Proposed Minutes for September 16 SSTC Call

[Nate Klingenstein <ndk@internet2.edu>]

2. Need a volunteer to take minutes.

Nate volunteered to take minutes.

Participants:

Frederick

Hal

Mohammad

Nate

Scott

3. Approval of minutes from previous meeting(s): N/A

  - Presentation from Alex DeJong / Siemens (PDF)

  - Minutes from September 2nd (TBD).

The minutes from the September 2nd call had not been completed for review by this call, but will be circulated prior to the call on September 30th.

 (d) Conceptual/overview of Metadata (Rainer Hoerbe)
     - SSTC review is requested.

Rainer was not present.

 (e) XSPA updates (Mohammad Jafari)
    - Any updates.

Nothing to mention.  There has been some progress in addressing comments received during the public review, but nothing to report specifically to the SSTC.

6. Other items:

Scott mentioned an ISOC workshop held a few weeks ago that had spawned further work that could be relevant to the SSTC.  NIST had been planning to open 800-63 to further commentary, and Scott gave some feedback on the structure and approach.  There's an opportunity to reconvene a larger group to discuss assurance more broadly.  A mailing list to begin discussing requirements for assurance more generally has been established at the IETF under the title "Vectors of Trust", effectively a conversation about the criteria that IdP's and SP's are interested in from an identity assurance perspective.

That may end up with implications for SAML and other federated identity protocols from a profiling standpoint, although changes to specifications themselves are unlikely.  Conversations about whether to continue using AuthnContext or Attributes and how to capture attribute assurance are going to occur as well.

The announcement from the IETF Secretariat is copied below.

From: IETF Secretariat <ietf-secretariat@ietf.org>
Subject: New Non-WG Mailing List: vot -- Vectors of Trust discussion list
Date: September 11, 2014 at 3:29:02 PM MDT
To: IETF Announcement List <ietf-announce@ietf.org>
Cc: <leifj@sunet.se>, <olshansky@isoc.org>, <vot@ietf.org>
Reply-To: <ietf@ietf.org>

A new IETF non-working group email list has been created.

List address: vot@ietf.org
Archive: http://www.ietf.org/mail-archive/web/vot/
To subscribe: https://www.ietf.org/mailman/listinfo/vot

Purpose:

Since the publication of RFC 2527 there have been several attempts to
standardize technology-independent frameworks for describing the 
concerns that go into a determination of inter-organizational and 
transactional trust.

Notable examples include NIST SP 800-63, The Kantara Identity Assurance
Framework (historically originating from the Liberty Alliance and
Electronic Authentication Partnership) and ISO 29115. These documents 
have been profiled and reworked a number of times in the last few years.

The vot@ietf.org list is for discussion of a common set of baseline
"vectors of trust": common, orthogonal aspects of organization, 
technology and policy that help to determine the level of assurance that 
can be placed in a deployment of digital identity technology. Work will 
draw on deployment experience related to web identity technology (eg 
SAML, OAUTH and OpenID Connect) as well as experience with current state 
of the art in identity assurance. 

For additional information, please contact the list administrators.

7. Next SSTC Call:
  - Tuesday 30 September 2014.

We look forward to speaking with you then.