id-cloud message

Subject: Minutes of July 9, 2012 IDCloud TC Meeting


1) Roll Call, Agenda Review and Minute Taker Nomination


Attendees:

=============

Company     Name     Role
IBM     David Kern     Voting Member
Microsoft     Anthony Nadalin     Chair
Bank of America     Dominique Nguyen     Voting Member
IBM     Matthew Rutkowski     Secretary
Daon     Cathy Tilton     Voting Member
Microsoft     David Turner     Voting Member
New Zealand Government     Colin Wallis     Member
===========

Quorum was achieved: 6 out of 11 voting members (54%).

2) Approval of the June 25, 2012 Meeting Minutes

Link:

https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html

David Turner moves; Dominique Nguyen seconds. Approved.


3) Gap Analysis Discussion [Gershon]

Gershon could not attend the meeting due to illness.
Discussion is listed in the chat transcript below.

Use cases 15, 17 and 18 were discussed.
Discussion of use case 15 requires the presence of Thomas Hardjono. The members on the call also felt that changes to the Kerberos specifications may be necessary to meet the needs of that use case.

4) Other Business.

5) Adjourn.
Meeting adjourned.



Chat Transcript
========================
anonymous morphed into David Kern
David Kern morphed into David Kern (IBM)
AnilSaldhana(RedHat): dialing in
David Kern (IBM): (listening to the hold music...)
David Turner: And ROCKIN' to it 
David Kern (IBM): (seems to be a cross between jazz and elevator music)
AnilSaldhana(RedHat): ================
AnilSaldhana(RedHat): Agenda

1) Roll Call, Agenda Review and Minute Taker Nomination

2) Approval of the June 25, 2012 Meeting Minutes

3) Gap Analysis Discussion [Gershon]

4) Other Business.

5) Adjourn.
AnilSaldhana(RedHat): =================
AnilSaldhana(RedHat): Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
David Turner: Apparently Tony is bored today 
AnilSaldhana(RedHat): as usual, Tony pranks.  
AnilSaldhana(RedHat): Attendees: Anil, Tony, Dave Kern, David Turner, Matt R
AnilSaldhana(RedHat): Pending use cases for gap analysis are 15, 17 and 18
AnilSaldhana(RedHat): Additional attendee: Dominique
AnilSaldhana(RedHat): Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
AnilSaldhana(RedHat): meeting minutes approved
AnilSaldhana(RedHat): colin joined
anonymous morphed into Colin_NZ
AnilSaldhana(RedHat): Matt:  Kerberos token is exchanged for an access token
David Kern (IBM): 4.15.4.4 - Kerberos is generally used in intranet-type environments, so #2 would be expected to be Kerberos -> SAML IdP, and then the SAML assertion is used to authenticate to the cloud
AnilSaldhana(RedHat): that was kerberos attributes for saml
AnilSaldhana(RedHat): Kerberos based SAML web browser sso: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-browser-sso.html
Matt Rutkowski (IBM): The former approach, would require several technical issues to be addressed.  These include development of global identities for Kerberos (real and pseudonymous), a standard web-layer API for authentication services, Enterprise-to-Cloud trust establishment, a global authorization structure, provisioning of users and credentials to the cloud, and others.
AnilSaldhana(RedHat): Matt refers to gaps identified by the author
AnilSaldhana(RedHat): Cathy Tilton joined
AnilSaldhana(RedHat): Dave Kern: if this was a private cloud, highly relevant
AnilSaldhana(RedHat): Since there are mentions of a public SaaS provider, it applies beyond a tightly controlled cloud infra
anonymous morphed into Cathy Tilton (Daon)
David Kern (IBM): Obvious security risk on #16 - if the application provider accepts assertions for all users from any of a long list of IdPs, then one misbehaving or hacked low-security IdP could compromise users with higher security needs
AnilSaldhana(RedHat): This use case is related to use case 10: Cloud Tenant Administration
Matt Rutkowski (IBM): Use case 17: asks for a std means to configure an External ID Provider (EIP), specifically at an app (or lower) granularity.  This includes perhaps a protocol, along with the data/metadata needed to establish and manage an EIP within a cloud provider
AnilSaldhana(RedHat): From gap analysis doc: Applicable standards: IMI, SPML and SCIM
AnilSaldhana(RedHat): mattR:  trust level exchange
AnilSaldhana(RedHat): mattR: needs to be established
AnilSaldhana(RedHat): mattR: OpenID Connect
AnilSaldhana(RedHat): mattR: profiles: IdP registration
David Kern (IBM): IdP -> SP metadata pull could be fairly simple, but SP->IdP metadata configuration would be much harder, if for no other reason than that identity providers are (or at least should be) tightly controlled.
AnilSaldhana(RedHat): Gap:  There is no standard for configuration
AnilSaldhana(RedHat): mattR: depends on granularity: enterprise level or departmental level granularity
Matt Rutkowski (IBM): on the IdP side yes...
Matt Rutkowski (IBM): on the provider side EIP configuration applies at least to the application level
AnilSaldhana(RedHat): 4.18 Use Case 18: Delegated Identity Provider Configuration
David Kern (IBM): This case seems to suggest an OAuth-style delegated authorization from the tenant administrator to the identity provider for the purposes of IDP<->SP configuration
David Kern (IBM): which raises the question of who watches the watchmen? What does one gain from trying to protect the tenant administrator's credentials for a service from the identity provider that asserts that admin's identity to that service?
AnilSaldhana(RedHat): and then read my comment to that blog entry at the bottom
AnilSaldhana(RedHat): Dominique thinks outsourcing identity services to 3rd party provider may be dangerous
Colin_NZ: Is anyone at CIS in Vail next week?
Dominique Nguyen (Bank of America): good bye
David Kern (IBM): That's one way to end a call... put it on hold and feed them your hold music. 
AnilSaldhana(RedHat): it is called Smarter Planet
================================================================================