security-services message



Subject: Re: [security-services] Re: Proposed Agenda SSTC Conference Call(Tue 6 April 2010)


On 04/06/2010 12:12 PM, Anil Saldhana wrote:
> On 04/06/2010 11:43 AM, Nate Klingenstein wrote:
>>> 1. Roll Call & Agenda Review.
>>
> Voting Members:
> John Bradley      Individual
> Scott Cantor     Internet2
> Thomas Hardjono     M.I.T.
> Anthony Nadalin     Microsoft Corporation
> Frederick Hirsch     Nokia Corporation*
> Hal Lockhart     Oracle Corporation
> Anil Saldhana     Red Hat
>
> Members:
> Joshua Howlett     Individual
> Paul Madsen     NTT Corporation*
> Nathan Klingenstein     Internet2
>
> Quorum: 7 out of 15 voting members (46%)
> Status: Nate obtained voting rights. (sorry, Nate did not gain voting 
> rights after March 23rd call).  Paul Madsen also became a voting member.

>
>> Quorum was not achieved, and the agenda was held to be fine.  Item 7 
>> was omitted, as a new co-chair was already selected.
>>
>>> 2. Need a volunteer to take minutes.
>>
>> Nate volunteered to take the minutes.
>>
>>> 3. Approval of minutes from last meetings:
>>>
>>> Minutes from SSTC Call on 9 March 2010:
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201003/msg00037.html 
>>>
>>>
>>> Minutes from SSTC Call on 23 March 2010:
>>> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201004/msg00005.html 
>>>
>>
>> As these minutes were sent to the list late, Anil had to compile a 
>> list of attendees.  However, this call failed to reach quorum anyway, 
>> so this was deferred.  Intensive minute approval will occur on the 20 
>> April call.
>>
>>> 4. AIs & progress update on current work-items:
>>
>> Thomas has heard no responses from Mary in response to any of the 
>> profiles awaiting her actions, including no responses to the 
>> voice-mail that he left.  Other working groups have had public review 
>> periods initiated on documents recently and received recent private 
>> emails from Mary, so the reasons for this delay on the below items 
>> from the SSTC are unclear.  Thomas will call her again.
>>
>> Thomas also suggested it might be appropriate to communicate concerns 
>> about the pipeline problems to OASIS administration in hopes that 
>> additional resources could be allocated if necessary.  Outside 
>> groups, such as the US Government's ICAM work, and the Kantara 
>> Initiative, intend to rely on the documents currently in the 
>> pipeline, increasing the urgency of this appeal.  Frederick offered 
>> to make mention of this later.
>>
>>>  (a) Current electronic ballots: None open.
>>>
>>>  (b) Status/notes regarding past ballots: (none)
>>>
>>>  (c) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as 
>>> a CS
>>>       - Status: Thomas has formally asked Mary for new Ballot. (3/11th)
>>>       - Status: Still awaiting Mary.
>>>
>>>  (d)  SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>>>       - Status: Thomas has formally asked Mary for an 
>>> Announcement-email for success of ballot. (3/11th)
>>>       - Status: Still awaiting Mary.
>>>
>>>  (e) Kerberos related items. [Josh/Thomas]
>>>        - Kerberos Web Browser SSO Profile:
>>>              - Want to move to CD, but waiting for reformatting of doc
>>>        - AI: Thomas to prepare CD doc and send to Mary to start 
>>> 60-day review.
>>
>> The profile has been voted to public review, but Thomas has not yet 
>> prepared the document in formal OASIS livery and submitted it to Mary.
>>
>>>  (f) Expressing Identity Assurance profile for SAML2.0 (LOA)
>>>       - Status: Thomas has formally asked Mary for new Ballot. (3/11th)
>>>       - Status: Left voicemail for Mary last week. No response yet.
>>>
>>>  (g) Older docs: Thomas has formally asked Mary to post these 4 docs 
>>> (3/11th)
>>>        (I) Protocol Extension for Third-Party Requests (CS-01)
>>>       (II) Protocol Extension for Requested Authentication Context 
>>> (CS-01)
>>>       (III) Shared Credentials Authentication Context Extension and 
>>> Related Classes (CS-01)
>>>       (IV) Text-based Challenge/Response (CS-01)
>>>
>>>
>>>  (h) Errata doc:
>>>       - Scott working on publishing updated "Approved Standard with 
>>> Approved Errata".
>>>       - AI: Scott to go ahead and prepare the doc. Files uploaded 
>>> 4/4/2010.
>>
>> Scott looked at the TC process to see if there were any procedural 
>> requirements for approved errata finalization, but he couldn't find 
>> any requirements, so he put together his best effort.  The name 
>> contains an -02, as it's the second iteration of the approved errata 
>> document for the spec.  Some documents that refer to the errata may 
>> utilize the link in Kavi, which is also persistent, rather than 
>> pointing at the Doctree.
>>
>> SECURITY-6 in the JIRA instance is an issue that came up in the 
>> Kantara profiling work.  There have been many requests regarding 
>> making IdP's respond better to SP's with SAML status errors, rather 
>> than holding up the user at the IdP.  There is questionable language 
>> in the specs that is somewhat mutually contradictory, and Scott wants 
>> to clean up the language with a little more guidance for implementers 
>> to encourage developers to get the user back to the SP.  This would 
>> better reflect the intent of the original specification.
>>
>> Bob Sunday had some wording that Scott softened in order to make sure 
>> it didn't introduce new normative requirements.  Unless there are any 
>> objections to that text, Scott will consider the errata accepted, and 
>> it will make its way into the next errata working draft.
>>
>> http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel 
>>
>>
>>>  (i) NSN Attribute Update proposal (Thinh) - update
>>
>> Thinh was not present on the call, nor was any other representative 
>> from Nokia-Siemens.
>>
>>>  (j) Metadata Interop profile (Scott) - update
>>
>> Scott is fairly satisfied with the material right now, but he's 
>> awaiting a response from the U.S. Government's ICAM to see if they have 
>> any other questions or concerns about the profile as worded.
>>
>>>  (k) SSO initiation draft (Scott) - files uploaded 4/4/2010.
>>
>> Scott wanted to take this draft to Committee Draft, but as quorum was 
>> not reached on this call, he was content to leave it as a working 
>> draft for now.  There is no hurry on the finalization of this 
>> profile, as there are many more pressing issues before the TC at 
>> present.
>>
>>> 5. New work items: none.
>>
>> Oracle may have some new work items to submit before the next SAML call.
>>
>>> 6. Assorted threads on saml-dev/comment list:
>>>    - OAUTH related.
>>
>> OAuth 2.0, currently wending its way through the IETF, will likely 
>> have a standardized binding for SAML tokens, on request by Google, 
>> Microsoft, Salesforce.com, and IBM.  As the SAML token format is 
>> finalized, there is probably little need for the input of the SSTC on 
>> this.  However, the SSTC stands ready to communicate and participate 
>> if the need arises.
>>
>> http://www.ietf.org/mail-archive/web/oauth/current/msg01439.html
>> http://www.ietf.org/mail-archive/web/oauth/current/msg01546.html
>>
>>> 8. Next Call: Tuesday 20 April, 2010. Note SOA-TEL presentation.
>>>    Plan:  12noon to 12:45pm SOA-TEL presentation
>>>              12:45pm to 1:30pm SSTC business.
>>
>> Any SSTC members who are not interested in the presentation are 
>> welcome to join the call at 12:45 PM to enjoy only standard SSTC fare. 

