[Concordia] Notes from 26 Aug 2008 Concordia community call (next call Sep 23!)

Eve Maler Eve.Maler at Sun.COM
Tue Aug 26 11:43:46 EDT 2008
> == Attending ==
>
> Eve Maler (Sun), Mike Jones (MSFT), Patrick Harding (Ping), Steve
> Coplan (451 Group), Paul Madsen, Bill Young (NZ), Conor Cahill
> (Intel), Lena Kannappan, Mario Lischka (NEC Europe), Mary Ruddy
> (Parity), Eric Tiffany (Liberty), Scott Cantor (Internet2), Britta
> Glade (Liberty), John Bradley, Brett McDowell (Liberty), Colin Wallis
> (NZ SSC)
>
> == Logistics ==
>
> We won't meet on Sep 9 because that's DIDW (in fact, it's the very day
> of the Concordia talk!).  Our next call will be on Sep 23.
>
> '''After DIDW and the discussion that happens there:''' On our next
> call let's do a fresh Concordia use-case roundup, and see what's
> highest priority.  Maybe it's time for another interop (ideally
> coordinated with OSIS!) and a subsequent drive towards more profiles
> and other spec work in appropriate venues.
>
> == SIG-WSH input ==
>
> The Liberty Web Services Harmonization SIG has had a
> [http://wiki.projectliberty.org/index.php/SIG-WSH_Aug_08_Redmond_F2F meeting].
>
> The NZ SSC has some use cases in this general area, going by the name
> GOAAMS.  There are eight use cases so far, which are generalizations
> of the same basic thing.  ID-WSF is the main architecture, and a
> number of other web services (perhaps using WS-* or other
> technologies) will need to plug in around the edges, particularly to
> integrate legacy systems.  The all-singing all-dancing super-use case
> involves an individual who applies for a student loan, and in the
> process has to contact the Ministry of Education and other agencies.
> Bill will try to package this up for general consumption and review.
>
> Eric asked if Danish government representatives have been involved in
> this SIG; they haven't, to date.
>
> Scott mentioned interest in InfoCard-based active clients interacting
> with services; bootstrapping is only one use case in this scope.  Eve
> mentioned knowing some folks who are building "active-client requestor
> profiles" that ''aren't'' InfoCard-based, and she'll see if they are
> able to share their rationale for choosing this direction.  Patrick
> has also been seeing this being done, particularly around rich client
> app plugins.
>
> == DIDW check-in ==
>
> The Concordia-themed
> [http://public.cxo.com/conferences/agenda.html?conferenceID=24 speaking session]
> will be held as a breakout on the Tuesday at
> 4:15pm.  The title is '''Bootstrapping Identity Protocols: A Look At
> Integrating OpenID, ID-WSF, WS-Trust And SAML'''.
>
> Paul is going to introduce Concordia, and then they'll segue into
> "Concordic" use case examples.  Paul's use case of interest is mixing
> SAML and OpenID, and the interop challenge around assurance, PAPE, and
> authn context.  After DIDW, Paul is planning to package the ideas he
> presented into a Concordia "submission".
>
> Mary will speak second, on information cards bootstrapping to ID-WSF.
> She'll talk about an [http://www.fc2consortium.org/index.html organization in Europe]
> that is putting together a system that has
> this use case.  She's been working with Asa Hardcastle on
> OpenLiberty.org approaches to this.
>
> Patrick is the last speaker, and will discuss using SAML2 to bootstrap
> into OAuth based on feedback from Ping's customers.  There are ways to
> optimize the flow better compared to a naive approach.  Scott has that
> use case as well, but isn't looking at OAuth.  Shib has looked at
> transient IDs essentially as bearer tokens for something like this,
> though the security implications are scary.  Patrick commented that
> OAuth has a narrow scope, and it's fairly obvious to those of us on
> this call where ID-WSF does a superset of that job, and how WS-Trust
> could be profiled to do the same job.  (Brett mentioned that the
> OpenLiberty.org library is being built out to complete the ID-WSF
> framework, which might contribute to people's understanding of how
> easy it can be to do a more fully secured job.)
>
> == Authn context and LoA ==
>
> Authn context is, according to Eric, a "multi-ring circus".  Levels of
> assurance have become very interesting to a number of parties.  LoA is
> being used in different embodiments (different numbering schemes)
> around the world.  There is an interesting feedback loop between
> saying you've done level ''n'', and conveying this fact in a technical
> system (protocol, and assertion format, federation model, etc.) that
> belies or degrades that level!  (Paul recently
> [http://connectid.blogspot.com/2008/08/openid-pape-nist-800-63-level-4.html commented]
> on that.)
>
> Here's a summary of what's being done right now.
>
> * The Liberty IAF work is attempting to harmonize and codify the
> procedures you need to observe to obtain a certification at a certain
> level (specifically for the NIST 800-63 LoA system).  This has more to
> do with "meatspace" than technical systems.
>
> * The work of recommending how to encode LoAs as a SAML authn
> context is being undertaken in the SSTC.  Currently, the E-Auth
> program uses attributes to carry this information, but depending on
> your needs, another way might be more appropriate.  This remains an
> interop sore-point since some people do it one way, some people do it
> another, we don't see this changing, and the reuse of SAML assertions
> in other protocols has an impact on which one you might want to do.
> This sounds like prime Concordia territory; Eve will send out a
> message summarizing an earlier discussion among some random folks on
> this topic.
>
> * NIST has prohibited "assertions" of any sort in their definition of
> Level 4, which is overly broad; the problem is really with bearer
> tokens.  The SSTC is working with NIST to craft language.  The SSTC's
> new holder-of-key assertion profile work will probably help here.
>
> * We anticipate a Concordia proposal from Paul about an OpenID PAPE/
> SAML authn context proposal.
>
>
> Eve Maler                                         +1 425 947 4522
> Principal Engineer                            eve.maler @ sun.com
> Business Alliances group                    Sun Microsystems, Inc.
> _______________________________________________
> Community mailing list
> Community at projectconcordia.org
> http://lists.projectconcordia.org/mailman/listinfo/community
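The "Authn context and LoA" section above touches two points a relying party has to handle in code: the LoA may arrive either as a SAML authn context class reference or as an attribute (the two encodings the SSTC is weighing), and NIST's Level 4 objection is really about bearer tokens rather than assertions as such. The following Python is an added example written for these notes, not code from the call, Liberty, the SSTC or OpenLiberty.org. It reads the LoA from either encoding, inspects the subject-confirmation method, and caps the level it credits to bearer-only assertions. The SAML namespace and the bearer/holder-of-key method URIs are the real SAML 2.0 values; the LoA class URIs, the attribute name and the sample assertions are constructed placeholders (a real deployment uses whatever its assurance profile defines, and would verify the signature first, which is out of scope here).

```python
"""Added example (not from the call notes): credit a SAML assertion's level of
assurance (LoA) only as far as its subject-confirmation method supports.

Reads the LoA from either an AuthnContextClassRef or an attribute, then caps
the LoA credited to bearer-only assertions.  All LoA URIs, attribute names and
sample assertions are constructed placeholders.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Real SAML 2.0 subject-confirmation method URIs.
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
HOLDER_OF_KEY = "urn:oasis:names:tc:SAML:2.0:cm:holder-of-key"

# Constructed (hypothetical) authn-context class URIs mapped to NIST 800-63 levels.
CLASS_REF_TO_LOA = {f"urn:example:ac:classes:loa{n}": n for n in (1, 2, 3, 4)}
# Constructed attribute name for the "attribute style" encoding.
LOA_ATTRIBUTE_NAME = "urn:example:attribute:assurance-level"


def extract_loa(assertion_xml: str) -> Optional[int]:
    """Return the LoA asserted via AuthnContextClassRef, else via the LoA attribute."""
    root = ET.fromstring(assertion_xml)
    ref = root.find(".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    if ref is not None and ref.text and ref.text.strip() in CLASS_REF_TO_LOA:
        return CLASS_REF_TO_LOA[ref.text.strip()]
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == LOA_ATTRIBUTE_NAME:
            value = attr.find("saml:AttributeValue", SAML_NS)
            if value is not None and value.text and value.text.strip().isdigit():
                return int(value.text.strip())
    return None


def confirmation_methods(assertion_xml: str) -> List[str]:
    """All SubjectConfirmation/@Method values in the assertion."""
    root = ET.fromstring(assertion_xml)
    return [sc.get("Method", "")
            for sc in root.findall(".//saml:Subject/saml:SubjectConfirmation", SAML_NS)]


def effective_loa(assertion_xml: str, bearer_cap: int = 3) -> Optional[int]:
    """LoA a relying party should credit.

    Holder-of-key: the asserted level stands.  Bearer only: capped at bearer_cap,
    reflecting the Level 4 concern in the notes.  Anything else: not credited.
    """
    loa = extract_loa(assertion_xml)
    if loa is None:
        return None
    methods = confirmation_methods(assertion_xml)
    if HOLDER_OF_KEY in methods:
        return loa
    if methods and all(m == BEARER for m in methods):
        return min(loa, bearer_cap)
    return None


def _assertion(method: str, class_ref: Optional[str] = None,
               attr_value: Optional[str] = None) -> str:
    """Build a constructed, unsigned sample assertion (signature checking is out of scope)."""
    authn = ""
    if class_ref:
        authn = ("<saml:AuthnStatement AuthnInstant=\"2008-08-26T15:00:00Z\"><saml:AuthnContext>"
                 f"<saml:AuthnContextClassRef>{class_ref}</saml:AuthnContextClassRef>"
                 "</saml:AuthnContext></saml:AuthnStatement>")
    attrs = ""
    if attr_value:
        attrs = (f"<saml:AttributeStatement><saml:Attribute Name=\"{LOA_ATTRIBUTE_NAME}\">"
                 f"<saml:AttributeValue>{attr_value}</saml:AttributeValue>"
                 "</saml:Attribute></saml:AttributeStatement>")
    return (f"<saml:Assertion xmlns:saml=\"{SAML_NS['saml']}\" ID=\"_c1\" Version=\"2.0\""
            " IssueInstant=\"2008-08-26T15:00:00Z\">"
            "<saml:Issuer>https://idp.example.org</saml:Issuer>"
            "<saml:Subject><saml:NameID>alice</saml:NameID>"
            f"<saml:SubjectConfirmation Method=\"{method}\"/></saml:Subject>"
            f"{authn}{attrs}</saml:Assertion>")


# Constructed sample assertions.
HOK_CLASSREF_LOA4 = _assertion(HOLDER_OF_KEY, class_ref="urn:example:ac:classes:loa4")
BEARER_ATTR_LOA4 = _assertion(BEARER, attr_value="4")
BEARER_NO_LOA = _assertion(BEARER)

if __name__ == "__main__":
    samples = [("hok/classref", HOK_CLASSREF_LOA4),
               ("bearer/attr", BEARER_ATTR_LOA4),
               ("bearer/none", BEARER_NO_LOA)]
    for name, xml in samples:
        print(f"{name:14} asserted={extract_loa(xml)} credited={effective_loa(xml)}")
```

The cap is deliberately a policy knob (`bearer_cap`) rather than a hard-coded rule, since the notes say the SSTC and NIST are still crafting the Level 4 language; an unknown confirmation method is not credited at all, so a new method has to be consciously admitted rather than silently accepted.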