Subject: MINUTES OASIS IDCloud TC Meeting 23 July 2012


----------------------------------------

DRAFT MINUTES

OASIS IDCloud TC Meeting

23 July 2012, 02:00pm to 03:00pm ET

----------------------------------------

 

Member status changes after 23 July 2012 meeting:

 

Lost voting rights:

None.

 

Gained voting rights:

None.

 

Now: 12 voting members in TC.

 

 

Scribe: Gershon Janssen

 

1. Roll Call and Agenda Review

 

Name                  Status

----                  ------

Anil Saldhana         Member

Anthony Nadalin       Member

Gershon Janssen       Member

David Turner          Member

Thomas Hardjono       Member

Roger Bass            Member

Cathy Tilton          Member

Colin Wallis          Member

Matthew Rutkowski     Member

David Kern            Member

 

Observers:

None.

 

10 people joined the meeting.

 

LoA:

Dominique on Leave of Absence.

 

This meeting quorates.

 

No changes to the proposed agenda.

 

 

2. Approval of 9 July 2012 Meeting Minutes

https://lists.oasis-open.org/archives/id-cloud/201207/msg00005.html

 

Roger moves to approve the minutes; Cathy T. seconds. No discussion. Motion carries.

Meeting minutes approved.

 

 

3. Gap Analysis Roadmap

- When do we send the document for first public review?

Gershon's suggestion: push out the final document this week so the TC can review it. At the 06/Aug TC meeting, talk through the document and after that publish it for Public Review.

 

 

4. Gap Analysis Discussion

Use Case 15: URL: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801920

Matt:

- Kerberos token is exchanged for an access token

 

David Kern:

- 4.15.4.4 - Kerberos is generally used in intranet-type environments, so #2 would be expected to be Kerberos -> SAML IdP, and then the SAML assertion is used to authenticate to the cloud

 

Anil:

- http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-kerberos.html

- That was Kerberos attributes for SAML.

- Kerberos-based SAML web browser SSO: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-browser-sso.html

 

Matt:

- The former approach would require several technical issues to be addressed. These include development of global identities for Kerberos (real and pseudonymous), a standard web-layer API for authentication services, Enterprise-to-Cloud trust establishment, a global authorization structure, provisioning of users and credentials to the cloud, and others.

 

Anil:

- Matt refers to gaps identified by the author; since there are mentions of a public SaaS provider, it applies beyond a tightly controlled cloud infra.

- Output of last TC meeting wrt Kerberos based use case.

 

Q. Progress in standards for Kerberos?

Opinion was: the use case identifies gaps that exist in the Kerberos world for application environments.

 

Thomas H:

- Yes; Kerberos has an enterprise focus.

- Private cloud is easiest; hybrid cloud is more difficult; enterprises wishing to partition their network for employees and external customers use existing infrastructure to cater for outside customers to come in.

- Standards work posted by Anil covers all the developments. One of the Web Services specs is being updated (WSKerberosTokenProfile).

 

Anil:

- Job is to identify the gaps for widespread use of Kerberos in the scenarios mentioned, both outbound and inbound.

 

Roger:

- Scenario where a Kerberos-based service powers an OAuth interface?

 

Thomas H:

- OAuth 2.0 token?

- In the Kerberos community, there is some discussion about using a Kerberos ticket as a bearer token for OAuth.

- One: cloud AuthN using Kerberos, get an OAuth token in return. That is the analogy with the browser SSO profile, where the SAML assertion is the bearer token.

- This is all inbound.

- Most machines out there used by mom and dad (so Windows) have Kerberos clients being built into them, but they are not really being used.

 

Roger:

- Seems a shame it's not being used; why?

 

Thomas H:

- It is a user experience problem: typing a password into a web form over SSL versus typing a password into a separate Kerberos authN box.

- Another solution from the Kerberos working group: implement a Kerberos client in JavaScript.

- This is a recent discussion.

- Scenario: KDC behind a web server in the cloud. When the user hits this web server, a full Kerberos client is downloaded in JavaScript to the client's browser. The Kerberos client runs in the client browser, opaque to the user.

- This is dependent on whether or not the new W3C standardization effort for crypto libs makes an impact on the browser community.

- For this to work, all browsers need the same set of crypto APIs.

- This is a technology GAP.

- Scenario 1: same technology to do this; Kerberos browser SSO.

 

5. Other Business

Next meeting in two weeks @ 06/Aug.

 

 

6. Adjourn

Meeting adjourned.
