Subject: RE: Proposed Minutes for SSTC Telecon (21 January 2014)
Adding Roll-Call (21 Jan 2014)

Scott Cantor
Thomas Hardjono
Mohammad Jafari
Nathan Klingenstein
Chad La Joie
Hal Lockhart
Anil Saldhana
Ian Young

Quorum was achieved.

________________________________________
From: Nate Klingenstein [email@example.com]
Sent: Tuesday, January 21, 2014 12:30 PM
To: OASIS SSTC
Cc: Thomas Hardjono
Subject: Proposed Minutes for SSTC Telecon (21 January 2014)

> 3. Approval of minutes from previous meeting(s):
>
> - Minutes from SSTC Call on 7 January 2013:
>
> https://lists.oasis-open.org/archives/security-services/201401/msg00002.html

Mohammad moved for the approval of these minutes. Hal seconded and there were no objections. The minutes were adopted.

>
> 4. AIs & progress update on current work-items:
>
> (a) Current electronic ballots: None.
>
> (b) Status/notes regarding past ballots: None.
>
> (c) SAML 2.1 work (Chad)
> - SAML2.1 wiki:
> https://wiki.oasis-open.org/security/SAML2Revision
>
> - Chad's list:
> https://wiki.oasis-open.org/security/SAML21
>
> - Sample ToC for an SSO Profile:
> https://wiki.oasis-open.org/security/SAML21ExampleProtocol
>
> - AI for everybody: please review SSO profile draft & give feedback.
> (This will be part of a multi-part specification).
>
> - Thematic profiles from Chad:
> https://lists.oasis-open.org/archives/security-services/201312/msg00004.html
>
> - Scott to own non-browser authentication document

No updates from Chad, who had not sent the question to TC admin about document renaming and refactoring. He did send out that question this morning but has not received word back.

Scott had nothing to add; this is a future action that is contingent on development of the Web Browser SSO document.

> (d) Conceptual/overview of Metadata (Rainer Hoerbe)
> - Further Steps thread. Any updates?
>
> https://www.oasis-open.org/apps/org/workgroup/security/document.php?document_id=50362

Rainer was not on the call, but he uploaded a new revision of the conceptual overview of metadata.
We'll keep this on the agenda and ask people to review the new version for the next call.

> (e) XSPA updates (Mohammad Jafari)
> - Any updates?

There was a meeting on the past Friday that included a motion that work begin on some profiles. One of those profiles is the SAML profile for XSPA. Right now, the decision to undertake the work is all that has been done, but Mohammad will share drafts with the SSTC once there has been enough substantive progress.

Most of the work will be on attribute vocabulary, which is not really impacted by the edition of SAML from 2.0 to 2.1. SAML profiles don't define any particular attributes; SAML's primary philosophy was to recommend how attributes from other specifications such as LDAP should be represented as SAML attributes.

> (f) Folding SAML.XML.ORG material into SAML/SSTC site.
> - Scott has created updated front page.
>
> https://wiki.oasis-open.org/security/FrontPage

Scott has already notified OASIS staff that this work is done, but Thomas will follow up with another message to encourage progress.

Colin Wallis from the Government of New Zealand forwarded an email from Jamie Clark of OASIS that had a set of slides from a recent IDESG meeting in which the NSTIC-funded pilots reported back on their progress to date. There were a few slides in one of the presentations that contrasted the behavior of SAML and OpenID Connect, such as where attribute requests are determined and how relationships are established.

The question Hal has is whether there are any recommendations in those slides that would encourage us to improve SAML. There would be analysis of the slides' contents to see if we can find any suggestions that would be acceptable that could improve SAML. Thomas would like everyone to review the Daon slides in which these comparisons and recommendations occur, linked to in the earlier email, in preparation for this discussion.

Scott feels that the slides focus more on policy and business issues rather than technical issues.
Chad wasn't clear what they were trying to say with the distinction between the credential provider/verifier "thing" and the identity provider/verifier service. Chad would like to better understand the intended roles of those things.

> 7. Next SSTC Call:
> - Tuesday 4 February 2014

We look forward to speaking to you then.