
shibboleth-dev - NOTES: SHIB design call -- (5/10), 3:00 pm edt, noon pdt

Subject: Shibboleth Developers

  • Subject: NOTES: SHIB design call -- (5/10), 3:00 pm edt, noon pdt
  • Date: Mon, 10 May 2004 16:36:07 -0400

Phone #: (800) 541-1710
Pin #: 0142203

Agenda:

1) Current programming issues/questions
-- status of 1.2 testing; outstanding issues
-- we've promised that a "release candidate" would be available on 5/11...

Known to crash under heavy load under Solaris; not enough data to make any definitive statements about other platforms. We are working to identify this problem, and will post a fix as soon as we have it. This release is stable enough to be used in pilot situations.

2) continue discussion of security approaches for Fedora and ECL. On 4/18, we started a discussion with the Fedora group. This time, a couple of people from Simon Fraser Univ will also be joining us .... they have developed ECL (a SOAP-based implementation of the IMS DRI protocol). Like the Fedora project, they want to add security ......

There is currently no "best practice" describing how to add security to SOAP (where, IMHO, best practice results from real experience... not from pronouncements from vendor marketing depts). Different groups are proposing different approaches..... I think our task will be to understand our requirements, and make the best choice we can... understanding full well that three years from now the market may have decided that there were better choices than the one we made. And I suspect that some people may suggest "this situation is too confusing...let's wait". That's a choice, too.

During the last conversation, there was a suggestion that we explore the use of HTTP-level authentication. Based on conversation with Scott, I'd like to suggest that we also explore the relevance of Web Services Security:

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=wss

and of some of the Liberty approaches.

---------------

Marak -- do something, but do it in a way that leaves as many options open as possible

two different camps, and they begin to differ at the session level (eg handling the session cookie)

for SAML, the only existing profiles are the browser ones -- there are no profiles describing how a SOAP client obtains a credential

-- howard -- is this discussion really about how to "do business internally"...

RL - another concern -- where's the code, to support whatever we recommend?

apache web-services PMT includes WSS impl in java, as does globus v3

not sure to what extent wss-j is compliant (although starting to talk about participating in interops), or is it ipr free......

RL - in the short term, might just want to use SSL + HTTP for the short term......

scott -- since WSS transports tokens, the real hard work is in the mechanism specific plugins

http://ws.apache.org/


  • NOTES: SHIB design call -- (5/10), 3:00 pm edt, noon pdt, Steven_Carmody, 05/10/2004
