Provisional Minutes for SSTC Call (15 November 2011)

[Nate Klingenstein <ndk@internet2.edu>]

Via Gregory and Franz-Stefan and slightly touched up by yours truly, here are the provisional minutes for the 15 November 2011 SSTC Conference Call.  Thanks to them for taking the minutes, and thanks to all for attending.

> AGENDA:
>
> 1. Roll Call&  Agenda Review.
>
> 2. Need a volunteer to take minutes.

Gregory Neven was volunteered.

> 3. Approval of minutes from last meetings:
>
>     Minutes from SSTC Call on 18 October 2011:

Hal moved to accept the minutes, Scott seconded. No objections. Minutes approved.

> http://lists.oasis-open.org/archives/security-services/201110/msg00012.html
>
>     Minutes from SSTC Call on 1 November 2011:

Hal moved to accept the minutes, Scott seconded. No objections. Minutes approved.

> http://lists.oasis-open.org/archives/security-services/201111/msg00010.html
>
>
>
> 4. AIs&  progress update on current work-items:
>
>    (a) Current electronic ballots: (none)
>    (b) Status/notes regarding past ballots: (none)
>
>    (c) Session Token Profile (Hal)
>        - Status: Hal already submitted request for CSD and 15-day PR.
>        - Status: 15-day PR ended.  Two minor comments received.
>        - Status: CS Ballot Request done (#744)

Thanks for voting, please vote on next ballot.
Anil will check to make sure whether roster is correct.

> http://lists.oasis-open.org/archives/security-services/201111/msg00022.html
>
>
>    (d) Attribute Predicate Profile (Gregory/Franz-Stefan)
>        - Status: 30-day PR from 15 Oct to 14 Nov 2011.
>        - Any updates?
>
> http://lists.oasis-open.org/archives/security-services/201110/msg00008.html
>

Franz-Stefan: 30-day public review just closed without comments.

Franz-Stefan makes a motion to create a CS ballot to advance the Attribute Predicate Profile CSPRD01 to CS status.
Hal seconds. No objections. Motion approved.
Franz-Stefan and Gregory will create the ballot request.

Hal: You need to post a summary of comments and changes (i.e., none) to the list and reference that in the TC admin request.

>    (e) Kerberos Web browser SSO Profile (Josh/Thomas)
>        - Status: CS publication delayed due to error found in normative
>          reference and in schema file.
>        - AI:
>          o Fix schema and normative reference.
>          o Need to obtain approval as Committee Spec Draft.
>          o Then will start new 15-day PR.

Thomas:
Two documents published, third stuck because xsd file is empty/blank.
Didn't change since Feb 2010.
Will pull back this draft and resubmit to sstc.

Scott: Schema is part of spec, so cannot have a normative reference, as maturity level would be wrong.  Also, you may need to update the acknowledgements.

>    (f) Change Notify Protocol Version 1.0 (Thinh/Phil)
>        - Status: Committee Specification creation requested.
>        - Status: Tickets TCADMIN-696 - in process.

Thinh: Nothing to add.

>    (g) Channel binding proposal (Scott)
>        - Status: awaiting other items in other groups.
>        - Any updates?
>
>
>    (h) Enhanced Client or Proxy Profile (Scott)
>        - Status: work waiting for items in IETF Kitten WG.
>        - Any updates?

Scott: Both being held in draft for more experience being gained in implementation projects going forward.

 

>    (i) Metadata Extensions for Documentation/Registration (Chad)
>        - Status: 15-day PR from 3 Oct to 2 Nov 2011.
>        - Status: one comment was received during PR period.
>        - AI: will revise document.
>
>

http://wiki.oasis-open.org/security/PublicComments20111003-20111102.

Chad:
Public review closed.
Some minor comments and typos.
Will fix and upload new WD.
Currently in limbo, may decide to keep it there for a while to get implementation experience, or may decide to press ahead with publication.

>    (j) Metadata Extensions for Login and Discovery User (MDUI) (Scott)
>        - Status: 30-day PR from 14 Oct to 13 Nov 2011.
>        - Status: One comment has already been received.
>
> http://wiki.oasis-open.org/security/PublicComments20111014-20111113

Scott:
Changes in response to comments.
Some implementations already out there in the field, which is a practical constraint on the magnitude of changes we can easily make now.
Try to have a revised edition done in near future.
Next step will be WD with the changes.

>    (k) SAML2.0 Approved Errata
>         - Status: wd-54 uploaded (Scott).

Scott:
Received couple more errata, will add those before going back through review.
Intend to move this forward before or around end of year, especially in light of possible security vulnerabilities in existing implementations.
Red lines are getting crowded; would we want to go to SAML 2.1 in 2012?
May be better than piling up errata.

Nate: Not sure we want to change the actual minor version in the protocol, but makes sense to make it easier for implementers to read spec & errata.  Prefers SAML 2.0.1.

Scott: Compatibility is a must.  Security considerations also needs considerable revision, somewhat out of date.  We might also want to significantly revise conformance requirements, and that may take some time and thought.

Hal: Would be useful to have a security considerations markup document (without official status) with sections that need fixing.

Nate: I'd like to offload as much potential 2.0.1 work as possible from Scott, and that's one way to do it.

> 5. Assorted mail items:
>
> 6. Other items:

New agenda item: Clock Skew

Scott:
Periodically receive complaints of implementations that don't allow clock skew.
Personally feel this is implementation guidelines material, but e.g. Kerberos mentions it in standard.
Suggest to propose errata to address this.
Opened issue and proposed resolution adding text to beginning of document about dates and times, plus callback into Conditions and SubjectConfirmation.

Nate: Change proposed text to include "should be configurable." Give people 2 weeks to comment on that.

http://tools.oasis-open.org/issues/browse/SECURITY-15

> 7. Next SSTC Call:
>     - Tue 29 November 2011.