RE: [security-services] Re: comments re draft-sstc-metadata-iop-02

["Scott Cantor" <cantor.2@osu.edu>]

> Are you referring to Holder-of-Key Web Browser SSO?

Yes.

> That profile is
> clearly and correctly characterized as an adjunct to Web Browser SSO,
> so there is no mistaking its scope and intent.

It's still much more of a niche profile than this one is, but I'm not
arguing that it needs to be characterized differently.

> The Metadata
> Interoperability Profile (IOP) is not so easily categorized, however.
> The IOP does not characterize itself as being applicable to a
> particular use case or community, so by default it must be applicable
> to everyone.  Therein lies my objection.

It *is* applicable to everyone. There is absolutely no reason why the
TeraGrid, or any other user of SAML metadata, can't use it. It is quite
usable with all the SAML profiles I know of that rely on metadata, and it
works perfectly well for communities that insist on using PKI all over the
place. It just doesn't expose the other communities they might want to
federate with to that PKI, which is a big reason for doing it this way.

That doesn't mean everyone has to use it, but that's true of every SAML
profile.

> I think that's a laudable goal, and I support it.  However, I claim
> that the profile as written does not identify the communities to which
> it applies.

It would be impossible to do so, since it can in fact apply to just about
anybody. Showing that some communities do different things doesn't speak to
whether they could (at a purely technical level) do something else if they
chose to.

> I would rather not leave that interpretation as an
> exercise to the reader.  What I'm trying to avoid is the following
> thought pattern on the part of the reader: "Community A makes use of
> SAML metadata but that usage does not conform to IOP so Community A
> metadata is not an interoperable use of SAML metadata."

That's a different issue. I actually happen to believe that that's true as
it stands today. But I'm satisfied to leave that out of the text (which I
have, apart from the title).

> AFAICT, the IOP appears to be a profile designed to accompany SAML Web
> Browser SSO. Certainly that is the historical basis for its existence.

No, not really. Perhaps because that's the historical basis for SAML's own
existence.

> So why not characterize it as such?  Is what you've
> written a SAML V2.0 Metadata Interoperability Profile for Web Browser
> SSO?

There's nothing in it that has any dependency on the profile(s) being
implemented. It is exactly what the title says...*a* profile for metadata
interoperability (as opposed to the "only" profile for that, though it's the
only one I've ever seen).

Anyway, at this particular moment, I haven't come up with any good alternate
names that don't sound awkward, so rather than waste my time on it, I'll
leave the floor open. But I would object to something with "higher ed" in
it, because this isn't specific to one community. The title should reflect
some technical aspect of the profile.

-- Scott