security-services message



Subject: Draft minutes from 16 Dec 2008 SSTC telecon [roll to be added]


>
> Roll Call & Agenda Review

Logistics note: Hal is canceling the 30 December 2008 call.  Our next  
call will be 13 January 2009.

> Need a volunteer to take minutes

Eve volunteered.

> 1. Minutes
>
> 1.1 Minutes from SSTC/SAML conference call November 18, 2008
> http://lists.oasis-open.org/archives/security-services/200812/msg00010.html

APPROVED by unanimous consent.

> 1.2 Minutes from SSTC/SAML conference call December 2, 2008
> http://lists.oasis-open.org/archives/security-services/200812/msg00017.html

APPROVED by unanimous consent.

> 2. Announcements
>
> 2.1 Draft SP 800-63 Revision 1: E-Authentication Guideline is  
> available for a second public comment period (Assertions are in for  
> Level 4)
> http://lists.oasis-open.org/archives/security-services/200812/msg00036.html

Eric Tiffany noted this news recently.  Our attempt to "raise NIST's  
consciousness" has resulted in this new guideline, which is good  
news.  Please do review it to ensure it's accurate.

> 2.2 xspa-saml-profile-cd-01 for public review
> Bounced back by TC Admin for changes to meet OASIS Requirements

Mary McRae asked us to fix a few formatting issues to bring it into  
alignment with OASIS requirements.  It's in process.

> 3. Document Status
>
> 2.1 sstc-saml-attribute-ext-cd-01.pdf uploaded
> http://lists.oasis-open.org/archives/security-services/200812/msg00019.html

Scott Cantor has posted the CD version (voted to this status last  
time).  We anticipate packaging up a number of items for public  
review, including this.

> 2.2 HoK Assertion Profile (draft-07)
> http://lists.oasis-open.org/archives/security-services/200812/msg00030.html
>
> 2.3 HoK Assertion Request Profiles (draft-01)
> http://lists.oasis-open.org/archives/security-services/200812/msg00031.html

Tom, holder of the pen on these to date, notes:

Draft 07 of the HoK assertion profile had some changes to the  
NotBefore and NotOnOrAfter bits, as requested in some (unsolicited!)  
public comments that came in.  He believes it's ready to move to CD,  
but it can also sit and wait for the HOK browser SSO profile (Nate's  
profile).  Hal will plan for a CD vote after the holidays, with a  
packaging of related specs for public review when they're all ready  
for that.

The HoK assertion request profile is still new so it's a bit rough,  
and the requirements are very conservative.  Please take a look.

> 2.4 sstc-saml-holder-of-key-browser-sso-draft-10.pdf (sstc-saml- 
> holder-of-key-browser-sso-draft-10.pdf) uploaded
> http://lists.oasis-open.org/archives/security-services/200812/msg00033.html

Nate, holder of the pen on this to date, notes:

This draft clarifies which assertions should be bundled with the  
response.  Tom will pick this up going forward, with some changes he's  
got planned.  Tom can have draft 11 ready by the 13 Jan 2009 meeting,  
including all changes/cleanup already planned and also changes  
suggested by the comments that have come in.

> 3.  Discussion Threads
>
> 3.1 PE78: Reassignment of persistent identifiers
> http://lists.oasis-open.org/archives/security-services/200812/msg00012.html

Tom, who started the thread, summarizes: The bottom line is that if  
the SSTC believes that non-reassignability was intended in the  
original spec, then we're free to add this clarification as an  
erratum.  Otherwise we need to consider spinning off a new  
identifier.  Scott feels the original intent was close to this, and  
the opposite proposition is nonsensical, so an erratum would be  
reasonable.  Hal is concerned that the proposition isn't testable.

Option 2, "A given value, once associated with a principal, MUST NOT  
be assigned to a different principal at any time in the future.",  
isn't testable but it's the intended sense of the committee.

Scott moves, and JeffH seconds, TO accept option 2 on PE78.  PASSED by  
unanimous consent.

Scott suggests that we dispose of PE75, PE76, and PE77 on the next call.

> 3.2 SAMLv2.0 HTTP POST "SimpleSign" Binding
> http://lists.oasis-open.org/archives/security-services/200812/msg00005.html
> Ready for Public Review?

And if it's ready, how do we want to bundle specs?  Eve suggests  
putting it out to public review separately from others, to ensure it  
gets sufficient attention from communities that are starting to use it  
in interesting ways.  JeffH agrees.  That means XSPA would be on its  
own too.  It turns out they can't be packaged together anyway, so  
never mind. :-)

We had thought a 15-day review on SimpleSign would be sufficient, but  
with the holidays, either starting a 30-day review now or deferring  
the start to after the holidays would be best.  Tom sent a diff to  
JeffH, and he will add it to the document repository.

Eve moves (and JeffH seconds) that we move SimpleSign to a public  
review, of at least 15 days in length, ending no sooner than January  
9.  Motion PASSED by unanimous consent.  (The point of the motion is  
to ensure that Mary can tackle the request soonish, ideally this  
week.)  Hal will work with Mary on the request.

> 4. Other business

4.1

Scott notes that the other profile he submitted last week (for tagging  
metadata: the Metadata Extension for Entity Attributes Profile) had  
some comments from Brian.  We should tackle that next time.  He's  
looking for comments on the list prior to then.

4.2

Eve asks about the InfoCard Profile work.  Scott says it's tabled  
until the IMI group figures out its schedules; it's likely to pick up  
that work, though John B. notes that there isn't much appetite for  
taking on additional work until the initial ISIP wave of work is  
done.  Hal wonders if the scenario documents used in the RSA '08  
Concordia workshop would make good work items for the SSTC, or at  
least get them submitted so they're more "official".  Eve thinks they  
might indeed be useful as guidelines.  The scenario Scott had written  
is fully encapsulated in the InfoCard token profile he's already  
written, he feels.

Eve will bring this up as a discussion topic in the Concordia call  
later today.

4.3

Eric notes that Liberty is changing its staffing, and he'll no longer  
be on staff in the new year.  Joni Brennan is taking over his staff  
responsibilities at least in the interim.  The Level of Assurance  
profile document that he wrote a while back is due for a revision;  
he'll make a small edit but he hopes others will pick up that work  
item and he'll reach out to them.

> 5. Action Items (Report created 15 December 2008 09:15pm EST)
>
> #0332: Revise Query Extension for SAML AuthnReq
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---
>
> #0333: Publish a new revision of Profile for Use of DisplayName in  
> OASIS template
> Owner: Sampo Kellomäki
> Status: Open
> Assigned: 2008-05-19
> Due: ---


These are still open.


Eve Maler                                         +1 425 947 4522
Principal Engineer                            eve.maler @ sun.com
Business Alliances group                    Sun Microsystems, Inc.

