

Subject: Re: Fwd: [id-cloud] Groups - Cloud use cases (id-cloud-use-cases-draft-01l.doc)uploaded




Anil,


I think that we should avoid people directly adding use cases before they are reviewed during a meeting for comment.  Additionally, I would suggest only editors perform changes or persons the editors grant "the pen" to on the official OASIS preliminary drafts.  

Of concern in this case is that we now have a use case that seems to endorse a specific security framework/model:

"Toward that end, TSCP has developed a technical specification that uses identity federation technology to provide access to shared resources.  This specification is known as Document Sharing via Identity Federation (DSIF).  DSIF is a cloud-computing model which is predicated upon the notion that TSCP members gain access to electronic resources shared among the various members and other service providers.  TSCP members agree to adhere to the internally defined Common Operating Rules, which include terms for identity federation governance."

Even with Kerberos, we were careful to discuss the need for "profiles" that describe how our more generic use cases COULD be implemented.  From my point of view, this is less of a cloud identity use case than an injection of a specific methodology and architecture (which at this point is opaque to me).

Where TSCP lists:
Share Information Beyond Organizational Boundaries - Allows users to easily and securely access documents that are housed in multiple security domains within an enterprise or across multiple organizations, and across international boundaries such that different regulatory policies (e.g. privacy) and national security policies must be simultaneously enforced.
Reduction in Costs Related to Credential Management – Identity federation allows for authentication token reuse, resulting in reduced costs to application owners and simplification of authentication token management for end users.
Increase Identity Assurance of End Users – Identity federation, as defined by DSIF v1, provides a common framework across the aerospace and defense sector for establishing the appropriate level of identity assurance to be used when remotely accessing specific categories of information on electronic systems.
Reduce Sign On End User Experience – Identity Federation allows the end user to enter credentials fewer times in the process of accessing and completing their work tasks.
Improved Security through the use of strong, vetted, two-factor authentication, mapping to NIST 800-63 identity assurance levels, and reflecting changes to credentials immediately across the federated trust.

I see potential "use cases" that are suitable for inclusion in our TC document, but instead I see top-level requirements on security, that have ready made solutions within a TSCP framework.  We have already had a discussion that defining a security framework goes beyond our charter and referencing a ready made one goes even beyond that.

When I read the TSCP requirements above, I see general use cases for:

In light of this, I would ask that we remove the TSCP section as a "use case" and instead leave it apart, until it can be reviewed/commented upon and turned into purely use cases with reliance on TSCP framework references reduced.  The previous draft has outstanding edits due for comments provided on our official review call that will affect our F2F discussion on our "template" for use cases which I hoped to work on this weekend.  Please permit me to restore the draft to its previous version for making these edits for our scheduled F2F review and table the TSCP use case(s) for separate review later in the day.

Kind regards,
Matt



Anil Saldhana <Anil.Saldhana@redhat.com>
09/22/2010 10:36 PM

To: "Tolbert, John W" <john.w.tolbert@boeing.com>
cc: "id-cloud@lists.oasis-open.org" <id-cloud@lists.oasis-open.org>
Subject: Re: Fwd: [id-cloud] Groups - Cloud use cases (id-cloud-use-cases-draft-01l.doc)uploaded





  John,
  many thanks.

The document is reflected in the wiki page:
http://wiki.oasis-open.org/id-cloud/MemberSubmissions

Regards,
Anil

On 09/22/2010 08:25 PM, Tolbert, John W wrote:
>
>
> -----Original Message-----
> From: Anil Saldhana [mailto:Anil.Saldhana@redhat.com]
> Sent: Wednesday, September 22, 2010 6:19 PM
> To: id-cloud@lists.oasis-open.org
> Subject: Re: Fwd: [id-cloud] Groups - Cloud use cases (id-cloud-use-cases-draft-01l.doc)uploaded
>
>    John,
>     I am wondering if you can put your use case in a separate document (Doc or PDF) and send it to the list.
>
> Since the use case document may get edits, I would like your original submission be available as-is for the future.
>
> Regards,
> Anil
>
> On 09/22/2010 06:15 PM, anil.saldhana@redhat.com wrote:
>> Thanks John for Boeing's use cases.
>>
>> See you at f2f.
>>
>>
>> Begin forwarded message:
>>
>>> From: john.w.tolbert@boeing.com
>>> Date: September 22, 2010 2:55:39 PM CDT
>>> To: id-cloud@lists.oasis-open.org
>>> Subject: [id-cloud] Groups - Cloud use cases
>>> (id-cloud-use-cases-draft-01l.doc) uploaded
>>>
>>> The document named Cloud use cases (id-cloud-use-cases-draft-01l.doc)
>>> has been submitted by Mr. John Tolbert to the OASIS Identity in the
>>> Cloud TC document repository.
>>>
>>> Document Description:
>>> Revision"L", including TSCP use case (section 2.14)
>>>
>>> View Document Details:
>>> http://www.oasis-open.org/committees/document.php?document_id=39506
>>>
>>> Download Document:
>>> http://www.oasis-open.org/committees/download.php/39506/id-cloud-use-cases-draft-01l.doc
>>>
>>>
>>> PLEASE NOTE:  If the above links do not work for you, your email
>>> application may be breaking the link into two pieces.  You may be
>>> able to copy and paste the entire link address into the address field of your web browser.
>>>
>>> -OASIS Open Administration
