security-services message
Subject: RE: [security-services] SAML Testing Referral Program Proposal for SSTC Review & 30 Day Feedback - Response to SSTC Feedback


SSTC Members:

I am currently at the OASIS Symposium and using the event as an opportunity
to have F2F discussions about the issues raised by Frederick, Greg, and
others with OASIS Staff, Members, and Board Members that are in attendance.


We appreciate the issues/concerns that have been raised about the SAML
Testing Referral Program Proposal and would like to assure you that the
feedback is being reviewed by OASIS Staff and Board in order to determine
next steps.

I have requested an agenda item on the next SSTC conference call to discuss
the status of this program proposal. 

Andy

Andy Moir
412-213-0338 Work
978-761-1648 Cell
andy.moir@oasis-open.org
 

-----Original Message-----
From: Frederick.Hirsch@nokia.com [mailto:Frederick.Hirsch@nokia.com] 
Sent: Tuesday, April 26, 2005 2:57 PM
To: grw@trustgenix.com; andy.moir@oasis-open.org
Cc: security-services@lists.oasis-open.org
Subject: RE: [security-services] SAML Testing Referral Program Proposal for
SSTC Review & 30 Day Feedback - Response to SSTC Feedback

Andy 

Nokia agrees with the concerns raised in this message and strongly supports
that changes be made to the current as well as future conformance testing
programs.

Nokia is concerned about the use of a vendor to provide such
interoperability testing and the concerns that have been voiced regarding
potential conflicts of interest, early access to competitors' products, and
unequal marketing opportunities.  We appreciate the efforts taken to reduce
the risks, but believe there is an inherent problem in such an arrangement.
Thus we recommend disallowing vendors of products based on a standard to
offer such programs, or finding another solution such as allowing multiple
providers of a defined service.

I also note that it may be harder to make the distinction between referral
and branding than it might appear, since such a referral mechanism may be
easily viewed as an endorsement, regardless of disclaimers.

Despite the statement in the OASIS response ("The purpose of SSTC review,
per the OASIS Adoption Service Referral Program, is to review technical
merits of the testing program."), we believe it is entirely appropriate for
the SSTC members to raise business concerns, which should be addressed.

We are also looking forward to answers to Tony and Greg's questions as well
as the issues noted.

Thank you

regards, Frederick

Frederick Hirsch
Nokia 

-----Original Message-----
From: ext Greg Whitehead [mailto:grw@trustgenix.com]
Sent: Sunday, April 24, 2005 5:59 AM
To: Andy Moir
Cc: security-services@lists.oasis-open.org
Subject: Re: [security-services] SAML Testing Referral Program Proposal for
SSTC Review & 30 Day Feedback - Response to SSTC Feedback

Andy,

I haven't seen an answer to Tony's question about the process going forward.
If you've replied privately, would you please post the answer to the list?

Trustgenix has been a strong supporter of SAML interoperability testing in
both Liberty and Oasis and of independent certification programs, such as
the ones run by IEEE for Liberty and by the GSA for the US Government.
However, we continue to see a fundamental problem with a vendor of SAML
products running a certification program for other vendors of SAML products
(their competitors). I don't know of any other industry that operates this
way.

I finally got a chance to read through your response last night and here are
some initial comments (by number from your response):

1) You say that Oasis defines the test suite and that changes can't be made
without a vote, but in the general background info on PingDeploy it is made
clear that it exists independently of Oasis and is owned and managed by
Ping. I don't understand how both can be true. How does Oasis know that
PingDeploy implements the test suite specified by Oasis, or that it does not
favor some implementations over others?

2) The complexity of the attached "Privacy Directive" just reinforces the
fact that all parties acknowledge a fundamental conflict of interest in
having a vendor of SAML products run the SAML certification program. It
raises many more questions than it answers. How can we be sure that the
Privacy Directive is sufficient or can even be implemented successfully?

