IIW 2008b Report
November 10-12 2008, Mountain View
www.oasis-open.org
Abbie Barbir ([email protected])
Nortel
OASIS IDtrust Steering Committee
IIW 2008 Take home points ..1
Many interactive and important sessions were proposed, covering various topics. Full details are on the IIW 2008 wiki at http://iiw.idcommons.net/Notes_08b
Key involvement from Google, M/S, AOL and Yahoo
180 participants
Focus was on using the technology in real market deployment.
Google is pushing to take OpenID, in combination with other protocols, mainstream. Google is becoming an OpenID provider.
Discovery is deemed to be very important. A 3.5 hour session was conducted on the topic, led by Yahoo. The relation to XRDS, XRI and OAuth is important.
IIW 2008 Take home points ..2
OAuth authors would like to standardize OAuth at the IETF as opposed to OASIS for various reasons:
– They do not feel that they need to pay OASIS so that they can do their work
– They do the work outside their companies, as supporters of the work; this means that their companies will not be interested in joining OASIS
– IPR issues need to be solved if they join a TC
– The OASIS rule of having no more than two individuals from a single company hinders the ability of these individuals to join OASIS
– Some individuals cannot afford the $300 fee to join OASIS.
A BoF on OAuth was held at the November meeting of the IETF
A discussion list was established for OAuth
Need to engage this community to get them to do work in IDTrust
Discussions have already started to get them into the XRDS TC. Drummond to provide an update.
The same problem occurs with the Open Web Foundation people. An OASIS-wide policy is needed to deal with the issue.
Important Sessions and impacts..1
Google OAuth & Federated Login Research see
http://sites.google.com/site/oauthgoog/
Goal is to investigate how OAuth, OpenID, SAML, XRDS, SaaS,
Strong/2ndFactorAuth, InformationCards, CardSpace, OpenSocial, Portable
Contacts, WS-*, Geneva, .. technologies fit together
Direct research on user login aspects and go-to-market strategies
Requires IDTrust to focus on Social network aspects and OAuth in addition to
XRI/XRDS.
Google Strong Auth Usability and Demos were also covered; see videos at
http://sites.google.com/site/oauthgoog/UXFedLogin/strongauthvideos
Important Sessions and impacts..2
Effort underway to standardize Portable Contacts
– contact schema; discovery / auth; common operations
– Focused on ease & speed of adoption
– Active involvement from large & small players
– More info & current draft spec: http://portablecontacts.net
– IDTrust needs to see what role it can play here
OpenID Authentication 2.1
2.0 has been finalized; a bunch of implementations; found lots of spec bugs
Core specification can support OAuth and email addresses
Current focus is on making the spec more readable, fixing bugs (errata) and adding a security appendix
Working on clarifying XRI
– Currently there's no firm message about whether RPs MUST support XRIs or not. Need to clarify how exactly XRI should be used with OpenID.
Clarify whether RPs can whitelist or blacklist which OPs they accept, and vice versa. Discovery of the types of identifiers an RP supports.
Updating discovery. Possibly including the XRD discovery.
Clarifying whether association over SSL must/can use Diffie-Hellman.
Exploratory work:
Signature mechanisms. Looking at additionally supporting the mechanisms defined in OAuth so that they can be closer together.
Possibly deprecating the current signature mechanism. Use of Public keys?
Need to coordinate with them and see what they want to do with OpenID. Same participation problems as with OAuth
Browser Extension Convergence
Quick inventory of the existing browser extensions:
Firefox: Sxipper (OpenID, UN/PW), Higgins: HBX4FF (I-Card), OpenInfoCard (I-Card), DigitalMe (I-Card), OpenLiberty (SAML), Verisign Seatbelt (OpenID), IDIB (OpenID…)
IE: Microsoft’s I-Card built-in, Higgins: HBX4IE
A list of protocol “families” that each extension should support:
Username/Password (Form-based, HTTP Auth, WS-Security)
OpenID (OpenID, SAML); I-Card (ISIP → IMI-TC)
Kerberos; SAML (SAML SSO, SAML ECP)
Browser-native add-on/extension/plug-in
Flash, Java, Gears, Silverlight
Browser Support for RP Auth Discovery
Everyone agreed that creating common specs for this was a good idea. Could use XRDS as the basis for discovery of a relying party (RP) site’s authentication support for multiple protocols. The RP site would publish an XRDS document that would allow a “smart client” (well, a browser extension) to discover information about what protocols were supported and how they might be used to authenticate to the site.
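The discovery step described above, seen from the smart client's side, as an added example that is not part of the original slides or of any spec discussed at IIW. Assumptions: the two `example.org` type URIs and the `rp.example.com` endpoints are constructed placeholders (only the OpenID `return_to` type is a real URI), and the DTD rejection and https-only filter are hardening choices added here.

```python
import math
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD = "{xri://$xrd*($v*2.0)}"  # XRD 2.0 namespace, Clark notation
OPENID_RETURN_TO = "http://specs.openid.net/auth/2.0/return_to"
# Hypothetical type URIs, constructed for this example only.
SAML_SSO = "http://example.org/hypothetical/auth/saml-sso"
PASSWORD_FORM = "http://example.org/hypothetical/auth/password-form"

# Constructed sample of what an RP might publish.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"><XRD>
  <Service priority="20"><Type>http://example.org/hypothetical/auth/saml-sso</Type>
    <URI>https://rp.example.com/saml/acs</URI></Service>
  <Service priority="10"><Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>https://rp.example.com/openid/return</URI></Service>
  <Service><Type>http://example.org/hypothetical/auth/password-form</Type>
    <URI>http://rp.example.com/login</URI></Service>
</XRD></xrds:XRDS>"""

def _priority(elem):
    # XRDS ordering: lower number is preferred, a missing priority ranks last.
    value = elem.get("priority")
    return int(value) if value is not None and value.isdigit() else math.inf

def discover_rp_auth(xrds_text, client_types):
    """Return (type, uri) pairs the client can use, most preferred first."""
    if "<!DOCTYPE" in xrds_text or "<!ENTITY" in xrds_text:
        raise ValueError("XRDS with DTD or entity declarations rejected")
    root = ET.fromstring(xrds_text)
    xrds = root.findall(XRD + "XRD")
    if not xrds:
        return []
    usable = []
    # The last XRD in the sequence describes the queried resource.
    for service in sorted(xrds[-1].findall(XRD + "Service"), key=_priority):
        types = [t.text.strip() for t in service.findall(XRD + "Type") if t.text]
        for uri in sorted(service.findall(XRD + "URI"), key=_priority):
            target = (uri.text or "").strip()
            if urlsplit(target).scheme != "https":
                continue  # never send credentials to a cleartext endpoint
            usable += [(t, target) for t in types if t in client_types]
    return usable
```

The XRDS document is untrusted input fetched from the RP, so the client filters it against its own list of supported protocols rather than acting on whatever the document advertises.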
Possible new work in IDTrust
Need for a Common Terminology
Exploring the Construction of Online Identity & Definition of Terms. IDTrust can take a lead role here. ITU-T has a current, up-to-date document.
Conclusion
Very Important event
Need to keep involved
OASIS was mentioned a lot in the meeting,
the message is going forward to consider
OASIS as an SDO
Many opportunities to get involved
Main obstacle is how this community can do
their work in OASIS.