RE: [security-services] Proposed Agenda for SSTC Call on 5 October 2010

["Scott Cantor" <cantor.2@osu.edu>]

> AGENDA:
> 
> 1. Roll Call & Agenda Review.

George Fletcher	 AOL*	 Group Member	 
John Bradley	 Individual	 Group Member	 
Scott Cantor	 Internet2	 Group Member	 
Nathan Klingenstein	 Internet2	 Group Member	 
Bob Morgan	 Internet2	 Group Member	 
Thomas Hardjono	 M.I.T.	 Group Member	 
Thinh Nguyenphu	 Nokia Siemens Networks GmbH & Co. KG	 Group Member	 
Phil Hunt	 Oracle Corporation	 Group Member	 
Ari Kermaier	 Oracle Corporation	 Group Member	 
Hal Lockhart	 Oracle Corporation	 Group Member	 
Emily Xu	 Oracle Corporation	 Group Member	 
Federico Rossini	 Telecom Italia S.p.a.	 Group Member	

> 2. Need a volunteer to take minutes.

Scott volunteers.

> 3. Approval of minutes from last meetings:
> 
> Minutes from SSTC Call on 21 Sept 2010:
> 
> http://www.oasis-
> open.org/apps/org/workgroup/security/email/archives/201009/msg00051.html

Deferred, no attendance available.

> 4. AIs & progress update on current work-items:
> 
>   (a) Current electronic ballots: None.

Request for CS of LOA spec is in, no ballot yet.

>   (c) SAML V2.0 Holder-of-Key Web Browser SSO Profile Version 1.0 as a CS
>       - Status: CS created and published.
> 
>   (d) SAML V2.0 Holder-of-Key Assertion Profile Version 1.0
>       - Status: CS created and published.

Nate updated the wiki to reflect the latest versions. Will remove from
agenda.

>   (e) Kerberos related items. [Josh/Thomas]
>       - Kerberos Attribute Profile:
>       - AI: Josh/Thomas will suggest additions to Attribute Profile.

No updates, hopefully next week. Still working on the IETF side.

>   (f) SAML V2.0 Identity Assurance Profiles, Version 1.0
>       - Status: 15-day review closed on 10 Sept.
>       - Update: CS-Ballot was requested to Mary (Fri 1 Oct)

Ballot requested.

>   (g) SAML V2.0 Metadata Profile for Algorithm Support Version 1.0:
>       - Status: now in 60-day public review. (Closes 13 October)
>       - Any updates?
> 
>   (h) Service Provider Request Initiation Protocol and Profile Version 1.0
>       - Status: now in 60-day public review. (Closes 13 October)
>       - Any updates?

No comments as of yet. Should be covered by old TC process, so may be able
to skip review for (g) despite needing some fixes to examples.

>   (i) NSN Attribute Management proposal (Thinh/Phil) - any updates?

New draft 03 posted.
Thinh: focused on cleaning up SSO profile material in both SP and IdP
initiated cases (sec 4.1). Clarified use of the request/response messages
and required/optional content.

Also clarified assumptions in section 2.3. Some schema changes
or protocol material in this draft.

Still need work done on the back-channel flows.

Scott asked about the underlying use case for the SSO integration. An error
in the text on page 17 was noted, where it mentions an AuthnRequest and
should talk about an unsolicited response. Phil attempted to outline some
uses for signaling ahead of SSO. One that seemed mutually understandable was
to signal whether a full set of "initial" data would be needed by indicating
in the response from the IdP whether the user was already "known".

Phil notes that the ModifySubject flows cover the reverse flow where an SP
pushes data back into an IdP, not just the IdP->SP direction.

Phil also explained the need for a stronger notion of RetireSubject over and
above the defederation idea.

More discussion on possible use cases for combining NewSubject with SSO also
took place. There was definitely interest in use case discussion to help
people understand the business scenarios.

>   (j) SOA-TEL Token Correlation Profile  (Federico/TI) - any updates?

Federico still looking for a way to manipulate assertion content without
breaking the signature. He proposed a way to do this using XPath filtering
transforms, but Scott noted this is not allowed by SAML. Federico believes
this limitation is a problem for various use cases, but at the moment thinks
he can't solve his problem as a result.

>   (k) Channel binding proposal -- Scott.

No updates.

>   (l) Metadata extension for Login/Discovery -- Scott.

Shibboleth project is working on code for this, the Kantara ULX group has
been reviewing the work but has a broader mandate. Still some open issues
around relationship of new extensions to older metadata elements.

>   (m) Profile for Mandatory Credentials -- Federico.

Will be discussed on future call.

> 5. Assorted mail items:
>   - Enhancements to SAML for attribute assurance.

No discussion other than on list.

> 6. Other items:
>   - Any news from Oasis conference and IIW

No discussion.

> 7. Next Call: Tuesday 19 October 2010.