OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-services message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]

Subject: Project Moonshot

> 6. Assorted threads on saml-dev/comment list:
>      - Trust in artifact resolution
> Scott notes that the topic is about using SAML in a Radius type  
> interaction. Scott will ask for this to be shared on SSTC list.

Apologies for missing the call, I had some car issues.

There is some context that I should provide. JANET is currently in the  
process of starting up a new project that is intended to apply SAML in  
some rather novel ways. There are two basic use-cases we want to  

  1. 'Beyond Web SSO': how can we bring the benefits of SAML-based  
federated identity to applications other than Web SSO. We have some  
customers who are interested in, for example, the use of SAML-based  
identity within the SSH, SCP, SCP and NFS protocols so that they might  
federate High Performance Computing facilities in different  
Institutions (primarily for Business Continuity and Disaster Recovery,  
but also for HPC-as-a-service). We think there is likely to be  
interest in this capability in other sectors, for example software-as- 
a-service, 'cloud' services, and so forth.

  2. 'Scaleable Trust': Now that we have federated all of these non- 
web services, how do we manage trust in the resulting SAML system that  
might be comprised of at least 10^5-10^6 entities?

As the name and use-cases indicate, this is a fairly ambitious  
proposal. As due diligence, we asked Sam Hartman to perform an  
independent /technical/ feasibility study of our proposed approach.  
You can read about this here:


Sam's conclusion was that it is technically feasible. We are now  
trying to understand the acceptability of the proposal to the  
communities where most of the work would need to take place (IETF and  

To this end, we are intending to hold a Bar BOF at IETF 78 in a few  
weeks time. Before that (within the next three weeks) we will be  
releasing a paper describing the use-cases and proposed architecture,  
and the first set of draft specifications.

The first set of specs will be split between IETF and SSTC. To SSTC,  
we wish to bring a new binding (the 'SAML RADIUS Binding') and a new  
SSO profile (which I humorously refer to as the 'SAML Single SSO  
Profile', but which currently labors under the name of 'SAML EAP  
Profile'). These are intended to satisfy the 'Beyond Web SSO' use-cases.

We also believe that these /same/ specs will mostly address the  
'Scaleable Trust' use-case, with the application of some hard-to- 
summarise profiling. However, this requires some tricky profiling, so  
this work will lag behind the initial set of specs.

Sam will be delivering a final recommendation to JANET at the start of  
April, which will inform our strategy going forwards. If we decide to  
take this work forwards, we will continue developing these  
specifications and implement these over the period April 2010 - August  

We have no web presence beyond Sam's post (for JANET this is formally  
a feasibility analysis phase), although we do have a mailing list  
where you are very welcome to join us.


I was intending to ask the SSTC chairs if we could spend some time on  
a call during March or April to discuss this project.

best regards, josh.

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]