OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.

 


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Re: [security-services] Official statement to W3C WG about impact on SAML?

Thanks, Scott, I agree. FWIW, Tim Cappalli at Micorosft and Heather Flanagan (independent) are hoping to spin up a formal W3C working group around this stuff. Should we maybe coordinate our messaging with Tim and Heather to see if we can use this as impetus for W3C to honor their request?

Nicole

From: Cantor, Scott <cantor.2@osu.edu>
Sent: Monday, May 8, 2023 1:19 PM
To: Nicole Roy <nroy@internet2.edu>; Hal Lockhart <harold.w.lochhart@gmail.com>
Cc: SAML <security-services@lists.oasis-open.org>
Subject: Re: [security-services] Official statement to W3C WG about impact on SAML?
 
> I'm sorry for being so late to this thread. I'm supportive of the SSTC weighing in
> on this issue with the W3C, but my sense is that it's really Chrome and Firefox
> (and Safari, but they are being typically "Apple coy" about participating in any of
> this at the moment) that need convincing

TL;DR, I agree that the companies don't care, but the W3C might once the final sign off has to happen. Assuming they even intend to standardize...

My thinking on this of late is that, not realizing at first that the current work is happening outside the official W3C WG process (they're doing them as an advisory sort of thing so far), that it might be beneficial to have a statement targeted at the eventual ratification of the work as normative WG output.

I would personally favor that if the eventual W3C Rec requires any effort whatsoever by current deployers that there be an official statement on the record that such a transition should take years, not months. It likely won't matter, but I think that sort of thing ought to be public record, and perhaps the W3C might think twice where Google and Mozilla won't.

There's no precedent I can think of until recently (with everything Google has been up to) for this kind of end run around responsible standards coordination, even across organizations. At least not in my 20+ years of being involved. Normally you wouldn't even need such a statement, it's just implied.

Having said that, I relayed the request to do "something" from "us", so if "us" thinks we should keep things as they are, that's fine. Obviously that doesn't mean OASIS or any members have to agree to that either, they can say what they like.

-- Scott


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]