RE: [saml-dev] SAML, trust and WS.

["Scott Cantor" <cantor.2@osu.edu>]

> I doubly thank you for this document. This is indeed one of the big
> problems I have had in the healthcare standards world (IHE). 
> For me all of these network transactions need to be based on standards 
> that can be pre-coordinated to some extent.

I know, but this is probably not that document. It's not a standard, and I
rather doubt it's going to be a standard. That is precisely why I wrote it,
in some sense, to figure out what the interesting pieces might be.

As I've said on many occasions, there isn't really anything in there that
you can't do interoperably with Liberty WSF today, though 2.0 will be a bit
cleaner at it. You cannot do it interoperably with anything else, and I
still stand behind that. But so far, I keep hearing that Liberty's too hard
(I'd hate to think what that makes WS-*), so this was sort of an attempt to
tease out what the LCD might be and then try and map that back to what's
available.

> How can I help in the development of your document? When do you think it
> will be done?

I have no "standing" to produce such a document for anybody but the
Shibboleth project. I hesitated before I posted that link, because I knew
this was exactly what would happen. That says more about the state of things
than it does anything good about that rather simplistic document.

Obviously, I'm a SAML TC member, but other than a fairly small piece,
there's no active effort to push any of that stuff into an OASIS-published
profile. I suppose one response I might give is to say that OASIS is really
ours, if we're members. If people want the TC to do something, the quickest
way is to join and vote for it.

Where Shibboleth is concerned, I can't tell you exactly what will happen. I
know people want us to "solve" a problem, but that problem is different for
every developer who looks at it, which is why it's been so difficult to know
what to do. I think we have to find a set of specifications that isn't a
moving target and try and build something simple on top of it. I still like
to think I can get a decent amount of that out of WSF, but I don't know.

But if you're asking me if I think that document has a future by itself, no,
I doubt it. I think some of it is stuff that I may be able to get from WSF,
and some small bits may end up as a SAML profile, and maybe the rest will be
implemented as an experiment, but only by one product (mine). To me, it's a
win if that document disappears entirely, because it means there's something
else solving the problem.

> I suspect that I won't have solutions for all of the above use-case, nor
> some of my other use-cases not described here. It is good to see someone
> working on these real-world scenarios.

I appreciate the support. I guess it's worth something if people think those
are real world scenarios, since part of the point was to determine exactly
that, whether a reasonable set of problems could be solved with something
that specific.

-- Scott