3) It's that Ping, a vendor of SAML products, would be selected to run an
Oasis branded SAML certification program that is the problem. As noted in
(2), the "Privacy Directive" raises more questions than it answers.

6) I don't understand this. If this is not an Oasis program, why is Oasis
involved at all?

7) This seems like something that should be corrected in the CURRENT
program, not left to future programs.


-Greg

On Apr 21, 2005, at 5:11 PM, Andy Moir wrote:

> SSTC Members:
>
>  
>
> In response to feedback provided from SSTC members to the SAML Testing 
> Referral Program Proposal provided by Ping Identity I have created a 
> summary document that addresses each issue that was raised.
>
>  
>
> Since several of the feedback items focus on confidentiality, Ping has 
> provided a copy of their "Policy Directive-Ping Deploy 
> Confidentiality" document which is referred to in several of the 
> responses.
>
>  
>
> Additionally, I have included the original SAML Testing Referral 
> Program Proposal e-mail for your convenience.  However, due to file 
> size I was not able to include the zip file attachment.  Please refer 
> to the zip file attached in the March 11 e-mail for the Program 
> Proposal documentation.
>
>
>  Andy
>
>  
>
> Andy Moir
>
> OASIS
>
> Director of Business Development
>
> 412-213-0338 Work
>
> 978-761-1648 Cell
>
> andy.moir@oasis-open.org
>
>  
>
>
> -----Original Message-----
> From: Andy Moir [mailto:andy.moir@oasis-open.org]
> Sent: Friday, March 11, 2005 9:17 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] SAML Testing Referral Program Proposal 
> for SSTC Review & 30 Day Feedback
>
> SSTC Members:
>
> OASIS Adoption Services are a group of services which help drive 
> global adoption of OASIS Standards via various service offerings.  The 
> OASIS Adoption Services Program is flexible enough to handle the 
> intricacies of working with multiple service providers, standards 
> organizations, and global regions in order to develop fair, equitable, 
> and reasonably priced services that will drive the global adoption of 
> OASIS Standards.
>
>  As part of the OASIS Adoption Services Program, OASIS has created an 
> OASIS Adoption Services Program Referral Service Provider Guideline 
> that allows organizations that have created services or programs 
> related to OASIS Standards to enter into a referral relationship with 
> OASIS.
>
>  For complete details of the OASIS Adoption Services Program Referral 
> Service Provider Guidelines:
> http://www.oasis-open.org/who/adoption_services.php
>
> In response to the Referral Guideline, Ping Identity has submitted a 
> proposal to OASIS to be considered as a Referral Service Provider for 
> SAML testing.  Per the Referral Guideline, Ping Identity has submitted 
> specific documentation that includes:
> 	* Ping Identity Proposal
> 	* Appendix A - SAML v1.1 Testing Matrix
> 	* Appendix B - PingDeploy SAML v1.1 Conformance and Security Testing Datasheet
> 	* Appendix C - Ping Identity SC
> 	* Appendix D - Ping Identity Certification Services Agreement
> 	* Appendix E - Press Release: Ping Identity Conformance Service for SAML v1.1
>
> Per the Referral Guideline, the technical requirements and business 
> case submitted by the service provider will be shared with the OASIS 
> TC for a 30 day review period.
>
>  Please send any feedback or questions directly to Andy Moir: 
> andy.moir@oasis-open.org
>
>  Feedback will be accepted until end of day U.S. ET on Monday, April 11.
>
> Andy
>
> Andy Moir
> Director, Business Development
> OASIS
> 412-213-0338 Work
> 978-761-1648 Cell (New #)
> andy.moir@oasis-open.org
> <Policy Directive--Ping Deploy Confidentiality.pdf><Response to SSTC
> Feedback on Ping Indentity Referral Program Proposal 2005 04 20.doc>
> ---------------------------------------------------------------------
> To unsubscribe from this mail list, you must leave the OASIS TC that
> generates this mail.  You may find a link to this group and all your TCs in
> OASIS at:
> https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
