatting of doc
>>        - AI: Thomas to prepare CD doc and send to Mary to start 
>> 60-day review.
>
> The profile has been voted to public review, but Thomas has not yet 
> prepared the document in formal OASIS livery and submitted it to Mary.
>
>>  (f) Expressing Identity Assurance profile for SAML2.0 (LOA)
>>       - Status: Thomas has formally asked Mary for new Ballot. (3/11th)
>>       - Status: Left voicemail for Mary last week. No response yet.
>>
>>  (g) Older docs: Thomas has formally asked Mary to post these 4 docs 
>> (3/11th)
>>        (I) Protocol Extension for Third-Party Requests (CS-01)
>>       (II) Protocol Extension for Requested Authentication Context 
>> (CS-01)
>>       (III) Shared Credentials Authentication Context Extension and 
>> Related Classes (CS-01)
>>       (IV) Text-based Challenge/Response (CS-01)
>>
>>
>>  (h) Errata doc:
>>       - Scott working on publishing updated "Approved Standard with 
>> Approved Errata".
>>       - AI: Scott to go ahead and prepare the doc. Files uploaded 
>> 4/4/2010.
>
> Scott looked at the TC process to see if there were any procedural 
> requirements for approved errata finalization, but he couldn't find 
> any requirements, so he put together his best effort.  The name 
> contains an -02, as it's the second iteration of the approved errata 
> document for the spec.  Some documents that refer to the errata may 
> utilize the link in Kavi, which is also persistent, rather than 
> pointing at the Doctree.
>
> SECURITY-6 in the JIRA instance is an issue that came up in the 
> Kantara profiling work.  There have been many requests regarding 
> making IdPs respond better to SPs with SAML status errors, rather 
> than holding up the user at the IdP.  There is questionable language 
> in the specs that is somewhat mutually contradictory, and Scott wants 
> to clean up the language with a little more guidance for implementers 
> to encourage developers to get the user back to the SP.  This would 
> better reflect the intent of the original specification.
>
> Bob Sunday had some wording that Scott softened in order to make sure 
> it didn't introduce new normative requirements.  Unless there are any 
> objections to that text, Scott will consider the errata accepted, and 
> it will make its way into the next errata working draft.
>
> http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel 
>
>
>>  (i) NSN Attribute Update proposal (Thinh) - update
>
> Thinh was not present on the call, nor was any other representative 
> from Nokia-Siemens.
>
>>  (j) Metadata Interop profile (Scott) - update
>
> Scott is fairly satisfied with the material right now, but he's 
> awaiting response from the U.S. Government's ICAM to see if they have 
> any other questions or concerns about the profile as worded.
>
>>  (k) SSO initiation draft (Scott) - files uploaded 4/4/2010.
>
> Scott wanted to take this draft to Committee Draft, but as quorum was 
> not reached on this call, he was content to leave it as a working 
> draft for now.  There is no hurry on the finalization of this profile, 
> as there are many more pressing issues before the TC at present.
>
>> 5. New work items: none.
>
> Oracle may have some new work items to submit before the next SAML call.
>
>> 6. Assorted threads on saml-dev/comment list:
>>    - OAUTH related.
>
> OAuth 2.0, currently wending its way through the IETF, will likely 
> have a standardized binding for SAML tokens, on request by Google, 
> Microsoft, Salesforce.com, and IBM.  As the SAML token format is 
> finalized, there is probably little need for the input of the SSTC on 
> this.  However, the SSTC stands ready to communicate and participate 
> if the need arises.
>
> http://www.ietf.org/mail-archive/web/oauth/current/msg01439.html
> http://www.ietf.org/mail-archive/web/oauth/current/msg01546.html
>
>> 8. Next Call: Tuesday 20 April, 2010. Note SOA-TEL presentation.
>>    Plan:  12noon to 12:45pm SOA-TEL presentation
>>              12:45pm to 1:30pm SSTC business.
>
> Any SSTC members who are not interested in the presentation are 
> welcome to join the call at 12:45 PM to enjoy only standard SSTC fare. 

