| Subject: | [id-cloud] Minutes of July 9, 2012 IDCloud TC Meeting |
|---|---|
| From: | Anil Saldhana (Anil...@redhat.com) |
| Date: | Jul 9, 2012 12:14:43 pm |
| List: | org.oasis-open.lists.id-cloud |
1) Roll Call, Agenda Review and Minute Taker Nomination
Attendees:
=============
| Company | Name | Role |
|---|---|---|
| IBM | David Kern | Voting Member |
| Microsoft | Anthony Nadalin | Chair |
| Bank of America | Dominique Nguyen | Voting Member |
| IBM | Matthew Rutkowski | Secretary |
| Daon | Cathy Tilton | Voting Member |
| Microsoft | David Turner | Voting Member |
| New Zealand Government | Colin Wallis | Member |
=============
Quorum was achieved: 6 out of 11 voting members (54%).
2) Approval of the June 25, 2012 Meeting Minutes
Link:
https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
David Turner moves; Dominique N seconds: Approved.
3) Gap Analysis Discussion [Gershon]
Gershon could not attend the meeting due to illness. Discussion is listed in the chat transcript below.
Use cases 15, 17 and 18 were discussed. Use case 15 requires the presence of Thomas Hardjono. Also the members on the call felt that there may be a necessity to make changes to the Kerberos specifications to meet the use case needs.
4) Other Business.
5) Adjourn. The meeting was adjourned.
Chat Transcript
========================
*anonymous morphed into David Kern*
*David Kern morphed into David Kern (IBM)*
*AnilSaldhana(RedHat):* dialing in
*David Kern (IBM):* (listening to the hold music...)
*David Turner:* And ROCKIN' to it
*David Kern (IBM):* (seems to be a cross between jazz and elevator music)
*AnilSaldhana(RedHat):*
https://wiki.oasis-open.org/id-cloud/MeetingCallInInformation
*AnilSaldhana(RedHat):* ================
*AnilSaldhana(RedHat):* Agenda
1) Roll Call, Agenda Review and Minute Taker Nomination
2) Approval of the June 25, 2012 Meeting Minutes
3) Gap Analysis Discussion [Gershon]
4) Other Business.
5) Adjourn.
*AnilSaldhana(RedHat):* =================
*AnilSaldhana(RedHat):* Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
*David Turner:* Apparently Tony is bored today
*AnilSaldhana(RedHat):* as usual, Tony pranks.
*AnilSaldhana(RedHat):*
https://www.oasis-open.org/committees/document.php?document_id=46334&wg_abbrev=id-cloud
*AnilSaldhana(RedHat):* Attendees: Anil, Tony, Dave Kern, David Turner, Matt R
*AnilSaldhana(RedHat):* Pending use cases for GAP analysis are 15, 17 and 18
*AnilSaldhana(RedHat):* Use Case Document: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html
*AnilSaldhana(RedHat):* Additional attendee: Dominique
*AnilSaldhana(RedHat):* AnilSaldhana(RedHat): Minutes of June 25, 2012: https://lists.oasis-open.org/archives/id-cloud/201207/msg00002.html
*AnilSaldhana(RedHat):* meeting minutes approved
*AnilSaldhana(RedHat):* Use Case 15: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801920
*AnilSaldhana(RedHat):* colin joined
*anonymous morphed into Colin_NZ*
*AnilSaldhana(RedHat):* Matt: Kerberos token is exchanged for an access token
*David Kern (IBM):* 4.15.4.4 - Kerberos is generally used in intranet-type environments, so #2 would be expected to be Kerberos -> SAML IdP, and then the SAML assertion is used to authenticate to the cloud
*AnilSaldhana(RedHat):*
http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-attribute-kerberos.html
*AnilSaldhana(RedHat):* that was kerberos attributes for saml
*AnilSaldhana(RedHat):* Kerberos based SAML web browser SSO: http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-kerberos-browser-sso.html
*Matt Rutkowski (IBM):* The former approach would require several technical issues to be addressed. These include development of global identities for Kerberos (real and pseudonymous), a standard web-layer API for authentication services, Enterprise-to-Cloud trust establishment, a global authorization structure, provisioning of users and credentials to the cloud, and others.
*AnilSaldhana(RedHat):* Matt refers to gaps identified by the author
*AnilSaldhana(RedHat):* Cathy Tilton joined
*AnilSaldhana(RedHat):* Dave Kern: if this was a private cloud, highly relevant
*AnilSaldhana(RedHat):* Since there are mentions of public SaaS provider, it applies beyond a tightly controlled cloud infra
*anonymous morphed into Cathy Tilton (Daon)*
*AnilSaldhana(RedHat):* Use case 17: http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cn01/IDCloud-usecases-v1.0-cn01.html#_Toc324801930
*David Kern (IBM):* Obvious security risk on #16 - if the application provider accepts assertions for all users from any of a long list of IdPs, then one misbehaving or hacked low-security IdP could compromise users with higher security needs
*AnilSaldhana(RedHat):* This use case is related to use case 10: Cloud Tenant Administration
*AnilSaldhana(RedHat):* Latest gap analysis doc: https://www.oasis-open.org/committees/document.php?document_id=46334&wg_abbrev=id-cloud
*Matt Rutkowski (IBM):* Use case 17: asks for a std means to configure an External ID Provider (EID), specifically at an app (or lower) granularity. This includes perhaps a protocol, along with the data/metadata needed to establish and manage an EIP within a cloud provider
*AnilSaldhana(RedHat):* From gap analysis doc: Applicable standards: IMI, SPML and SCIM
*AnilSaldhana(RedHat):* mattR: trust level exchange
*AnilSaldhana(RedHat):* mattR: needs to be established
*AnilSaldhana(RedHat):* mattR: OpenID Connect
*AnilSaldhana(RedHat):* mattR: profiles: IdP registration
*David Kern (IBM):* IdP -> SP metadata pull could be fairly simple, but SP -> IdP metadata configuration would be much harder, if for no other reason than that identity providers are (or at least should be) tightly controlled.
*AnilSaldhana(RedHat):* Gap: There is no standard for configuration
*AnilSaldhana(RedHat):* mattR: depends on granularity: enterprise level or departmental level granularity
*Matt Rutkowski (IBM):* on the IdP side yes...
*Matt Rutkowski (IBM):* on the provider side EIP configuration applies at least to the application level
*AnilSaldhana(RedHat):* 4.18 Use Case 18: Delegated Identity Provider Configuration
*David Kern (IBM):* This case seems to suggest an OAuth-style delegated authorization from the tenant administrator to the identity provider for the purposes of IDP<->SP configuration
*David Kern (IBM):* which raises the question of who watches the watchmen? What does one gain from trying to protect the tenant administrator's credentials for a service from the identity provider that asserts that admin's identity to that service?
*AnilSaldhana(RedHat):* Dominique should look at this blog entry: http://www.okta.com/blog/2012/02/implementing-an-on-premises-identity-management-solution-good-luck-you%E2%80%99ll-need-it/
*AnilSaldhana(RedHat):* and then read my comment to that blog entry at the bottom
*AnilSaldhana(RedHat):* Dominique thinks outsourcing identity services to 3rd party provider may be dangerous
*Colin_NZ:* Is anyone at CIS in Vail next week?
*Dominique Nguyen (Bank of America):* good bye
*David Kern (IBM):* That's one way to end a call... put it on hold and feed them your hold music.
*AnilSaldhana(RedHat):* it is called Smarter Planet
========================