Subject: Use Case & Requirements Doc Strawman 1 Issues List
The Use Case & Requirements Group has boiled down a list of major issues related to the content of the requirements doc. We will be working our way through the issues in groups over the next few weeks, and the purpose of this message is a sort of 'last call' for your input on the first group before we attempt to resolve them. Please direct any relevant comments to the security-use@lists.oasis-open.org list. Please try to structure any comment as a suggested requirement, rather than a suggested implementation.

Here is a list of the primary issues. The notation directs you to the related use case from the requirements doc (the first four characters). These four characters are followed by an issue number and an issue name.

ISSUE[UC-1-01:Shibboleth]
Which requirements of the Shibboleth security system for Internet 2 (http://middleware.internet2.edu/shibboleth/index.shtml) are to be included? In particular, how to address the requirements for anonymity and privacy that Shibboleth makes? Should an additional use case scenario explicitly using Shibboleth be added to the use case and requirements document?

ISSUE[UC-1-02:ThirdParty]
Use case scenario 3 (single sign-on, third party) describes a scenario in which a Web user logs in to a particular 3rd-party security provider which returns an authentication reference that can be used to access multiple destination Web sites. Is this different from Use case scenario 1 (single sign-on, pull model)? If not, should it be removed from the use case and requirements document?

ISSUE[UC-1-03:ThirdPartyDoable]
Questions have arisen whether use case scenario 3 is doable with current Web browser technology. An alternative is using a Microsoft Passport-like architecture or scenario. What is the difference? Should this be done?

ISSUE[UC-1-04:ARundgrenPush]
Anders Rundgren has proposed on security-use an alternative to use case scenario 2 (single sign-on, push model). The particular variation is that the source Web site requests an authorization profile for a resource (e.g., the credentials necessary to access the resource) before requesting access. Should this scenario replace the existing use case scenario 2? Should it be made an additional scenario?

ISSUE[UC-3-01:UserSession]
AuthXML includes an entity called a "session" that is not specified by any of the use cases in Straw Man 1. What is a session, and what use case scenarios should be developed to specify the need for sessions and their use?

ISSUE[UC-3-02:ConversationSession]
Is the concept of a session between security authorities separate from the concept of a user session? If so, should use case scenarios or requirements supporting security system sessions be supported?

ISSUE[UC-5-01:AuthCProtocol]
Straw Man 1 explicitly makes challenge-response authentication a non-goal. Is specifying which types of authc are allowed and what protocols they can use necessary for this document? If so, which types and which protocols?

Regards,

Darren Platt
Principal Technical Evangelist
Securant Technologies
1 Embarcadero Center, Floor 5
San Francisco, CA 94111
tel - (415) 315-1529
fax - (415) 315-1545
http://www.securant.com/