Proposed Minutes for SSTC Telecon (26 November 2013)

[Nate Klingenstein <ndk@internet2.edu>]

> 1. Roll Call & Agenda Review.
> 
> 2. Need a volunteer to take minutes.

Nate volunteered.

> 3. Approval of minutes from previous meeting(s):
> 
>   - Minutes from SSTC Call on 29 October 2013:
> 
> https://lists.oasis-open.org/archives/security-services/201311/msg00001.html

Chad moved for approval of the minutes and Mohammad seconded.  There were no objections and the minutes were adopted.

>  (c) SAML 2.1 work (Chad)
>      - SAML2.1 wiki:
>        https://wiki.oasis-open.org/security/SAML2Revision
> 
>      - Chad's list:
>        https://wiki.oasis-open.org/security/SAML21
> 
>      - Sample ToC for an SSO Profile:
>        https://wiki.oasis-open.org/security/SAML21ExampleProtocol

The only document in the folder that SSTC members should care about right now is the SSO profile document, which contains simply cut-and-pasted material from the 2.0 Core and 2.0 Profiles documents.  The goal is simply to get a feel for what the new profiles as individual documents would look like.  There's a lot of wording that needs to be cleaned up, de-duplicated, and so forth.

The feedback that Chad is looking for is whether the SSO profile first draft roughly "feels right" and whether it feels as if it would generalize cleanly to handle other profiles such as logout and attribute query.  It's also important to consider whether it would feel right to a fresh implementer looking at the drafts for the first time.

As a working draft, it's fine to upload files however you want, but beyond working draft it's likely that they will require that the multipart specification be bundled as a single .zip file.  That fits with what Chad and the SSTC prefer as well.

>  (d) Conceptual/overview of Metadata (Rainer Hoerbe)
>      - Further Steps thread. Any updates?
> 
> https://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=50362

Rainer has no updates yet and it will take him a few weeks to get to it, but he would like to retain the agenda item.

>  (e) XSPA updates (Mohammad Jafari)
>     - Any updates?

There is nothing new to report from XSPA for the SSTC.  Mohammad doesn't see any updates coming down the pipe in the near future, but he's happy to keep the item on the agenda as a bookmark for future progress.

>  (f) SAML Token Profile for ebMS (Ian Otto / Australia)
>      - Currently 30-day Public Review for SAML Conformance Clause for AS4/ebMS V1.0.
>      - SSTC members please review.
> 
> https://lists.oasis-open.org/archives/security-services/201310/msg00002.html

Ian didn't make the call.

>  (g) AuthN Context (Rob Philpott)
>      - Deprecation issue
>      - chairs to ping Rob.

Rob will be pinged again to see if he wants to continue to flog this particular horse.  If he isn't interested, then this agenda item will be removed.

>  (h) Folding SAML.XML.ORG material into SAML/SSTC site.

Thomas did email Robin a couple times about this issue but never got a response.  Something was done about the spam filter in response to that, but Scott wants to look at shutting saml.xml.org down completely and moving the content to the SSTC wiki and the proper OASIS site.  A redirect would be placed from saml.xml.org to the Wiki.

Nobody was in favor of the site remaining as it is and Hal suggested the chairs write to Carol, Dee, and Chet expressing our preference for a single authoritative place where we can store correct, up-to-date information.

> 6. Other items:
>  - Amazon AWS now supports SAML-based SSO:
> 
> http://aws.typepad.com/aws/2013/11/aws-identity-and-access-management-using-saml.html

Huzzah.  We look forward to Amazon evolving their implementation for maximum interoperability.

> 7. Next SSTC Call:
>   - Tuesday 10 December 2013.
>   - Propose we cancel SSTC call on 24 December due to Christmas.

Everyone agreed that the SSTC call on 24 December should be cancelled.  We'll speak to you on December 10, and then early next year.  Happy holidays.