Concordia telecon 17 Jun 2008
From Project Concordia
Attending
Eve Maler (Sun), Ari Kermaier (Oracle), Eric Tiffany (Liberty), Paul Madsen (NTT), Mario Lischka (NEC Europe), Scott Cantor (Internet2), Colin Wallis (NZ SSC), Mike Jones (Microsoft), Britta Glade (Liberty)
DIDW session opportunity
DIDW has a session slot tentatively booked on the subject of "bootstrapping between identity systems" -- it's reserved specifically for Concordia.
Paul M. is already on the docket for this, talking about OpenID->SAML; he suggests that folks who have been working recently on InfoCard->ID-WSF, or OpenID->ID-WSF (Asa? ooTao guys?) should send mail to the Concordia list and alert Britta ASAP! Eric Norlin needs speaker bio forms very soon.
Policy/entitlements workshop updates
Don't forget to register (for free) for this workshop on the Burton Catalyst site, and to add your name to the Policy and Entitlements Management workshop register if you're planning to attend. See the Main Page for the agenda details.
Eve and Britta are suggesting that we dedicate most or all of the July 1 telecon to a review and summary of the Catalyst workshop. Everyone is agreed.
OSIS/Concordia liaison setup
See OSIS's steering committee notes on this.
Eve will ask John Bradley, who indicated to her earlier that he sits on this OSIS committee, if he's willing to take on this role.
MikeJ notes that joint coordination around events has already been established as a great idea.
Scenario 1 profiling status
Scott is starting to collect data in prep for doing this. He'd thought encryption was the main issue, but since CardSpace encrypts all tokens, maybe this isn't a concern. What do other identity selectors do? Just like in SAML, all the necessary data has to be present at the protocol layer anyway, so it shouldn't matter -- his profile can safely state that the WS-Trust layer needs to do this. Mike asks: What about self-issued tokens? They agree that it's always up to the IdP.
Eve notes that the SSTC is about to put out a "call for profiling intentions", so we can sweep this work up into that.
OpenID+SAML use case status, and LoA/authn context discussion
Paul says "Keep holding your breath" on the use case doc. :-)
Eve proposes that Concordia can usefully take a proactive role in defining use cases for authentication context and related levels-of-assurance interop, since otherwise the discussion will be too diffuse -- there are five or six places we could be discussing this!
Eric notes that his LoA proposal will be publicly reviewable soon, and that should help.
Colin is concerned that a number of the parties need to get on the same page before bringing the use case discussion to Concordia. Perhaps we're ahead of our time a little bit! Various use cases have to account for out-of-band agreements already made, access to a variety of government agency RPs that have different requirements, etc.
The Liberty eGov SIG is starting to get organized around this matter. Their next step would be to comment on Eric's paper. Then we'll be closer to having a Concordia-style discussion, since it will be a target for a variety of protocols to aim at.
Scott notes that often two broad classes of use cases get conflated around this. One is on influencing protocols to give you the LoA you want (dynamic requesting of an assertion with a certain LoA), and one is on how to convey the relevant LoA in an assertion or equivalent (could apply to a static scenario as well as a dynamic request scenario). Scott suspects the former is too theoretical, but Colin's architecture definitely anticipates needing it, so as to avoid doing step-up authn. But rather than a dynamic in-band approach, an out-of-band approach could be used instead. Colin acknowledges that this is true.
Scott suggests that Concordia could have a role to play in the dynamic-request scenario where multiple protocols are being used and need some gatewaying semantics. And Eve notes that since URIs are used heavily in all known systems for naming LoAs and other authn contexts (such as SAML assertions and OpenID PAPE), "gatewaying" isn't really needed at this level; it's a largely trivial mapping.
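As an added illustration of the "largely trivial mapping" point above (this is not code from the minutes or from any Concordia participant), the sketch below shows a gateway deriving an LoA from an OpenID PAPE response, rejecting anything below the RP's required level instead of guessing, and emitting the SAML authentication context class it would convey. The PAPE and SAML URIs are the real ones from those specs; the numeric level attached to each URI is this example's own assumption, not a published equivalence.

```python
"""Gateway-side LoA check between OpenID PAPE and SAML authentication context.

Added example: the URIs are real, but the level assigned to each one is an
assumption made here for illustration, not a mapping defined by any spec.
"""

# PAPE 1.0 namespace for NIST SP 800-63 assurance levels (real value).
NIST_NS = "http://csrc.nist.gov/publications/nistpubs/800-63/"

# Assumed minimum level implied by each PAPE policy URI (real URIs).
PAPE_POLICY_MIN_LEVEL = {
    "http://schemas.openid.net/pape/policies/2007/06/phishing-resistant": 2,
    "http://schemas.openid.net/pape/policies/2007/06/multi-factor": 3,
    "http://schemas.openid.net/pape/policies/2007/06/multi-factor-physical": 4,
}

# Assumed SAML 2.0 AuthnContext class to convey for each level (real URIs).
SAML_AC_FOR_LEVEL = {
    1: "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    2: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    3: "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    4: "urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
}


def pape_to_loa(pape: dict) -> int:
    """Return the LoA a PAPE response supports; 0 when nothing usable is present."""
    level = 0
    # Explicit NIST level counts only if the OP actually declared the NIST namespace.
    if pape.get("openid.pape.auth_level.ns.nist") == NIST_NS:
        try:
            level = int(pape.get("openid.pape.auth_level.nist", "0"))
        except ValueError:
            level = 0  # malformed value earns no credit
    # Policy URIs are space-separated; unknown URIs are ignored (fail closed).
    for policy in pape.get("openid.pape.auth_policies", "").split():
        level = max(level, PAPE_POLICY_MIN_LEVEL.get(policy, 0))
    return max(0, min(level, 4))


def gateway(pape: dict, required_level: int):
    """Map a PAPE response to a SAML AuthnContext class, or None if the LoA is too low.

    Returning None leaves the decision with the RP (e.g. request step-up
    authentication) rather than letting the gateway upgrade the assertion.
    """
    asserted = pape_to_loa(pape)
    if asserted < required_level or asserted == 0:
        return None
    return SAML_AC_FOR_LEVEL[asserted]
```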
Bootstrapping bucket status, and Liberty WS Harmonization SIG
To a first approximation, we have completed the AIs on this, as noted in Concordia telecon 20 May 2008.
A new Liberty SIG called Web Services Harmonization is about to start up, focusing on use cases that join the WS-*-based and ID-WSF-based worlds, and it's planning to include some obvious bootstrapping topics. It's designed to be a short-lived group. Consider this an invitation to join the SIG (anyone can join, whether they're Liberty members or not); we'll track their progress from here.
