security-services message



Subject: Proposed Minutes for SSTC Telecon (28 May 2013)


> 1. Roll Call & Agenda Review.

There were no changes to the agenda suggested, but the call was extremely well attended.

> 2. Need a volunteer to take minutes.

Nate volunteered to take minutes.

> 3. Approval of minutes from previous meeting(s):
> 
>   - Minutes from SSTC Call on 14 May 2013:
> 
> https://lists.oasis-open.org/archives/security-services/201305/msg00006.html

Chad moved to approve the minutes and Mohammad seconded.  There were no objections and the minutes were adopted.

> 
> 4. AIs & progress update on current work-items:
> 
>  (a) Current electronic ballots: (none)
> 
>  (b) Status/notes regarding past ballots: (none)
> 
>  (c) SAML 2.1 work (Chad)
>      - SAML2.1 wiki: 
>        https://wiki.oasis-open.org/security/SAML2Revision
> 
>      - Chad's list:
>        https://wiki.oasis-open.org/security/SAML21
> 
>      - Sample ToC for an SSO Profile:
>        https://wiki.oasis-open.org/security/SAML21ExampleProtocol

Chad hasn't received any additional feedback from the email that he sent out, so he's assuming that people are comfortable with the way he divided the profile into what will be a set of separate documents.

Chad believes the next step is to get document templates for 2.1 created by TC Admin so that Chad can begin writing.  He'll send out an email shortly outlining the documents he believes need to be requested and TC participants can add documents or strike others from the list.

>  (d) Conceptual/overview of Metadata (Rainer Hoerbe)
>      - Any updates?
> 
>        http://files.hoerbe.at/daunlod/eadocx-quickdoc.pdf

Rainer has no updates on this overview and won't have the opportunity to start working on it actively again until July or August.

>  (e) SAML ECP (Scott)
>      - In 30-Day Public Review
> 
> https://lists.oasis-open.org/archives/security-services/201305/msg00017.html

No public comments have been received on this draft to date.

>  (f) Channel Binding Ext (Scott)
>      - In 30-Day Public Review
> 
> https://lists.oasis-open.org/archives/security-services/201305/msg00016.html

No public comments have been received on this draft to date.

Thomas was curious whether the channel binding work would be relevant to Moonshot, but Scott doesn't think so.  The group to review it would be ietf-kitten, and Thomas will forward the OASIS message to the Kitten working group to further solicit their feedback.

Thomas will also send the other public review (SAML ECP) to ietf-kitten, since that work is potentially of interest to them as well if they do review specs.

>  (g) XPA updates (Mohammad Jafari)
>     - Any updates?

The XPA TC has been revived with a chair and a co-chair, and they've resumed work on updating the profiles.

XPA includes a SAML profile, and it would be very helpful to Mohammad to have as much SSTC representation as possible when the XPA TC moves on to reviewing the security assertion portions of the specification.  Mohammad will notify the SSTC when that specific work begins.


(h) Thomas solicited any other work that the SSTC might want to take on.

Scott has been getting a lot of questions recently around compliance requirements for cryptographic algorithms because NIST is sunsetting SHA-1.  We don't expect that 2.1 would necessarily be done in time.  The XML Signature specification had a review of its algorithms fairly recently and added discussion, but implementers and deployers have a poor understanding of which cryptographic suites are considered appropriate, permissible, or prohibited.  The only thing published under the OASIS header was the 2.0 conformance document from 2005, which called out a modest minimal implementation.  If there hadn't been the RSA patent, we probably wouldn't have said anything then.

We can punt to XML-Signature, but there are a lot of implementers that look to the conformance document as the only thing they need to implement.  It's unlikely that any actual deployments would run into problems with alternatives to SHA-1, because most deployments are moderately recent.  There isn't a really good alternative because of procedural rules within OASIS: we have no flexibility to update any individual part of a broader specification suite without updating everything, so the final fix will have to wait for 2.1, which may be a ways off.

The best we could do immediately might be, as the SSTC, to say that the existing algorithm guidance should be ignored and that deployments and implementers should refer to what XML-Signature has said and come up with their own guidance.  It may also be possible to just do a quick and dirty 2.0.1 that revs the conformance section and incorporates errata, and leave the broader rework of the structure of the specification to SAML 2.1.

The problem is that none of the 2.0 documents fits the modern OASIS templates, but updating them to match the templates is a substantial amount of doc work, which would slow down 2.0.1 significantly.  Scott doesn't see how that's in the interest of SAML or OASIS.  Scott will ping TC-Admin to seek an exemption to allow for important maintenance to happen in the context of the broader specification rework.

2.0.1, if we can swing it, would be submitted to our liaisons from other standards organizations.
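The discussion above leaves deployers to write their own algorithm guidance in the interim. The following is an added example of what such a deployment-side check can look like; it is not SSTC, OASIS or XML-Signature code. It walks the XML Signature elements in a SAML 2.0 message and classifies every declared SignatureMethod and DigestMethod URI against an allowlist (the allowed and legacy sets are an assumed deployment policy, not anything the SSTC has published), flagging the SHA-1 based methods that the 2005 conformance document named as the minimum. The sample assertions, with placeholder digest and signature values, are constructed for the example.

```python
"""Audit the algorithm URIs declared in the XML Signature(s) of a SAML 2.0 message.

Added example, not SSTC or OASIS code. The allow/deny sets below are an assumed
deployment policy, not guidance the SSTC has published.
"""
import xml.etree.ElementTree as ET

DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"ds": DS, "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed deployment policy: SHA-2 based signature and digest methods only.
ALLOWED_SIGNATURE_METHODS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha512",
}
ALLOWED_DIGEST_METHODS = {
    "http://www.w3.org/2001/04/xmlenc#sha256",
    "http://www.w3.org/2001/04/xmldsig-more#sha384",
    "http://www.w3.org/2001/04/xmlenc#sha512",
}
# SHA-1 based methods: the 2005 conformance minimum, now being sunset.
LEGACY_SHA1_METHODS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}


def classify(uri, allowed):
    """Map one Algorithm URI to a verdict under the assumed policy."""
    if uri is None:
        return "missing"
    if uri in allowed:
        return "ok"
    if uri in LEGACY_SHA1_METHODS:
        return "legacy-sha1"
    return "unknown"


def audit_signature_algorithms(xml_text):
    """Return (signed element, Algorithm URI, verdict) for every SignatureMethod
    and DigestMethod found; a single 'unsigned' finding if there is no signature."""
    root = ET.fromstring(xml_text)
    findings = []
    # ElementTree has no parent links, so walk every element and inspect its
    # direct ds:Signature children to learn which element each signature covers.
    for parent in root.iter():
        for sig in parent.findall("ds:Signature", NS):
            where = parent.tag.split("}")[-1]  # local name, e.g. "Assertion"
            method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
            uri = method.get("Algorithm") if method is not None else None
            findings.append((where, uri, classify(uri, ALLOWED_SIGNATURE_METHODS)))
            for digest in sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
                uri = digest.get("Algorithm")
                findings.append((where, uri, classify(uri, ALLOWED_DIGEST_METHODS)))
    if not findings:
        findings.append(("document", None, "unsigned"))
    return findings


def meets_policy(xml_text):
    """True only if the message is signed and every declared algorithm is allowed."""
    return all(verdict == "ok" for _, _, verdict in audit_signature_algorithms(xml_text))


# Constructed sample assertions (placeholder digest/signature values, not real ones).
def _assertion(sig_alg, digest_alg):
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{DS}"
    ID="_example" Version="2.0" IssueInstant="2013-05-28T00:00:00Z">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="{sig_alg}"/>
      <ds:Reference URI="#_example">
        <ds:DigestMethod Algorithm="{digest_alg}"/>
        <ds:DigestValue>cGxhY2Vob2xkZXI=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
</saml:Assertion>"""


LEGACY_ASSERTION = _assertion("http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                              "http://www.w3.org/2000/09/xmldsig#sha1")
MODERN_ASSERTION = _assertion("http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
                              "http://www.w3.org/2001/04/xmlenc#sha256")

if __name__ == "__main__":
    for label, doc in (("legacy", LEGACY_ASSERTION), ("modern", MODERN_ASSERTION)):
        print(label, meets_policy(doc), audit_signature_algorithms(doc))
```

The check only inspects the algorithms a message declares; it does not verify the signature, and it is meant to run before a verifier is even asked to trust one, so that a SignedInfo naming a sunset digest is rejected rather than accepted because the math still checks out. Reporting the signed element (Response versus Assertion) matters because the two may be signed with different algorithms by different parties. For XML arriving from the network, parse with a hardened parser such as defusedxml rather than the standard library one used here for a constructed sample.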

> 7. Next SSTC Call:
>   - Tuesday 11 June 2013.

It's thrilling to have such strong participation on these calls and we look forward to speaking to you on the next call.

