Re: [security-services] Minutes for Telecon, Tuesday 7 Dec 2004, V2

[Anthony Nadalin <drsecure@us.ibm.com>]

Another correction ... Either I misspoke or the items below were captured wrong, IBM has brought IPR issues up to OASIS Management, in particular to Jamie

Tony: have taken issue to the OASIS board
- people from Liberty have submitted material with known IPR
- pointers to Liberty about the IPR may change
- applicability of IP claims to TC output isn't obvious
- Conor: Liberty requires disclosure of *pending* IPR and OASIS
does not
- Tony: Board has not responded yet
- Frederick: this has not been raised at the OASIS Board to my
knowledge


Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Steve Anderson" <sanderson@opennetwork.com>

"Steve Anderson" <sanderson@opennetwork.com>

12/08/2004 02:39 PM

To	<security-services@lists.oasis-open.org>
cc
Subject	[security-services] Minutes for Telecon, Tuesday 7 Dec 2004, V2

NOTE: At his request, updated comment by Frederick in Agenda item 7.


Minutes for SSTC Telecon, Tuesday 7 Dec 2004
Dial in info: +1 865 673 6950 #351-8396
Minutes taken by Steve Anderson

======================================================================
Summary
======================================================================

Votes:

- Minutes from 23 Nov 2004 call accepted

Action Items Status Changes:

- none

New Action Items:

- Chairs to create 3 electronic ballots (CD, promote to OASIS,
30 day review)

======================================================================
Raw Notes
======================================================================

>
> Agenda:
>
> 1. Roll call
>

- Attendance attached to bottom of these minutes
- Quorum achieved

>
> 2. Accept minutes from previous meeting, 23 Nov
> http://lists.oasis-open.org/archives/security-services/200411/msg00119.html
>

- [VOTE] unanimous consent, accepted

>
> 3. New updates to documents (not previously discussed)
>
> Fixes for authn-context schema errors
> http://lists.oasis-open.org/archives/security-services/200412/msg00017.html
>

- JohnK: someone reported validation problem
- discovered that many tools we had been using for validation
weren't checking certain things
- resulted in broad change for new approach
- no normative text change
- Tony: but these were normative changes against the schema
- Prateek: there was a technology problem with the schema, and
John & Scott instituted a change
- Eve: amounts to a big bug fix
- Scott: definitions of classes haven't changed
- JohnK: semantics are the same
- Rob: we'll talk in a few minutes about significance of this
wrt to our process
- Rob: what is status of files?
- JohnK: files are all done, and was about to upload
- Rob: then, suggest we skip agenda #4 for now, and go on to #5
- [**** SKIPPING TO AGENDA ITEM #5 ****]

>
> 4. Re-affirm CD status for document set and schemas
>
> (a) Specifications
>
> Glossary: -cd-02a http://www.oasis-open.org/apps/org/workgroup/security/download.php/9360/sstc-saml-glossary-2.0-cd-02a.pdf
>
> Bindings: -cd-02f http://www.oasis-open.org/committees/download.php/10337/sstc-saml-bindings-2.0-cd-02f.pdf
>
> Conformance: -cd-02a http://www.oasis-open.org/apps/org/workgroup/security/download.php/10269/sstc-saml-conformance-2.0-cd-02a-diff.pdf
>
> Core: -CD-02G http://www.oasis-open.org/committees/download.php/10390/sstc-saml-core-2.0-cd-02g.pdf
>
> Metadata: -cd-02f http://www.oasis-open.org/committees/download.php/10219/sstc-saml-metadata-2.0-cd-02f.pdf
>
> Profiles: -cd-02g http://www.oasis-open.org/committees/download.php/10418/sstc-saml-profiles-2.0-cd-02g.pdf
>
> Authn-context: -cd-02b
> <To appear in repository>
>
> (b) Schema
>
> Metadata http://www.oasis-open.org/apps/org/workgroup/security/download.php/10035/sstc-saml-schema-metadata-2.0.xsd
>
> DCE Attribute data http://www.oasis-open.org/apps/org/workgroup/security/download.php/9051/sstc-saml-schema-dce-2.0.xsd
>
> Protocol http://www.oasis-open.org/apps/org/workgroup/security/download.php/9783/sstc-saml-schema-protocol-2.0.xsd
>
> Core http://www.oasis-open.org/apps/org/workgroup/security/download.php/9782/sstc-saml-schema-assertion-2.0.xsd
>
> X500 http://www.oasis-open.org/apps/org/workgroup/security/download.php/9185/sstc-saml-schema-x500-2.0.xsd
>
> LDAP http://www.oasis-open.org/apps/org/workgroup/security/download.php/8652/sstc-saml-schema-ldap-2.0.xsd
>
> Authn-context (core)
> <To appear in repository>
>
> Authn-context (classes)
> <To be updated in V2.0 Working Specifications>

