

Subject: RE: [id-cloud] ID-Cloud Minutes from June 28 2010 Call



Thanks John.

Towards the last part of the discussion of Use-case 3, I got interrupted for about 10 seconds (knock on my door), so I may have missed some items.

/thomas/

__________________________________________

> -----Original Message-----
> From: Dilley, John [mailto:jad@akamai.com]
> Sent: Monday, June 28, 2010 4:43 PM
> To: Thomas Hardjono; id-cloud
> Cc: Anil Saldhana; Anthony Nadalin
> Subject: RE: [id-cloud] ID-Cloud Minutes from June 28 2010 Call
> 
> Thank you for the notes.  In addition to what's captured below there
> was a discussion around use case 3 that used the example of an end user
> supplying their Google username and password to third party sites
> (Netflix was given as an example).
> 
> This seems like a good motivator for the use case and I want to make
> sure it was captured in the use case itself.  Or, if more appropriate,
> a standalone (negative) use case illustrating what we want to avoid?
> 
> Regards,
> 
> -jad-
> John Dilley
> Akamai Technologies
> 
> 
> 
> -----Original Message-----
> From: Thomas Hardjono [mailto:hardjono@MIT.EDU]
> Sent: Monday, June 28, 2010 12:53 PM
> To: id-cloud
> Cc: Anil Saldhana; Anthony Nadalin
> Subject: [id-cloud] ID-Cloud Minutes from June 28 2010 Call
> 
> Minutes from Oasis ID-Cloud TC (June 28, 2010)
> 
> 1) Roll Call:
> John Bradley
> Andy Kindred - Acxiom
> John Dilley - Akamai Technologies
> James Ducharme - Aveksa, Inc.
> Paul Lipton - CA*
> Mark Robinton - HID Global
> Heather Hinton - IBM
> Matthew Rutkowski - IBM
> John Bradley - Individual
> Peter Brown - Individual
> Gershon Janssen - Individual
> Michael Stiefel* - Individual
> Thomas Hardjono - M.I.T.
> Dee Schur - OASIS *
> Patrick Harding - Ping Identity Corporation*
> Anil Saldhana - Red Hat
> Bill Becker - SafeNet, Inc.
> Tom Clifford - Symantec Corp.*
> Kyle Austin - TriCipher, Inc.
> Siddharth Bajaj - VeriSign
> Daniel Turissini - WidePoint Corporation
> 
> 2) Approval of the June 14th Minutes
> http://lists.oasis-open.org/archives/id-cloud/201006/msg00036.html
> 
>    Moved: Gershon Janssen.
>    Second: John Bradley.
>    No objections. Minutes approved.
> 
> 
> 3) Discussion of Safe Net Use Cases by Doron Cohen/Bill Baker
> 
> (A) Use-Case #1: Privileged Accounts in the Cloud.
> - Use-Case description: Need more stringent security (eg. auth, audit,
> etc) than normal accounts and in-perimeter accounts.
> 
> - Anil: Q: Can we make this into an infrastructure Privileged Account?
>   + Doron: We need a new set of requirements for cloud service
> (different from traditional in-perimeter infra).
>   + Siddharth: Supports this use-case.
> 
> - John Dilley: Q: Would authN infra for this use-case be different than
> in normal accounts?
>   + Doron: They may have different policies and different back-end
> capabilities. Thus we need this new use-case.
> 
> - John Dilley: We need to create a core set of mechanisms that are
> true/valid across all use-cases (in the Cloud-ID TC).
> 
> - John Bradley: has been looking at Federation metadata (from projects
> in Europe), including issues relating to SAML usage (eg. is SAML secure
> enough). Some accounts in the cloud will need better risk analysis.
> 
> - Patrick: agrees with John Bradley and John Dilley. Has questions
> about federated accounts. What happens if things go wrong (ie. when
> even the privileged accounts/users get locked-out). Need a statement
> how to handle this.
> 
> - Anil: Any assumptions about federated identity and the privileged
> accounts use-case?
>   + Doron: No assumptions. Up to each implementation.
>   + Siddharth: has seen these implemented before.
> 
> 
> (B) Use-Case #2: Enterprise employee accessing cloud services.
> - Use-Case description: Regular employee of Enterprise wants to access
> cloud services.
>   + Want to benefit from SSO
>   + Will require different level of assurance (ie. compared to intra-
> enterprise services)
>   + Will require different sec. requirements and authN policies.
>   + Related to federated provisioning.
>   + Will need to support different form-factors and access methods.
> 
> - Thomas Hardjono: Q: Is the cloud-service part of the Enterprise or is
> it run by a trusted third party (TTP)?
>   + Doron: the latter (ie. TTP).
> 
> - Anil: Suggest to change the title of the use-case.
>   + Doron: agree, but want to focus on extending the (enterprise)
> identity to the cloud.
> 
> 
> (C) Use-Case #3: Consumer scenario.
