Notes from 29 Jul 2008 Concordia community call

Eve Maler Eve.Maler at Sun.COM
Tue Jul 29 11:43:07 EDT 2008



> I apologize in advance for missing anyone on the attendance list;  
> please help me out with corrections.  I promise I'll never try to  
> take notes directly on the wiki ever again. :-)
>
>
> == Attending ==
>
> Eve Maler (Sun), Britta Glade (Liberty), Eric Tiffany (Liberty),  
> Sampo Kellomaki (Symlabs), Lena Kannappan (FuGen Solutions), Paul  
> Madsen (NTT), John Bradley (ooTao), Charles Andres (Parity), Mary  
> Ruddy (Social Physics), Ashish Jain (Ping Identity), Patrick Harding  
> (Ping Identity), Rick Levinson (Oracle), Scott Cantor (Internet2)
>
>
> == Activities in the DIDW timeframe ==
>
> [http://public.cxo.com/conferences/index.html?conferenceID=24 DIDW  
> conference 8-10 Sep 2008 in Anaheim]
>
>
> === Concordia-themed speaking slot ===
>
> Paul M. is scheduled to speak.  Patrick and Mary are interested to  
> contribute content to his talk; Patrick may even be interested in  
> formally joining as a co-speaker.  Britta will help field bio  
> submissions and the like with these three folks.
>
> The topic is generally focused on bootstrapping between different  
> technologies (which Eve is labeling "heterogeneous bootstrapping").   
> This has at least a couple of interesting components:
>
> * Preserving the authentication context across systems (e.g., OpenID  
> PAPE + SAML authentication context)
> * Preserving the interpretation of attributes/claims across systems  
> (e.g., OpenID attributes, InfoCard self-issued claims, some of the  
> standardized SAML attribute profiles if they're commonly used, and  
> maybe even Liberty Personal Profile service info?)
>
> While these topics came up in last year's Concordia workshop at  
> DIDW, they didn't get prioritized highly enough for us to begin work  
> on them.  Perhaps their time has come...
>
>
> === OSIS workshop coordination ===
>
> [http://osis.idcommons.net/wiki/I4_User-Centric_Identity_Interop_through_Digital_ID_World_2008 
>  OSIS I4 interop workshop]
>
> Charles reports that OSIS is thinking of structuring the time as  
> more of a workshop vs. an interop demo in the style of previous  
> events.  9am-11am would likely be an OSIS meeting, and 11am-3pm  
> might be more "public", with various talks to be given each hour.
>
> John Bradley has added some placeholder matrix cells for a few  
> likely combinations, and seeks information on who wants to interop  
> on the basis of these.
>
> OSIS and Concordia folks generally are interested to get more  
> specific about the use cases driving the need.  Here are some  
> questions we have:
>
> * Is it interesting to deployers to allow for using infocards  
> directly for OpenID login, bypassing the redirect process for  
> security reasons?
>
> * Do any deployers actually want OpenID and/or infocard  
> bootstrapping to ID-WSF (with an EPR) right now?  (We anticipate  
> getting more input from the NZ SSC in a few months when they really  
> dig into this.)
>
> * To what extent is SAML-to-OAuth interesting among deployers?
>
> Netting this all out, does it make sense to offer a "Concordia input  
> session" during the public portion of the OSIS workshop, sort of  
> embedded in it?  We'd have to round up a solid group of deployers  
> interested to offer substantive feedback, which is a pretty  
> resource-intensive job.  Eve is willing to facilitate such a session if she  
> can attend, which is not certain at this point!  Britta can help a  
> bit with logistics, but will be attending the Liberty Identity  
> Assurance workshop 1-3pm on the Monday so probably couldn't attend  
> this sub-session.
>
> Eve and Charles will follow up on the idea of a bootstrapping  
> use-case gathering sub-session, and will contact Britta if it's a go.
>
>
> == SAML authn context/LOA encoding issues ==
>
> Where is the Liberty eGov SIG in its deliberations?  Does it make  
> sense for Concordia to finally develop some overall use cases here?   
> Colin and Eric weighed in on the list preparatory to this call.  It  
> seems there's a variety of considerations around this, only some of  
> which are multi-protocol in the Concordia sense:
>
> * "Semantic": NIST levels, the work being done in the Liberty  
> Identity Assurance group, etc.
> * "Syntactic": what are the URL names for the levels in the  
> different technologies such as PAPE and SAML? etc.
> * "Messaging": if you use SAML attributes to hold levels, how can an  
> SP dynamically request the level they want? etc.
> * What else?  "Security" considerations (such as the recent flap  
> about Level 4 and its problems with bearer assertions)?
>
> We don't know exactly who owns which pieces and how much Concordia  
> should get involved at this point.  So the question remains  
> unresolved.
>
> 	Eve
>
> Eve Maler                                         +1 425 947 4522
> Principal Engineer                            eve.maler @ sun.com
> Business Alliances group                    Sun Microsystems, Inc.




