Subject: Minutes: Joint XRI & XDI TC Telecon 10AM PT Thursday 2007-08-23


Following are the minutes for the joint unofficial telecon of the XRI and
XDI TCs at:

Date:  Thursday, 23 August 2007 USA
Time:  10:00AM - 12:00PM Pacific Time

Event Description:
Weekly unofficial joint call of the XRI and XDI Technical Committees.

ATTENDING

Wil Tan
Gabe Wachob 
Drummond Reed


AGENDA

1) RESOLVER BEHAVIOUR FOR SAML TRUSTED RESOLUTION ERRORS

In working on his action item for ED03 Section 6.2.2, Wil had several
questions about how SAML signatures are incorporated into XRDs. This turned
into a very long investigation of the requirements for XML digital
signatures as constrained by section 5.4 of SAML Core
(http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf).

The result was that we clarified the following:

* SAML constrains the use of XML Dsig to enveloped signatures, and says you
SHOULD NOT perform any transforms (such as excluding elements from the XML
document to be signed) other than: a) the "enveloped signature" transform,
which allows you to exclude the signature itself, and b) a standard XML
canonicalization transform specified in XML Dsig. (We made some minor
wording changes in ED03 section 8.2.2.2 to clarify this.)

* This means that when saml=true in a resolution request, and a signed XRD
is returned, the Status element will be part of the signed information and
thus cannot be changed without breaking the signature.

* We then discussed what behaviour a resolver should implement if the SAML
signature does not validate. If the resolver overrides the Status code to
indicate a failed signature, and then returns the XRD to the consuming
application, the consuming application does not have the original data
necessary to know the original status or do its own check on the signature
(which may be useful for debugging).

* Our conclusion was to solve this problem by having the resolver add two
new attributes to the Status element: originalcode and originalcontent. The
rule would be that: a) *anytime* a resolver needs to override the
server-provided Status code, the resolver MUST add the originalcode
attribute with the original server-supplied status code, and b) *anytime* a
resolver needs to override the server-provided content of the Status
element, the resolver MUST add the originalcontent attribute with the
original server-supplied content.

# DRUMMOND to make this change in ED04.


2) SYNONYMS AND CID VERIFICATION IN XRI RESOLUTION 2.0 WD11 ED04

Considerable discussion on the email list resulted in two updated
proposals for ED04:

	http://wiki.oasis-open.org/xri/XriCd02/CanonicalIdVerification
	http://wiki.oasis-open.org/xri/XriCd02/SynonymSemantics 

We only had time for a short discussion of this topic. Key points:

* Wil would prefer not to need both EquivID and MapToID/MapFromID synonym
elements, but does not have an answer as to how else to handle the different
use cases.
* Drummond agrees with Wil, but has yet to come up with a better solution. 
* Gabe does not currently have a strong preference.
* In email to the list, Steve suggested replacing MapToID/MapFromID with
UseCID/AllowUseCID. This would provide very explicit semantics regarding
identifier mappings that may be preferable to the current MapToID/MapFromID
proposal. 

# DRUMMOND to study this option and report back to the list.

* There is consensus that it is preferable to have an explicit status code
for CID_NOT_PRESENT when cid=true but a CanonicalID element is not present
in an XRD.
* There is also consensus that CanonicalID verification should be orthogonal
to service endpoint selection and reference processing, and thus that
cid=true should never change the XRDs that are returned; it should only
affect the status messages returned for each XRD.
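The resolver behaviour agreed in items 1 and 2 above, as an added Python example that is not from these minutes or from any XRI TC draft: a post-processing pass over the chain of XRDs that (a) overrides the Status element only while preserving the server-supplied values in originalcode and originalcontent, (b) treats everything except the ds:Signature element as inside the enveloped-signature scope, so Status is covered, and (c) for cid=true sets a CID_NOT_PRESENT status when no CanonicalID element exists but never adds or drops an XRD. Assumptions are marked in the code: the numeric status codes are placeholders (ED04's values are not in the minutes), the actual XML DSig validation is stubbed as a callable, the sample XRDs are constructed, and a second override keeps the first server-supplied value rather than clobbering it.

```python
import xml.etree.ElementTree as ET

XRD_NS = "xri://$xrd*($v*2.0)"                # XRD 2.0 namespace
DS_NS = "http://www.w3.org/2000/09/xmldsig#"   # XML DSig namespace
ET.register_namespace("xrd", XRD_NS)
ET.register_namespace("ds", DS_NS)

# Placeholder codes: the minutes name the conditions (signature failure,
# CID_NOT_PRESENT) but not the values ED04 assigns to them.
CODE_SUCCESS = "100"
CODE_SIGNATURE_INVALID = "SIG_INVALID_PLACEHOLDER"
CODE_CID_NOT_PRESENT = "CID_NOT_PRESENT_PLACEHOLDER"


def q(local):
    """Qualified tag name in the XRD namespace."""
    return f"{{{XRD_NS}}}{local}"


# Constructed sample XRDs: one signed and carrying a CanonicalID, one with neither.
SIGNED_XRD = f"""<XRD xmlns="{XRD_NS}" xmlns:ds="{DS_NS}">
  <Query>*example</Query>
  <Status code="100">SUCCESS</Status>
  <CanonicalID>=!CONSTRUCTED.CID</CanonicalID>
  <ds:Signature><!-- enveloped signature, stubbed for the example --></ds:Signature>
</XRD>"""

UNSIGNED_XRD_NO_CID = f"""<XRD xmlns="{XRD_NS}">
  <Query>*other</Query>
  <Status code="100">SUCCESS</Status>
</XRD>"""


def covered_by_enveloped_signature(xrd):
    """Local names of the XRD children an enveloped signature covers: all of
    them except ds:Signature, which the enveloped-signature transform removes.
    Status is therefore part of the signed information."""
    return [child.tag.split("}")[-1] for child in xrd
            if child.tag != f"{{{DS_NS}}}Signature"]


def override_status(xrd, new_code, new_content=None):
    """Apply the rule from item 1: whenever the resolver overrides the
    server-supplied Status code or content, it MUST record the original in
    originalcode / originalcontent. Assumption: a second override keeps the
    first server-supplied value instead of overwriting it."""
    status = xrd.find(q("Status"))
    if status is None:
        raise ValueError("XRD has no Status element")
    old_code = status.get("code")
    if old_code != new_code:
        if "originalcode" not in status.attrib:
            status.set("originalcode", old_code if old_code is not None else "")
        status.set("code", new_code)
    if new_content is not None:
        old_content = status.text or ""
        if old_content != new_content:
            if "originalcontent" not in status.attrib:
                status.set("originalcontent", old_content)
            status.text = new_content
    return status


def status_view(xrd):
    """Dictionary of the Status element's code, content and preserved originals."""
    status = xrd.find(q("Status"))
    return {"code": status.get("code"),
            "content": (status.text or "").strip(),
            "originalcode": status.get("originalcode"),
            "originalcontent": status.get("originalcontent")}


def resolve(xrd_documents, saml=False, cid=False, signature_valid=lambda xrd: True):
    """Resolver post-processing over the ordered chain of XRDs. The set of XRDs
    returned never changes in membership or order (item 2: cid=true is
    orthogonal to endpoint selection and reference processing); only Status
    is touched. `signature_valid` stands in for real enveloped XML DSig
    validation per SAML Core 5.4 (assumption: not implemented here)."""
    out = []
    for doc in xrd_documents:
        xrd = ET.fromstring(doc)
        signed = xrd.find(f"{{{DS_NS}}}Signature") is not None
        if saml and signed and not signature_valid(xrd):
            override_status(xrd, CODE_SIGNATURE_INVALID,
                            "SAML signature did not validate")
        if cid and xrd.find(q("CanonicalID")) is None:
            # Verification of a CanonicalID that IS present follows the
            # CanonicalIdVerification proposal and is not reproduced here.
            override_status(xrd, CODE_CID_NOT_PRESENT,
                            "CanonicalID element not present")
        out.append(xrd)
    return out


if __name__ == "__main__":
    for xrd in resolve([SIGNED_XRD, UNSIGNED_XRD_NO_CID], saml=True, cid=True,
                       signature_valid=lambda x: False):
        print(status_view(xrd))
```

Because the originals travel with the XRD, a consuming application that receives an overridden Status can still see what the server sent and, with the signature and signed content intact, repeat the signature check itself for debugging, which is exactly the gap the override-without-record approach left open.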

It was concluded that we need another call on this topic, when Les can
attend (he was sick today).

# WIL AND DRUMMOND to schedule the call, ideally for Friday 8/24.


3) ACTION ITEMS AND SCHEDULE FOR ED04

The following page has been updated for current action items:

	http://wiki.oasis-open.org/xri/Xri2Cd02/ResWorkingDraft11

For ED04, the remaining action items are for Drummond and Wil (with one
small one for Gabe). Wil agreed to send his action items to Drummond by next
Monday morning, and Drummond will attempt to complete ED04 during a long
plane trip on Monday.


4) XDI, SOCIAL NETWORK PORTABILITY, AND THE DATA SHARING SUMMIT

Interest is skyrocketing in social network portability. A Data Sharing
Summit "camp" is being held in Richmond CA on this topic on Sept 7 & 8:

	http://datasharingsummit.com/

Gabe is attending, as is XDI TC member Andy Dale. Drummond explained that
he, Markus Sabadello, and Paul Trevithick planned to attend and show an
alpha community dictionary service based on the XDI RDF model that will be
contributed to the Identity Commons Identity Schemas Working Group
(http://idschemas.idcommons.net/). Further details will be posted there and
to the XRI and XDI mailing lists/wikis as soon as they are available.
