Subject: [security-services] Minutes for Telecon, Tuesday 29 October 2002


Minutes for SSTC Telecon, Tuesday 29 October 2002
Dial in info: +1 334 262 0740 #856956
Minutes taken by Steve Anderson

======================================================================
                              Summary
======================================================================

  Votes:
  
    - Minutes from 15 October 2002 call accepted
    - Motion to approve Eve's fragment ID recommendations for 1.1 as
      described in
      < http://lists.oasis-open.org/archives/security-services/
        200210/msg00026.html >
  
  New Action Items:
  
    - Hal to get a proposal crafted to make this schema change for 
      "Standardize Issuer Name Format" needed by XACML
    - Editors to update documents with Eve's fragment ID 
      recommendations
    - Jeff & Eve to add parts of Eve's fragment ID recommendation to 
      2.0 item list
    - Hal to propose specific schema changes for proposed DoNotCache
      condition
    - Irving to consult w/ Merlin Hughes on current XMLDSig issues

  Previous Action Items Still Open:
  
    - Jeff to determine if conformance language around the notions
      of profiles vs. extensions is really an issue
    - Prateek & Jeff to look at Liberty provider metadata's 
      applicability for SAML specs
    - Jeff to solicit comment on draft-sstc-xmlsig-guidelines-0{2|3}
      from Liberty arena
    - Eve, Rob and Jeff to draft amended SSTC charter
    - Prateek to draft analysis of use of XML Encryption in SAML

======================================================================
                             Raw Notes
======================================================================

> 
> Agenda:
> 
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

> 
> 2. Accept minutes from previous meeting
>    < http://lists.oasis-open.org/archives/security-services/
>      200210/msg00028.html >
>

- [VOTE] unanimous consent, accepted

>
> 3. Review of open Action Items (AIs)...
>
>    AI-2. Carlisle Adams to take the "Standardize Issuer Name Format"
>          back to XACML for clearer requirements and/or a
>          proposal.
> 
>          [security-services] XACML Change request to SAML...
>          < http://lists.oasis-open.org/archives/security-services/
>            200209/msg00015.html >
> 

- done
- Jeff: this would be a schema change
- do we want to do this in v1.1 or v2.0?
    - will it be backward-compatible?
    - Hal: XACML would prefer it sooner
- [ACTION] Hal to get a proposal crafted to make this schema change

> 
>    AI-6. Jeff to determine if conformance language around the notions
>          of profiles vs. extensions is really an issue
> 
> [still in progress (will try to before next meeting)]
>

> 
>    AI-7. Prateek & Jeff to look at Liberty provider metadata's
>          applicability for SAML specs
> 
> [in progress - can discuss on the call]
> 

- Jeff: seems the notion and format is useful, but Liberty schema 
  wouldn't map directly over
- Jeff and Prateek will post message after further analysis
- Prateek: has separate question of whether Liberty AuthN Context is
  relevant, but will address in separate posting

> 
>    AI-8. Jeff to solicit comment on 
>          draft-sstc-xmlsig-guidelines-0{2|3} from Liberty arena.
> 
> [in progress - have commitment from Jonathan Sergent to review the
>  -03 rev of the guidelines. Good news is that Liberty folk and SAML 
>  folk are on the same wavelength wrt xmldsig. ]
>

- Rob: also asking his Liberty reps to review

> 
>    AI-9. Scott to rev the draft-sstc-xmlsig-guidelines-02 doc to -03.
> 
>          [security-services] Third draft of Signature document
>          < http://lists.oasis-open.org/archives/security-services/
>            200210/msg00034.html >
>

- posted and closed
- please review & comment

>
>    AI-10. Eve, Rob and Jeff to draft amended SSTC charter
>

- will try to do before next call

>
>    AI-11. Eve to send mail msg that wraps up resolution on fragment
>           identifiers
> 
>           [security-services] Motion to approve fragment ID 
>           recommendations for 1.1
>           < http://lists.oasis-open.org/archives/security-services/
>             200210/msg00026.html >
>

- Jeff: should add to agenda
- Jeff: have folks reviewed?
- Rob: yes, seems reasonable
- motion to accept motion as posted in above reference
- [VOTE] accepted
- [ACTION] editors to update documents
- Hal: note that part of her proposal is deferred to v2.0, so it needs
  to be remembered somehow
- [ACTION] Jeff & Eve to add this to 2.0 item list

>
>    AI-12. Prateek to draft analysis of use of XML Encryption in SAML.
>

- Prateek: has done some work, will send to Hal for review
- should have something posted to list before next call

>
>    AI-13. Hal to write up proposal on expressing that assertions are
>           not to be cached
> 
>           [security-services] Proposed DoNotCache Condition
>           < http://lists.oasis-open.org/archives/security-services/
>             200210/msg00035.html >
>

- done
- resolution includes change to spec & schema
- Hal: schema change is adding an optional element, which is 
  inherently backward compatible
- implementation aspects were somewhat arbitrary, but mainly cares
  about semantics
- Jeff: posting needs review & comments
- we will shoot for vote on next call
- [ACTION] Hal to propose specific schema changes

> 
> 4. SAML v1.0 OASIS-wide vote
>
>    tally can be monitored here..
>
>    < http://lists.oasis-open.org/archives/tc-voting/ >
>
>    Have 49 Yes votes, 3 abstains, no "No"s.
>

