
security-services message



Subject: minutes for SSTC conf call, 2004-11-23



minutes for SSTC conf call, 2004-11-23
scribe:  RL "Bob" Morgan

---

Summary:

  - No votes taken.
  - Discussion of many small clarifications, primarily to core spec.
  - Add text regarding requester requirements to conformance doc.

  - Action item status changes:  none
  - New action items:
     - Prateek to update conformance doc with requester requirements,
         also change "Responder" to "Authority"
     - Hal to provide text on XACML and WSS for tech overview.

---


  * Roll taken (attendee list below), quorum achieved.

  *  1. Approve minutes from Nov 9 Concall
http://lists.oasis-open.org/archives/security-services/200411/msg00059.html

Approved.

  *  Reminder: SSTC plans CD and OASIS submission vote on December 7
     (please mark your calendars, we need a 2/3rds vote for
     reaffirming CD status).

Prateek:  noted.

  *  Implementation attestation: we need one more attestation before
     December 15

     Entrust attestation of SAML 2.0 implementation

http://lists.oasis-open.org/archives/security-services/200411/msg00042.html
     Sun Microsystems attestation of successful use of SAML V2.0

http://lists.oasis-open.org/archives/security-services/200411/msg00105.html

Prateek:  seeking more attestations ...

  *  Call for participation in RSA 2005 Interop

http://lists.oasis-open.org/archives/security-services/200411/msg00106.html
     Contact Andy by 12/3 with required information

Rob:  need to get started on defining interop scenarios soon.
Prateek:  Andy is contact point for logistics?
   Rob:  yes
Rob:  there will be lists set up, not publicly archived.

  *  Updated SSTC web page

http://lists.oasis-open.org/archives/security-services/200411/msg00104.html

Eve:  please check for mistakes and comment.

  *  Document Updates
     core-02 f (scott) :

http://lists.oasis-open.org/archives/security-services/200411/msg00109.html
     bindings-02 e (scott) :

http://lists.oasis-open.org/archives/security-services/200411/msg00111.html
     metadata-02 f (scott):

http://lists.oasis-open.org/archives/security-services/200411/msg00113.html
     authn-context-02 a (prateek) :

http://lists.oasis-open.org/archives/security-services/200411/msg00107.html
     authn-context-context-2.0.xsd (prateek):

http://lists.oasis-open.org/archives/security-services/200411/msg00115.html

core:
Scott:  in response to Rebekah's comments, mostly
   modified subject text a little
Rob:  reviewed changes, look OK

bindings:
Eve:  trying to make sure Appendices appear in ToC
Scott:  still awaiting MIME text finalization

metadata:
Scott:  clarifications re ... ?

authn-context:
Prateek:  small capitalization change


  *  Recent discussion threads and comments:

     (a)  Comments and Questions on Core-02 (Rebekah Metz)

http://lists.oasis-open.org/archives/security-services/200411/msg00100.html

524-6 : resolved
533-5 :
   Scott:  advice is supposed to be optional, clarified that it is
     optional in all cases, line 611
687 :
   Scott:  clarify IPv4 address printable format
     shouldn't we specify IPv6 text form too?
   Rob:  normative reference for dotted-quad format?
   RLBob:  will send a note to ietf list asking if there is ref for both
732-3:
   Scott:  clarified that type extensions can be used
   Conor:  only want to say "can't" when ordinarily might think you could
   Scott:  if someone wants to add wildcard back they can define type
     so OK as is
840-1 :
   Scott:  made change to AudienceRestriction condition, clarify format
   Rebekah:  OK
866-96 :  re oneTimeUse and intermediaries
   Scott:  key point here is SAML intermediaries, not any random ones
   Conor:  should use short validity period if intermeds are concern
   Rebekah:  OK, if multiple audience members, is it once for all?
   Conor:  would have to be once per recipient, since it's constraint
     on recipient
   Rebekah:  need to clarify this?
   Hal:  seems to mostly be useful for authz-decision statements ...
   Prateek:  seems to be clear enough already, no change to be made
944-5 :
   Scott:  just removed sentence rather than replicating
973-4 :
   Scott:  removed "identity provider" term
     "authenticating authority" is any one that plays that role
       as distinguished from issuer
   Rebekah:  OK
1031, 1045-83 :
   Prateek:  addressed
1090-1105 :
   Scott:  might like to see minOccurs=0, but no others seem to support ...
     if recipient does attr filtering, may end up with invalid statement
   Rebekah:  any way to assert that nothing has been returned?
   Scott:  no, just send nothing
1673 :
   Scott: rewrote to clarify status of activity ...
1710:
   Rebekah:  have some use cases where requester might want to get
     all assertions from authority, in small-scale authority case,
     so is it intentional that requester has to know all assertion IDs?
   Rob:  request based on assertionIDRef is that way by its nature
     could use another kind of request if want a collection back
1941-3 :
   Scott:  modified to use S1/S2 language (line 2016 in new draft f)
2897 :
   Scott:  modified to clarify
2922-3 :
   Scott:  moved sentence from signing section to section 2 line 644
3063-93 :
   Scott:  can't think of any restrictions ...
     maybe add sentence permitting simultaneous use of different features
3334-50 :
   OK, no other change needed

