OASIS Mailing List ArchivesView the OASIS mailing list archive below
or browse/search using MarkMail.


Help: OASIS Mailing Lists Help | MarkMail Help

security-use message

[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Subject: Re: [UC-1-04:ARundgrenPush]

>>>>> "HL" == Hal Lockhart <hal.lockhart@entegrity.com> writes:

    >> You also lack a business case.  Why do you need a particular
    >> business case when we are talking about extending the access
    >> system of practially all computer systems (but with arbitrary
    >> granularity and semantics) to function over the web between
    >> different, independent and constantly changing organizations as
    >> well?  IMO that's *hell* of a use case!  If it is a hell to
    >> design I am not yet able to tell.

I'm replying to the wrong message, so, sorry.

But I think Anders has gotten to the kernel of this issue. I think for
most of us with experience with AuthXML or S2ML, we've dealt from the
get-go with expecting peer security systems to have arranged their
partnership out-of-band. In other words, there are configuration
options on each piece of software that say what data is sent as
credentials, what profile information to share, what keys belong to
what security system, etc.

We explicitly have this called out in the current doc, saying that
"trust negotiations must be made out-of-band." I agree with Anders
that there's a momentous opportunity in dropping this non-goal and
allowing the trust relationship to be negotiated IN-band ("Who are
you? Who says that's you? What do you want?").

However, I am extremely leery of this expansion of scope. I wonder if
there's an opportunity here to stow away this use case and use it for
a next version of [OSSML] or for even another effort of this
TC. Something that operates well with what we do, but not part of this
current effort.


[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [Elist Home]

Powered by eList eXpress LLC