www.oasis-open.org
IIW 2008b Report
November 10-12 2008, Mountain View
Abbie Barbir (abbieb@nortel.com), Nortel
OASIS IDtrust Steering Committee
IIW 2008 Take home points ..1
• Many interactive and important sessions were proposed covering various topics. Full details at the IIW 2008 wiki at http://iiw.idcommons.net/Notes_08b
• Key involvement from Google, M/S, AOL and Yahoo
• 180 participants
• Focus was on using the technology in real market deployment. Google is pushing to take OpenID, in combination with other protocols, mainstream. Google is becoming an OpenID provider.
• Discovery is deemed to be very important. A 3.5 hour session was conducted on the topic, led by Yahoo. Relation to XRDS, XRI and OAuth is important.
IIW 2008 Take home points ..2
• OAuth authors would like to standardize OAuth at the IETF as opposed to OASIS, for various reasons:
  • They do not feel that they should need to pay OASIS so that they can do their work
  • They do work outside their companies as supporters of the work; this means that their companies will not be interested in joining OASIS
  • IPR issues need to be solved if they join a TC
  • The OASIS rule of having no more than two individuals from a single company hinders the ability of these individuals to join OASIS
  • Some individuals cannot afford the $300 fee to join OASIS.
• A BoF on OAuth was held at the November meeting of the IETF
• A discussion list was established for OAuth
• Need to engage this community to get them to do work in IDTrust
• Discussions already started to get them into the XRDS TC. Drummond to provide an update.
• The same problem occurs with the Open Web Foundation people. An OASIS-wide policy is needed to deal with the issue.
Important Sessions and impacts..1
• Google OAuth & Federated Login Research, see http://sites.google.com/site/oauthgoog/
• Goal is to investigate how OAuth, OpenID, SAML, XRDS, SaaS, Strong/2nd-Factor Auth, Information Cards, CardSpace, OpenSocial, Portable Contacts, WS-*, Geneva, .. technologies fit together
• Direct research on user login aspects and go-to-market strategies
• Requires IDTrust to focus on social network aspects and OAuth in addition to XRI/XRDS.
• Google Strong Auth Usability and Demos was also covered; see videos at http://sites.google.com/site/oauthgoog/UXFedLogin/strongauthvideos
Important Sessions and impacts..2
• Effort underway to standardize Portable Contacts
  • contact schema; discovery / auth; common operations
  • Focused on ease & speed of adoption
  • Active involvement from large & small players
  • More info & current draft spec: http://portablecontacts.net
• IDTrust needs to see what role it can play here
OpenID Authentication 2.1
• 2.0 has been finalized; bunch of implementations; found lots of spec bugs
• Core specification can support OAuth and email addresses
• Current focus on making the spec more readable, fixing bugs (errata) and a security appendix
• Working on clarifying XRI
  • Currently there's no firm message about whether RPs MUST support XRIs or not.
  • Need to clarify how exactly XRI should be used with OpenID.
• Clarify if RPs can whitelist or blacklist what OPs they accept, and vice versa.
• Discovery of the type of identifiers an RP supports.
• Updating discovery. Possibly including XRD discovery.
• Clarifying whether association over SSL must/can use Diffie-Hellman.
• Exploratory work:
  • Signature mechanisms. Looking at additionally supporting the mechanisms defined in OAuth so that they can be closer together.
  • Possibly deprecating the current signature mechanism. Use of public keys?
• Need coordination with them and see what they want to do with OpenID. Same participation problems as with OAuth
Browser Extension Convergence
• Quick inventory of the existing browser extensions:
  • Firefox: Sxipper (OpenID, UN/PW), Higgins: HBX4FF (I-Card), OpenInfoCard (I-Card), DigitalMe (I-Card), OpenLiberty (SAML), Verisign Seatbelt (OpenID), IDIB (OpenID…)
  • IE: Microsoft’s I-Card built-in, Higgins: HBX4IE
• A list of protocol “families” that each extension should support:
  • Username/Password (Form-based, HTTP Auth, WS-Security)
  • OpenID (OpenID, SAML); I-Card (ISIP -> IMI-TC)
  • Kerberos; SAML (SAML SSO, SAML ECP)
  • Browser-native add-on/extension/plug-in
  • Flash, Java, Gears, Silverlight
• Browser Support for RP Auth Discovery: Everyone agreed that creating common specs for this was a good idea. Could use XRDS as the basis for discovery of a relying party (RP) site’s authentication support for multiple protocols. The RP site would publish an XRDS document that would allow a “smart client” (well, a browser extension) to discover information about what protocols were supported and how they might be used to authenticate to the site.
• Possible new work in IDTrust
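To illustrate the RP-side XRDS discovery idea above, here is an added example (not from the report or any of the projects it names) of the client half: a "smart client" parses a constructed XRDS document an RP might publish and picks the RP's highest-priority service among the protocols the client itself supports. The OpenID 2.0 signon Type URI is real; the example.org Type URIs for the password-form and Kerberos services are hypothetical placeholders, since no such URIs are defined on this page.

```python
import xml.etree.ElementTree as ET

# Real XRDS / XRD 2.0 namespaces.
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed sample XRDS an RP site might serve to advertise its login
# protocols. Lower priority value = more preferred (XRDS convention).
# The example.org Type URIs are hypothetical placeholders.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://rp.example/openid/return</URI>
    </Service>
    <Service priority="20">
      <Type>http://example.org/auth/kerberos</Type>
      <URI>https://rp.example/krb/login</URI>
    </Service>
    <Service priority="30">
      <Type>http://example.org/auth/password-form</Type>
      <URI>http://rp.example/login</URI>
    </Service>
  </XRD>
</xrds:XRDS>
"""

def parse_services(xrds_text):
    """Return each <Service> as {"types": [...], "uris": [...], "priority": int|None}."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        uris = [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text]
        prio = svc.get("priority")
        services.append({"types": types, "uris": uris,
                         "priority": int(prio) if prio and prio.isdigit() else None})
    return services

def choose_protocol(xrds_text, client_supported):
    """Pick (type, uri) of the RP's most preferred service the client can speak.
    Services the client does not understand are ignored, and only https
    endpoints are accepted so credentials are never sent in the clear."""
    candidates = []
    for svc in parse_services(xrds_text):
        usable = [t for t in svc["types"] if t in client_supported]
        secure = [u for u in svc["uris"] if u.startswith("https://")]
        if usable and secure:
            prio = svc["priority"] if svc["priority"] is not None else float("inf")
            candidates.append((prio, usable[0], secure[0]))
    if not candidates:
        return None  # no mutually supported protocol over https
    candidates.sort(key=lambda c: c[0])
    return candidates[0][1], candidates[0][2]
```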
Need for a Common Terminology
• Exploring the Construction of Online Identity & Definition of Terms. IDTrust can take a lead role here. ITU-T has a current, up-to-date document.
Conclusion
• Very important event
• Need to keep involved
• OASIS was mentioned a lot in the meeting; the message going forward is to consider OASIS as an SDO
• Many opportunities to get involved
• Main obstacle is how this community can do their work in OASIS.