

Subject: Re: [security-services] SSTC/SAML concall Draft Minutes Tue 2-Jun-2009


Comments inline.

On Tue, Jun 2, 2009 at 2:18 PM, =JeffH <Jeff.Hodges@kingsmountain.com> wrote:
> comments to the list please.
>
> =JeffH
>
> ============================================================================
> SSTC/SAML concall Tue Jun  2 09:12:38 PDT 2009
> ----------------------------------------------------------------------------
>
> Hal Lockhart presiding
>
> Minutes by Jeff Hodges (=JeffH)
>
> NOTE: next TC concall/meeting is Tue 30-Jun-2009
>
>
>
> AI summary
> ------------
>
> AI -- Scott Cantor to post affirmation to list of no comments in public
> review on those docs
>
> AI -- Tom Scavo to assemble list of comments from PR on the two HOK docs and
> begin processing them
>
> AI -- Charis to make request noted in Motion 2.
>
> AI -- Dwayne to add a page for the XSPA page in the SAML wiki
>
>
>
> Motions Passed
> --------------
>
> 1. Moved to re-affirm these specs as CD due to passing public review with no
> comments.
>    SAML V2.0 Attribute Extensions Version 1.0
>    SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
>    SAML V2.0 Metadata Interoperability Profile Version 1.0
>
> 2. Moved to request TC Admin to launch an electronic ballot to move the docs
> from Motion 1 to CD maturity level.
>
> 3. Moved to move modified XSPA profile to CD
>
> 4. Moved to have a 15-Day review of revised XSPA profile
> (xspa-saml-1.0-pr02.doc version 1) due to there being no substantive
> changes.
>
> 5. Moved to sstc-saml-approved-errata-2.0-draft-49 to CD, confirmed changes
> therein are not substantive, and to proceed to 15-Day public review.
>
>
>
>
>
>> Proposed Agenda SSTC Conference Call
>> June 2, 2009, 12:00pm ET
>>
>> Dial in info: +1 215 446 3648
>> Access code 270-9441#
>>
>> Roll Call & Agenda Review
>>
>> Need a volunteer to take minutes
>>
>> 1. Minutes
>>
>> 1.1 Minutes from SSTC/SAML conference call May 5, 2009:
>>
>> http://lists.oasis-open.org/archives/security-services/200905/msg00018.html
>>
> http://lists.oasis-open.org/archives/security-services/200906/msg00005.html
> (with corrected meeting attendance)
>
>
> prior minutes duly approved by unan consent.
>
>
>
>
>
>
>> 2. Announcements
>>
>>
>> 2.1 Public Review of SAML 2.0 Profiles has closed.
>>
>>
>> http://lists.oasis-open.org/archives/security-services/200903/msg00062.html
>>
>> Question to Scott regarding last action item (Scott to talk to Mary about
>> getting a Jira instance for SSTC.)
>
> Scott Cantor (sc): did talk to her, she said "no problem, you don't do
> anything, I just create it...".  So SC will tug her sleeve again.
>
>
> Nate Klingenstein (nk): wrt pub review, had long disc wrt changes they
> could/should make to HOK, how does that affect ? review, did I miss
> anything?
>
> Tom Scavo (ts): didn't miss anything, need to compile comments on the docs,
> yes?
>
> Hal Lockhart (hl): ques is whether we need to do short or long subsequent
> reviews, but in any case need to compile all the comments w/sources and such
