
security-services message


Subject: Re: [security-services] SAML Testing Referral Program Proposal for SSTC Review & 30 Day Feedback - Response to SSTC Feedback


Andy,

I haven't seen an answer to Tony's question about the process going  
forward. If you've replied privately, would you please post the answer  
to the list?

Trustgenix has been a strong supporter of SAML interoperability testing  
in both Liberty and Oasis and of independent certification programs,  
such as the ones run by IEEE for Liberty and by the GSA for the US  
Government. However, we continue to see a fundamental problem with a  
vendor of SAML products running a certification program for other  
vendors of SAML products (their competitors). I don't know of any other  
industry that operates this way.

I finally got a chance to read through your response last night and  
here are some initial comments (by number from your response):

1) You say that Oasis defines the test suite and that changes can't be  
made without a vote, but in the general background info on PingDeploy
it is made clear that it exists independently of Oasis and is owned and  
managed by Ping. I don't understand how both can be true. How does  
Oasis know that PingDeploy implements the test suite specified by  
Oasis, or that it does not favor some implementations over others?

2) The complexity of the attached "Privacy Directive" just reinforces  
the fact that all parties acknowledge a fundamental conflict of  
interest in having a vendor of SAML products run the SAML certification  
program. It raises many more questions than it answers. How can we be  
sure that the Privacy Directive is sufficient or can even be  
implemented successfully?

3) It's that Ping, a vendor of SAML products, would be selected to run  
an Oasis branded SAML certification program that is the problem. As  
noted in (2), the "Privacy Directive" raises more questions than it  
answers.

6) I don't understand this. If this is not an Oasis program, why is  
Oasis involved at all?

7) This seems like something that should be corrected in the CURRENT  
program, not left to future programs.


-Greg

On Apr 21, 2005, at 5:11 PM, Andy Moir wrote:

> SSTC Members:
>
>  
>
> In response to feedback provided from SSTC members to the SAML Testing  
> Referral Program Proposal provided by Ping Identity I have created a  
> summary document that addresses each issue that was raised.
>
>  
>
> Since several of the feedback items focus on confidentiality, Ping has  
> provided a copy of their “Policy Directive—Ping Deploy  
> Confidentiality” document which is referred to in several of the  
> responses.
>
>  
>
> Additionally, I have included the original SAML Testing Referral  
> Program Proposal e-mail for your convenience.  However, due to file  
> size I was not able to include the zip file attachment.  Please refer  
> to the zip file attached in the March 11 e-mail for the Program  
> Proposal documentation.
>
>
>  Andy
>
>  
>
> Andy Moir
>
> OASIS
>
> Director of Business Development
>
> 412-213-0338 Work
>
> 978-761-1648 Cell
>
> andy.moir@oasis-open.org
>
>  
>
>
> -----Original Message-----
> From: Andy Moir [mailto:andy.moir@oasis-open.org]
> Sent: Friday, March 11, 2005 9:17 PM
> To: security-services@lists.oasis-open.org
> Subject: [security-services] SAML Testing Referral Program Proposal  
> for SSTC Review & 30 Day Feedback
>
> SSTC Members:
>
> OASIS Adoption Services are a group of services which help drive  
> global adoption of OASIS Standards via various service offerings.  The  
> OASIS Adoption Services Program is flexible enough to handle the  
> intricacies of working with multiple service providers, standards  
> organizations, and global regions in order to develop fair, equitable,  
> and reasonably priced services that will drive the global adoption of  
> OASIS Standards.
>
>  As part of the OASIS Adoption Services Program, OASIS has created an  
> OASIS Adoption Services Program Referral Service Provider Guideline  
> that allows organizations that have created services or programs  
> related to OASIS Standards to enter into a referral relationship with  
> OASIS. 
>
>  For complete details of the OASIS Adoption Services Program Referral  
> Service Provider Guidelines:
> http://www.oasis-open.org/who/adoption_services.php
>
> In response to the Referral Guideline, Ping Identity has submitted a  
> proposal to OASIS to be considered as a Referral Service Provider for  
> SAML testing.  Per the Referral Guideline, Ping Identity has submitted  
> specific documentation that includes:
> 	• 	Ping Identity Proposal
> 	• 	Appendix A - SAML v1.1 Testing Matrix
> 	• 	Appendix B - PingDeploy SAML v1.1 Conformance and Security Testing  
> Datasheet
> 	• 	Appendix C - Ping Identity SC
> 	• 	Appendix D - Ping Identity Certification Services Agreement
> 	• 	Appendix E - Press Release: Ping Identity Conformance Service for  
> SAML v1.1
>
> Per the Referral Guideline, the technical requirements and business  
> case submitted by the service provider will be shared with the OASIS  
> TC for a 30 day review period. 
>
>  Please send any feedback or questions directly to Andy Moir:   
> andy.moir@oasis-open.org  
>
>  Feedback will be accepted until end of day U.S. ET on Monday, April 11.
>
> Andy
>
> Andy Moir
> Director, Business Development
> OASIS
> 412-213-0338 Work
> 978-761-1648 Cell (New #)
> andy.moir@oasis-open.org
> <Policy Directive--Ping Deploy Confidentiality.pdf>
> <Response to SSTC Feedback on Ping Indentity Referral Program Proposal 2005 04 20.doc>

