security-services message


Subject: Use Case & Requirements Doc Strawman 1 Issues List

The Use Case & Requirements Group has boiled down a list of major issues
related to the content of the requirements doc.  We will be working our way
through the issues in groups over the next few weeks, and the purpose of
this message is a sort of 'last call' for your input on the first group
before we attempt to resolve them.  Please direct any relevant comments to
the security-use@lists.oasis-open.org list.  Please try to structure any
comment as a suggested requirement, rather than a suggested implementation.

Here is a list of the primary issues.  The notation directs you to the
related use case from the requirements doc (the first four characters).
These four characters are followed by an issue number and an issue name.

ISSUE[UC-1-01:Shibboleth] Which requirements of the Shibboleth
security system for Internet 2
(http://middleware.internet2.edu/shibboleth/index.shtml) are to be
included? In particular, how to address the requirements for anonymity
and privacy that Shibboleth makes? Should an additional use case
scenario explicitly using Shibboleth be added to the use case and
requirements document?

ISSUE[UC-1-02:ThirdParty] Use case scenario 3 (single sign-on, third
party) describes a scenario in which a Web user logs in to a
particular 3rd-party security provider which returns an authentication
reference that can be used to access multiple destination Web
sites. Is this different from Use case scenario 1 (single sign-on,
pull model)? If not, should it be removed from the use case and
requirements document?

ISSUE[UC-1-03:ThirdPartyDoable] Questions have arisen as to whether use case
scenario 3 is doable with current Web browser technology. An
alternative is using a Microsoft Passport-like architecture or
scenario. What is the difference? Should this be done?

ISSUE[UC-1-04:ARundgrenPush] Anders Rundgren has proposed on
security-use an alternative to use case scenario 2 (single sign-on,
push model). The particular variation is that the source Web site
requests an authorization profile for a resource (e.g., the
credentials necessary to access the resource) before requesting
access. Should this scenario replace the existing use case scenario 2?
Should it be made an additional scenario?

ISSUE[UC-3-01:UserSession] AuthXML includes an entity called a "session"
that is not specified by any of the use cases in Straw Man 1. What is
a session, and what use case scenarios should be developed to specify
the need for sessions and their use?

ISSUE[UC-3-02:ConversationSession] Is the concept of a session between
security authorities separate from the concept of a user session? If
so, should use case scenarios or requirements supporting security
system sessions be supported?

ISSUE[UC-5-01:AuthCProtocol] Straw Man 1 explicitly makes
challenge-response authentication a non-goal. Is specifying which
types of authc are allowed and what protocols they can use necessary
for this document? If so, which types and which protocols?


Darren Platt
Principal Technical Evangelist
Securant Technologies
1 Embarcadero Center, Floor 5
San Francisco, CA 94111
tel - (415) 315-1529
fax - (415) 315-1545