- [**** DISCUSSED AFTER AGENDA ITEM #5 ****]
- [MOTION by Conor] Accept documents (pending AuthN Context
change) as CD
- second by Jeff
- Tony: don't have web access currently
- can't vote on what I can't see
- happy with intent of fixing problem
- happy with rest of spec
- Frederick: can't treat this fix as errata?
- no
- Scott: if you had reviewed it before and were happy with it
before, you'll be happy with it now
- Prateek: we'll still have 30 days to look it over
- Steve: are you assuming we'll repeat the public review
- Eve: even the OASIS std process gives us opportunity to make
editorial changes
- Scott: if we repeat the review, there are some changes I'd like
to make
- Mike: are people suggesting not doing another 30 day review?
- Prateek: first considering reaffirming as CD
- Mike: but less comfortable voting CD if there won't be another
review
- Jamie: can table this and vote on review vs. OASIS ballot
- Mike: could do electronic vote
- Eve: could hold meeting in 1 week to vote
- Steve: delaying for a week leaves no time for changes after
review before submitting for OASIS ballot by Jan 15
- Conor withdraws motion
- Conor: concerned about staying in loop of 30 day reviews
- Prateek: proposal is to do one week ballots for reaffirming
CD status AND submit to OASIS for voting
- Jamie: fine to combine into one vote
- Eve: but we need to have fallback ballot (if vote to go to
OASIS fails) to immediately start 30 day review
- Rob: planned electronic ballots are
- re-confirm CD status
- promote to OASIS for vote
- if vote to go to OASIS fails, start 30 day review immediately
- [ACTION] Chairs to create 3 electronic ballots (CD, promote to OASIS,
30 day review)
- Rob: means we don't need quorate meeting next Tuesday
- [**** SKIPPING TO AGENDA ITEM #6 ****]

>
> 5. Discussion:
>
> Should we proceed to vote on OASIS standardization ?
>
> OR
>
> Does the magnitude of changes of authn-context schema
> suggest another 30 day review period ?
>

- Rob: we do have a timing issue
- we may be comfortable proceeding to OASIS std, or may desire
another public review
- if want we proceed to OASIS std, we need to re-approve CD status
- if we go thru another review, we would need to start immediately
to be able to submit by 15 Jan, to have them approved by 1 Mar
- docs on authN context aren't on website yet
- JohnK: uploading now
- Rob: people obviously weren't looking at these, as the authN
context was sort of secondary
- Rob: so how do folks feel about voting these as CD, pending JohnK's
post?
- Jamie: was a member of a TC 2 years ago that had a similar
situation
- can vote to CD, vote for another review, and after that there
must be yet another vote to confirm as CD
- Scott: for me, CD question isn't a question, specs are stable
- editorial changes need to be merged in
- the question is whether to proceed to OASIS ballot
- also notes a change in latest Profiles draft concerning what an
IdP can do in response to an AuthN request in ECP
- Tony: so this is a semantic change
- Scott: yes, the text was overly restrictive, and change loosens it
- attestations shouldn't be affected, because if they were compliant
already, they still should be
- Prateek: do we go back to agenda #4 now?
- Scott: my vote on #4 doesn't depend on #5
- [**** RETURNING TO AGENDA ITEM #4 ****]

>
> 6. Attestations: we now have three statements of use !
>
> (a) Trustgenix attestation of successful use of SAML 2.0
> http://lists.oasis-open.org/archives/security-services/200412/msg00014.html
>
> (b) Entrust attestation of SAML 2.0 implementation
> http://lists.oasis-open.org/archives/security-services/200411/msg00042.html
>
> (c) Sun Microsystems attestation of successful use of SAML V2.0
> http://lists.oasis-open.org/archives/security-services/200411/msg00105.html
>

- no comments

>
> 7. Other e-mail threads:
>
> (a) IPR Question from Fujitsu and discussion thread
> http://lists.oasis-open.org/archives/security-services/200411/msg00126.html
>

