
security-services message



Subject: Re: [security-services] draft minutes for SSTC conf call 7 Sep 2010


  On 09/20/2010 12:28 PM, RL 'Bob' Morgan wrote:
>
> I never got attendance info from anyone, but here are meeting minutes.
>
>  - RL "Bob"
>
> ---
>
> SSTC Conference Call
> Tuesday 7 Sept 2010, 12:00pm ET
>
>
> AGENDA:
>
> 1. Roll Call & Agenda Review.
Voting Members:

Rob Philpott      EMC Corporation
John Bradley     Individual
Scott Cantor     Internet2
Nathan Klingenstein     Internet2
Thomas Hardjono     M.I.T.
Anthony Nadalin     Microsoft Corporation
Frederick Hirsch     Nokia Corporation
Thinh Nguyenphu     Nokia Siemens Networks GmbH & Co. KG
Ari Kermaier     Oracle Corporation
Hal Lockhart     Oracle Corporation
Emily Xu     Oracle Corporation
Anil Saldhana     Red Hat
David Staggs     Veterans Health Administration

Members:
Bob Morgan     Internet2
Federico Rossini     Telecom Italia S.p.a.

Quorum: 13 out of 17 Voting Members (76%). Achieved.
Status: Phil Hunt (Oracle) lost voting rights.
              Bob Morgan regains voting rights.

>
> 2. Need a volunteer to take minutes.
>
> **  Your humble scribe:  RL "Bob" Morgan
>
> 3. Approval of minutes from last meetings:
>
> Minutes from SSTC Call on 24 August 2010:
>
> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201008/msg00061.html 
>
>
> **  motion to approve from Nate, second JohnB, no objections.
>
>
> 4. AIs & progress update on current work-items:
>
>   (a) Current electronic ballots: None.
>
>   (b) Status/notes regarding past ballots: None.
>
>   (c) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as a CS
>       - Status: Thomas has asked Mary for CS edition to be
>                 created and published. (2 Sept)
>
>   (d) SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>       - Status: Thomas has asked Mary for CS edition to be
>                 created and published. (2 Sept)
>
> **  AI:  Nate will update wiki to reflect current state of these documents.
>
>   (e) Kerberos related items. [Josh/Thomas]
>       - Kerberos Attribute Profile:
>       - AI: Josh/Thomas will suggest additions to Attribute Profile.
>
> Item still outstanding to deal with reference to Internet Draft document,
> this is still TBD.
>
>   (f) SAML V2.0 Identity Assurance Profiles, Version 1.0
>       - Status: Now in 15-day review. (Closes 10 Sept)
>
>   (g) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0:
>       - Status: now in 60-day public review. (Closes 13 October)
>       - Any updates?
>
>   (h) Service Provider Request Initiation Protocol and Profile Version 1.0
>       - Status: now in 60-day public review. (Closes 13 October)
>       - Any updates?
>
> No comments observed so far.  Scott says there are errors in examples in
> one of the docs, he will fix.
>
>   (i) NSN Attribute Management proposal (Thinh/Phil) - any updates?
>
> Discussion:
> Thinh:  [explains telephony use case]
> Scott:  still don't understand use case from security point of view,
>   seems to compromise security of SSO
> Thinh:  what if IdP doesn't want to give federated ID to SP?
> Scott:  then it's an error, or use some other ID as an attr or nameID
>   doesn't seem like there's a unique requirement here
>   raised before as "SP lite" scenario, ie no state maintained at SP
> GeorgeF:  SP doesn't want federated ID, but why?
> Thinh:  could be just a limitation of SP, an old architecture
> [more discussion of use case ...]
> GeorgeF:  seems like NameIdentifier Management Protocol covers this case
> Scott:  though this still doesn't remove mapping burden from SP
> Ari:  if the SP is really proxying IdP, this case could apply ...
> Ari:  could SP send persistent opaque nameID in request?
> Scott:  sure, not typically done, but OK
>   this is more about changing what IdP implementations do than creating
>     new protocol
> GeorgeF:  as an IdP implementor, this would be a change ...
> Scott:  could be possible use for AllowCreate flag in request ...
> [more discussion ...]
> Thinh:  will look at these suggestions, will modify draft with Phil
>
>   (j) SOA-TEL Token Correlation Profile  (Federico/TI) - any updates?
>
> Federico:  new version uploaded today, with several modifications
>   and a use case in appendix to better motivate profile
>   also contains some embedded questions ...
> Thomas:  let's discuss new version on next call
> Scott:  seems like this is just delegation, handled by existing protocol
>   so no new feature needed
>   this is the delegation-condition specification, which includes
>     motivating cases
> Federico:  some constraints in the stated case ...
> Scott:  end result is the same, if it's going to be secure
> Federico:  can we discuss on list?
> Scott:  sure
>
> 5. New work items:
>    - Project Moonshot (potential new work item)
>
> Josh not on call to discuss
>
> 6. Next Call: Tuesday 14 September, 2010.
>
> **  Actually 21 September, not 14. 

