Subject: Corrected Minutes for SSTC Telco (June 25th, 2013)
SAML TC Call Meeting Minutes
Tuesday June 25, 2013

1. Roll Call & Agenda Review.
No changes suggested.

Company                        Name                 Role
Internet2                      Scott Cantor         Secretary
Individual                     Rainer Hoerbe        Member
Internet2                      Nathan Klingenstein  Chair
Covisint, a Compuware Company  Chad La Joie         Voting Member
Oracle                         Hal Lockhart         Secretary
Red Hat                        Anil Saldhana        Secretary
Internet2                      Ian Young            Observer

Voting Members: 5 of 9 (55%) (used for quorum calculation)
Quorum Achieved.

2. Need a volunteer to take minutes.
- Rainer takes minutes.

3. Approval of minutes from previous meeting(s):
- Minutes from SSTC Call on 11 June 2013: Chad moved, Anil seconded, no objections. Approved.

4. AIs & progress update on current work-items:

(a) Current electronic ballots: (none)

(b) Status/notes regarding past ballots: (none)

(c) SAML 2.1 work (Chad)
Chad discusses the responses to the mail on the structure for 2.1.
Scott’s response regarding Security & Privacy considerations. It is not included in the list because the discussion on previous calls had gone back and forth on what the representation should look like. Incorporated in other docs, separate docs, not at all. Should it be completely redone?
Scott: I support the idea to put the information into the actual sections in the profiles, because it is difficult to evaluate the considerations on a more abstract level. There may be a few exceptions, e.g. signature and encryption.
Nate: Some deployers are interested in the security considerations, and that would be more useful in the context, not in an overarching document.
Chad agrees with that view, Sal asking for clarification.
Chad: The idea is to get rid of the current document and move its contents plus new stuff into the other documents. A big recipient would be the profiles documents, but some could go to core or bindings. Locate security issues near definition of relevant components of the spec.
Sal: Would like to see a review. I have a sense that there are a lot of overarching issues.
Chad: Scott, would you be willing to do this, because I know that you have a number of concerns and thoughts about the current security considerations document.
Scott: Do not know how much time I can afford, but I could probably do the review of what goes where. (Nate quickly assigned an AI)
Chad: Next item from Scott’s list. Should we continue maintaining it, move XACML binding to the XACML group, or kick it out altogether?
Nate: We do not have procedures for cooperating with specific specs. I would prefer to move it somewhere, as otherwise I see stuff like OAuth2 SAML binding etc. would come up to be added.
Chad: Agree. What if the XACML TC does not want to take it over, shall we keep it?
Sal: Do we have any revisions pending?
Chad: I have no idea, and we are not necessarily the people to decide that.
Sal: I doubt that the XACML TC has to do a lot with the document. SAML compatibility beyond what already exists might not be their priority. Let me take a look at the document and put the item on the agenda next time (Nate assigned AI).
Chad: Next item in Scott’s list: Put in some wording about practical use of Authentication Context in the SSO document. Seeing the dev list this makes sense.
Next: Rainer’s question about MD extensions: There is a list on the wiki with extensions that are planned to be included, like IOP. When we start editing the documents we can discuss what shall be in and out.
Nate: I like the idea to pull in extensions: Are any of these mandatory?
Chad: In the aim of backwards compatibility these extensions will stay optional, no MUST. In particular extensions will remain in their existing XML namespaces, so no existing products will break.
No other comments about the proposed list of documents.
Is the TC OK to request an initial set of templates to TC Admin, except the security considerations, which might be done later? Nate agrees, no objection. Chad will request the templates.
Sal: About the AI I just accepted: Is this chapter 8.5 of the profile document? The XACML text is a sub chapter of the profile doc? Do you have plans for the other chapters like X.500, UUID?
Chad: XACML stood out, there is an OASIS TC. Moving other items did not appear appropriate.

(d) Conceptual/overview of Metadata (Rainer Hoerbe): No updates.

(e) SAML ECP (Scott) - In 30-Day Public Review
https://lists.oasis-open.org/archives/security-services/201305/msg00017.html

(f) Channel Binding Ext (Scott) - In 30-Day Public Review
No further comments have been received.
Scott: There is an insignificant issue in the schema file, I see no need to take care. I would be fine to ask for a ballot to approve going from working draft to committee spec. Do we have to do a full ballot?
Nate: No idea.
Sal: Will check... It looks like it is sufficient to have a single majority vote if there was no change from WD to CS.
Scott moved, Chad seconded, no objections.
Scott moved to request ballots to move the following CSPRD drafts to Committee Spec:
http://docs.oasis-open.org/security/saml/Post2.0/saml-channel-binding-ext/v1.0/csprd01/saml-channel-binding-ext-v1.0-csprd01.zip
http://docs.oasis-open.org/security/saml/Post2.0/saml-ecp/v2.0/csprd01/saml-ecp-v2.0-csprd01.zip
No comments were received during the review period for either document set, per:
https://lists.oasis-open.org/archives/security-services/201306/msg00013.html
Chad seconded, no objections, motion passes. Scott will request the ballots.

(g) XSPA updates (Mohammad Jafari)
Mohammad: No update.
Nate: Item 4g: Update on XSPA? Mohammad not on the call, we will keep it on the agenda.

(h) SAML Token Profile for ebMS (Ian Otto / Australia)
Ian: Working on an updated draft with some clarification information, contents of the document are basically the same. Will post it to the list.

5. Assorted mail items:
- Error in TimeSyncToken authn context class schema
https://lists.oasis-open.org/archives/security-services/201306/msg00006.html
Sal: If we cannot fix it, we can put it in errata.
Scott: It is not impossible to do, but I do not know the use case. It does not prevent you from overwriting the property.
Nate: Can it be fixed on 2.1?
Scott: No. Only with a new AuthnContextClass. That would create more confusion than it would fix.
Nate: Invite Rob to a call and discuss the options.
Sal: Would prefer to discuss it on the list.