Scott:  public comment a while ago, that authz decision actions for HTTP
   should probably have "delete", but that TC has frozen this material
   so change won't be made, correct?
Prateek:  yup


  *  Open AIs relevant to SAML 2.0 specification set

0204: Final text for subject and subject confirmation
Owner: Bob Morgan

Bob:  will propose by Nov 24 or will close with no proposal.


0203: Analyze/correct usage of SAML entity terminology
Owner: Eve Maler

Eve:  still working on this, report back by Monday
   harmonize use of "asserting party" and "SAML authority"?
     decide on one or the other?
     use "asserting party" when also use "relying party"?


0199: Glossary updates
Owner: Jeff Hodges

Jeff:  not on call


0123: Obtain MIME type registration for HTTP lookup of SAML
Owner: Jeff Hodges

Jeff:  not on call
Scott:  will ping Jeff


  * other business

Hal:
   tech overview has placeholders for text about WSS, XACML, Shibboleth
   is someone going to do this?
   he'll offer text on WSS and XACML
Prateek:  the aux docs will be advanced somewhat after normative ones

new list comment (Salz):  is requester not listed in conformance doc by
     design?
   Prateek:  seems so
   Scott:  maybe something is needed?
     eg requester has to implement SOAP binding?
   Rob:  if responder MUST implement SOAP, then requester has to also,
     right?
   Nick:  spec for responder refers to queries, does it not?
   Scott:  just means you have to respond to them
     maybe named item should be "foo profile", not "foo"
   Prateek:  may need to clarify that doc is only discussing responders
   Rob:  some discussion of requests in SP/IdP roles
   (more discussion)
   Prateek:  maybe change "Responder" to "Authority" in matrix?
     Rob:  OK
   Prateek:  and then add "SAML requester" role
     with all optional features?
   Rob:  useful if all is optional?
   Scott:  yes, since it drags in conformance to profiles if they're used
   Prateek:  will take action to update conformance doc based on this
   Nick:  how about just adding column to table, not new table
   Prateek:  OK


---

Attendance of Voting Members

   Conor P. Cahill AOL, Inc.
   John Hughes Atos Origin
   Hal Lockhart BEA
   Rebekah Metz Booz Allen Hamilton
   Paul Madsen Entrust
   Paula Austel IBM
   Michael McIntosh IBM
   Anthony Nadalin IBM
   Nick Ragouzis Individual
   Scott Cantor Internet2
   Bob Morgan Internet2
   Prateek Mishra Netegrity
   Frederick Hirsch Nokia
   Abbie Barbir Nortel
   Scott Kiester Novell
   Charles Knouse Oblix
   Steve Anderson OpenNetwork
   Ari Kermaier Oracle
   Vamsi Motukuru Oracle
   Darren Platt Ping Identity
   Jim Lien RSA Security
   John Linn RSA Security
   Rob Philpott RSA Security
   Dipak Chopra SAP
   Jahan Moreh Sigaba
   Bhavna Bhatnagar Sun Microsystems
   Jeff Hodges Sun Microsystems
   Eve Maler Sun Microsystems
   Ron Monzillo Sun Microsystems

Attendance of Prospective Members or Observers

   Emily Xu Sun Microsystems
   Senthil Sengodan Nokia
   Carolina Canales-Valenzuela Ericsson
   Gavenraj Sodhi Computer Associates

Membership Status Changes

   Senthil Sengodan Nokia - Requested membership on 11/9/2004
   Carolina Canales-Valenzuela Ericsson - Requested membership on
     11/10/2004
   Maryann Hondo IBM - Requested membership on 11/10/2004
   Emily Xu Sun Microsystems - Granted voting status after 11/23/2004
     call
   Partha Panda Entrust - Lost prospective status after 11/23/2004
     call
   Alistair Young UHI Millennium Institute - Lost prospective status
     after 11/23/2004 call
   John Linn RSA Security - LOA 11/23/2004 through 1/3/2005


