Subject: Draft Minutes for SSTC Telecon (20 August 2013)
> AGENDA:
>
> 1. Roll Call & Agenda Review.

TBD

> 2. Need a volunteer to take minutes.

Chad taking notes

> 3. Approval of minutes from previous meeting(s):
>
> - Minutes from SSTC Call on 6 August 2013:
>
> https://lists.oasis-open.org/archives/security-services/201308/msg00010.html

Mohammad moves to accept, Scott seconds. No objections, motion passed.

> 4. AIs & progress update on current work-items:
>
> (a) Current electronic ballots: None.

Ballot to approve SAML 2.0 Enhanced Client or Proxy Profile V2.0 is open at:
https://www.oasis-open.org/committees/ballot.php?id=2478

Everyone who hasn't, please vote.

> (b) Status/notes regarding past ballots: None.
>
> (c) SAML 2.1 work (Chad)
> - SAML2.1 wiki:
> https://wiki.oasis-open.org/security/SAML2Revision
>
> - Chad's list:
> https://wiki.oasis-open.org/security/SAML21
>
> - Sample ToC for an SSO Profile:
> https://wiki.oasis-open.org/security/SAML21ExampleProtocol

Nothing to report. Templates have been generated.

>
> (d) Conceptual/overview of Metadata (Rainer Hoerbe)
> - Further Steps thread. Any updates?

New document has been uploaded:
https://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=50362

Changes made in this version: cross-reference added to the end

Comments are welcome at this point. Hoping to have it included in the SAML 2.1 technical overview document. This document is not expected to become a standalone committee document. There may be an effort to rewrite the technical overview independent of SAML 2.1. The document may need to be split into two documents; one for deployers and one for implementers.

[AI] Rainer to work on incorporating his material into existing SAML 2.0 Technical Overview

> (e) XSPA updates (Mohammad Jafari)
> - Any updates?

XSPA plans on delay while IHE XUI work, which has a similar focus as XSPA, is evaluated. XSPA group thinking about how the two groups might work together or possibly harmonize their specs.

> (f) SAML Token Profile for ebMS (Ian Otto / Australia)
> - Any updates?
>
> https://lists.oasis-open.org/archives/security-services/201307/msg00024.html

Another draft is available at the ebMS TC site. Work is progressing in that TC. Some changes cover how SAML tokens are used for authn/z.

> (g) SAML ECP and CB (Scott)
> - SAML Channel Binding CS01 published
>
> https://lists.oasis-open.org/archives/security-services/201308/msg00007.html

Once the two documents are published, Scott will finalize the IETF docs and get them submitted.

> (h) AuthN Context (Rob Philpott)
> - Deprecation issue

Thomas is mostly concerned with backwards compatibility.

Rob: Marking them as deprecated doesn't affect compatibility.

Scott: Marking them as deprecated doesn't actually help you as it doesn't help convey the technical requirements of the tokens that initiated this discussion. If the existing classes don't do the job, you still have to create more classes.

Hal: Best approach would be to make a specific proposal.

Scott: Authn Classes are not related; no sub-typing of classes. This confusion seems to be the root of the confusion.

[AI] Rob to get additional information from the person who brought this up with him.

> 5. Assorted mail items:

None

> 6. Other items:

Hal: OASIS is trying to organize a call on security and identity in the cloud as it relates to Healthcare. If people wish to attend, contact Carol or look for his posting on the OASIS site.

Ian: Some SAML SPs are rejecting metadata with WS-Fed role descriptors. They are rejecting any "foreign" role descriptors. Is this normal?

Scott: This is allowed in the SAML spec. Without seeing a specific example it would be hard to say which side is really at fault. But conceptually there is no problem doing this.

Hal: This type of question is best posted to the list for discussion.

> 7. Next SSTC Call:
> - Tuesday 3 September 2013.