Subject: RE: [xdi] Link Contract Authentication Requirement



Bill,

The business case for Gluu participating in the XDI TC is to enable data 
federation between organizations... which leverages their existing 
organizational signing capability. In my vision, organizations will host 
your PDS in the same way that they host your email address.

I believe the enterprise standard for federated authentication is SAML--not 
OAUTH (which will soon be the standard for large consumer IDPs). With the 
advent of ADFS, and the predominance of Oracle, CA and to a much lesser 
extent Ping in the enterprise SSO market, I would argue that SAML is the 
de facto standard.

Also, I actually think that the trust model should be external as much as 
possible to the spec... i.e. XDI should be trust model neutral. There will 
always be new and improved trust models being invented... Let the 
implementers worry about tokens. I am just looking for a way to express 
the policy in XDI, and identifying the major trust models as a matter of 
convenience.

- Mike



--------------------------------------------------------------------------------------

Michael Schwartz
Gluu
Founder, CEO
mike@gluu.org
https://www.gluu.org
+1 646-810-8761



On Fri, 3 Jun 2011, Barnhill, William [USA] wrote:

> I think XDI needs to support PKI (Federal/DoD market, some enterprise market), OAUTH (rest of enterprise market), and none (hobbyists and people learning the technology). I think SAML can be an add-on later. What I'd recommend is that we focus on a generic token-based credential passing authentication, message signing, and message encryption, and leave the specific mechanisms for a separate document. This lets people with different needs use the same core spec but use different security profiles.
>
> So to sum up:
> Core doc: XDI Signing, XDI message based encryption, incorporation of i-name and zero or more authentication tokens
> Later (in near term) docs...
> .. PKI-based XDI authentication, specifically with details on using a CAC and covering CRLs, etc.
> .. OAUTH-based XDI Authentication
> .. Web of Trust authentication (Connect.me, PGP, etc.)
>
> -Bill
>
> -----Original Message-----
> From: Michael Schwartz [mailto:mike@gluu.org]
> Sent: Friday, June 03, 2011 10:04 AM
> To: OASIS - XDI TC
> Cc: yuriy@gluu.org
> Subject: [xdi] Link Contract Authentication Requirement
>
>
> I think OX needs to support 4 authentication trust models:
>   1) None (secure network is trust model)
>   2) PKI  (requester publishes public key, and signs messages)
>   3) SAML (organization signs message)
>   4) OAUTH (requester publishes consumer IDP and username, and
>      is re-directed there for authentication)
>
> I think it would be convenient to have XRI vocabulary to express these policies in a Link contract.
>
> Thoughts?
>
> - Mike
>
>
> --------------------------------------------------------------------------------------
>
> Michael Schwartz
> Gluu
> Founder, CEO
> mike@gluu.org
> https://www.gluu.org
> +1 646-810-8761
>

