security-services message



Subject: SAML and serializations (was) Proposed Agenda for SSTC Telecon (7 August 2012)


Thanks for the invitation to visit with the TC this week.  And thank
you to Thomas, Anil, Abbie and John for some formative conversations
on the topic, some live in Burlington last month.

Various clusters of folks have been talking about alternate
serializations and representations of SAML for a while, now.  As you
probably know, our XACML TC is working on a REST profile and JSON
representation:
https://wiki.oasis-open.org/xacml/RestProfileRequirements

Should SAML do the same thing?

I was just finishing some chats about that in July -- more about
technology, than standards politics -- when the latest round of blog
buzz cropped up.  Craig Burton, now at Kuppinger Cole, got the OpenID
folks at the Denver cloud identity summit excited, with a "SAML is
Dead" speech.  A bunch of other bloggers jumped in to defend SAML, or
agree with Craig, or make other comments.  Peter Williams had his own
take on the OpenID-general list.  Jonathan Sander contributed both a
blog (http://identitysander.wordpress.com/2012/07/31/saml-joins-the-it-zombie-legions/)
and infographic (pic.twitter.com/2sKNfjfK).

Meanwhile, various OAuth proponents are firing shots at each other and
their own project, as IETF met.
(http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/)
(http://www.thread-safe.com/2012/07/the-oauth-2-sky-is-not-falling.html)
And so on.

Maybe it's something in the water?  Silly season in standards land?
August used to be a slow month.  Now we have F2F weeks from Ping,
IETF, Gartner, NSTIC all in a row.   When you're living in airport
hotels for a month straight, maybe there's just not a lot to do at
night, other than tweet smack.

OASIS usually doesn't rise to troll bait.  At industry events, I do
get asked sometimes what "we" think about the stack of SAML-like stuff
working its way through IETF.  Generally, my answer is one of these:

  --  There is no we.  This is OASIS; we don't do hive minds.  Ask our members.
  --  Specifically, ask software engineers.  Better yet, ask some
large-scale RPs.
  --  Anyway, standards are better than proprietary interfaces. So,
good for them.  SOMEbody has to figure out how to securely attach
tokens to JSON.
  --  It's 2012:  why are we arguing about serializations?  Can't we
talk about attributes instead?   If we have a good data model, does
anyone really think the fundamental issue is angle brackets versus
curly brackets?  Doesn't computer science have transforms?

As staff, we're not the technical policymakers here.  We're open for
guidance from you folks about how, or whether, you want to take in
this feedback.

Cordially, Jamie

James Bryce Clark, General Counsel
OASIS: Advancing open standards for the information society
http://www.oasis-open.org/who/staff.php#clark