- Rob: we have had discussions on the side to ensure that we're
following OASIS procedure
- have spoken with AOL and Fidelity about stating claims
- RSA will be posting on this shortly as well
- Tony: have taken issue to the OASIS board
- people from Liberty have submitted material with known IPR
- pointers to Liberty about the IPR may change
- applicability of IP claims to TC output isn't obvious
- Conor: Liberty requires disclosure of *pending* IPR and OASIS
does not
- Tony: Board has not responded yet
- Frederick: this has not been raised at the OASIS Board to my
knowledge
- Jeff: Liberty mgmt board granted us rights to their specs, and
they're the ultimate authority
- Jeff: why are we wasting TC time on this? This is a board matter.
- Prateek: we are following current OASIS rules, and that is all we
can do now

>
> (b) Days late and dollars short, comments on "entity" terminology
> http://lists.oasis-open.org/archives/security-services/200412/msg00013.html
>

- Eve: haven't finished, but looks pretty good so far
- created descriptions of how terms are used, which may be useful in
tech overview or other ancillary docs
- Jeff: will help with clean up
- Ron: question about "asserting party" overlapping "authority"
- Eve: almost synonyms
- confusion on "confirming entity", some prefer "attesting entity"
- Eve: is compiling these edits, but not applying them yet
- Rob: let's let Eve work with Editorial team to ensure terms are
consistent

>
> 8. Open AIs relevant to SAML 2.0
>
> #0204: Final text for subject and subject confirmation
> Owner: Bob Morgan
> Status: Open
> Assigned: 2004-11-23 06:20:46
> Due:
>

- RLBob not on call
- Rob: expected to be editorial changes, right?
- Scott: thinks he was unhappy with it over all, but this is what
we're going with unless people speak up

>
> #0203: Analyze/correct usage of SAML entity terminology
> Owner: Eve Maler
> Status: Open
> Assigned: 2004-10-31 19:56:49
> Due:
>

- Eve: this is under way

>
> #0199: Glossary updates
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2004-10-25 20:14:40
> Due:
>

- Jeff: will work on it this week
- will be deriving definitions from the specs and put in glossary
- will coordinate with editorial clean up of terminology

>
> #0123: Obtain MIME type registration for HTTP lookup
> of SAML
> Owner: Jeff Hodges
> Status: Open
> Assigned: 2004-02-13 20:18:48
>

- Jeff: needs to double check
- one was approved, not sure on the other one

>
> 9. Any other business
>

- none

>
> 10. Adjourn
>

- Adjourned


----------------------------------------------------------------------

Attendance of Voting Members:

Conor P. Cahill AOL, Inc.
John Hughes Atos Origin
Hal Lockhart BEA
Rebekah Metz Booz Allen Hamilton
Rick Randall Booz Allen Hamilton
Ronald Jacobson Computer Associates
Paul Madsen Entrust
Dana Kaufman Forum Systems
Michael McIntosh IBM
Anthony Nadalin IBM
Nick Ragouzis Individual
Scott Cantor Internet2
Peter Davis NeuStar
Jeff Hodges NeuStar
Frederick Hirsch Nokia
John Kemp Nokia
Abbie Barbir Nortel
Scott Kiester Novell
Cameron Morris Novell
Charles Knouse Oblix
Steve Anderson OpenNetwork
Vamsi Motukuru Oracle
Darren Platt Ping Identity
Prateek Mishra Principal Identity
Jim Lien RSA Security
Rob Philpott RSA Security
Jahan Moreh Sigaba
Bhavna Bhatnagar Sun Microsystems
Eve Maler Sun Microsystems
Ron Monzillo Sun Microsystems
Emily Xu Sun Microsystems
Mike Beach The Boeing Company
Greg Whitehead Trustgenix


Attendance of Observers or Prospective Members:

Senthil Sengodan Nokia
Carolina Canales-Valenzuela Ericsson
Jamie Clark OASIS
James Vanderbeek Vodafone
Gavenraj Sodhi Computer Associates
Mary McRae OASIS


Membership Status Changes:

Tim Alsop CyberSafe - Withdrew 11/23/2004
Forest Yin Netegrity - Lost voting status after 12/7/2004 call
Maryann Hondo IBM - Lost prospective membership after 12/7/2004 call

--
Steve Anderson
OpenNetwork