OASIS Mailing List Archives

security-services message



Subject: Re: Proposed Agenda SSTC Conference Call (Tue 6 April 2010)


> 1. Roll Call & Agenda Review.

Quorum was not achieved, and the agenda was held to be fine.  Item 7  
was omitted, as a new co-chair was already selected.

> 2. Need a volunteer to take minutes.

Nate volunteered to take the minutes.

> 3. Approval of minutes from last meetings:
>
> Minutes from SSTC Call on 9 March 2010:
> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201003/msg00037.html
>
> Minutes from SSTC Call on 23 March 2010:
> http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201004/msg00005.html

As these minutes were sent to the list late, Anil had to compile a  
list of attendees.  However, this call failed to reach quorum anyway,  
so this was deferred.  Intensive minute approval will occur on the 20  
April call.

> 4. AIs & progress update on current work-items:

Thomas has heard no responses from Mary in response to any of the  
profiles awaiting her actions, including no responses to the voice-mail
that he left.  Other working groups have had public review  
periods initiated on documents recently and received recent private  
emails from Mary, so the reasons for this delay on the below items  
from the SSTC are unclear.  Thomas will call her again.

Thomas also suggested it might be appropriate to communicate concerns  
about the pipeline problems to OASIS administration in hopes that  
additional resources could be allocated if necessary.  Outside groups,  
such as the US Government's ICAM work, and the Kantara Initiative,  
intend to rely on the documents currently in the pipeline, increasing  
the urgency of this appeal.  Frederick offered to make mention of this  
later.

>  (a) Current electronic ballots: None open.
>
>  (b) Status/notes regarding past ballots: (none)
>
>  (c) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as a CS
>       - Status: Thomas has formally asked Mary for new Ballot. (3/11th)
>       - Status: Still awaiting Mary.
>
>  (d)  SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>       - Status: Thomas has formally asked Mary for an Announcement-email for success of ballot. (3/11th)
>       - Status: Still awaiting Mary.
>
>  (e) Kerberos related items. [Josh/Thomas]
>        - Kerberos Web Browser SSO Profile:
>              - Want to move to CD, but waiting for reformatting of doc
>        - AI: Thomas to prepare CD doc and send to Mary to start 60-day review.

The profile has been voted to public review, but Thomas has not yet  
prepared the document in formal OASIS livery and submitted it to Mary.

>  (f) Expressing Identity Assurance profile for SAML2.0 (LOA)
>       - Status: Thomas has formally asked Mary for new Ballot. (3/11th)
>       - Status: Left voicemail for Mary last week. No response yet.
>
>  (g) Older docs: Thomas has formally asked Mary to post these 4 docs (3/11th)
>        (I) Protocol Extension for Third-Party Requests (CS-01)
>       (II) Protocol Extension for Requested Authentication Context (CS-01)
>       (III) Shared Credentials Authentication Context Extension and Related Classes (CS-01)
>       (IV) Text-based Challenge/Response (CS-01)
>
>
>  (h) Errata doc:
>       - Scott working on publishing updated "Approved Standard with Approved Errata".
>       - AI: Scott to go ahead and prepare the doc. Files uploaded 4/4/2010.

Scott looked at the TC process to see if there were any procedural  
requirements for approved errata finalization, but he couldn't find  
any requirements, so he put together his best effort.  The name  
contains an -02, as it's the second iteration of the approved errata  
document for the spec.  Some documents that refer to the errata may  
utilize the link in Kavi, which is also persistent, rather than  
pointing at the Doctree.

SECURITY-6 in the JIRA instance is an issue that came up in the  
Kantara profiling work.  There have been many requests regarding  
making IdPs respond better to SPs with SAML status errors, rather  
than holding up the user at the IdP.  There is questionable language  
in the specs that is somewhat mutually contradictory, and Scott wants  
to clean up the language with a little more guidance for implementers  
to encourage developers to get the user back to the SP.  This would  
better reflect the intent of the original specification.

Bob Sunday had some wording that Scott softened in order to make sure  
it didn't introduce new normative requirements.  Unless there are any  
objections to that text, Scott will consider the errata accepted, and  
it will make its way into the next errata working draft.

http://tools.oasis-open.org/issues/browse/SECURITY-6?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel

>  (i) NSN Attribute Update proposal (Thinh) - update

Thinh was not present on the call, nor was any other representative  
from Nokia-Siemens.

>  (j) Metadata Interop profile (Scott) - update

Scott is fairly satisfied with the material right now, but he's  
awaiting a response from the U.S. Government's ICAM to see if they have  
any other questions or concerns about the profile as worded.

>  (k) SSO initiation draft (Scott) - files uploaded 4/4/2010.

Scott wanted to take this draft to Committee Draft, but as quorum was  
not reached on this call, he was content to leave it as a working  
draft for now.  There is no hurry on the finalization of this profile,  
as there are many more pressing issues before the TC at present.

> 5. New work items: none.

Oracle may have some new work items to submit before the next SAML call.

> 6. Assorted threads on saml-dev/comment list:
>    - OAUTH related.

OAuth 2.0, currently wending its way through the IETF, will likely  
have a standardized binding for SAML tokens, on request by Google,  
Microsoft, Salesforce.com, and IBM.  As the SAML token format is  
finalized, there is probably little need for the input of the SSTC on  
this.  However, the SSTC stands ready to communicate and participate  
if the need arises.

http://www.ietf.org/mail-archive/web/oauth/current/msg01439.html
http://www.ietf.org/mail-archive/web/oauth/current/msg01546.html

> 8. Next Call: Tuesday 20 April, 2010. Note SOA-TEL presentation.
>    Plan:  12noon to 12:45pm SOA-TEL presentation
>              12:45pm to 1:30pm SSTC business.

Any SSTC members who are not interested in the presentation are  
welcome to join the call at 12:45 PM to enjoy only standard SSTC fare.

