Proposed Minutes for SSTC Telecon (19 March 2013)

[Nate Klingenstein <ndk@internet2.edu>]

> 1. Roll Call & Agenda Review.

There were no changes to the agenda.

> 2. Need a volunteer to take minutes.

Nate volunteered.

> 3. Approval of minutes from previous meeting(s):
> 
>   - Minutes from SSTC Call on 19 February 2013:
> 
> https://lists.oasis-open.org/archives/security-services/201303/msg00000.html
> 
> 
>   - Minutes from SSTC Call on 5 March 2013:
> 
> https://lists.oasis-open.org/archives/security-services/201303/msg00003.html

Scott moved to approve both sets of minutes and Chad and Hal both seconded.  There were no objections and the minutes were adopted.

> 4. AIs & progress update on current work-items:
> 
>  (c) SAML 2.1 work (Chad)
>      - SAML2.1 wiki: 
>        https://wiki.oasis-open.org/security/SAML2Revision
> 
>      - Chad's list:
>        https://wiki.oasis-open.org/security/SAML21
> 
>      - Sample ToC for an SSO Profile:
>        https://wiki.oasis-open.org/security/SAML21ExampleProtocol

Chad didn't have any updates to add for this call.

> 
>  (d) Conceptual/overview of Metadata (Rainer Hoerbe)
>      - Any updates?
> 
>        http://files.hoerbe.at/daunlod/eadocx-quickdoc.pdf

Rainer sent his regrets and was not able to join this call.

>  (e) SAML ECP (Scott)
>      - Any updates?

Scott wasn't at IETF, so there's not much of an update to deliver yet.  He's still looking at getting a revision to the specifications published with language cleanups, but not much in the way of technical changes.

They also appear to be churning GSS again rather heavily, and Scott expressed his frustration at seeing many mechanisms reach RFC when there are issues with them.

>  (f) XPA updates (Mohammad Jafari)
>     - Any updates?

Mohammed didn't have any updates for the TC.

>  (g) Updating SAML.org
>      - Thomas to contact Robin Cover

Thomas will be calling Chet at the OASIS office to see if they can expedite a response from Robin, leaving this as an outstanding action item.

>  (h) OASIS InterOp Demonstrations at RSA 2014:
> 
>    https://lists.oasis-open.org/archives/security-services/201303/msg00005.html

We typically only do new interop demonstrations when there are new specifications that people want to test or demonstrate and most recent specifications have each been adopted by a limited number of SAML 2.0 implementers.  Also, actual interop testing can be performed any time.

The specification update(SAML 2.1) is also explicitly not intended to be a breaking change, so interoperability testing involving it is not meaningfully different.  Chad wondered whether it would be worthwhile to attempt demonstration of the use of metadata for configuration exchange as would be mandatory in SAML 2.1.  This is the primary differentiator between SAML 2.0 and the Kantara e-Gov profiles.

There are a number of aspects of the Kantara e-Gov 2.0 profile, but there isn't a compelling need for OASIS to host an interop event for it.

Given the costs associated with hosting this sort of event, the cost benefit ratio may not be in favor of hosting an interop demonstration.  Nate suggested that the SSTC respond that we'd be able to make use of the slot, but that we don't have any strong need for an interop event.  However, given the steep costs of participating, the SSTC reconsidered participating and Thomas will respond to OASIS suggesting we don't need to host an event for SAML.

> 7. Next SSTC Call:
>   - Tuesday 2 April 2013.

We look forward to speaking with you then.