Subject: SAML and serializations (was) Proposed Agenda for SSTC Telecon (7 August 2012)
Thanks for the invitation to visit with the TC this week. And thank you to Thomas, Anil, Abbie and John for some formative conversations on the topic, some live in Burlington last month.

Various clusters of folks have been talking about alternate serializations and representations of SAML for a while, now. As you probably know, our XACML TC is working on a REST profile and JSON representation: https://wiki.oasis-open.org/xacml/RestProfileRequirements

Should SAML do the same thing? I was just finishing some chats about that in July -- more about technology, than standards politics -- when the latest round of blog buzz cropped up.

Craig Burton, now at Kuppinger Cole, got the OpenID folks at the Denver cloud identity summit excited, with a "SAML is Dead" speech. A bunch of other bloggers jumped in to defend SAML, or agree with Craig, or make other comments. Peter Williams had his own take on the OpenID-general list. Jonathan Sander contributed both a blog (http://identitysander.wordpress.com/2012/07/31/saml-joins-the-it-zombie-legions/) and infographic (pic.twitter.com/2sKNfjfK).

Meanwhile, various OAuth proponents are firing shots at each other and their own project, as IETF met. (http://hueniverse.com/2012/07/oauth-2-0-and-the-road-to-hell/) (http://www.thread-safe.com/2012/07/the-oauth-2-sky-is-not-falling.html) And so on.

Maybe it's something in the water? Silly season in standards land? August used to be a slow month. Now we have F2F weeks from Ping, IETF, Gartner, NSTIC all in a row. When you're living in airport hotels for a month straight, maybe there's just not a lot to do at night, other than tweet smack.

OASIS usually doesn't rise to troll bait. At industry events, I do get asked sometimes what "we" think about the stack of SAML-like stuff working its way through IETF. Generally, my answer is one of these:

-- There is no we. This is OASIS; we don't do hive minds. Ask our members.
-- Specifically, ask software engineers. Better yet, ask some large-scale RPs.
-- Anyway, standards are better than proprietary interfaces. So, good for them. SOMEbody has to figure out how to securely attach tokens to JSON,
-- It's 2012: why are we arguing about serializations? Can't we talk about attributes instead? If we have a good data model, does anyone really think the fundamental issue is angle brackets versus curly brackets? Doesn't computer science have transforms?

As staff, we're not the technical policymakers here. We're open for guidance from you folks about how, or whether, you want to take in this feedback.

Cordially, Jamie

James Bryce Clark, General Counsel
OASIS: Advancing open standards for the information society
http://www.oasis-open.org/who/staff.php#clark