Subject: Project Moonshot
> 6. Assorted threads on saml-dev/comment list:
> - Trust in artifact resolution
>
> Scott notes that the topic is about using SAML in a Radius type
> interaction. Scott will ask for this to be shared on SSTC list.

Apologies for missing the call, I had some car issues.

There is some context that I should provide. JANET is currently in the process of starting up a new project that is intended to apply SAML in some rather novel ways. There are two basic use-cases we want to address:

1. 'Beyond Web SSO': how can we bring the benefits of SAML-based federated identity to applications other than Web SSO. We have some customers who are interested in, for example, the use of SAML-based identity within the SSH, SCP, SCP and NFS protocols so that they might federate High Performance Computing facilities in different Institutions (primarily for Business Continuity and Disaster Recovery, but also for HPC-as-a-service). We think there is likely to be interest in this capability in other sectors, for example software-as-a-service, 'cloud' services, and so forth.

2. 'Scaleable Trust': Now that we have federated all of these non-web services, how do we manage trust in the resulting SAML system that might be comprised of at least 10^5-10^6 entities?

As the name and use-cases indicate, this is a fairly ambitious proposal. As due diligence, we asked Sam Hartman to perform an independent /technical/ feasibility study of our proposed approach. You can read about this here:

http://www.painless-security.com/blog/2010/02/12/moonshot1

Sam's conclusion was that it is technically feasible. We are now trying to understand the acceptability of the proposal to the communities where most of the work would need to take place (IETF and SSTC). To this end, we are intending to hold a Bar BOF at IETF 78 in a few weeks' time. Before that (within the next three weeks) we will be releasing a paper describing the use-cases and proposed architecture, and the first set of draft specifications.

The first set of specs will be split between IETF and SSTC. To SSTC, we wish to bring a new binding (the 'SAML RADIUS Binding') and a new SSO profile (which I humorously refer to as the 'SAML Single SSO Profile', but which currently labors under the name of 'SAML EAP Profile'). These are intended to satisfy the 'Beyond Web SSO' use-cases. We also believe that these /same/ specs will mostly address the 'Scaleable Trust' use-case, with the application of some hard-to-summarise profiling. However, this requires some tricky profiling, so this work will lag behind the initial set of specs.

Sam will be delivering a final recommendation to JANET at the start of April, which will inform our strategy going forwards. If we decide to take this work forwards, we will continue developing these specifications and implement these over the period April 2010 - August 2011.

We have no web presence beyond Sam's post (for JANET this is formally a feasibility analysis phase), although we do have a mailing list where you are very welcome to join us.

https://www.jiscmail.ac.uk/cgi-bin/webadmin?A0=moonshot-community

I was intending to ask the SSTC chairs if we could spend some time on a call during March or April to discuss this project.

best regards,
josh.