
security-services message



Subject: Minutes of SSTC Conference call on Sep 12, 2006


Attendance - see the end of this message.


ACTION: Ari will take draft 10 of Attribute Sharing Profile and in
consultation with Tom (and others) will produce a draft 10a for SSTC review.


ACTION: Tom will retract draft 11 of Profiles for X.509 Subjects and create
a new deployment profile. 

ACTION: Chairs to move Metadata docs to public review.

ACTION: Ashish and Paul to make editorial changes to Shared Credentials
document to make the document look like CD.

ACTION: Eve to CDize errata based on draft 35.



1. Roll Call & Agenda Review, Appoint Secretary
Quorum achieved.

2. Approve minutes from August 29 con-call
Approved by unanimous consent.

3. Follow up on NZ Government Authentication Standards Launched

Hal: NZ is eager to hear feedback. Chairs have received private
communication from the leaders and it's OK to send comments to the list.

Prateek: Has indicated to the leader that they could publish a draft to the
SSTC repository. 

Hal: We can comment on the list or directly to them. They will be watching
the list.


4. New documents published

a. X.509 Profiles

SAML V1.1 Profiles for X.509 Subjects
http://www.oasis-open.org/archives/security-services/200608/msg00120.html
This is identical to SAML 2.0 profiles for X.509 Subjects (see below)
except for encryption.



SAML V2.0 Profiles for X.509 Subjects
http://www.oasis-open.org/archives/security-services/200608/msg00124.htm

Tom Scavo: this is an evolution of draft 11 of the attribute sharing
profile. The primary purpose of this refactoring is a SAML attribute profile
for X.509 subjects. Believes that the deployments that meet the attribute
sharing profile will also meet the X.509 Subjects profile with the exception
of the metadata specification. In short, this is a repackaging of attribute
sharing profiles. 

Discussion of the way forward
http://www.oasis-open.org/archives/security-services/200608/msg00127.htm

Tom Scavo: There are two options to proceed:
1.	If refactoring is too drastic we can choose one of the earlier
drafts (e.g., draft 10).
2.	Stick with draft 11.

Prateek observes that the proposal is to generalize the original draft.

Scott Cantor: The refactoring is consistent with a number of comments that
were posted to the list. Also, all the submissions appear unnecessary in
light of the original SAML attribute Query profile. I.e., there appears to
be nothing new. This seems to be a deployment scenario. For example, the
Subject profile does not add anything beyond using the DN. 

Rob Philpott: There was a requirement for referring to a profile for RFPs. 

Prateek: The question is if this is a profile or a new kind of document entity
such as a deployment note.

Scott: Not particularly concerned with the entity that captures this. Though
he believes these are more appropriately "deployment profiles". The issue is
that there are not enough normative "MUST"s in the document to get an
end-to-end agreement.

Tom Scavo: An end-to-end profile was purposely avoided because the
non-normative section of the Attribute Query profile does not include an
X.509 example. The last draft separates out the profiling of SAML assertion.
This is important because the SAML assertion can be bound to a SOAP message
or an X.509 certificate. 

Tom Scavo: The language could be changed to "basic" and "enhanced".

Greg Whitehead: the RFP process appeared to be requiring a single document
that could be referred to.

Prateek: suggests that there is a difference between profiles and deployment
notes. 

Hal: The argument may be that Attribute Query-compliant products might find
the deployment note useful. 

Hal: Are there objections to the document as is before we can proceed?

Prateek: If the current CD is a "deployment profile" then the issue of
generalizing it is somewhat misplaced. The "grid" community could publish
its deployment profile/note and that would be useful.

Rob Philpott: agrees.

Hal: Need to get a specific course of action.

Ari: Take CD02 and incorporate a number of comments that are improvements
and corrections and republish. 

Tom: Most of these were done in drafts 9 and 10.

Greg: The SSTC encourages the development of a deployment scenario that
meets the requirements of the "grid".

Hal: We have not had a CD vote since the public review. 

Prateek: Nothing has happened beyond the closing of the CD review. We have
not moved beyond.

Rob: We can respond to the comments that were received during the public
review and change the CD (as long as they are not normative).

Hal: Let's table any discussions regarding other deployment notes/profiles.
If Tom and a couple of other active folks can work on a new version of the
Attribute Query profile then we can move this forward. 

Prateek: Asks Ari if he can take ownership.

Ari: How large of a change would be acceptable to the process? In other
words, if the new CD makes changes to the document's structure, would that
be a problem?

Prateek: start from CD02 and make changes with "track changes" on. 

Tom: most (if not all) of the comments during public review are captured in
drafts 9 and 10. Draft 11 is a different document with normative changes.

ACTION: Ari will take draft 10 and in consultation with Tom (and others)
will produce a draft 10a for SSTC review. 

ACTION: Tom will retract draft 11 and create a new deployment profile. 

b. Text Based Challenge Response AC
http://www.oasis-open.org/archives/security-services/200609/msg00005.htm

Sharon: Incorporates all of the comments Tom had made. All are editorial in
nature. 

