shibboleth-dev - Re: How important is interop?

Re: How important is interop?
  • From: "RL 'Bob' Morgan" <>
  • To: Scott Cantor <>
  • Cc: Shibboleth Design Team <>
  • Subject: Re: How important is interop?
  • Date: Thu, 24 Apr 2003 15:58:47 -0700 (PDT)

Scott:

This does seem like a pays-me-now-or-pays-me-later thing, and obviously
it's better to break things prior to having a real production federation.
My questions are:

(1) When SAML 2.0 changes everything again, I think we won't be in a
position to break things, but will have to offer a non-disruptive
transition path. Seems like the rest of the SAML community would be in
the same boat (as they are not now, since people say "there's no serious
deployment, we can still change"). From what I've seen the plans are
mostly about adding Liberty-style metadata and some new scenarios, e.g.
credential collector, i.e. additions rather than changes. So it seems like
relatively smooth transition should be possible, though of course one
never knows till we get there. But at least at this point we could be
encouraging about this, no? There are certainly folks out there saying
"why SAML?", and version incompatibilities give them ammunition ...

(2) Can you explain the nature of the target side insecurities? All
releases have some security assumptions and caveats, obviously we can't
fix everything. But you're talking something fundamental, so I'd like to
understand it better and how the 1.1 changes will fix it.

(3) How does this affect schedule? I guess you're saying that providing
SAML 1.0+1.1 compatibility is the hardest, hence would cause most delay.
And the SAML 1.0 that's in 0.8, and in the absence of making the 1.1
changes would remain more or less the same in 1.0, has security holes? So
the quickest path to market, while not opening ourselves up to massive
abuse on bugtraq, is to make the 1.1 improvements, and break 0.8 compat?

Obviously there will be enforced breakage with the move to Real InCommon,
so adding a version change there too doesn't seem like a big deal to me.
Just as obviously the SAML-1.1-supporting Shib would have to be
pilot-tested, so a SAML-1.1-based pilot would have to exist. It seems to
me that as things move along pilots will tend to exist in various stages
of semi-interop, based on attribute evolution if nothing else. So the
idea of a homogeneous pilot is kind of a dream anyway. This makes it
rough to do demos, but of course once there's production we'll have much
more compelling demos ...

So, modulo your answers to the above, I'm OK with breaking the leg again.

- RL "Bob"
