Subject: RE: Challenge-Response/OBI & S2ML (Anders Rundgren's suggestion)
From: Orchard, David (dorc@jamcracker.com)
Date: Jan 11, 2001 10:00:46 am
List: org.oasis-open.lists.security-services

I guess it's open to debate, but Jamcracker plans on voting against any addition of challenge/response of credentials.

Anders, you have to weigh the utility of pushing through an agenda that has significant probability of a lack of success. I have the same dilemma on trying to remove authorization challenge/response but decided to fold the hand given the other members' stated public intentions and lack of any other member stepping forward.

Committees work best when we try to focus on what is achievable given the other members' stated and often unstated positions.

I think it's Kenny Rogers who sings "You gotta know when to hold 'em, know when to fold 'em, know when to run".

Cheers,
Dave Orchard
XML Architect
Jamcracker Inc.,
14000 Homestead Dr.,
Sunnyvale, CA 94086
p: 408.864.5118
f: 408.725.4310

Named to Red Herring's list of 100 Most Important Companies: www.redherring.com/mag/issue79/herring100/jamcracker.html

-----Original Message-----
From: Anders Rundgren [mailto:ande@telia.com]
Sent: Thursday, January 11, 2001 4:27 AM
To: Ahmed, Zahid; secu@lists.oasis-open.org
Subject: Re: Challenge-Response/OBI & S2ML (Anders Rundgren's suggestion)

I have reviewed all of your e-mails expressing concerns about not including Challenge-Response.

Overall, I agree with Phil's previous response:

Zahid, That is not such a surprise as you are one of the S2ML authors :-)

You did however not respond to my request: Is this open for debate or is the decision final?

Regarding the technical part of this, I suspect that we (all) may not even refer to the same thing and the likely scenarios which makes it very hard for anyone to have an opinion above the level "we must have this" or "this is out of scope". It *is* fairly complicated. It would be interesting to know why MACE-Shibboleth uses (sort of) C-A Auth if it is "redundant" (Bob, are there?)

If any *real* progress is to be made, a sub-committee or ad-hoc group should be formed.

Regards Anders