SSTC Telecon Agenda: September 18

["PATO,JOE (HP-PaloAlto,ex1)" <joe_pato@hp.com>]

Agenda for SSTC Telecon, 18 September 2001
Dial in number: +1 334 262 0740 Meeting ID#856956.

Agenda

* Attendance

* Ratification of minutes from F2F#4

* ratification retry for "green issues" in Hal's issues-to-be-closed doc
(e-mail: RE: Issues to be closed at the Sept 4 Concall (revised list)
31-aug-01)

* sponsorship of issues in saml-issues doc
  - issues need sponsors to stay on to-resolve for 1.0 list (extended to
9/28)
  - another week to raise hands & sponsor issues

* workload balancing
  - JeffH needs to pass on some tasks

* uncovered tasks
  - DSIG profile (any takers?)

* a SAML/Kerberos integration discussion group will be created - send mail
to Joe to join him (by 9/14) => extended to 9/21


* "whiteboard issues" from F2F#4
  - which are closed?
  - Issue owners, please be prepared to discuss status
  - need to prioritize (on the call? yes?) - owner will assert priority, TC
can comment. (for each issue/action a want resolved by date will be assigned
during the call)

[Action - Bob B & Marlena]: <Subject> in Core doc to correspond to Artifact

[Action - Bob B.]: Return of not current valid assertions to RP (e.g. post
dated)

[Action - Charles]: To write a concrete proposal that would allow
Authorities to provide helpful info about why certain requests failed. This
would be really helpful during initial deployment when you can't figure out
why things aren't working. This could/should be turned off in production.

[Action - Chris McClaren]: will champion the sec-consider-xx issues and
drive this subprocess.

[Action - Chris]: to write-up versioning strategy and distribute to mailing
list [done Aug 30]

[Action - Don]: Smart client profile - develop a proposal

[Action - Don]: to elaborate the number of 1-1 relationships and propose how
to fix the resulting scaling issues.

[Action - Gil]: [DS-6-01:Nested Attributes] Not sure how SAML could address
this

[Action - Gil]: To make a proposal on the mandatory use of HTTPS

[Action - Hal & Bob B]: Artifacts are bearer instruments, Assertions are not

[Action - Hal]: Agrees to create a proposal that indicates why we should
minimize the number of profiles, specifically "Form POST".

[Action - Hal]: to take all the proposed closed issues (green) and send them
out for ratification at the next concall. [Completed 8/31 - ratification
awaiting next concall with quorum]

[Action - Hal]: to write scenarios (and / or provide definitions) for how
NameIdentifier is used (e.g., when it is in SubjectConfirmation to identify
an assertion vs. when it is used to represent the assertion referent) 

[Action - Irving]: Multiple NameIdentifiers are dangerous - Irving to write
up proposal.

[Action - Irving]: to investigate and write up WAP limits

[Action - Jeff]: threat model discussions to be removed from the bindings
doc - but rationale preserved somewhere in SAML documents.

[Action - Marlena]: SHIB desires 00-02 artifact type (anonymous user &
attribute assertions - non personal identifiable info) core design issue.

[Action - Marlena]: to write a proposal to create another Web Browser
profile that retrieves an Attribute Assertion rather than an Authentication
Assertion.

[Action - Marlena]: to write up use of artifacts for queries

[ACTION - Phil]: agreed, the core spec will state that all elements need to
explicitly call out the SAML namespace. Phil to make changes.

[Action - Phil]: Will produce a core-16 that just contains the notional and
twiddles before any major changes to schema and protocols.

[Action - Prateek]: "Security properties of Assertion Handle" (Bob Blakley
to act as reviewer).

[Action - Prateek]: Lookup by artifact: Agreed that he should submit a
detailed proposal to the Core outlining specific changes to specific
sections. Includes new request-response protocol not currently defined in
HTTP binding

[Action - Prateek]: Oracle attacks WRT SOAP Profile

[Action - Prateek]: Push profile / use case to be dropped from document
(Paul Leach's claim that this would assist SAML/Kerberos integration was
never developed - Paul to present this case if he wishes to re-instate this
profile)

[Action - Prateek]: Should the Bindings Group select either the HTTP or SOAP
protocol bindings for inclusion in the final spec?

[Action - Prateek]: Should the SOAP binding address the issue of
intermediaries - generate proposal for how

[Action - Prateek]: This is an editorial issue about the names of profiles.
Prateek to revise current document.

[Action - Simon]: write a concrete proposal that outlines the change to the
nature of the authorization query.

[Action - Tim]: First Contact - will write up what can be done with the
current design.