security-services message



Subject: RE: [security-services] Proposed Agenda for SSTC Call (Tue 10 July 2012)


Adding the list of attendees:

Chad La Joie
Ian Young
Rainer Hoerbe
Nate Klingenstein
Scott Cantor
Anil Saldhana
Duane Decouteau
Thomas Hardjono


> -----Original Message-----
> From: Nate Klingenstein [mailto:ndk@internet2.edu]
> Sent: Tuesday, July 10, 2012 12:44 PM
> To: Thomas Hardjono
> Cc: OASIS SSTC
> Subject: Re: [security-services] Proposed Agenda for SSTC Call (Tue 10
> July 2012)
>
> > 1. Roll Call & Agenda Review.
>
> Quorum was achieved.
>
> > 2. Need a volunteer to take minutes.
>
> Nate volunteered to take minutes.
>
> > 3. Approval of minutes from previous meeting(s):
> >
> >   - Minutes from SSTC Call on 26 June 2012:
> >
> > https://lists.oasis-open.org/archives/security-services/201206/msg00017.html
>
> Anil moved to approve the minutes, and Scott seconded.  Nobody objected
> to the minutes' approval, and the motion passed with the adoption of
> the minutes.
>
> > 4. AIs & progress update on current work-items:
> >
> >  (a) Current electronic ballots: (none)
> >
> >  (b) Status/notes regarding past ballots: (none)
> >
> >  (c) SAML 2.X and Security Considerations doc
> >      - Status: SSTC agrees to proceed on this in 2012.
> >      - AIs:
> >        o Check NAPTR metadata (Scott -- done).
> >        o Scott will send proposals to the list for schema cleanup.
> >
> > https://wiki.oasis-open.org/security/SAML2Revision
>
> Neustar is indeed using the NAPTR support in metadata and would like to
> keep it in as normative material and part of the specification suite as
> a result.  The question as to whether to migrate it to an independent
> document or an appendix is open.  The main goal is to improve the
> readability and usability of the specifications for new adopters and
> readers.  The downside to separate documents is the boilerplate and
> maintenance burden.
>
> Scott's going to specifically try to draft some statements with
> metadata verbiage for the next edition of the specification, but hasn't
> found the time to do so yet.
>
> >   (d)  SSTC Webinar:
> >      - Proposed topic: scope of work for the 2.0.1 spec.
> >      - Status: group is close to having enough to present.
> >      - Status: Hal offers to work on first-cut slides for this.
>
> Hal was not able to attend the call today.  There is no fixed date for
> the webinar yet, so Nate suggested that the review of the slides be
> postponed until the next call so that Hal would be able to participate
> and respond to any feedback.
>
> >   (e) Asynchronous Single Logout Protocol Extension (Chad)
> >
> > https://lists.oasis-open.org/archives/security-services/201207/msg00001.html
> >
> > https://lists.oasis-open.org/archives/security-services/201206/msg00019.html
>
> Scott and Chad have, for a number of years, noted the challenges of
> accomplishing federated single-logout within the R&E community, but the
> need to implement "something" has been increasing.  This extension just
> relaxes one of the rules in the existing SLO protocol and should allow
> for the implementation of something that we believe will work at scale
> but still nearly comply with the existing standard.
>
> The extension also addresses a lingering interop issue around logout in
> that, in front channel logout, there's no way to signal which party
> maintains control of the user interface during the logout sequence.
> If the protocol offered the SP a way to indicate their expectations in terms
> of the interface, it would be more explicit what should happen and
> better interoperability would result.  The protocol will allow the SP
> to signal that it doesn't want to be a part of the logout sequence
> after sending the logout request.
>
> Committee members are asked to review this document and bring questions
> to the next call.
>
> >  (f) XSPA - any updates?  (David S. & Duane)
>
> David was traveling today, so Duane offered an update.  He had a
> conversation with the voting members of the XSPA TC about advancing the
> current document that's been progressing within the XSPA TC to a
> working draft that can proceed through the OASIS SSTC.  This will be
> version 2 of the XSPA profile for SAML.  He's still working on
> assembling a high-level overview of what is changing within the
> profile.
>
> He's migrating some of the vocabulary from some older references to
> more authoritative references, e.g. HL-7.  They'll also be adding
> attributes to the standard that will allow for the enforcement and
> signaling of policies such as non-redisclosure, and so forth.  There
> will also be stronger typing of the attribute values.
>
> The goal is to try to accommodate some of the requirements for data
> segmentation of patient clinical records in support of US privacy laws,
> Title 38, CFR42Part2, that require more controls over sensitive health
> care data. These requirements are being reviewed, tested, and demonstrated
> as part of a pilot project by ONC S&I Framework Data Segmentation for
> Privacy (DS4P) workgroup members.  Eventually, Duane anticipates this
> will be migrated towards a committee specification.
>
> Duane will try to track all the significant changes that have been made
> in a spreadsheet.  Right now, revision tracking in the document itself
> is being used and that's resulted in a document that's difficult to read.
> The wiki will also need to be updated at some point.
>
> > 6. Other items:
> >   - IETF in July.
>
> Kitten won't be meeting at this IETF, so Scott won't be attending.
>
> There will be a revision of the new ECP profile soon, and there may be
> revisions to the Channel Binding document.  He has a reference to XML
> Encryption 1.1, which isn't done yet, and that may force the delay of
> these documents.  Worse yet, the IETF drafts depend on the SSTC drafts
> having proceeded beyond draft.  There are many hold-ups and
> interdependencies and the TC salutes Scott's willingness to brave
> several standards processes in parallel.
>
> > 7. Next SSTC Call:
> >   - Tuesday 24 July 2012.
>
> We look forward to speaking with you then.

