Subject: RE: [id-cloud] Corrected Minutes of July 9, 2012 IDCloud TC Meeting
----------------------------------------
DRAFT MINUTES
OASIS IDCloud TC Meeting
09 July 2012, 02:00pm to 03:00pm ET
----------------------------------------

Member status changes after 09 July 2012 meeting:
Lost voting rights: None.
Gained voting rights: Colin Wallis
Now: 12 voting members in TC.

Scribe: Anil Saldhana

1) Roll Call, Agenda Review and Minute Taker Nomination

Attendees:
=============
Company                 Name                Role
IBM                     David Kern          Voting Member
Microsoft               Anthony Nadalin     Chair
Bank of America         Dominique Nguyen    Voting Member
IBM                     Matthew Rutkowski   Secretary
Daon                    Cathy Tilton        Voting Member
Microsoft               David Turner        Voting Member
New Zealand Government  Colin Wallis        Member
Red Hat                 Anil Saldhana       Chair
===========

Quorum was achieved: 7 out of 11 voting members (63%).

2) Approval of the June 25, 2012 Meeting Minutes
Link: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
David Turner moves; Dominique N seconds: Approved.

3) Gap Analysis Discussion [Gershon]
Gershon could not attend the meeting due to illness. Discussion is listed in the chat transcript below.
Use cases 15, 17 and 18 were discussed. Use case 15 requires the presence of Thomas Hardjono. Also the members on the call felt that there may be a necessity to make changes to the Kerberos specifications to meet the use case needs.

4) Other Business.

5) Adjourn.
Adjourned.

Chat Transcript
========================
AnilSaldhana(RedHat): https://wiki.oasis-open.org/id-cloud/MeetingCallInInformation
AnilSaldhana(RedHat): ================
AnilSaldhana(RedHat): Agenda
1) Roll Call, Agenda Review and Minute Taker Nomination
2) Approval of the June 25, 2012 Meeting Minutes
3) Gap Analysis Discussion [Gershon]
4) Other Business.
5) Adjourn.
AnilSaldhana(RedHat): =================
AnilSaldhana(RedHat): Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
David Turner: Apparently Tony is bored today
AnilSaldhana(RedHat): as usual, Tony pranks.
AnilSaldhana(RedHat): https://www.oasis-open.org/committees/document.php?document_id=46334&wg_abbrev=id-cloud
AnilSaldhana(RedHat): Attendees: Anil, Tony, Dave Kern, David Turner, Matt R
AnilSaldhana(RedHat): Pending use cases for GAP analysis are 15, 17 and 18
AnilSaldhana(RedHat): Use Case Document: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
AnilSaldhana(RedHat): Addtl attendee: Dominique
AnilSaldhana(RedHat): Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
AnilSaldhana(RedHat): meeting minutes approved
AnilSaldhana(RedHat): Use Case 15: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801920
AnilSaldhana(RedHat): Colin joined
anonymous morphed into Colin_NZ
AnilSaldhana(RedHat): Matt: Kerberos token is exchanged for an access token
David Kern (IBM): 4.15.4.4 - Kerberos is generally used in intranet-type environments, so #2 would be expected to be Kerberos -> SAML IdP, and then the SAML assertion is used to authenticate to the cloud
AnilSaldhana(RedHat): http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-kerberos.html
AnilSaldhana(RedHat): that was Kerberos attributes for SAML
AnilSaldhana(RedHat): Kerberos based SAML web browser SSO: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-browser-sso.html
Matt Rutkowski (IBM): The former approach would require several technical issues to be addressed. These include development of global identities for Kerberos (real and pseudonymous), a standard web-layer API for authentication services, Enterprise-to-Cloud trust establishment, a global authorization structure, provisioning of users and credentials to the cloud, and others.
AnilSaldhana(RedHat): Matt refers to gaps identified by the author
AnilSaldhana(RedHat): Cathy Tilton joined
AnilSaldhana(RedHat): Dave Kern: if this was a private cloud, highly relevant
AnilSaldhana(RedHat): Since there are mentions of public SaaS provider, it applies beyond a tightly controlled cloud infra
anonymous morphed into Cathy Tilton (Daon)
AnilSaldhana(RedHat): Use case 17: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801930
David Kern (IBM): Obvious security risk on #16 - if the application provider accepts assertions for all users from any of a long list of IdPs, then one misbehaving or hacked low-security IdP could compromise users with higher security needs
AnilSaldhana(RedHat): This use case is related to use case 10: Cloud Tenant Administration
AnilSaldhana(RedHat): Latest gap analysis doc: https://www.oasis-open.org/committees/document.php?document_id=46334&wg_abbrev=id-cloud
Matt Rutkowski (IBM): Use case 17 asks for a std means to configure an External ID Provider (EID), specifically at an app (or lower) granularity. This includes perhaps a protocol, along with the data/metadata needed to establish and manage an EIP within a cloud provider
AnilSaldhana(RedHat): From gap analysis doc: Applicable standards: IMI, SPML and SCIM
AnilSaldhana(RedHat): mattR: trust level exchange
AnilSaldhana(RedHat): mattR: needs to be established
AnilSaldhana(RedHat): mattR: OpenID Connect
AnilSaldhana(RedHat): mattR: profiles: IdP registration
David Kern (IBM): IdP -> SP metadata pull could be fairly simple, but SP -> IdP metadata configuration would be much harder, if for no other reason than that identity providers are (or at least should be) tightly controlled.
AnilSaldhana(RedHat): Gap: There is no standard for configuration
AnilSaldhana(RedHat): mattR: depends on granularity: enterprise level or departmental level granularity
Matt Rutkowski (IBM): on the IdP side yes...
Matt Rutkowski (IBM): on the provider side EIP configuration applies at least to the application level
AnilSaldhana(RedHat): 4.18 Use Case 18: Delegated Identity Provider Configuration
David Kern (IBM): This case seems to suggest an OAuth-style delegated authorization from the tenant administrator to the identity provider for the purposes of IDP<->SP configuration
David Kern (IBM): which raises the question of who watches the watchmen? What does one gain from trying to protect the tenant administrator's credentials for a service from the identity provider that asserts that admin's identity to that service?
AnilSaldhana(RedHat): Dominique should look at this blog entry: http://www.okta.com/blog/2012/02/implementing-an-on-premises-identity-management-solution-good-luck-you%E2%80%99ll-need-it/
AnilSaldhana(RedHat): and then read my comment to that blog entry at the bottom
AnilSaldhana(RedHat): Dominique thinks outsourcing identity services to 3rd party provider may be dangerous
Colin_NZ: Is anyone at CIS in Vail next week?
Dominique Nguyen (Bank of America): good bye
David Kern (IBM): That's one way to end a call... put it on hold and feed them your hold music.
AnilSaldhana(RedHat): it is called Smarter Planet
================================================================================