Note: Next phone call with be Jan 8th. Will try to have SAML document ready for WG final review. Possibly Attribute document as well depending on some feedback from VOMS architects. Attending: Von Welch Andrew McNabb Mary Thompson Takuya Mori Markus Lorch David Chadwick Sassa (briefly) Rebekah Lepro New Attribute document from Mary & Markus: Section 3: Distinction between priv and subj attributes Section 5: A lot of the changes here. Privilege attributes name in separate section Specified default type would be variable UTF-8 string with case sensitive comparison Minor additions to AC Has passed along to Vincenzo who has done AC support in VOMS VW: Bob's summary was pretty much on the mark. SAML Authz work seems to be dead end and will end up being done by some combination of XACML and SAML. I suggest this group go ahead with current path understanding it is short term. MT: Could work on XACML enveloping instead? RL: XACML has never focused on protocol. Should use SAML as it is curent stanard for protocol DC: Sassa and I agree that should continue SAML work. We have SAML 1.1 and OGSA working with PERMIS. RL: That is most logical and reasonable. DC: Seems like you could plug XACML stuff into SAML RL: Yes, but the issue is making it native SAML so that you don't have to use extensions DC: Are there other extensions to SAML besides ours? RL: There are lots of extensions to SAML. That is the reason for the extension points. DC: WSDL parameters defined as ANY is a problem, would preferred to be defined as a string. VW: Need to go refresh myself on this issue. DC: Extensions in opensaml working fine. Reached general concensus to keep going with SAML path understanding it is a short-term solution. VW: Will add test to intro explaining this. Corrections from Rebekah. Unless people have major gripes, since it is short-term document I'm not going to lose sleep. ML: Could one use Condition case to contain Obligation? DC: There are conceptually different. I wouldn't suggest it. ML: I have a use case for obligations. RL: Could go into Advice ML: But Advice is optional and can be ignored. RL: Conditions in SAML are related to assertion and not other conceptual entities like a job. [Long Obligations vs Conditions discussion] RL: SAML has abstract type for conditions, we need to define concrete type. VW: Since we are exending Authz decisions already, could easily enough add a Obligation element. Markus, does that sounds reasonable and will you be willing to take first pass. ML: Yes, by when. VW: Try by have done by 8th. ML: Obligation has to be evaluated? DC: Yes ML: What about Obligations with a Deny decisions? VW: Think we need think about semantics with DENY decisions very carefully. DC: Obligations shouldn't be tied into the decisions, just the response. E.g. for use in IDS. DC: Can we eliminate Indeterminate in simple response? General discussion follows, group decided "no" as Indeterminate useful for a number of use cases. MT: SAML document 5.1.1 and 5.1.2 titles confused AN: What is the status of policy documents? VW: Nothing has happened. Suspect Frank doesn't have time, if we don't see progress should we drop from our scope? AN: Will gather requirements in LCG - already using GACL for this. VW: Will wait on Vincenzo to see if attribute doc is ready for WG last call on the 8th. Adjourn.