>
>
> sc: at least two or three docs didn't rec any comments..
>
> hl: docs need to be re-affirmed as CDs
>
> sc: next step is to ask for vote for CS, yes?
>
> hl: yes
>
> sc: let's do that today since calls are infrequent?
>
>  don't recall any comments on any but the delegation restriction one. that
> one is on hold until can produce new WD of it
>
>  wrt #2, 5, 6 in the above-referenced message -- no comments on them?
>    SAML V2.0 Attribute Extensions Version 1.0
>    SAML V2.0 Metadata Extension for Entity Attributes Version 1.0
>    SAML V2.0 Metadata Interoperability Profile Version 1.0
>
> sc motion: move to reaffirm above as CD modulo received no comments on them
>
> Jeff Hodges (jh): second
>
> [no objection to unanimous consent to motion -- passed]
>
> AI -- SC to post affirmation to list of no comments in public review on
> those docs
>
>
> AI -- ts to assemble list of comments from PR on the two HOK docs and begin
> processing them
>
>
> sc motion: req tc admin to conduct elec ballot to move the 3 docs to CS
> maturity level
>
> ts: 2nd
>
> [pass w/unan consent]
>
> AI -- chairs, begin process on above listed docs
>
>
>
>> 2.2 Comment requested on removing DTD definitions from XML Signature 1.1
>> and on elliptic curve
>> http://lists.oasis-open.org/archives/security-services/200904/msg00012.html
>>
>> Feedback requested.
>
>
> hl: still not too late to comment.
>
> sc: dtds are gone
>
> hl: still debating elliptic curve, thus not too late to comment.
>
>
>>
>> 2.3 Reminder - Meetings will be every four weeks - Next call July 7.
>
>
> hl: nope, next call is 30-Jun  (!!)
>
>
>>
>> 2.4 Announcement: Upcoming SAML 2.0 IOP event, July 14-Sept. 4
>>
>> http://lists.oasis-open.org/archives/security-services/200905/msg00020.html
>>
>>
>
> Kyle of drummond group: nxt IOP for SAML is 14-Jul-2009, registration is
> still open
>
>
>> 3. Discussion
>>
>> 3.1 Review of planned work. Discuss future work plans and indication of
>> specs in the pipeline and approximate date for first drafts.
>
> [worked down SAML Wiki page: <http://wiki.oasis-open.org/security>]
>
> ts: noted general request that someone add a page for the XSPA page in the
> wiki,
>
> AI -- Dwayne to add a page for the XSPA page in the SAML wiki
>
>
> hl: OASIS BoD have debated at length non-implementable (informational?)
> docs, so have to work in framework, this applies to Tech Overview -- any
> objection to putting the latter into Pub Review at any point?  will leave in
> case anyone wants to champion it, can attach to future pub review...
>
> jh: what about simplesign?
>
> sc: there's comments in queue on it,   no cycles for it now.
>
>
> sc: impl'd by two as-specified, not sure about AOL's impl, not aware of
> other impls
>
> hl: so no intent to progress at this time, not
>
>
> hl: wrt token card profile
>
> sc: on hold for IMI TC work
>
>
> hl: SAML V2.0 Holder-of-Key Assertion Request Profiles
>
> sc: active & moving fwd. there's an opengroup doc that depends on it

