OASIS Mailing List Archives

security-services message



Subject: [security-services] RE: [saml-dev] Questions on SAML interoperability


Matan,

    Good questions. Your e-mail is welcome and raises important points.

    1.    As far as I know, there is neither a SAML conformance program
nor a certification authority for SAML conformance. Organizations like
NIST are taking leadership in this area and so it is not out of the
question to have some form of a conformance authority/program.

    2.    But that does not mean SAML implementations are *not*
interoperable. The goal of specifications, which also specify
conformance clauses, is to be interoperable if the conformance clauses
are followed. Usually the goal would be 99% achieved and still there
will be holes :o(

    3.    This is where the conformance testing comes in. Conformance
testing and compliance reports are a good indication that two
independently developed pieces of software would interoperate. One can
perform these tests in one's own environment as well. Really the question
is, would the software be interoperable for the domain and the subset of
specification one is interested in.

    4.    Interoperability improves over time. The Burton event, for
which a lot of discussions are happening in this list, is the first
interoperability event for SAML. The feedback from such interoperability
opportunities would make the specification less ambiguous, more crisp
and clear.

    5.    Also remember that interoperability is a multidimensional
concept. 
          For example interoperability, as demonstrated by such events,
still does not guarantee implementation instance interoperability. The
way one organization implements a system need not be interoperable with
another organization's implementation. Mundane stuff like firewalls,
certificate infrastructures, even the information contained in the
assertions themselves like namespaces could break interoperability. This
is where the best practices come into the picture.

    6.    I have one question for you (actually more than one :o)). 

          What would you like to see in this area? What are the real
world conditions you are thinking of? i.e. what is the general usage
pattern you want to be addressed in the interoperability realm and what
are the implications for you?

    Sorry for the long answer to a short question. Hope it helps. 

cheers
-----Original Message-----
From: Matan Safriel [mailto:msafriel@precise.com] 
Sent: Saturday, May 04, 2002 11:26 AM
To: saml-dev@lists.oasis-open.org
Cc: Matan Safriel
Subject: [saml-dev] Questions on SAML interoperability


Hello dear SAML contributors,

I happen to be watching this very well thought of list. Please ignore my
email in case it violates this list's rules and/or conventions, and let
me know if that's the case please, in which case I would feel very
regretful. 
My questions are the following.
What's the forum's vision and philosophy for interoperability in this
future market? 
Is an assertion producer protected from being banned by: assertion
consumers, assertion consuming proxies, assertion consuming proxy
commercial providers, given that both producer and consumer are
certified by the SAML conformance program?

The terms used above: assertion consuming proxies, assertion consuming
proxy commercial providers, are loosely defined, but I assume you get the
drift of them.


Sorry again if this communication is in violation of this list's rules
or spirit, and good luck on the Burton Catalyst interop event. 
 



      Matan


