
security-services message



Subject: draft minutes for SSTC conf call 7 Sep 2010



I never got attendance info from anyone, but here are meeting minutes.

  - RL "Bob"

---

SSTC Conference Call
Tuesday 7 Sept 2010, 12:00pm ET


AGENDA:

1. Roll Call & Agenda Review.

2. Need a volunteer to take minutes.

**  Your humble scribe:  RL "Bob" Morgan

3. Approval of minutes from last meetings:

Minutes from SSTC Call on 24 August 2010:

http://www.oasis-open.org/apps/org/workgroup/security/email/archives/201008/msg00061.html

**  motion to approve from Nate, second JohnB, no objections.


4. AIs & progress update on current work-items:

   (a) Current electronic ballots: None.

   (b) Status/notes regarding past ballots: None.

   (c) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as a CS
       - Status: Thomas has asked Mary for CS edition to be
                 created and published. (2 Sept)

   (d) SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
       - Status: Thomas has asked Mary for CS edition to be
                 created and published. (2 Sept)

**  AI:  Nate will update wiki to reflect current state of these documents.

   (e) Kerberos related items. [Josh/Thomas]
       - Kerberos Attribute Profile:
       - AI: Josh/Thomas will suggest additions to Attribute Profile.

Item still outstanding to deal with reference to Internet Draft document,
this is still TBD.

   (f) SAML V2.0 Identity Assurance Profiles, Version 1.0
       - Status: Now in 15-day review. (Closes 10 Sept)

   (g) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0:
       - Status: now in 60-day public review. (Closes 13 October)
       - Any updates?

   (h) Service Provider Request Initiation Protocol and Profile Version 1.0
       - Status: now in 60-day public review. (Closes 13 October)
       - Any updates?

No comments observed so far.  Scott says there are errors in examples in
one of the docs, he will fix.

   (i) NSN Attribute Management proposal (Thinh/Phil) - any updates?

Discussion:
Thinh:  [explains telephony use case]
Scott:  still don't understand use case from security point of view,
   seems to compromise security of SSO
Thinh:  what if IdP doesn't want to give federated ID to SP?
Scott:  then it's an error, or use some other ID as an attr or nameID
   doesn't seem like there's a unique requirement here
   raised before as "SP lite" scenario, ie no state maintained at SP
GeorgeF:  SP doesn't want federated ID, but why?
Thinh:  could be just a limitation of SP, an old architecture
[more discussion of use case ...]
GeorgeF:  seems like NameIdentifier Management Protocol covers this case
Scott:  though this still doesn't remove mapping burden from SP
Ari:  if the SP is really proxying IdP, this case could apply ...
Ari:  could SP send persistent opaque nameID in request?
Scott:  sure, not typically done, but OK
   this is more about changing what IdP implementations do than creating
     new protocol
GeorgeF:  as an IdP implementor, this would be a change ...
Scott:  could be possible use for AllowCreate flag in request ...
[more discussion ...]
Thinh:  will look at these suggestions, will modify draft with Phil

   (j) SOA-TEL Token Correlation Profile  (Federico/TI) - any updates?

Federico:  new version uploaded today, with several modifications
   and a use case in appendix to better motivate profile
   also contains some embedded questions ...
Thomas:  let's discuss new version on next call
Scott:  seems like this is just delegation, handled by existing protocol
   so no new feature needed
   this is the delegation-condition specification, which includes
     motivating cases
Federico:  some constraints in the stated case ...
Scott:  end result is the same, if it's going to be secure
Federico:  can we discuss on list?
Scott:  sure

5. New work items:
    - Project Moonshot (potential new work item)

Josh not on call to discuss

6. Next Call: Tuesday 14 September, 2010.

**  Actually 21 September, not 14.


