OASIS Mailing List Archives (bias list)

Subject: Notes from offline meetings


BIAS TC participants -
 
Below are attached notes from the 2 offline meetings that were held as a result of our March meeting.  I had hoped that the results would already be incorporated into our document, and thus would not need to be promulgated separately; however, since that is not possible before our meeting tomorrow, I am providing them to you in this form.
 
Regards,
CT
 
-----------------------------------
Agreement from Synch/Asynch meeting
 
The following services need to support asynchronous operations:
 
- Identify Subject
- Enroll
- Identify
- Verify
 
The same service will be used for synchronous and asynchronous operations.
 
Upon receipt, the server will either:
 
- Immediately process the request and return the results, or
- Return a token & expiration date, indicating that the service is being handled asynchronously
 
If a token is returned, the client/requester will be responsible for polling for the results using the following service calls, using the token as the only parameter:
 
- Get Identify Subject Results
- Get Enroll Results
- Get Identify Results
- Get Verify Results
 
The requester can use the Query Capabilities call to determine if the server supports synchronous, asynchronous, or both for each of the 4 operations.
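As an added illustration (not part of the meeting notes or of any BIAS document), the following Python model shows the agreed pattern: one service entry point that either answers immediately or hands back a token with an expiration, separate "Get ... Results" calls that take only the token, and a capabilities query that reports sync/async support per operation. The class and method names (BiasServer, submit, get_results, query_capabilities) and the result shapes are assumptions for this example; the back-end processing is a placeholder.

```python
"""Added example modelling the BIAS synchronous/asynchronous service agreement.
All names here are hypothetical and not taken from the BIAS specification."""
import secrets
import time
from dataclasses import dataclass
from typing import Any, Callable, Dict

OPERATIONS = ("identify_subject", "enroll", "identify", "verify")


@dataclass
class Pending:
    operation: str      # which of the four operations the token belongs to
    payload: Any        # the original request
    expires_at: float   # absolute time after which the token is no longer honoured
    result: Any = None  # filled in once back-end processing completes


class BiasServer:
    def __init__(self, sync_ops=("verify",), token_ttl=300.0,
                 clock: Callable[[], float] = time.time):
        # Operations listed in sync_ops are answered immediately; the rest are
        # handled asynchronously and answered with a token. Injectable clock
        # makes expiry testable without sleeping.
        self.sync_ops = set(sync_ops)
        self.token_ttl = token_ttl
        self.clock = clock
        self._pending = {}  # type: Dict[str, Pending]

    def query_capabilities(self):
        """Query Capabilities: report sync/async handling for each operation."""
        return {op: ("synchronous" if op in self.sync_ops else "asynchronous")
                for op in OPERATIONS}

    def _process(self, operation, payload):
        # Placeholder for the actual biometric processing, which is out of
        # scope for the protocol pattern being demonstrated.
        return {"operation": operation, "request": payload}

    def submit(self, operation, payload):
        """The single service entry point used for both sync and async handling."""
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        if operation in self.sync_ops:
            return {"status": "complete", "result": self._process(operation, payload)}
        # Asynchronous path: unguessable token plus an explicit expiration.
        token = secrets.token_urlsafe(16)
        expires_at = self.clock() + self.token_ttl
        self._pending[token] = Pending(operation, payload, expires_at)
        return {"status": "pending", "token": token, "expires_at": expires_at}

    def complete_pending(self):
        """Simulates the back end finishing all outstanding asynchronous work."""
        for p in self._pending.values():
            if p.result is None:
                p.result = self._process(p.operation, p.payload)

    def get_results(self, operation, token):
        """Get <Operation> Results: the token is the only parameter.

        A token is bound to the operation that issued it, so a token from
        Enroll cannot be used against Get Identify Results; an unknown token
        and a mismatched one produce the same response so nothing is leaked.
        Results are released once and the token is then discarded."""
        p = self._pending.get(token)
        if p is None or p.operation != operation:
            return {"status": "unknown_token"}
        if self.clock() > p.expires_at:
            del self._pending[token]
            return {"status": "expired"}
        if p.result is None:
            return {"status": "pending", "expires_at": p.expires_at}
        del self._pending[token]
        return {"status": "complete", "result": p.result}


if __name__ == "__main__":
    server = BiasServer()
    print(server.query_capabilities())
    pending = server.submit("enroll", {"subject": "constructed-sample"})
    print(pending)
    server.complete_pending()
    print(server.get_results("enroll", pending["token"]))
```

The client side follows from this: if `submit` returns `"pending"`, keep the token and its expiration and poll the matching `get_results` call until it returns `"complete"` or `"expired"`; a client that has not consulted `query_capabilities` must be prepared for either answer from any of the four operations.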
---------------------------

Results of the Security discussion

We will break the security section into 3 main topics –
 
- Integrity & Authenticity
  o Signing
- Confidentiality/Privacy
  o Encryption
- Access control
  o To services
 
For each, we will identify potential mechanisms and considerations for using them (e.g., when to use).
- Integrity
  o CBEFF security block (app level)
  o Signed XML (signed SAML assertions)
  o TSIK
- Encryption
  o Comms/channel/connection level – https (ssl, tls)
  o App level
- Access control
  o WSS (?)
 
We will identify MINIMUM requirements as:
- Signed XML for integrity
- https for confidentiality
Other, higher levels will be optional.
 
Could do –
- Required – signing
- Strongly recommended – encryption
- As needed – access control
[Decided on minimums stated above.]
 
Could also have different security conformance levels or types.
 
Recommendations based on environments?
 
Will address security of operations across wire, not data at rest.
 
Will mention key management (perhaps referencing existing standards) but note that this is NOT specifically addressed by BIAS.