- as long as we don't get any "no"s, we are on track to pass

> 
> 5. where are we at with a SAML v1.1?
>
>    todo list from item [A] of..
>
>    [security-services] Proposed, categorized To-Do list for SAML 1.x 
>    and 2.0 (SAMLng/SAML.next)
>    < http://lists.oasis-open.org/archives/security-services/
>      200208/msg00010.html >
>
>    [A] Feasible Near-term high-priority items, and bug fixes
> 
>       - Bugs that are backwards-compatible (targeted to 1.1)
>       - Functionality that's backwards-compatible/orthogonal and
>         high-priority
>       - The list as a whole can be completed in 3-6 months
>       - Any decision that needs to be made in the short term
>       - the below items are in no particular order (ie unprioritized)
> 
>    [A.1] - Formalizing operational agreements between sites (see
>            Liberty provider metadata schema (section 4 of [1]) and 
>            the saml-dev work [2], for examples; this is
>            guidance/facilitation work rather than protocol work)
>
>  - above will be initiated w/ AI-7
>
>  - who will take those results and fold-in what was learned from the 
>    SAML interop event?
>

- progress under way

>
>    [A.2] - WS-Security profile ([3], possibly to go to WSS TC)
>
>  - done.
>

>
>    [A.3] - Figure out versioning of modularly published profile and
>            binding specs
>
>  - TBD.
>
>  - this one has to do with how do we define and version SAML as a
>    whole?
> 
>  - don't need to answer the below scenarios on this call, but need
>    someone to sign up to consider the question and write a proposal
> 
>    - presently we refer to the "SAML v1.0 specification set", and 
>      have "version" elements in assertions, request msg, and 
>      response msg. 
> 
>      what should we do if we eg rev the bindings and profiles spec 
>      in the future, w/o making changes to -core ?  
> 
>      what should we do if we write a separate b2b profile spec -- 
>        what's the version of that spec once approved as a OASIS std,
>        say?

- Jeff: need either a champion or someone to justify why we don't need
  to worry about it
- Prateek: challenges this, each profile/binding is connected to a 
  unique URI that identifies it
    - as new ones are published, versioning is implicitly addressed
- Rob: had made some comments in the past in this area, and will go
  back and review them
          
>
>    [A.4] - Sharpen conformance language around the notions of
>            profiles vs. extensions
>
>  - this is AI-6, in progress
>

>
>    [A.5] - Express that an assertion should not be cached
>
>  - proposal on the table
>

>
>    [A.6] - Fix fragment identifier gaffe [4]
>
>  - motion on the "email floor" to close this. 
>

- Voted on moments ago
- will be folded into spec

>
>    [A.7] - Standardize issuer name formats (request came from XACML)
>
>  - this is AI-2
>

>
>    [A.8] - Fix xmldsig issues (might turn out to be a [B] item) [5]
>
>  - for 1.1, this will be addressed by Scott's dsig doc (yes?)
>

- Jeff: for 2.0, the plan is to make normative changes to tighten this
  up?
    - RonM: So 1.1 won't say anything further normatively?
    - Jeff: that's what's on the table
    - Scott's doc (essentially a 'best practices' doc) will attempt to
      improve interop
    - Discussion of listing in our specs of C14N as SHOULD vs. MUST
        - appears to be a SHOULD in current spec
    - Discussion of whether the current problem is one where
      verification would succeed when it shouldn't or whether the 
      verification would fail when it shouldn't
        - general uncertainty
        - [ACTION] Irving to consult w/ Merlin Hughes on this
    - Ron: sounds like whatever is recommended in the spec currently
      doesn't preclude anyone from doing the right thing, but it does
      recommend doing the wrong thing
    - Jeff: section 4 in doc is about sig verification, and it doesn't
      seem to address this aspect, and arguably it should
    - we need to get this sorted out and added to the doc
- Jeff: exhorting people to review this so we can get it resolved

> 
> 6. Discussion of xmldsig guidelines
>

- (generally done in previous agenda item)
- Jeff: the door may be more open in 1.1 to change this problematic
  SHOULD into the more suitable MUST 

> 
> 7. Discussion of credentials collection (?)
>

- no discussion

> 
> 8. any other business?
>

- Jeff: Specification editing duties
   - Eve has previously indicated some availability
   - need to double check with Phill on his availability
   - Prateek can also commit some time
   - Jeff: not a burning issue for a couple more weeks yet
   - we're making good progress toward 1.1 and we should be able to 
     start editing soon

> 
> 9. Adjourn
>

- Adjourned


-----------------------------------------------------------------------

Attendance of Voting Members:

  Irving Reid Baltimore
  Ronald Jacobson Computer Associates
  Mingde Xu CrossLogix
  Hal Lockhart Entegrity
  Carlisle Adams Entrust
  Robert Griffin Entrust
  Jason Rouault HP
  Prateek Mishra Netegrity
  Charles Knouse Oblix
  Steve Anderson OpenNetwork
  Rob Philpott RSA Security
  Jahan Moreh Sigaba
  Bhavna Bhatnagar Sun
  Jeff Hodges Sun
  Emily Xu Sun
  Simon Godik (individual)


Attendance of Observers or Prospective Members:

  (none)


Membership Status Changes:

  Robert Standefer EDS - Lost voting status due to inactivity
  Aravindan Ranganathan Sun - Lost voting status due to inactivity

--
Steve
