Subject: Minutes: XDI TC Telecon Thursday 1-2PM PT 2008-09-25
Following are the minutes of the unofficial telecon of the XDI TC at:

Date: Thursday, 25 September 2008 USA
Time: 1:00PM - 2:00PM Pacific Time

ATTENDING

Markus Sabadello
John Bradley
Drummond Reed
Giovanni Bartolomeo
Nika Jones

AGENDA

1) TECH TOPIC: XDI SIGNATURES AND LINK CONTRACTS

Just before the summer break we had a very productive call reviewing the proposed base pattern for XDI link contracts. Solutions have now been suggested to the issues raised on that call. They are illustrated in the examples at...

http://wiki.oasis-open.org/xdi/XdiOneIssues/LinkContractPattern

...in particular the "signature blocks" illustrated near the end.

We discussed this pattern, and there was consensus that it solves the issue of having signatures added to the contract itself, thereby changing the graph being signed.

John and Markus noted that these examples do not yet include references to human-readable policy documents -- that's TODO.

John asked about when the same data is accessible over multiple link contracts. Does Bob ask for the data under a specific link contract, or just ask for the data and let Alice's XDI service figure it out?

There is also the question of how much Bob should be able to know about the permissions Alice has provided Bob. Given that XDI is self-describing, Alice can do this by simply sharing the link contract with Bob, telling Bob what he has access to. This works where the data provider agrees that the data consumer will have access to an exact set of data. But there's also the case where:

* Access is granted to a bounded section of the graph that's not an exact set.
* Access is explicitly denied to certain resources (negative permissions).

John noted that if the grammar for the permissions graph includes negative permissions, then sharing that link contract can have privacy and security implications.

John spoke in favor of being able to integrate XDI link contracts with other access control mechanisms such as XACML. Drummond agreed; he explained that from the very outset of the XDI TC in 2004, the TC has intended to support referencing XACML policies from XDI link contracts.

John talked about token types and how it would be best for XDI, from a security standpoint, to be "token agnostic". OAuth, as an example, just uses a very simple bearer token with a hash that's not bound cryptographically to the relying party in any way. There was agreement that XDI security should be able to be bound to any token type.

2) NEXT CALL

John and Drummond will be at the OASIS Open Standards Forum in London next week. Due to the time shift and a dinner that night, they will not be able to attend next week's call. It was decided to cancel it and continue the following week.