> - Use-Case description: Want to use a Consumer Identity to access
> different services on the Internet
>   + Instead of using the one-ID per service today.
>   + Want SSO capability.
>   + Has similar requirements (to previous use-case?)
>   + Main twist: Need for privacy and need for user-control over which
> information to disclose.
> 
> - John Dilley: Q: is that ID linked to an enterprise ID?
>   + There is the *why* and the *how* questions.
>   + Is this simply a federated ID use-case?
>   + Each ID (in an environment) typically has an accompanying info
> about that ID. Do we mean to export this info to other/new
> environments?
> 
> - Patrick Harding: If I was a web service, why would I let my user
> authenticate using Google, Yahoo, etc.?
>   + John Bradley: for targeted apps.
> 
> 
> 
> 4) Follow up on the Kerberos In The Cloud Discussion
> - Thomas Hardjono: no update for today, but plan to update the use-case
> doc.
> 
> 5) Other Business
> * Members Reference: Cloud Identity Summit in July
> (http://www.cloudidentitysummit.com/)
> 
> 6) Adjourn
> - Next telecon on 12 July 2010.
> - Moved: Gershon
>  + seconded: John Dilley.
>  + No objections. Meeting adjourned.
> 
> 
> ________
> SoapHub chatroom:
> 
> anonymous2 morphed into Michael Stiefel
> anonymous3 morphed into Doron Cohen
> Doron Cohen morphed into Doron Cohen (SafeNet)
> anonymous morphed into John Dilley (Akamai)
> AnilSaldhana_RedHat: The bridge has toll free numbers for your individual
> countries. That will save you from calling the US.
> AnilSaldhana_RedHat: Doron, thanks for joining in.  It must be late for
> you.
> Peter morphed into Peter F Brown
> anonymous morphed into Jim Ducharme
> Jim Ducharme morphed into Jim Ducharme (Aveksa)
> anonymous1 morphed into Siddharth Bajaj
> Siddharth Bajaj morphed into Siddharth Bajaj (VeriSign)
> anonymous morphed into Benny Koren (Mellanox)
> anonymous morphed into Jason Rouault (HP)
> Heather Hinton (IBM): just joined on the phone
> anonymous morphed into Patrick Harding
> Thomas Hardjono (MIT)1: Notes: Minutes from 14 June 2010 meeting
> approved unanimously. Moved by Gershon Janssen. 2nd by John Bradley.
> John Bradley: Meeting Attendees
> Name - Company - Status
> Andy Kindred - Acxiom - Group Member
> John Dilley - Akamai Technologies - Group Member
> Paul Lipton - CA* - Group Member
> Mark Robinton - HID Global - Group Member
> Heather Hinton - IBM - Group Member
> Matthew Rutkowski - IBM - Group Member
> John Bradley - Individual - Group Member
> Peter Brown - Individual - Group Member
> Gershon Janssen - Individual - Group Member
> Michael Stiefel* - Individual - Group Member
> Thomas Hardjono - M.I.T. - Group Member
> Dee Schur - OASIS * - Group Member
> Patrick Harding - Ping Identity Corporation* - Group Member
> Anil Saldhana - Red Hat - Group Member
> Bill Becker - SafeNet, Inc. - Group Member
> Tom Clifford - Symantec Corp.* - Group Member
> Kyle Austin - TriCipher, Inc. - Group Member
> Siddharth Bajaj - VeriSign - Group Member
> Daniel Turissini - WidePoint Corporation - Group Member
> Jim Ducharme (Aveksa): Please add Jim Ducharme (Aveksa) to the
> attendee list.
> AnilSaldhana_RedHat: John, I usually copy paste into an editor and
> remove the "Group Member"
> Matt Rutkowski (IBM): The case of avoiding use of the same identity
> (token) (e.g. email address) seems new to the discussion as this leads
> to customer risk.  In cloud, it seems a real concern that there is a
> masking to the customer that they are accessing hosted (partner)
> services and that leads to inadvertent release of privacy information
> related to identity and at the worst perception that reuse of passwords
> for the same identity token is acceptable.
> John Bradley: Name - Company
> Andy Kindred - Acxiom
> John Dilley - Akamai Technologies
> James Ducharme - Aveksa, Inc.
> Paul Lipton - CA*
> Mark Robinton - HID Global
> Heather Hinton - IBM
> Matthew Rutkowski - IBM
> John Bradley - Individual
> Peter Brown - Individual
> Gershon Janssen - Individual
> Michael Stiefel* - Individual
> Thomas Hardjono - M.I.T.
> Dee Schur - OASIS *
> Patrick Harding - Ping Identity Corporation*
> Anil Saldhana - Red Hat
> Bill Becker - SafeNet, Inc.
> Tom Clifford - Symantec Corp.*
> Kyle Austin - TriCipher, Inc.
> Siddharth Bajaj - VeriSign
> Daniel Turissini - WidePoint Corporation
> AnilSaldhana_RedHat: I am a bit under the weather. Thanks to everyone for
> bearing my voice.
> ___________________________________
> 
> 