The Open Grid Forum's AuthZ-WG is preparing to rev a profile based on
this draft document.

> have public comments on it, intend to move forward

http://lists.oasis-open.org/archives/security-services/200906/msg00004.html

> hl: Level of Assurance Authentication Context Profiles for SAML 2.0
> status of draft 2 from march?
>
> [no answer]
>
> sc: is this one that's on agenda as another doc? is this one Paul just
> posted?
>  that's paul's doc
>
> hl: this is actively being progressed..
>  sounds like we have 3 or 4 that will be ready for pub rev "soon"
>
> any other profiles to propose soon?
>
> frederick hirsch (fh): there might be something more, can't say just yet....
>
>
>> 3.2 XSPA Profile updated
>>
>> http://lists.oasis-open.org/archives/security-services/200905/msg00022.html
>
>
> david staggs (ds): public comment period on this doc ended on 13-Mar,
> analyzed all comments, made approp updates, discussed cmts at last meeting,
> have spreadsheet for all 34 comments, have changes for comments, there's
> lots of interest in XSPA (calling from Healthcare SOA comments and will be
> talking about the spec on Thu this week)
>
> want to propose a motion to move doc forward. last update was recently
> posted.
>
> would be helpful to do vote today due to infrequent TC calls these days.
>
> ds: motion to move modified XSPA profile to CD (would be CD2 rev)
>
> dwayne: 2nd
>
> hl: any objs
>
> [motion passed by unan consent]
>
> hl: can get by w/short pub review. 15-day
>
>
> ds: is cd2 a "major change" from cd1 ?
>
> hl: term is "substantive changes"....
>
> ds: don't believe made "substantive changes"....
>
> hl: [reads process para on this]
> e.g. schema changes are substantive, else judgement call
>
> will entertain motion to have 15-day review, comments are limited to the
> changes only, and is judgement of tc that haven't made substan changes
>
> so moved by DS, 2nd Dwayne
>
> hl: any obj's ?
>
> [motion passed by unan consent]
>
>
> hl: expectation is that you create a diff -- do CD version, and diff with
> prev CD
> let hl know when done that. then hl will contact Mary.
>
> enumeration of changes may be sufficient. e.g. just put spreadsheet in
> repository, send hl links to new CD version and spreadsheet.
>
>
> ds: have source file with "tracking" turned on....
>
>
>
>> 3.3 Any more comments on saml-loa-authncontext-profile:
>>
>> - remove 800-63 schemas
>> http://lists.oasis-open.org/archives/security-services/200904/msg00013.html
>>
>> - Paul to remove specific references to NIST LOA values in a new draft.
>
> hl: paul not on call ... any comments on above?
>
>
> RL Bob Morgan (rlm): proposal on email in last week or so, add to this doc a
> new notion that in addition to being able to express LOA using AC, a
> metadata publisher say can express that an IDP has been "vertified" to use a
> particular profile, using attrs from the attrs-for-metadata draft
>
> see..
>
> http://lists.oasis-open.org/archives/security-services/200905/msg00013.html
>
>
> have heard from other members of their federation that this would be a good
> thing.
>
>
> john bradley (jb): this is the "why should i trust you" problem...
>
> rlm: yes, essentially. metadata signing addresses this, but folks wishing
> for more explicit attestation
>
> hl: how does this work?
>
> sc: have an assertion (assn) about entity, has attribute (attr) in it,
> attestation, can do anything you want with assn of course, is just a common
> claim one can reference. this would be another saml-tc-defined attr
>
> hl: a reg attr statement can refer to any system entity. this one is
> particular to an entity that issues assns
>
> sc: yes, not a big deal
>
> rlm: paul supported it on list
>
>
> jb: provides for IC and other RPs to adopt it (by doing it here)
>
>
> rlm: usual nitpicking wrt actual attr name...
>
> sc: may want to do something similar to orig saml attr work.  sc is fine
> with this proposal
>
>
>
>> 3.4 Assorted threads on saml-dev/comment list
>>
>>
>
>> 3.6 Draft Approved Errata posted
>>
>> http://lists.oasis-open.org/archives/security-services/200905/msg00023.html
>
>
> sc: anyone doing errata shud do all this in parallel, rather than waiting to
> end.  tried to emulate ELM's example, hopefully essentially equivalent
>
> used 49 as increment number to try to keep it consistent
>
> removed refs to non-normative redlined spec
>
> altered lang that there _may_ be redlined specs available
>
> otherwise is just a sync up with working draft.
>
>
> hl: can put info wrt errata in wiki?
>
> AI - SC to put in wiki info wrt making errata process easier
>
>
> hl: do you have list of what orig specs are being altered by this errata?
>
> sc: every normative doc we pub'd as orig spec...
>
> hl: tc process reqs us to supply doc that proposes changes, and optionally
> provide mod'd specs incorp'g errata
>
> sc: doing the latter is burdensome
>
> hl: need to formulate motion to see that boiler plate fixes are made...  in
> order to proc approved errata, need doc w/ "corrections".  we would need to
> vote -49 to CD, 2nd vote to confirm that corrections do not constitute
> substan change, 3d vote to 15-day pub review, 4th  full-majority vote to
> replace the existing errata doc
>
> today, can do first 3 things.
>
> entertain motion to do all first three things (noted above). all these
> errata items we process
>
> sc: so moved
>
> jh: 2nd
>
> hl: any obj's?
>
> [motion passed by unan consent]
>
>
>
>
>> 3.5 SAML simplesign useful in practice?
>>
>> http://lists.oasis-open.org/archives/security-services/200905/msg00015.html
>
> hl: any more to be said on this?
>
> sc: trying to get the xmlsec wg to do a simplesign-like thing, that's where
> question comes in
>
>
>>
>>
>> 4. Other business
>
> hl: any discussion wrt recent threads on saml-dev and comments@ lists?
>
> [silence, none]
>
>
>
>> 5. Action Items
>> none open
>
> [see summary at beginning of these minutes for AIs opened during this
> meeting]
>
>
> [meeting adjourned]
>
>
> ============================================================================
>
>

