Subject: Notes from offline meetings
- From: "Tilton, Cathy" <Cathy.Tilton@daon.com>
- To: "bias@lists.oasis-open.org" <'bias@lists.oasis-open.org'>
- Date: Tue, 17 Apr 2007 21:55:38 +0100
BIAS TC participants -

Below are attached notes from the 2 offline meetings that were held as a result of our March meeting. I had hoped that the results would already be incorporated into our document, and thus not need to be promulgated separately; however, since that is not possible before our meeting tomorrow, I am providing them to you in this form.

Regards,
CT
-----------------------------------
Agreement from Sync/Async meeting

The following services need to support asynchronous operations:
- Identify Subject
- Enroll
- Identify
- Verify

The same service will be used for synchronous and asynchronous operations.

Upon receipt, the server will either:
- Immediately process the request and return the results, or
- Return a token & expiration date, indicating that the service is being handled asynchronously

If a token is returned, the client/requester will be responsible for polling for the results using the following service calls, using the token as the only parameter:
- Get Identify Subject Results
- Get Enroll Results
- Get Identify Results
- Get Verify Results

The requester can use the Query Capabilities call to determine if the server supports synchronous, asynchronous, or both for each of the 4 operations.
---------------------------
Results of the Security discussion

We will break the security section into 3 main topics –
- Integrity & Authenticity
  o Signing
- Confidentiality/Privacy
  o Encryption
- Access control
  o To services

For each, we will identify potential mechanisms and considerations for using them (e.g., when to use)
- Integrity
  o CBEFF security block (app level)
  o Signed XML (signed SAML assertions)
  o TSIK
- Encryption
  o Comms/channel/connection level – https (ssl, tls)
  o App level
- Access control
  o WSS (?)

We will identify MINIMUM requirements as:
- Signed XML for integrity
- https for confidentiality

Other, higher levels will be optional

Could do –
- Required – signing
- Strongly recommended – encryption
- As needed – access control
[Decided on minimums stated above.]

Could also have different security conformance levels or types.

Recommendations based on environments?

Will address security of operations across wire, not data at rest.

Will mention key management (perhaps referencing existing standards) but note that this is NOT specifically addressed by BIAS.