OASIS Mailing List Archives
xdi message
Subject: Minutes: XDI TC Telecon Thursday 1-2PM PT 2008-09-25


Following are the minutes of the unofficial telecon of the XDI TC at:

Date:  Thursday, 25 September 2008 USA
Time:  1:00PM - 2:00PM Pacific Time

ATTENDING

Markus Sabadello
John Bradley 
Drummond Reed
Giovanni Bartolomeo
Nika Jones


AGENDA

1) TECH TOPIC: XDI SIGNATURES AND LINK CONTRACTS

Just before the summer break we had a very productive call reviewing the
proposed base pattern for XDI link contracts. Solutions have now been
suggested to the issues raised on that call. They are illustrated in the
examples at...

	http://wiki.oasis-open.org/xdi/XdiOneIssues/LinkContractPattern

...in particular the "signature blocks" illustrated near the end.

We discussed this pattern, and there was consensus that it solves the issue
of having signatures added to the contract itself, thereby changing the
graph being signed.
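To make the point concrete, here is an added illustration (not code from the TC or the wiki page) of why a detached signature block is needed. It assumes a toy link contract serialized as sorted JSON, because the XDI graph syntax is out of scope here, and it uses HMAC-SHA256 as a stand-in for a real digital signature; the names sign_graph, verify_graph and add_signature_block are my own.

```python
import hashlib
import hmac
import json

# Constructed toy link contract (not XDI syntax); Alice grants Bob read access.
CONTRACT = {
    "id": "=alice/$contract/=bob",
    "grantor": "=alice",
    "grantee": "=bob",
    "permissions": [{"op": "$get", "target": "=alice+email"}],
}


def canonicalize(graph: dict) -> bytes:
    """Deterministic serialization: sorted keys, no whitespace.
    Signing must cover exactly these bytes, so any change to the graph
    (including adding a signature into it) changes what was signed."""
    return json.dumps(graph, sort_keys=True, separators=(",", ":")).encode()


def sign_graph(graph: dict, key: bytes, signer: str) -> dict:
    """Produce a signature block that lives OUTSIDE the signed graph.
    HMAC is a stand-in for an asymmetric signature in this demo."""
    data = canonicalize(graph)
    return {
        "signs": graph["id"],                       # which graph is signed
        "signer": signer,
        "alg": "HMAC-SHA256 (demo stand-in)",
        "digest": hashlib.sha256(data).hexdigest(),  # fingerprint of signed bytes
        "sig": hmac.new(key, data, hashlib.sha256).hexdigest(),
    }


def verify_graph(graph: dict, block: dict, key: bytes) -> bool:
    """Recompute over the contract alone; the block is never part of the input."""
    expected = hmac.new(key, canonicalize(graph), hashlib.sha256).hexdigest()
    return block["signs"] == graph["id"] and hmac.compare_digest(expected, block["sig"])


def add_signature_block(blocks: list, graph: dict, key: bytes, signer: str) -> list:
    """Second and later signers append their own block; earlier blocks stay valid
    because the contract graph itself is untouched."""
    return blocks + [sign_graph(graph, key, signer)]


def embedded_signature_breaks_verification(graph: dict, key: bytes) -> bool:
    """The problem the pattern avoids: if the signature is written into the
    contract, the graph now differs from the one that was signed."""
    block = sign_graph(graph, key, "=alice")
    mutated = dict(graph)
    mutated["signature"] = block          # signature becomes part of the graph
    return not verify_graph(mutated, block, key)


if __name__ == "__main__":
    alice_key, bob_key = b"demo-key-alice", b"demo-key-bob"
    blocks = add_signature_block([], CONTRACT, alice_key, "=alice")
    blocks = add_signature_block(blocks, CONTRACT, bob_key, "=bob")
    print("alice ok:", verify_graph(CONTRACT, blocks[0], alice_key))
    print("bob ok:", verify_graph(CONTRACT, blocks[1], bob_key))
    print("embedding breaks it:", embedded_signature_breaks_verification(CONTRACT, alice_key))
```

The check worth keeping in mind: verification always recomputes over the contract graph alone, and every signer's block references the graph by its identifier rather than being inserted into it, so a counter-signature by the grantee does not invalidate the grantor's signature.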

John and Markus noted that these examples do not yet include references to
human-readable policy documents -- that's TODO.

John asked about when the same data is accessible over multiple link
contracts. Does Bob ask for the data under a specific link contract or just
ask for the data and let Alice's XDI service figure it out?

There is also the question of how much Bob should be able to know about the
permissions Alice has provided Bob. Given that XDI is self-describing, Alice
can do this by simply sharing the link contract with Bob, telling Bob what
he has access to. This works where the data provider agrees that the data
consumer will have access to an exact set of data. But there's also the case
where:

* Access is granted to a bounded section of the graph that's not an exact
set.
* Access is explicitly denied to certain resources (negative permissions).

John noted that if the grammar for the permissions graph includes negative
permissions, then sharing that link contract can have privacy and
security implications.

John spoke in favor of being able to integrate XDI link contracts with other
access control mechanisms such as XACML. Drummond agreed; he explained that
from the very outset of the XDI TC in 2004, the TC has been intended to
support referencing XACML policies from XDI link contracts.

John talked about token types and how it would be best for XDI from a
security standpoint to be "token agnostic". OAuth as an example
just uses a very simple bearer token with a hash that's not bound
cryptographically to the relying party in any way. There was agreement that
XDI security should be able to be bound to any token type.

2) NEXT CALL

John and Drummond will be at the OASIS Open Standards Forum in London next
week. Due to the time shift and a dinner that night, they will not be able
to attend next week's call. It was decided to cancel it and continue the
following week.
