revised minutes for OASIS SSTC conf call, 2005-03-01

["RL 'Bob' Morgan" <rlmorgan@washington.edu>]

Revised numbers for the vote (some ballots were found in an old suitcase) 
and attendance.

  - RL "Bob"

---

minutes for OASIS SSTC conference call, 2005-03-01
scribe:  RL "Bob" Morgan

---

Summary:

  - vote taken to proceed with OASIS standardization of SAML 2.0 doc set
    despite "no" vote from one OASIS member; result: passed

  - RobP and Eve will make final doc edits for becoming standard

  - focus now on supplemental materials, esp tech overview and exec
      overview, so as to publish along with 2.0 standard announcement
    all TC members are encouraged to provide comments on tech-overview and
      exec-overview docs before next call (March 8)

  - discussion of other outstanding docs:  errata, metadata-1x, X509 authn

  - action item status changes:  none

  - new action items:
    * Prateek will propose next steps for conformance based on broader
      deployments

---

Full minutes:

38 of 43 voting members present (attendance below), quorum achieved

minutes approved for 2005-01-18 and 2005-02-15 calls, no objections

OASIS member vote on SAML 2.0 standard was  85 yes, 1 no
   fujitsu was the no, raised issue about IPR claims from two Liberty
     contributors, citigroup and catavault
question for TC:  approve anyway despite the one No vote?
   motion made:  proceed with standardization despite objection
   discussion:
   TonyN:  need proper response to fujitsu
   Hal:  would be good to get statement from these contributors
   RobP:  catavault seems to have gone out of business, not clear who
     would give a statement
     also claims were about ID-FF 1.0, not 1.1 or 1.2
   Prateek:  there were two responses from the chairs, yes?
   Scott:  AOL IPR statement seems not to have made it to web site?
   Conor:  Liberty rules don't require RF license, just RAND
   Irving:  worry about IPR specialists buying patents from companies that
     have gone out of business
   Scott:  there are lots of patents and claims out there, why are we
     worrying about these here?  citigroup material isn't even published
   RobP:  but citi and catavault statements were preparing for RAND
     licensing
     but Liberty implementations are out there, with these issues already
   RobP:  on the motion, objections to unanimous consent?
   TonyN:  yes
   vote taken:  31 yes, 0 no, 4 abstain, 3 present but no response,
     5 not present; so motion passes
RobP and Eve will make final edits
RobP and Prateek will notify TC list and OASIS

TC response to Gross re security issues
   Prateek:  link to response doc sent to him, he acknowledged,
     no responding comments yet
   Maryann:  will ask for him to comment, before next voting call

tech overview document

JohnH had to leave call
draft 3 posted
Eve:  would like to have outreach material ready by time of SAML 2
     standards announcement, when would that be?
Hal:  XACML announcement not yet out, and it's a month ahead ...
Mary:  that's about to go out
Eve:  OK, let's say end of March deadline for finishing
    and focus our attention on getting these docs done
RLBob:  what constitutes outreach material?
Eve:  tech overview, exec overview
     implementor's guide?  doesn't have owner?
     1.x to 2.0 delta material?  where does it go?
     also FAQ on SSTC website, tho exec overview is in FAQ format ...
     ask for comments on overviews before call on Mar 08

errata document

Jahan:  go thru errata items for final disposition
Scott:  process?  very hard to read errata out of context
RobP:  OK, will commit to having red-lined version of 2.0 spec
   with changes based on errata
RobP:  note that there isn't proposed text on E1
Jahan:  will move E1 to Proposed Errata section, publish new draft

metadata doc

Prateek:  comments re SSO and logout, making them more recommended
Scott:  will modify text as requested
Prateek:  also change recommendation on use of SSL
Scott:  while we're talking metadata, Shib group is interested in
   having metadata representation of indirect key validation
   ie use of X.509 CAs and path validation rather than embedding keys
   limitations of ds-keyinfo relate
   may require metadata extensions
   so asking whether others are interested in this approach
Scott:  also note that this is first profile that has come outside
   of protocol release, hence may be issues about profile naming eg
   so please review (will send note to list on this point)

issue from TomW:  SLO after NMI termination
   Scott:  may turn into an errata item, will send note

X509 authn doc

Rick:  approach is based on customer requirements, so not debatable
     re confirmation method, couldn't find much about bearer, will remove
     will get new draft out by end of week, hope to get vote next call
   Scott:  why restrict to HTTP?  wouldn't this apply to other
     TLS-protected protocols, and be more general?
   Rick:  sure, will check with customer
   Rick:  re wildcarding, will look more closely at suggestion
   (exit Rick)
   Scott:  encryption requirement also a problem
     seems to cross line from implementation to deployment
     SSTC profile should be more generally applicable
   RobP:  maybe this can just be a registered profile, not TC output
   Irving:  customers want named profile with knobs set how they want
     maybe could have "plain option" and "most secure option" in this spec
   Scott:  will ask Rick

SAML 2.0 interop event at RSA conference
   RobP:  demonstrated mandatory and optional SSO, SLO, federation, etc
     also USGov GSA e-auth demo
   future interops?  tbd
   Prateek:  want to take conformance material further as SAML 2.0 deploys
     hoping SSTC will have a role in this

AIs

#166 wiki:
   Scott:  wiki up for Shib project, will add new section for SAML
     will be plastered with notifications about IPR,
       ie don't post material that is IPR-encumbered
   Mary:  OASIS working on wikis for TCs, are "pretty close"
     likely after mid-April
   Scott:  will proceed with this wiki anyway

#205 MIME type registration:
   Jeff:  will work on this week, need to nail down site URLs

#207 AuthnRequestsSigned metadata setting:
   still open

#208 check issues with deflate encoding:
   still open


---

Attendance

Voting members (38 of 43):

Conor P. Cahill AOL, Inc.
John Hughes     Atos Origin
Hal Lockhart    BEA Systems, Inc
Rebekah Metz    Booz Allen Hamilton
Rick Randall    Booz Allen Hamilton
Ronald Jacobson         Computer Associates
Thomas Wisniewski       Entrust
Carolina Canales-Valenzuela     Ericsson
Irving Reid     Hewlett-Packard Company
Heather Hinton  IBM
Maryann Hondo   IBM
Anthony Nadalin IBM
Nick Ragouzis   Individual
Scott Cantor    Internet2
Bob Morgan      Internet2
Peter Davis     NeuStar
Jeff Hodges     NeuStar
Frederick Hirsch        Nokia
Senthil Sengodan        Nokia
Abbie Barbir    Nortel
Scott Kiester   Novell
Cameron Morris  Novell
Paul Madsen     NTT USA
Ari Kermaier    Oracle
Vamsi Motukuru  Oracle
Darren Platt    Ping Identity
Prateek Mishra  Principal Identity
Jim Lien        RSA Security
John Linn       RSA Security
Rob Philpott    RSA Security
Dipak Chopra    SAP
Jahan Moreh     Sigaba
Bhavna Bhatnagar        Sun Microsystems
Eve Maler       Sun Microsystems
Ron Monzillo    Sun Microsystems
Emily Xu        Sun Microsystems
Mike Beach      The Boeing Company
Greg Whitehead  Trustgenix

Prospective members (1 of 3):

Hans Granqvist  VeriSign

Observers (2):

Mary McRae      OASIS
Scott Tomilson  Entrust


---------------------------------------------------------------------
To unsubscribe, e-mail: security-services-unsubscribe@lists.oasis-open.org
For additional commands, e-mail: security-services-help@lists.oasis-open.org