[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [iam-discuss] Comments to date on initial draft IAM TC submission
Many thanks Martin
On 3), there is complete flexibility AFAIK. There's more process/voting rigour around a Spec than a Note of course. My sense is have the Spec tight and compact, with one or more Notes as supporting guidance. Chet, Peter, others may have different views of course. On 4), I suggest making it more explicit in the out of scope piece, that the work will assume identity proofing to a confidence level, binding credentials, and the user in possession of the token and authentication has been successful at a given level of assurance. Then it's clear the TC is picking up the flow at the Authz stage (to the extent that in some deployments these are not so clearly delineated). Cheers Colin Date: Tue, 9 Jun 2015 13:33:28 -0400 From: bfc.mclean@gmail.com To: colin_wallis@hotmail.com CC: iam-discuss@lists.oasis-open.org; john.tolbert@queraltinc.com Subject: Re: [iam-discuss] Comments to date on initial draft IAM TC submission Colin--thanks for the helpful comments. Responses in-line below . . . . Martin On Mon, Jun 8, 2015 at 11:30 PM, Colin Wallis <colin_wallis@hotmail.com> wrote:
I think we are in agreement. Given the high level and work-in-progress nature of NSTIC/IDESG (and FICAM) I think the best we can do is to use the NSTIC Principles as high-level requirements or constraints, and be able to trace how those requirements are satisfied by some configuration of IAM Framework components that meet a specified business case. (Or if not, what technology or standards gap exists that makes satisfying the requirement impossible.) Granted that as the IDESG progresses there may be specific requirements developed which our proposed effort would have to take into account as possible; be the alternative is waiting until everything stops moving, which is probably never.
The level of test specification we're shooting for is what SE best practice says should be done at the time a functional requirement is defined in order to support later verification and validation. That is, we would answer the question: "how will we know if a component meets the functional requirement?" (Likewise for interface specs, BTW.) We anticipate that testing firms would develop the detailed test suites and tooling, and conduct testing to provide independent certification of conformance and interoperability. I think this is more or less what IDESG hope to do eventually; I think the NSTIC Trustmark pilot is developing something similar as part of their trustmark definitions.
The target is certainly ambitious, and depends on adequate resources participating in the TCs work. You raise another good point in the distinction between Committee Note and Committee Spec. Do we have flexibility in which process to aim for?
I admit I am far more interested in developing the AuthZ part of the Framework as I think AuthN has gotten far more attention for a long time. Obviously, AuthN is a necessary anchor for access control. I would welcome advice on how to include AuthN in some way without letting that function dominate the overall effort.
Thanks--will have a look . . .
Martin F Smith, Principal BFC Consulting, LLC McLean, Va 22102 703 506-0159 703 389-3224 mobile |
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]