Draft Minutes for SSTC Telecon (Tue 21 Aug 2012)

["Cantor, Scott" <cantor.2@osu.edu>]

>AGENDA:
>
>1. Roll Call & Agenda Review.

Anil Saldana
Thomas Hardjono
Nate Klingenstein
Hal Lockhart
Frederick Hirsch
Scott Cantor
David Staggs
John Bradley

>
>2. Need a volunteer to take minutes.

Scott volunteers.

>3. Approval of minutes from previous meeting(s):
>
>   - Minutes from SSTC Call on 7 August 2012:
>
>https://lists.oasis-open.org/archives/security-services/201208/msg00014.ht
>ml

Hal moves to accept.
Frederick seconds.
No objections, motion passed.

>4. AIs & progress update on current work-items:
>
>  (a) Current electronic ballots: (none)
>
>  (b) Status/notes regarding past ballots: (none)
>
>  (c) SAML 2.1 work:
>      - Status: SSTC agrees to proceed on this in 2012.
>      - AIs:
>        o Thomas to ask Admin about template doc
>
>      - https://wiki.oasis-open.org/security/SAML2Revision

Scott will request new documents, and he'll propose new filenames if
needed before doing so. He will transfer the boilerplate and properties
into the old docs and rename them to produce new drafts.

>  (d)  SSTC Webinar:
>      - Proposed topic: scope of work for the 2.0.1 spec.
>      - AI: Decide webinar date.
>      - AI: collect data on SAML2.0 deployments
>
>https://lists.oasis-open.org/archives/security-services/201207/msg00004.ht
>ml

Scheduled for Sep 20th. Not posted yet.

Hal asked about a NASA deployment, Thomas provided some info. Nate also
provided some material.

Scott mentioned apparent use of SAML by the OnStar system, but we don't
have contacts at GM to confirm that.

>  (e) Asynchronous Single Logout Protocol Extension (Chad)
>
>https://lists.oasis-open.org/archives/security-services/201207/msg00001.ht
>ml
>https://lists.oasis-open.org/archives/security-services/201206/msg00019.ht
>ml

Scott will post a new WD after he gets the latest files from Chad.

>  (f) XPA updates (David S. & Duane)
>
>https://lists.oasis-open.org/archives/security-services/201208/msg00010.ht
>ml

David said Duane will update on next call.

>  (g) Issue tracker: SECURITY-21

Just tracking this for work in 2.1.

>  (h)  SAML in JSON
>     - Continue discussion from last telecon.

Discussion around possible ue of JOSE for signature/encryption, and the
benefits of its newer features in light of all the papers attacking XML
Encryption (and less to Signature).

Hal: We could definitely see leverage from JOSE that we could then map
back to XML Encryption. Alludes to new attacks, still confidential,
involving maintaining support for CBC mode and that creating
vulnerabilities. Tough to fix when you have wide deployment.

John: That's why we're trying to focus on these attacks up front in JOSE
before we have wide deployment.

All: Remains worth looking at benefits of JOSE mechanisms once that
settles a bit more.

Hal: Also want to discuss the Breaking SAML paper. Do we need to craft a
TC message around this, or post something to the xml.org site?

Scott: Had significant problems getting edits made to the xml.org site
because of its spam protection.

Action to chairs: Contact Robin about the site.

Discussion about the issue and whether it's worth addressing publicly.
Thomas will craft a draft internally with Hal/Scott, and we'll circulate.

Thomas: Should we address it in the webinar?

Hal: Maybe a slide on it, but not the focus certainly.

John: Worth doing that much, but should focus on the fact that the
community is robust and attentive to these issues and they got addressed.

Hal: Worth asking for statements from the implementations mentioned in the
paper?

Scott/John: Probably not, we think all of them were confirmed by the
authors as fixed before they published.

>5. Assorted mail items:
>
>   - OASIS IDtrust Member Section Steering Committee Elections
>
>https://lists.oasis-open.org/archives/security-services/201208/msg00015.ht
>ml

Thomas: Anybody on the TC on the committee?

John: We'd have to have the TC join that member section. Historically it
was the PKI group, so SAML wasn't involved.

Hal: The TC joining is independent of how member dues are assessed to
members that join.

John: I think to join you have to be a member of a TC that is itself a
member.

Some debate over this point.

John: I'm sure we could do this if we wanted.

Discussion about IPR mode compatibility. No issues identified.

John: I'm all for it. It's much less PKI-centric than it used to be.

Hal: If you want it, propose the TC join in a future meeting after doing a
bit of research into the pros/cons, if any.

John: I'll do some checking and speak to Anil.

>6. Other items:
>   - Oasis sponsor at the International Cloud Symposium
>     https://www.oasis-open.org/events/cloud/2012
>
>   - NSTIC Identity Ecosystem meeting (Chicago, Aug 16-17, 2012)
>     http://www.idecosystem.org

John: Went as well as it could. Still work to do on bylaws. No IPR policy
initially, so that needs work. Several WGs are starting up. Several at the
Standards WG objected to it becoming a new SDO and instead should work
with the ones we have.

Participants self-selected into various categories and then voted for
people within those categories. John is in a run-off in the IT category
with an Oracle person.

Oracle, Microsoft were in attendance plus some less usual suspects, people
attending trying to learn how things related to their work.

E-mail John for more info.

Hal: What is this? ;-)

John: The Oracle attendees were more the legal/policy/govt folks, not the
techies.

Thomas: What's the next steps for this?

John: 90 day period to get bylaws/charter done. WGs spinning up, usual
rationalization amongst themselves and other groups. I'm working with the
secretariat to help get infrastructure going.

Other Business:

Scott will send something to the list about the metadata work that was
outlined in the wiki to try and get consensus.

Will also be working to incorporate some of the schema suggestions sent to
the list, but invites additional comment on that.

>7. Next SSTC Call:
>   - Tuesday 4 September 2012.