
security-services message



Subject: Draft Minutes for SSTC Conference Call Tuesday 14 May 2013, 12:00pm ET


Draft Minutes for SSTC Conference Call
Tuesday 14 May 2013, 12:00pm ET

> AGENDA:

> 1. Roll Call & Agenda Review.

Scott Cantor
Thomas Hardjono
Mohammad Jafari
Chad La Joie
Mark Lambiase
Anil Saldana

Quorum achieved.


> 2. Need a volunteer to take minutes.

Mark volunteers.


> 3. Approval of minutes from previous meeting(s):
>   - Minutes from SSTC Call on 16 April 2013:
>   - Minutes from SSTC Call on 30 April 2013:
> https://lists.oasis-open.org/archives/security-services/201305/msg00000.html

Chad moves to accept the minutes for both meetings, Mohammad seconds.  No objections.
Motion to approve both meetings' minutes is approved.


> 4. AIs & progress update on current work-items:
>  (a) Current electronic ballots: (none)

None.


>  (b) Status/notes regarding past ballots: (none)

None.


>  (c) SAML 2.1 work (Chad)
>      - SAML2.1 wiki:
>        https://wiki.oasis-open.org/security/SAML2Revision
>
>      - Chad's list:
>        https://wiki.oasis-open.org/security/SAML21
>
>      - Sample ToC for an SSO Profile:
>        https://wiki.oasis-open.org/security/SAML21ExampleProtocol

Chad:  The email contains a recommendation on how to take the current and new profiles and basically split them up in a way that (hopefully) lumps like things together.  A couple of statements at the end inviting discussion or comment.
Thomas:  Will SAML core stay?
Chad:  Yes.  Basic processing rules that will cut across everything will stay in core.  Section 3, beginning of the protocol section, a number of those items that are profile specific will move to a profile document.  All of the things that cut across profiles will remain in the core.
Scott:  Would it make sense to move some of that stuff into the binding documents, and turn the core documents into assertions?
Chad:  The goal was for someone trying to implement to be able to pick up the relevant document and have a complete source of information, rather than having to parse multiple documents to get a full picture of how to implement.
Does it make sense to have it as a separate document, and have the ability to update it separately, rather than having to update the core specification or write errata?
Scott:  Based on the history of limited updates, it may make sense to keep it in core.


>  (d) Conceptual/overview of Metadata (Rainer Hoerbe)
>      - Any updates?
>        http://files.hoerbe.at/daunlod/eadocx-quickdoc.pdf

Rainer is not on the call.  Topic deferred.


>  (e) SAML ECP (Scott)
>      - Scott seeking CD approval for SAML ECP.
>      - Note:  WD has been uploaded
> https://lists.oasis-open.org/archives/security-services/201304/msg00007.html

Scott:  uploaded a new version.  ECP assumes not knowing the IdP ahead of time.  Added a feature to allow requesting of delegation.  Otherwise the other material was not touched, except for some cleanup.  A typo is noted, but it is not normative and does not warrant a new draft.
Channel binding extensions, working draft 6, uploaded April 8.
ECP 2.0 draft 8, uploaded last night.
Scott:  Motion to move those to committee draft.
Chad seconds.
No discussion or objections.  Motion passes.
Scott made a motion to move the drafts to initial public review (30 days).
Chad seconds.
No discussion or objections.  Motion passes.


>  (f) XPA updates (Mohammad Jafari)
>     - Any updates?

Mohammad: Meeting tomorrow at 1pm EDT.  All are invited to join XPA.
No other items.


>  (g) Updating SAML.org
>      - Thomas to contact Chet


>  (h) Sending "hints" about subject name in SAML AuthN Request
>      - IIW Discussion

Thomas:  Mike Jones (Microsoft) convened a session on how to provide 'hints'; user hitting RP, when RP asks for username it may be the case that the user is using a different name than the subject (maybe an alias).  How do you simulate this when using SAML?
Chad:  Isn't that the point of the name/ID mapping, to keep track of those things?
Scott:  Not sure I understand what they are wanting.  
Thomas:  If the IdP returns the wrong name...
Scott:  They don't want that to be an error.  They are speaking of personas.  The subject matching rules are not what they are in SAML.
Thomas + Scott:  this could be solved in an extension.
Scott:  Either the feature exists or an extension is required...  There seemed to be some talk that extensions break backward compatibility, but then how do you move forward and add functionality?


> 5. Assorted mail items:
None.

> 6. Other items:
>    - IIW in May.
Scott noted that implementers should be aware of work being done in the XML signature space.

> 7. Next SSTC Call:
>   - Tuesday 28 May 2013.

