Subject: Proposed Minutes for SSTC Telecon (Tuesday 3 May 2011)
With a number of identity meetings concurrent with this call, quorum was not achieved.
Nate volunteered to take the minutes.
Bob Morgan reported that he's lost the file that contained the minutes for this call. Nobody was sure what the correct path of action was in such an event, but Hal thought it was best to try to recreate the minutes from the memories of individuals. If that was not successful, then Abbie recommended at least noting that the minutes were lost. [AI] Thomas will try to spearhead this recreation.
Without quorum, no vote was possible on these minutes.
Hal updated the token profile after the review closed; only Paul Knight commented on the document. A response was posted to him on the comments list, and Hal uploaded a new working draft including a diff with all the changes. Paul's changes all involved typos or clarifications to existing text. Hal also placed the current voting membership into the draft and fixed a missing slash in the schema. He had hoped to vote for a CD and public review, but since there was no quorum, he had to wait.
Rather than wait for quorum, Hal suggested an electronic ballot (single or multiple, not clear) might be a better path, but the SSTC couldn't vote for the chairs to create such a ballot anyway. Hal believed there was a procedure adopted long ago allowing chairs to create substantive ballots for the SSTC to vote on. A 7-day ballot for a CSD and a 15-day public review would be of value because it would be able to close prior to the next call. Thomas wanted to move things along, so he will go ahead and post an electronic ballot asking for those two procedural motions in a single vote.
[AI] Hal will write up the text for that motion and send it to the SSTC mailing list, and then Thomas will use the text to create a ballot.
Franz-Stefan split the original document sent to the SSTC, extracting the SAML-specific part and placing it in the template he received from Robin. The format is now correct. Fewer comments have been received from the SSTC and its lists, but more comments have been received from the XACML working groups. He's now integrating those comments into the text.
The changes proposed in the XACML TC were, again, to not allow multiple predicates in a single statement, instead issuing a separate query for each attribute.
They also suggested that, rather than replying to a predicate query with a statement that repeats the exact predicate, a flag should be available in the request indicating whether the entire predicate should be repeated or not. Otherwise, just a yes/no as to whether the predicate still holds will be sent.
Finally, there are status codes described in the response from the SAML authority for the different outcomes of a predicate query. If a predicate does hold, a standard SAML success response code is returned. However, it's not clear what should be returned if the IdP or other authority does know all the attributes in the query, but the predicate doesn't hold. SAML's current status codes do not include an appropriate code for that, so they intend to introduce a new status code. Franz-Stefan was curious which namespace should be used, and Hal recommended an OASIS namespace be used in the existing URN-style pattern.
In situations where the IdP/SAML authority has the information to know whether or not a predicate holds, and it knows the predicate doesn't hold, it's unclear how much information should be returned to the party issuing the predicate request. Is there a response that it doesn't hold, or a response that it's indeterminate, or are errors specifically reported, or is no response returned at all? They could introduce new status codes for all those situations, or they could define only a success code. This is intended to limit the amount of information available for improper inference by attackers. SAML core allows authorities to suppress information that may be considered leaking of privacy or security information, so no matter how the codes are defined, authorities should be free to decide whether to release the codes. Having the codes defined could still be of use for debugging, or for authorities that do want to provide this information. Advice could be given here, or in the conformance section, or in the security considerations section.
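The disclosure trade-off discussed above can be made concrete with a small model of a predicate-answering authority. This is an added example written for these minutes, not text or code from the SSTC or the profile draft: only the SAML 2.0 Success status URI is real; the other two status URIs, the query/response shapes, the "repeat predicate" flag and the sample directory are constructed placeholders, since the profile had not yet chosen names. The point it shows is that when the authority reports "does not hold" and "indeterminate" as distinct codes, a requester can narrow a subject's attribute value by probing; collapsing every non-success outcome into one code closes that channel.

```python
"""Model of a SAML-style predicate authority choosing how much to disclose.

Constructed example; the status URIs below other than SAML 2.0 Success are
hypothetical placeholders, not values from any OASIS specification.
"""
from dataclasses import dataclass
from typing import Any, Dict, Optional

SAML_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"   # real SAML 2.0 code
# Hypothetical codes (assumption) standing in for the new code under discussion.
PREDICATE_FALSE = "urn:example:status:PredicateDoesNotHold"
INDETERMINATE = "urn:example:status:Indeterminate"


@dataclass
class PredicateQuery:
    subject: str
    attribute: str
    op: str                      # one predicate per query: "==", ">=" or "in"
    value: Any
    repeat_predicate: bool = False   # the flag proposed by the XACML TC


@dataclass
class PredicateResponse:
    status: str
    predicate: Optional[str] = None  # echoed only if the requester asked for it


def render(q: PredicateQuery) -> str:
    return f"{q.attribute} {q.op} {q.value!r}"


def evaluate(attrs: Dict[str, Any], q: PredicateQuery) -> Optional[bool]:
    """True/False when the authority can decide; None when it lacks the attribute."""
    if q.attribute not in attrs:
        return None
    actual = attrs[q.attribute]
    if q.op == "==":
        return actual == q.value
    if q.op == ">=":
        return actual >= q.value
    if q.op == "in":
        return actual in q.value
    raise ValueError(f"unsupported operator {q.op!r}")


def answer(directory: Dict[str, Dict[str, Any]], q: PredicateQuery,
           disclose_failure_reason: bool) -> PredicateResponse:
    """Answer one predicate query under a disclosure policy.

    disclose_failure_reason=True  -> distinct codes for "false" and "unknown"
                                     (useful for debugging, leaks via probing)
    disclose_failure_reason=False -> every non-success outcome looks the same
                                     (the suppression SAML core permits)
    """
    result = evaluate(directory.get(q.subject, {}), q)
    if result is True:
        echoed = render(q) if q.repeat_predicate else None
        return PredicateResponse(SAML_SUCCESS, echoed)
    if not disclose_failure_reason or result is None:
        return PredicateResponse(INDETERMINATE)
    return PredicateResponse(PREDICATE_FALSE)


def probe_distinguishes(directory, subject, attribute, low, high, disclose):
    """Can a requester tell 'attribute in [low, high)' from 'attribute unknown'?

    Returns True if the two probes yield different status codes, i.e. the
    requester learns a bound on the value rather than just 'not proven'.
    """
    above_low = answer(directory, PredicateQuery(subject, attribute, ">=", low), disclose)
    above_high = answer(directory, PredicateQuery(subject, attribute, ">=", high), disclose)
    return above_low.status != above_high.status


# Constructed sample directory for demonstration (not real data).
DIRECTORY = {"alice": {"age": 34, "role": "staff"}}

if __name__ == "__main__":
    q = PredicateQuery("alice", "age", ">=", 18, repeat_predicate=True)
    print(answer(DIRECTORY, q, disclose_failure_reason=True))
    print("verbose policy leaks bound:",
          probe_distinguishes(DIRECTORY, "alice", "age", 18, 65, True))
    print("minimal policy leaks bound:",
          probe_distinguishes(DIRECTORY, "alice", "age", 18, 65, False))
```

With the verbose policy, `age >= 18` succeeds while `age >= 65` returns the "does not hold" code, so the requester learns that Alice's age lies between 18 and 64 even though it only asked a yes/no question; with the minimal policy the second probe returns the same indeterminate code as a query for an attribute the authority has never heard of, which is the suppression behaviour the discussion above leaves to the authority's discretion.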
There's a section at the end of the document called "conformance", and Franz-Stefan is curious what conformance would entail. First, sections and chapters need to be labeled normative or non-normative, including RFC 2119-style language. If this is done well, then the conformance section can be written as, "A conforming application of so-and-so implements all of the mandatory features of the normative sections." It also needs to be decided whether there's only one way to conform, or whether there are different ways to conform for different actors in the flows, etc.
All these changes will be integrated into new drafts, which Franz-Stefan hopes to upload as a conforming WD-01 prior to the next call. The OASIS TC process describes which attributes a document is allowed to have, and there are materials with checklists that can help Franz-Stefan understand the procedural side of the OASIS world. Generally, though, it's good to fix as much as possible prior to moving to CSD.
The attribute profile also needs a quorum vote, like the Session Token Profile, but there are no imminent time pressures. Thomas will wait for the next SSTC meeting to see whether quorum is achieved, and if not, he will submit an electronic ballot then.
Thinh has received only one comment which involves mostly editorial changes to the document itself. Thinh will post the comment resolution and an updated version of the document to the Post-2.0 Committee Draft folder. He'll do so as soon as the public review closes.
When this draft was created as a CSD, there were numerous images included in the document in the ZIP file for the HTML version. These need to be included in the ZIP file in the future. Hal prefers to post the editable form and PDF as individual documents, with a separate ZIP file for the HTML version. Also, as a public review requires that a ZIP contain everything, a second, enclosing ZIP for everything should be created at that point.
Scott wasn't on the call.
Chad hasn't received any word from Robin on the status of the CSD creation request. [AI] Thomas will check Robin's to-do list.
Scott posted a new SECURITY-11 item that is fairly trivial. Nobody had any comments on the additional proposed errata, but without quorum, no vote could be made to approve it.
Hal received an email that he forwarded to the SAML and XACML groups, wherein the ITU-T has decided to adopt some of the SAML and XACML documents and assign them identifiers in the ITU-T nomenclature. Abbie can probably provide more information, but had dropped off from the call by this point.
We look forward to talking to you then.