Subject: Minutes of July 9, 2012 IDCloud TC Meeting
1) Roll Call, Agenda Review and Minute Taker Nomination
=============
Quorum was achieved: 6 out of 11 voting members (54%).

2) Approval of the June 25, 2012 Meeting Minutes
Link:
David Turner moves; Dominique N seconds: Approved.

3) Gap Analysis Discussion [Gershon]
Gershon could not attend the meeting due to illness. Use cases 15, 17 and 18 were discussed.

4) Other Business.

5) Adjourn.
Chat Transcript
========================
anonymous morphed into David Kern
David Kern morphed into David Kern (IBM)
AnilSaldhana(RedHat): dialing in
David Kern (IBM): (listening to the hold music...)
David Turner: And ROCKIN' to it
David Kern (IBM): (seems to be a cross between jazz and elevator music)
AnilSaldhana(RedHat): https://wiki.oasis-open.org/id-cloud/MeetingCallInInformation
AnilSaldhana(RedHat): ================
AnilSaldhana(RedHat): Agenda 1) Roll Call, Agenda Review and Minute Taker Nomination 2) Approval of the June 25, 2012 Meeting Minutes 3) Gap Analysis Discussion [Gershon] 4) Other Business. 5) Adjourn.
AnilSaldhana(RedHat): =================
AnilSaldhana(RedHat): Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
David Turner: Apparently Tony is bored today
AnilSaldhana(RedHat): as usual, Tony pranks.
AnilSaldhana(RedHat): https://www.oasis-open.org/committees/document.php?document_id=46334&wg_abbrev=id-cloud
AnilSaldhana(RedHat): Attendees: Anil, Tony, Dave Kern, David Turner, Matt R
AnilSaldhana(RedHat): Pending use cases for GAP analysis are 15, 17 and 18
AnilSaldhana(RedHat): Use Case Document: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
AnilSaldhana(RedHat): Addtl attendee: Dominique
AnilSaldhana(RedHat): Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
AnilSaldhana(RedHat): meeting minutes approved
AnilSaldhana(RedHat): Use Case 15: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801920
AnilSaldhana(RedHat): colin joined
anonymous morphed into Colin_NZ
AnilSaldhana(RedHat): Matt: Kerberos token is exchanged for an access token
David Kern (IBM): 4.15.4.4 - Kerberos is generally used in intranet-type environments, so #2 would be expected to be Kerberos -> SAML IdP, and then the SAML assertion is used to authenticate to the cloud
AnilSaldhana(RedHat): http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-kerberos.html
AnilSaldhana(RedHat): that was Kerberos attributes for SAML
AnilSaldhana(RedHat): Kerberos based SAML web browser SSO: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-browser-sso.html
Matt Rutkowski (IBM): The former approach would require several technical issues to be addressed. These include development of global identities for Kerberos (real and pseudonymous), a standard web-layer API for authentication services, Enterprise-to-Cloud trust establishment, a global authorization structure, provisioning of users and credentials to the cloud, and others.
AnilSaldhana(RedHat): Matt refers to gaps identified by the author
AnilSaldhana(RedHat): Cathie Tilton joined
AnilSaldhana(RedHat): Dave Kern: if this was a private cloud, highly relevant
AnilSaldhana(RedHat): Since there are mentions of public SaaS provider, it applies beyond a tightly controlled cloud infra
anonymous morphed into Cathy Tilton (Daon)
AnilSaldhana(RedHat): Use case 17: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801930
David Kern (IBM): Obvious security risk on #16 - if the application provider accepts assertions for all users from any of a long list of IdPs, then one misbehaving or hacked low-security IdP could compromise users with higher security needs
AnilSaldhana(RedHat): This use case is related to use case 10: Cloud Tenant Administration
AnilSaldhana(RedHat): Latest gap analysis doc: https://www.oasis-open.org/committees/document.php?document_id=46334&wg_abbrev=id-cloud
Matt Rutkowski (IBM): Use case 17: asks for a std means to configure an External ID Provider (EID), specifically at an app (or lower) granularity. This includes perhaps a protocol, along with the data/metadata needed to establish and manage an EIP within a cloud provider
AnilSaldhana(RedHat): From gap analysis doc: Applicable standards: IMI, SPML and SCIM
AnilSaldhana(RedHat): mattR: trust level exchange
AnilSaldhana(RedHat): mattR: needs to be established
AnilSaldhana(RedHat): mattR: OpenID Connect
AnilSaldhana(RedHat): mattR: profiles: IdP registration
David Kern (IBM): IdP -> SP metadata pull could be fairly simple, but SP->IdP metadata configuration would be much harder, if for no other reason than that identity providers are (or at least should be) tightly controlled.
AnilSaldhana(RedHat): Gap: There is no standard for configuration
AnilSaldhana(RedHat): mattR: depends on granularity: enterprise level or departmental level granularity
Matt Rutkowski (IBM): on the IdP side yes...
Matt Rutkowski (IBM): on the provider side EIP configuration applies at least to the application level
AnilSaldhana(RedHat): 4.18 Use Case 18: Delegated Identity Provider Configuration
David Kern (IBM): This case seems to suggest an OAuth-style delegated authorization from the tenant administrator to the identity provider for the purposes of IDP<->SP configuration
David Kern (IBM): which raises the question of who watches the watchmen? What does one gain from trying to protect the tenant administrator's credentials for a service from the identity provider that asserts that admin's identity to that service?
AnilSaldhana(RedHat): Dominique should look at this blog entry: http://www.okta.com/blog/2012/02/implementing-an-on-premises-identity-management-solution-good-luck-you%E2%80%99ll-need-it/
AnilSaldhana(RedHat): and then read my comment to that blog entry at the bottom
AnilSaldhana(RedHat): Dominique thinks outsourcing identity services to 3rd party provider may be dangerous
Colin_NZ: Is anyone at CIS in Vail next week?
Dominique Nguyen (Bank of America): good bye
David Kern (IBM): That's one way to end a call... put it on hold and feed them your hold music.
AnilSaldhana(RedHat): it is called Smarter Planet