Subject: Re: [UC-1-04:ARundgrenPush]
>>>>> "HL" == Hal Lockhart <hal.lockhart@entegrity.com> writes:

>> You also lack a business case. Why do you need a particular
>> business case when we are talking about extending the access
>> system of practically all computer systems (but with arbitrary
>> granularity and semantics) to function over the web between
>> different, independent and constantly changing organizations as
>> well? IMO that's a *hell* of a use case! If it is a hell to
>> design I am not yet able to tell.

I'm replying to the wrong message, so, sorry. But I think Anders has gotten to the kernel of this issue.

I think for most of us with experience with AuthXML or S2ML, we've dealt from the get-go with expecting peer security systems to have arranged their partnership out-of-band. In other words, there are configuration options on each piece of software that say what data is sent as credentials, what profile information to share, what keys belong to what security system, etc. We explicitly have this called out in the current doc, saying that "trust negotiations must be made out-of-band."

I agree with Anders that there's a momentous opportunity in dropping this non-goal and allowing the trust relationship to be negotiated IN-band ("Who are you? Who says that's you? What do you want?"). However, I am extremely leery of this expansion of scope.

I wonder if there's an opportunity here to stow away this use case and use it for a next version of [OSSML] or for even another effort of this TC. Something that operates well with what we do, but not part of this current effort.

~ESP
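As an added illustration of the out-of-band model the message describes (this is example code written for this page, not code from the thread, from AuthXML, S2ML or the TC's draft), the following relying party only accepts an assertion when its issuer is already in a locally configured trust store that records the peer's key and the profile attributes the partnership agreed to share. The peer names, the shared secret and the use of HMAC in place of a real signature scheme are all assumptions made for the example; the point is the trust lookup, not the primitive. A peer that announces itself in-band with its own key produces a perfectly well-formed assertion, yet is rejected, which is exactly the gap that in-band negotiation ("Who says that's you?") would have to fill.

```python
import hashlib
import hmac
import json

# Constructed out-of-band trust configuration (hypothetical peer name and key).
# Each entry is the "configuration options on each piece of software" the
# message refers to: which key belongs to which security system and which
# profile attributes we are willing to accept from it.
TRUST_STORE = {
    "idp.example.org": {
        "key": b"shared-secret-arranged-out-of-band",
        "profile_attrs": {"email", "role"},
    },
}


def canonical(payload):
    """Deterministic byte encoding so signer and verifier MAC the same bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(issuer, key, payload):
    """Issuer side: attach an HMAC over the payload. HMAC stands in for
    whatever signature mechanism a real deployment would use."""
    mac = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "payload": payload, "sig": mac}


def verify_assertion(assertion, trust_store=TRUST_STORE):
    """Relying-party side. Returns the accepted subject and the filtered
    profile, or None when the assertion cannot be tied to a pre-arranged peer."""
    entry = trust_store.get(assertion.get("issuer"))
    if entry is None:
        # No out-of-band arrangement exists with this issuer, so there is
        # nothing to check the claimed identity against: reject regardless
        # of how well-formed the signature is.
        return None
    expected = hmac.new(entry["key"], canonical(assertion["payload"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return None
    payload = assertion["payload"]
    # Keep only the profile information this partnership agreed to share.
    profile = {k: v for k, v in payload.get("profile", {}).items()
               if k in entry["profile_attrs"]}
    return {"subject": payload["subject"], "profile": profile}


# Constructed sample assertions.
KNOWN_ASSERTION = sign_assertion(
    "idp.example.org",
    TRUST_STORE["idp.example.org"]["key"],
    {"subject": "alice",
     "profile": {"email": "alice@example.org", "role": "buyer",
                 "ssn": "000-00-0000"}},
)

# A peer that introduces itself in-band with its own key: internally
# consistent, but nobody we configured vouches for it.
ROGUE_ASSERTION = sign_assertion(
    "rogue.example.net",
    b"key-only-the-rogue-knows",
    {"subject": "alice", "profile": {"role": "admin"}},
)


def tampered(assertion, **changes):
    """Copy of an assertion whose payload was altered after signing."""
    copy = json.loads(json.dumps(assertion))
    copy["payload"].update(changes)
    return copy


if __name__ == "__main__":
    print(verify_assertion(KNOWN_ASSERTION))
    print(verify_assertion(ROGUE_ASSERTION))
    print(verify_assertion(tampered(KNOWN_ASSERTION, subject="mallory")))
```

The accepted result drops the `ssn` attribute because the trust store never listed it, while the rogue and tampered assertions both come back as `None`; everything the verifier relies on came from local configuration, which is what "trust negotiations must be made out-of-band" means in practice.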