[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: MINUTES OASIS IDCloud TC Meeting 23 July 2012
----------------------------------------
DRAFT MINUTES
OASIS IDCloud TC Meeting
23 July 2012, 02:00pm to 03:00pm ET
----------------------------------------

Member status changes after 23 July 2012 meeting:
Lost voting rights: None.
Gained voting rights: None.
Now: 12 voting members in TC.

Scribe: Gershon Janssen

1. Roll Call and Agenda Review

Name                Status
----                ------
Anil Saldhana       Member
Anthony Nadalin     Member
Gershon Janssen     Member
David Turner        Member
Thomas Hardjono     Member
Roger Bass          Member
Cathy Tilton        Member
Colin Wallis        Member
Matthew Rutkowski   Member
David Kern          Member

Observers: None.

10 people joined the meeting.
LoA: Dominique on Leave of Absence.
This meeting quorates.

No changes to the proposed agenda.

2. Approval of 9 July 2012 Meeting Minutes

https://lists.oasis-open.org/archives/id-cloud/201207/msg00005.html

Roger moves to approve the minutes; Cathy T. seconds. No discussion. Motion carries. Meeting minutes approved.

3. Gap Analysis Roadmap

- When do we send the document for first public review?

Gershon's suggestion: push out the final document this week. TC can review. At the 06/Aug TC meeting, talk through the document and after that publish it for Public Review.

4. Gap Analysis Discussion

Use Case 15:
URL: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801920

Matt:
- Kerberos token is exchanged for an access token

David Kern:
- 4.15.4.4 - Kerberos is generally used in intranet-type environments, so #2 would be expected to be Kerberos -> SAML IdP, and then the SAML assertion is used to authenticate to the cloud

Anil:
- http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-kerberos.html - that was Kerberos attributes for SAML
- Kerberos-based SAML web browser SSO: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-browser-sso.html

Matt:
- The former approach would require several technical issues to be addressed. These include development of global identities for Kerberos (real and pseudonymous), a standard web-layer API for authentication services, Enterprise-to-Cloud trust establishment, a global authorization structure, provisioning of users and credentials to the cloud, and others.

Anil:
- Matt refers to gaps identified by the author; since there are mentions of a public SaaS provider, it applies beyond a tightly controlled cloud infra
- Output of last TC meeting wrt the Kerberos-based use case. Q: progress in standards for Kerberos? Opinion was: the use case identifies gaps that exist in the Kerberos world for application environments

Thomas H:
- Yes; Kerberos has an enterprise focus.
- Private cloud is easiest; hybrid cloud is more difficult; enterprises wishing to partition their network for employees and external customers use existing infrastructure to cater for outside customers to come in.
- Standards work posted by Anil covers all the developments. One of the Web Services specs is being updated (WSKerberosTokenProfile).

Anil:
- Job to identify the gaps for widespread use of Kerberos in the scenarios mentioned, both outbound and inbound

Roger:
- Scenario where a Kerberos-based service is powering an OAuth interface?

Thomas H:
- OAuth 2.0 token?
- In the Kerberos community, some discussion about using a Kerberos ticket as a bearer token for OAuth.
- One cloud AuthN using Kerberos, get an OAuth token in return. That is the analogy with the browser SSO profile, where the SAML assertion is the bearer token.
- This is all inbound.
- Most machines out there used by mom and dad (so Windows), Kerberos clients are being built into them, but not really being used.

Roger:
- Seems a shame it's not being used; why?

Thomas H:
- It is a user experience problem. Typing a password in a website in a form over SSL versus typing a password in a separate Kerberos authN box.
- Another solution from the Kerberos working group: implement a Kerberos client in JavaScript.
- This is a recent discussion
- Scenario: KDC behind a web server in the cloud. When the user hits this web server, a full Kerberos client is downloaded in JavaScript to the client's browser. The Kerberos client is running in the client browser, opaque to the user.
- This is dependent on whether or not the new W3C standardization effort for crypto libs makes an impact on the browser community.
- For this to work all browsers need the same set of crypto APIs.
- This is a technology GAP.
- Scenario 1: same technology to do this; Kerberos browser SSO

5. Other Business

Next meeting in two weeks @ 06/Aug.

6. Adjourn

Meeting adjourned.