
security-services message



Subject: RE: [security-services] New Schedule for SAML 2.0 Standardization


>But "should be" and "is" aren't the same thing. It's not a requirement that
>an OASIS specification (probably a preferable term, only a few bodies can
>create "standards") undergo anything except a vote to CD, public review,
>response, attestations of "use", and submission for final vote (I think
>that's the whole list, I'm sure somebody will correct me).


Agree, just like the conformance, no requirement but a good thing to do, and
given the additional complexity of 2.0 an interop would be perfectly acceptable
for this TC.

>Plus which, how could one argue that it will take more time to just do
>another CD and review cycle than to wait for a formal interop to even get to
>CD? Why wait?


As indicated I think it would be preferable before CD to avoid any major
changes and having to go back to the CD phase but could be done after.
Right now the schedule has no interop listed at all and that is my issue.

>Not saying I agree or disagree, but I would note that most of the pieces in
>their progenitive form have undergone extensive interop testing, in the form
>of Liberty. Yes, there are changes, but it's more testing than SAML 1.0 or
>1.1 got.


Not a Liberty member, but we have implemented Liberty 1.1 and passed the
conformance tests and this is driving the concern for an interop as we had
lots of issues and 1.1 was not that complicated/complex compared to 1.2.

>I think the tone was more "why bring this up now, when we've been planning a
>CD vote for months?"


Running through the specs and playing with an implementation is what drove this
request, late maybe but this is just where I was in my schedule.

Anthony Nadalin | work 512.838.0085 | cell 512.289.4122
"Scott Cantor" <cantor.2@osu.edu>
08/16/2004 02:31 PM

To: Anthony Nadalin/Austin/IBM@IBMUS, "'Eve L. Maler'" <Eve.Maler@Sun.COM>
cc: <security-services@lists.oasis-open.org>
Subject: RE: [security-services] New Schedule for SAML 2.0 Standardization

>Eve, please tell me why it's unnecessary to hold an interop event as it's
>unnecessary to have a lot of things (like conformance suite) but the TC
>does? I don't see an interop on schedule or in any discussions. Providing
>interoperability should be a core aspect of every OASIS standard (as this
>is why we do stds).

But "should be" and "is" aren't the same thing. It's not a requirement that
an OASIS specification (probably a preferable term, only a few bodies can
create "standards") undergo anything except a vote to CD, public review,
response, attestations of "use", and submission for final vote (I think
that's the whole list, I'm sure somebody will correct me).

I don't think you can argue that "formal interop event" is part of the
required process, though you can certainly argue it should be.

Also, I assumed the point of requiring attestations is ostensibly to
demonstrate that the spec has been used in some capacity that demonstrates
basic soundness. And that's a precondition for final submission, not CD
approval, unless I'm confused. We could adopt a stricter requirement as to
what constitutes "use", though I'm not sure it's necessary. SAML 1.x did
well enough without it.

>I for one have no idea about the implementation or interoperability issues
>(or non issues) until an interop is done, so it's hard to vote to take what
>we have to CD.

Why? CD doesn't mean it can't be changed, it just has to go back through
review if there's a problem. Getting to CD allows people to implement with
some confidence that the spec won't radically change unless a problem is
found, leading to...interop testing. Will we get enough people testing if we
don't put a stake in the ground?

Plus which, how could one argue that it will take more time to just do
another CD and review cycle than to wait for a formal interop to even get to
CD? Why wait?

>I think that with all the changes in SAML 2.0 that an interop is perfectly
>appropriate.

Not saying I agree or disagree, but I would note that most of the pieces in
their progenitive form have undergone extensive interop testing, in the form
of Liberty. Yes, there are changes, but it's more testing than SAML 1.0 or
1.1 got.

>Are you also saying that I can't bring this issue up now as time has
>passed?

I think the tone was more "why bring this up now, when we've been planning a
CD vote for months?"

-- Scott

