2011-04-07
Developer Call Notes - April 7, 2011
Attendees: Chris Bongaarts, Scott Cantor, Daniel Fisher, Nate Klingenstein, Chad La Joie, Rod Widdowson, Tom Zeller
IdP v2.3 Update: Chad La Joie
- most bugs closed out
- two remaining signature issues to be closed out: JOST-150 and SIDP-478
- a few other small, quick bug/tasks to close out as well
IdP v3.0 Update: Chad La Joie
- Attribute Resolver and Filtering Engine
- working copies checked in
- architecture documentation to be updated/written next week
- outstanding issue with the attribute resolver: Plugin conditions currently use Spring expressions, which ties the resolver to Spring. Chad is investigating use of Java Unified Expression Language instead.
- Chad did some more evaluation work with Spring WebFlow, in particular its conversation mechanism. All the tests looked good; he feels there is a good chance this can be used in IdPv3 to build up the profile handlers.
MDA v0.5: Chad La Joie
- Metadata Aggregator v0.5 developer preview release announced on dev list
Testing Frameworks and Methods in OpenSAMLv3, IdPv3, MDA, etc.: Chad La Joie, Rod Widdowson
- v2 code uses JUnit 3 and XMLUnit (for XML document comparison)
- Rod and Brent are discussing whether XMLUnit is really doing what it should be when performing comparisons
- New v3 code is moving to TestNG
- XMLUnit could be used with TestNG as well; Brent will look into this further
Use of Hudson/Jenkins Continuous Integration Servers: Daniel Fisher
- Daniel asked if the Shib project had considered using Hudson/Jenkins.
- Yes, we have, but to date our current development model doesn't really necessitate, nor would it benefit much from, the use of such a service. So, for now, we're not using it.
Updates from IETF: Scott Cantor
- Moonshot Updates
- Moonshot has made significant progress over the last few weeks
- Use of SAML may change over time
- Most applications that support GSS/SASL are able to accept new mechanisms fairly easily
- there had been significant concerns that this might not be the case
- Cyrus SASL needs to get GSSv2 support before it can accept new mechanisms easily
- Scott is looking to get support for his new channel binding work onto the Shib roadmap
- Scott is looking to get Holder of Key support into the SP sooner rather than later
- DANE
- The DANE project is focused on putting key/certs in DNS
- One camp within the project views this as a way of indicating which CA a service's end-entity certificate should be rooted in (to prevent use of certs improperly issued from other CAs)
- The other camp views this as a more SAML metadata-like way of binding end-entity certs to a service
- This work, if it gains acceptance, may impact the way in which the Shib software looks up entity certs
xmlsectool Packaged as an RPM
- xmlsectool identified as a good first candidate for packaging up Java code as RPMs
- Peter Schober has provided an RPM spec file
- Scott will look into this more in the coming weeks
Tom Zeller's Dev List Email
- Scott commented that a lot of the work that fueled the initial Shibboleth development was the failure of various federated LDAP projects, in particular the inability to put in place good release policies
- this is X.500 all over again
- the Australian people picker, often held up as an example of this type of service, failed
- email addresses, as personal identifiers used to look up user data across systems, are currently the winning method but have obvious privacy implications
- the underlying question that really needs to be answered is "Is the ability to enumerate all of a particular type of data object (e.g., person record, group record) behavior that should be expected within a federation or is the lack of such a feature one of the tradeoffs in moving to a federated model?"
Embedded DS Packaging
- Scott has requested feedback on how the Embedded DS will be packaged as an RPM; no real feedback from sysadmins yet
- CSS will be removed from the minification process
Next Call:
May 5th, 1500UTC