Subject: RE: Welcome to security-leaders
Since you asked for a reply: this sounds good to me. I think we are going to have to do quite a bit of shuffling around of stuff, since the Core assertions and use cases are strongly connected. Essentially I think the use cases need to contain three separate pieces of data: 1) use scenarios, 2) abstract requirements derived from the use scenarios, and 3) examples of using the spec to meet the use scenarios.

It may be useful to distinguish between abstract requirements and constraints, since a large number of constraints of the web environment can be stated concisely as a series of facts:

* Web browsers support limited means for maintaining state between requests
* All web browsers support encoding of state in URLs
  * the maximum limit on the length of a URL is in practice 1024 bytes
* Most browsers support cookies
  * the maximum size of a cookie is 4096 bytes???
  * cookies may be ephemeral, being bound to a particular browser instance, and will not be stored on disk
  * cookies may be persistent; these will be stored on disk but users MAY delete them
  * transfer of cookies from one domain to another is subject to constraints
* Public key cryptography is relatively slow
  * Using digital signatures for authentication is compute intensive
* Message Authentication Codes are fast but limited
  * require symmetric keys to be established out of band
  * cannot support non-repudiation
* Communication restrictions may exist
  * firewalls
  * issuing server may not want to issue assertion to client directly

and so on... These can then be re-used in other specs.

Phillip Hallam-Baker
Principal Scientist
VeriSign Inc.
pbaker@verisign.com
781 245 6996 x227

> -----Original Message-----
> From: Eve L. Maler [mailto:eve.maler@east.sun.com]
> Sent: Friday, February 16, 2001 11:09 AM
> To: security-leaders@lists.oasis-open.org
> Subject: Welcome to security-leaders
>
> Hi folks-- This list replaces the old security-editors list. I'd like us to conduct planning discussions here (such as how to structure the F2F agenda, planning "leaders-only" telecons, etc.). For now, I would like people to respond to my mail of yesterday if they haven't already responded to me privately:
>
> ====
> In the next telecon, I will be asking for motions to name the spec, and I will propose to consider them in order of apparent popularity given the poll results. If the top contender has majority support, it will win. Then all attempts to discuss it will be ruled out of order.
>
> On the matter of what we should be spending our time on, I'd like to ask the subgroup leaders to take up Strawman #2 with their groups, and provide feedback to the use-case group as soon as possible. What requirements are missing? What requirements are too implementation-focused? What requirements should be out of scope? I'd like the "technical theme" of the next telecon to be requirements, with Darren giving a report on the substance of the strawman and the other subgroups giving a report on their reactions.
>
> Since we haven't really used this list for leader communications yet, I would appreciate it if I could hear back from all the subgroup leaders with their thoughts on this approach.
> ====
>
> Eve
> --
> Eve Maler +1 781 442 3190
> Sun Microsystems XML Technology Center eve.maler @ east.sun.com