Subject: Minutes:Joint XRI & XDI TC Telecon 10AM PT Thursday 2007-08-23
Following are the minutes for the joint unofficial telecon of the XRI and XDI TCs at:

Date: Thursday, 23 August 2007 USA
Time: 10:00AM - 12:00PM Pacific Time
Event Description: Weekly unofficial joint call of the XRI and XDI Technical Committees.

ATTENDING

Wil Tan
Gabe Wachob
Drummond Reed

AGENDA

1) RESOLVER BEHAVIOUR FOR SAML TRUSTED RESOLUTION ERRORS

In working on his action item for ED03 Section 6.2.2, Wil had several questions about how SAML signatures are incorporated into XRDs. This turned into a very long investigation of the requirements for XML digital signatures as constrained by section 5.4 of SAML Core (http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf). The result was that we clarified the following:

* SAML constrains the use of XML Dsig to enveloped signatures, and says you SHOULD NOT perform any transforms (such as excluding elements from the XML document to be signed) other than: a) the "enveloped signature" transform, which allows you to exclude the signature itself, and b) a standard XML canonicalization transform specified in XML Dsig. (We made some minor wording changes in ED03 section 188.8.131.52 to clarify this.)

* This means that when saml=true in a resolution request and a signed XRD is returned, the Status element is part of the signed information and thus cannot be changed without breaking the signature.

* We then discussed what behaviour a resolver should implement if the SAML signature does not validate. If the resolver overrides the Status code to indicate a failed signature and then returns the XRD to the consuming application, the consuming application no longer has the original data it needs to know the original status or to do its own check on the signature (which may be useful for debugging).

* Our conclusion was to solve this problem by having the resolver add two new attributes to the Status element: originalcode and originalcontent.
The rule would be that:

a) *anytime* a resolver needs to override the server-provided Status code, the resolver MUST add the originalcode attribute with the original server-supplied status code, and

b) *anytime* a resolver needs to override the server-provided content of the Status element, the resolver MUST add the originalcontent attribute with the original server-supplied content.

# DRUMMOND to make this change in ED04.

2) SYNONYMS AND CID VERIFICATION IN XRI RESOLUTION 2.0 WD11 ED04

Considerable discussion on the email list resulted in two updated proposals for ED04:

http://wiki.oasis-open.org/xri/XriCd02/CanonicalIdVerification
http://wiki.oasis-open.org/xri/XriCd02/SynonymSemantics

We only had time for a short discussion of this topic. Key points:

* Wil would prefer not to need both EquivID and MapToID/MapFromID synonym elements, but does not have an answer as to how else to handle the different use cases.

* Drummond agrees with Wil, but has yet to come up with a better solution.

* Gabe does not currently have a strong preference.

* In email to the list, Steve suggested replacing MapToID/MapFromID with UseCID/AllowUseCID. This would provide very explicit semantics regarding identifier mappings that may be preferable to the current MapToID/MapFromID proposal.

# DRUMMOND to study this option and report back to the list.

* There is consensus that it is preferable to have an explicit status code for CID_NOT_PRESENT when cid=true but a CanonicalID element is not present in an XRD.

* There is also consensus that CanonicalID verification should be orthogonal to service endpoint selection and reference processing, and thus that cid=true should never change the XRDs that are returned; it should only affect the status messages returned for each XRD.

It was concluded that we need another call on this topic, when Les can attend (he was sick today).

# WIL AND DRUMMOND to schedule the call, ideally for Friday 8/24.
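To make the resolver behaviour from items 1 and 2 concrete, here is an added Python example. It is not code from the TC, from ED03/ED04, or from any XRI resolver. The signature check is a simplified stand-in for SAML/XML-DSig verification: a SHA-256 digest over the XRD serialized with its Signature element removed (the "enveloped signature" transform), with no XML canonicalization, key handling or SAML assertion. The override rule (originalcode / originalcontent) is the one recorded in item 1; the status codes 231 and 241 and the text INVALID_SAML_SIGNATURE are assumed for illustration only, as is the sample XRD.

```python
"""Resolver handling of a Status override on a signed XRD (illustrative example).

Assumptions: the signature check is a toy enveloped digest, not XML-DSig; the
override codes below are placeholders, not values from the XRI Resolution spec.
"""
import copy
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample XRD (namespaces omitted). Signature is a toy placeholder
# for ds:Signature in which only DigestValue is modelled.
SAMPLE_XRD = """<XRD>
  <Query>*example</Query>
  <Status code="100">SUCCESS</Status>
  <CanonicalID>=!1234.5678</CanonicalID>
  <Signature><DigestValue>{digest}</DigestValue></Signature>
</XRD>"""

# Assumed resolver-side codes; the minutes name CID_NOT_PRESENT but fix no number.
SIG_FAIL_CODE, SIG_FAIL_TEXT = "231", "INVALID_SAML_SIGNATURE"
CID_MISSING_CODE, CID_MISSING_TEXT = "241", "CID_NOT_PRESENT"


def enveloped_digest(xrd):
    """Digest everything except the Signature element (enveloped-signature
    transform). Status is inside the digest, so any change to it breaks the check."""
    scratch = copy.deepcopy(xrd)
    for sig in scratch.findall("Signature"):
        scratch.remove(sig)
    return hashlib.sha256(ET.tostring(scratch, encoding="utf-8")).hexdigest()


def make_signed_xrd(with_cid=True):
    """Server side: build the sample XRD and fill in its digest."""
    root = ET.fromstring(SAMPLE_XRD.format(digest="PENDING"))
    if not with_cid:
        root.remove(root.find("CanonicalID"))
    root.find("Signature/DigestValue").text = enveloped_digest(root)
    return root


def signature_valid(xrd):
    dv = xrd.find("Signature/DigestValue")
    return dv is not None and dv.text == enveloped_digest(xrd)


def override_status(status, new_code, new_content):
    """Rule from the minutes: whenever the resolver overrides the server-supplied
    code it MUST add originalcode; whenever it overrides the content it MUST add
    originalcontent. setdefault keeps the server's value if the resolver
    overrides more than once."""
    if status.get("code") != new_code:
        status.attrib.setdefault("originalcode", status.get("code", ""))
        status.set("code", new_code)
    if (status.text or "") != new_content:
        status.attrib.setdefault("originalcontent", status.text or "")
        status.text = new_content
    return status


def resolver_check(xrd, saml=False, cid=False):
    """Resolver side. Neither flag changes which XRD is returned; both only
    affect Status. A failed signature takes precedence over the CID check."""
    status = xrd.find("Status")
    if saml and not signature_valid(xrd):
        override_status(status, SIG_FAIL_CODE, SIG_FAIL_TEXT)
    elif cid and xrd.find("CanonicalID") is None:
        override_status(status, CID_MISSING_CODE, CID_MISSING_TEXT)
    return xrd


def restore_original(xrd):
    """Consuming-application side: undo the resolver's override so the
    application can see the original Status and re-run the signature check."""
    restored = copy.deepcopy(xrd)
    status = restored.find("Status")
    if "originalcode" in status.attrib:
        status.set("code", status.attrib.pop("originalcode"))
    if "originalcontent" in status.attrib:
        status.text = status.attrib.pop("originalcontent")
    return restored


if __name__ == "__main__":
    tampered = make_signed_xrd()
    tampered.find("Status").set("code", "200")  # flipped in transit after signing
    out = resolver_check(tampered, saml=True)
    print(ET.tostring(out.find("Status"), encoding="unicode"))
    print("original still fails:", not signature_valid(restore_original(out)))
```

The two attributes are what make restore_original possible: without them the consuming application would see only the resolver's replacement Status, and the signature would fail for it whether or not the server's XRD was ever tampered with. With them it can put the server-supplied Status back and tell the two cases apart.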
3) ACTION ITEMS AND SCHEDULE FOR ED04

The following page has been updated for current action items:

http://wiki.oasis-open.org/xri/Xri2Cd02/ResWorkingDraft11

For ED04, the remaining action items are for Drummond and Wil (with one small one for Gabe). Wil agreed to send his action items to Drummond by next Monday morning, and Drummond will attempt to complete ED04 during a long plane trip on Monday.

4) XDI, SOCIAL NETWORK PORTABILITY, AND THE DATA SHARING SUMMIT

Interest is skyrocketing in social network portability. A Data Sharing Summit "camp" is being held in Richmond, CA on this topic on Sept 7 & 8:

http://datasharingsummit.com/

Gabe is attending, as is XDI TC member Andy Dale. Drummond explained that he, Markus Sabadello, and Paul Trevithick planned to attend and show an alpha community dictionary service based on the XDI RDF model that will be contributed to the Identity Commons Identity Schemas Working Group (http://idschemas.idcommons.net/). Further details will be posted there and to the XRI and XDI mailing lists/wikis as soon as they are available.