
security-services message


Subject: RE: [security-services] Discussion of Future Work of the SSTC


Your suggested work items are good and will be added to the list. I
would like to comment on one specific portion of your message.

> I'm surprised we are even debating the issue.  If this standard is to become
> ubiquitous, as I'm sure we all want it to be, it needs to be
> and
> refreshed as time goes on. Example: Do we really know, today, how a
> Web 2.0 implementation might give rise to modified approaches in SAML

In 2005 OASIS changed its IPR Policy so as to require participants and
contributors to commit in advance to offer specified licensing terms for
IP which is essential to implementing a given specification.

Obviously it is impossible to require non-participants to do anything.
In general in standards development it is desirable to have the key
players participate, both to make technical contributions and to
accelerate adoption. The desire for IPR commitments adds another reason,
as these are the organizations which are most likely to have IPR in the
relevant area.

However it is unreasonable to expect large organizations to commit in
advance to give away technology potentially worth millions of dollars
without any clear statement of the scope of that commitment. The current
SAML Charter says in part: 

"The purpose of the TC is to define, enhance, and maintain a standard
XML-based framework for creating and exchanging authentication and
authorization information."

The Scope section of the charter refers only to SAML 2.0 work. There is
no mention of post 2.0 work. I think it is reasonable for one to take
the view that this needs to be tightened up.

The current thinking of the OASIS Board (as embodied in the TC Process
and IPR Policy) is that TCs should be chartered to do specific work.
This is similar to the philosophy of organizations like the W3C and the
IETF. It is different from organizations like ITU-T and ISO, where
committees have a continuing responsibility for evolving technology in a
general area.

In the SSTC we must at a minimum define what we are doing post SAML 2.0.
Since some members have expressed a desire to see a more precisely
defined charter and may be willing to make an issue of it in IPR
Transition, the chairs are trying to see if we can develop a consensus
around what the Charter should say, so that IP contributors will know
what they are agreeing to and yet we still have the flexibility we need
to respond to external events affecting the use of SAML.

