security-use message

Subject: RE: Inputs to Strawman/Issue List - Group 2: B2B Scenario Variations


Thanks for the comments.

> There's options missing from each issue:
> x) Drop this issue/scenario/requirement
> y) Seek further clarification

I believe the first possible resolution option has been included
in the Strawman 3 that Darren sent out. I agree that the second 
resolution item w.r.t. further clarification could be included. 
My assumption is that we will discuss the new issues in Strawman 3 
Issues List in our next tele-conf.

> We had a clear indication (10-1 on UC-5-3) that the use case group 
> does not want credential exchange in scope, yet UC-2-05 (steps 2-4) 
> explicitly brings this up and proposes making it back into scope.. 

It is true that we have voted on 5-03 (a), (b), and (c), and that the
proposed use case in 5-03 applies Credentials to exchange authentication 
data between 2 B2B applications. Since we have decided to not support
such Credential applications in the scope of SAML and furthermore we
are going to explicitly state in the spec something to the effect: 
"Authentication methods or frameworks are outside the scope of [OSSML]",
I'm willing to revise steps 2-4 in UC2-05 such that it remains consistent 
with 5-03 conclusions.

However, I must point out that non-human operated applications 
(communicating over the internet) do need ability to specify and 
transmit authentication data above the transport protocols such as 
HTTP and SSL. HTTP was primarily designed for browser clients and 
SSL was also designed as an authentication mechanism for end-point 
socket client (e.g., browser) and servers (e.g., web servers). Hence, 
there may be situations where some folks may exploit the simplicity
of SAML Credential specification for sending authentication data 
at the application protocol level for such application-to-application 
connectivity scenario even if we spell out that authentication mechanism 
is out-of-scope of SAML, which I agree that it should. [E.g., I
know that ebXML Security WG has discussed such potential apps in
the past w/o any conclusions yet...]


> What I suggest is that the scenarios you propose should have 
> some clearly delineated sections so that we could vote on portions.  
> Say steps 2-4 are out of scope, but (picking fictitious groupings) 
> 5-8 and 9-11 could be put into scope.  If they are all bundled together, 
> then I'm faced with the choice of voting No (to ensure previously 
> No stands) or voting Yes (to ensure new steps are added), and I don't 
> know which way I should vote.

Yes, I'm willing to delineate UC2-05 in the above stated manner, possibly
using the latest session mgmnt use case as the example. Let's talk about 
this in our tele-conf tomorrow, if need be.

thanks,
Zahid



> -----Original Message-----
> From: Orchard, David [mailto:dorchard@jamcracker.com]
> Sent: Tuesday, February 27, 2001 12:21 PM
> To: Ahmed, Zahid; Darren Platt; UseCaseList
> Subject: RE: Inputs to Strawman/Issue List - Group 2: B2B Scenario Variations
> 
> 
> There's options missing from each issue:
> x) Drop this issue/scenario/requirement
> y) Seek further clarification
> 
> I'm a little fuzzy about the overlap between these issues.  We had a clear
> indication (10-1 on UC-5-3) that the use case group does not want credential
> exchange in scope, yet UC-2-05 (steps 2-4) explicitly brings this up and
> proposes making it back into scope..  
> 
> What I suggest is that the scenarios you propose should have some clearly
> delineated sections so that we could vote on portions.  Say steps 2-4 are
> out of scope, but (picking fictitious groupings) 5-8 and 9-11 could be put
> into scope.  If they are all bundled together, then I'm faced with the
> choice of voting No (to ensure previously No stands) or voting Yes (to
> ensure new steps are added), and I don't know which way I should vote.
> 
> On the session mgmt, I broke them up - the general notion of session
> management - and specific step sets.  Some people wanted session with
> timeouts, some wanted session with logouts, some wanted session with logouts
> and timeouts.  
> 
> Cheers,
> Dave
> 
> > -----Original Message-----
> > From: Ahmed, Zahid [mailto:zahid.ahmed@commerceone.com]
> > Sent: Monday, February 26, 2001 3:13 PM
> > To: Darren Platt; UseCaseList
> > Subject: Inputs to Strawman/Issue List - Group 2: B2B Scenario Variations
> > 
> > 
> > Attached are the B2B Transaction Scenarios that I have re-written
> > in terms of the Issue List format adopted in the latest strawman/issue
> > list document.
> > 
> > 1) ISSUE:[UC-2-05: B2B Transaction via an e-marketplace or 
> >    trading hub]
> > 
> > 2) ISSUE:[UC-2-06: B2B Transaction using different messaging and   
> >    application protocols]
> > 
> > 3) ISSUE:[UC-2-07: B2B Transaction over multiple e-marketplace or 
> >    trading hubs/portals]
> > 
> > 
> > Sorry for late feedback; please provide any comments.
> > 
> > I will definitely provide in the future some UML based interaction
> > diagrams; however, all three issues have detailed use case steps
> > described and also possible resolution questions.
> > 
> > >This input will no doubt be very useful then, and I look forward to
> > >benefiting from your expertise in this area.  In the meantime we should
> > >start tracking these scenarios on the issue list.  You suggested that
> > >you could provide more details - could we ask that you please do so,
> > >perhaps providing interaction diagrams if possible, so that we can add
> > >them to the issue list for Strawman 3?
> > 
> > 
> > 
> > > -----Original Message-----
> > > From: Darren Platt [mailto:dplatt@securant.com]
> > > Sent: Wednesday, February 21, 2001 6:59 PM
> > > To: UseCaseList
> > > Subject: Issue Groups and Champions
> > > 
> > > 
> > > Here is the current list of issue groups and their champions:
> > > 
> > > Group 1: Single Sign-on Push and Pull Variations - Darren Platt, Evan Prodromou
> > > Group 2: B2B Scenario Variations - Prateek Mishra, Zahid Ahmed
> > > Group 3: Sessions - David Orchard
> > > Group 4: Security Services
> > > Group 5: AuthC Protocols - Prateek Mishra, Bob Blakley
> > > Group 6: Protocol Bindings
> > > Group 7: Enveloping vs. Enveloped
> > > Group 8: Intermediaries
> > > Group 9: Privacy
> > > Group 10: Framework
> > > Group 11: AuthZ Use Case - Irving Reid
> > > 
> > > Please let me know if I missed anybody.
> > > 
> > > 
> > > 
> > > Darren Platt
> > > Principal Technical Evangelist
> > > Securant Technologies
> > > 1 Embarcadero Center, Floor 5
> > > San Francisco, CA 94111
> > > tel - (415) 315-1529
> > > fax - (415) 315-1545
> > > http://www.securant.com/
> > 
> > 
> 