Hal: Suggest that the SSTC review and take a CD vote in the next call unless
there are lots of changes/questions. 

c. Metadata updates

http://www.oasis-open.org/archives/security-services/200609/msg00010.htm

http://www.oasis-open.org/archives/security-services/200609/msg00012.htm

http://www.oasis-open.org/archives/security-services/200609/msg00014.htm

Prateek: These are docs that are being prepared for a second public review.

Scott: They are ready for a short 15-day public review.

Scott makes a motion to put these three docs out for short review. Eve seconds.
No objections.

ACTION ITEM: Chairs to move these docs to public review.

d. Shared Credentials

RequestedAuthnContexts Extension
http://www.oasis-open.org/archives/security-services/200609/msg00020.htm


SharedCredential Authn Context Extension
http://www.oasis-open.org/archives/security-services/200609/msg00021.htm


Discussion
http://www.oasis-open.org/archives/security-services/200609/msg00025.htm


Paul Madsen: these docs address schema issues. Hoping to have a vote on this
call.

Hal: No difference in terms of time between voting today or next time. 

Paul: makes motion to accept these as CD.

Ashish: Seconds the motion.

No objections. Motion passes. 

ACTION: Ashish and Paul need to make editorial changes to make the document
look like CD.

e. HTTP POST Simple Sign Profile
http://www.oasis-open.org/archives/security-services/200609/msg00027.htm


Jeff Hodges: Various editorial changes have been made. Primary technical
change is to convey KeyInfo from XML DSIG. The diagram and description on
page 10 were updated to make them more accurate. Clarified language to indicate
that the binding is for a one-way message exchange.

Hal: where does this stand?

Scott: Will make some suggestions and possibly produce another draft.
 

5. Errata Review
http://www.oasis-open.org/archives/security-services/200609/msg00030.htm

Jahan: No changes since last time. All errata items have been addressed.

Eve: Will make a first attempt at CD'izing draft 35 of errata.

6. Open AIs

#0264: Comment on "attribute-based federation" section
Owner: Prateek Mishra
Status: Open
Assigned: 2006-08-28
Due: ---

Eve: Put on the agenda and discuss it next time. 

#0263: NameID and the use of SPProvidedID
Owner: Jahan Moreh
Status: Open
Assigned: 2006-07-18
Due: ---
Status: Jahan will review and will inform chair of status.

#0262: Creation of the "new" LDAP/X.500 profile
Owner: Scott Cantor
Status: Open
Assigned: 2006-07-18
Due: ---
Status: Still pending


#0261: Chairs to contact GUIDE for follow-up
Owner:
Status: Open
Assigned: 2006-07-18
Due: ---
Status: Closed.
Eve: Could we have a discussion on this?
Hal: Please post questions.

#0240: Status of SAML 2.0 submission to ITU T
Owner: Abbie Barbir
Status: Open
Assigned: 2005-11-08
Due: ---

Status: Pending. Should wrap up in the next 2-4 weeks.


Meeting adjourned at 13:20 EDT.


  Steve Anderson BMC Software
  Bhavna Bhatnagar Sun Microsystems
  Brian Campbell Ping Identity
  Scott Cantor Internet2
  Heather Hinton IBM
  Frederick Hirsch Nokia
  Jeff Hodges NeuStar
  John Hughes PA Consulting
  Ari Kermaier Oracle
  Hal Lockhart BEA Systems, Inc
  Paul Madsen NTT Corporation
  Eve Maler Sun Microsystems
  Prateek Mishra Oracle
  Jahan Moreh Sigaba
  Bob Morgan Internet2
  Ashish Patel France Telecom
  Rob Philpott RSA Security
  Tom Scavo National Center for Supercomputing Applications
  David Staggs Veteran's Health Admin
  Eric Tiffany IEEE Industry Standards
  Greg Whitehead Hewlett-Packard Company
  Thomas Wisniewski Entrust
    
    
Attendance of Non-Voting Members
 
  Sharon Boeyen Entrust
  Carolina Canales-Valenzuela Ericsson
  Peter Davis NeuStar
  Chris Laskowski Booz Allen Hamilton
  Rebekah Metz Booz Allen Hamilton
  Anthony Nadalin IBM
    
    
Attendance of Observers
 
  Michael Bowman Booz Allen Hamilton
  Greg Desmarais Sigaba

Membership Status Changes
 
  Peter Davis NeuStar - Lost voting status after 8/29/2006 call
  Anthony Nadalin IBM - Lost voting status after 8/29/2006 call
  Chris Laskowski Booz Allen Hamilton - Granted TC Membership 8/30/2006
  Andrew Sliwkowski RSA Security - Removed from TC 9/12/2006
  Sharon Boeyen Entrust - Granted voting status after 9/12/2006 call
  Carolina Canales-Valenzuela Ericsson - Granted voting status after
9/12/2006 call


Thanks,
Jahan
------------------------
Jahan Moreh
Chief Security Architect
310.288.2141



