RE: [higgins-dev] Notes from Nov 2 higgins-dev call noon ET --corrected

My previous email notes got some of the voices/names wrong. This has been
corrected:

Attendees
---------
- MaryR, PaulT, TomS, GerryT, AndyH, MikeM, DanielS, JeffB, ValeryK, BrianC,
DaleO, JimS, TonyN


IP Issues
---------
- MikeM: Need to go down the road of interoperability as far as we can
- (1) what can we demonstrate?
- (2) what can we check into CVS?


What is the demo for Dec 2nd?
-----------------------------
JimS:

- All we have so far is an email outline and an email to-do list

- We call it a reference application and it is described on
banditproject.org

- We had wanted to show all the ISS, etc. components, but there isn't time
to get all that done, so we decided to use the CardSpace selector and
interoperate with an RP our STS. 

- This would force us to integrate our STS with IdAS

- Suggestion: a (MediaWiki) RP will do initial authentication and then some
authorization. Someone could use a CardSpace card or traditional un/pw (or
maybe OpenID). If they use a CardSpace card the RP could use the claims to
perform role calculations and do further authorization on the MediaWiki. 


Discussion of RP code and IdAS
------------------------------
- Mike: The STS role is also to validate a token. Should someone present an
old token that had been revoked, the STS can validate it. The RP can be
forced to ask the issuer, is the token valid for this purpose. This is a big
part of what WS-Trust is about. The STS is already wrapping IdAS for getting
the claim.

- Mike: When the user gets an old token and tries to present it, the RP
can't know whether the STS just issued it, or issued it 2 weeks ago and
revoked it 1 week ago.

- Jeff(JCB): What type of opportunity do we have to get support from MS? Do
we have someone we can go to? CA is working together with MS. I have some
opportunities to ask some pointed questions.

- Mike: sometimes they respond right away. It is hard to get predictable
responses.


...back to the demo
-------------------
JimS: 

- whether we do or don't use IdAS to get back to the store is a detail

- On the client side to make things easier, we wanted to use IE7 with
.NET3.0 installation so that we can have a standard informationcard over for
some claims

- On the client side we would need to provide some way for us to build a
managed card and then use the cardspace cardmanager to import that so the
user could select that card. That card would point to our STS. 

- From the client side process with that card. 

- Paul: this is what Mike calls the "pull" model

- JimS: when the card is created we can put enough metadata in the card so
that the STS

- Mike: yes, this is what we call the pull model

- DaleO: in summary for this demo this is the "STS pull" model and the RP
party is going to accept what it gets and not do any pull

- JCB: so we are creating a "Managed Card Provider"

- Mike: in this model the STS is the IdP

 

Defined Tasks
-------------
JimS: 
- (banditproject.org under reference application) is where we are going to
keep track of this

- Mike: the problem is I have permission to work on Higgins, so I have a
problem with the IP aspects of having this on the Bandit project. And if you
point me to a different mailing list, I won't be able to read it

- Tony: these are IP issues we need to resolve

- Dale: we're just trying to make a list

- Mary: you just need to register to contribute to the wiki or higgins-dev

- Tom: If we're in agreement that it will benefit everyone

- Pat: we have some drop dead deadlines that we need to meet

- Andy: beyond bugzilla and the wiki, what about checking in source code

- Mike: my understanding is that people are writing code to generate
informationcards using Chuck's stuff. Chuck's code doesn't match the specs

- Tony: this is because the specs are out of date and didn't publish the
changes

- Dale: we only have rights to use the specification, not how the code
actually works

- Tony: we don't know if the rev will ever get published. So if you go by
the specs

- JimS... that's as much as we've got on this topic

- Paul: anyone read my email about using MS Claim namespace?

- Mike: yes, I think it could work, but not for more complicated cases

- Mike: trouble is when you have multiple addresses in my provider and what
I think I'm being forced to do is decide which one is shipping address. 

- JimS: my hope was that for simple scenarios we didn't have to do this

- Mike: but we need to be more flexible for the long term

- JCB: where is this demo going to be shown?

- Dale: IIW

- JCB: should we define profiles

- ??: we want to make these demo services available on a public website

- Paul: Eclipse servers are available to host STS or IdAS service, etc.

- Andy: I'm setting up a VMware image, but there are licensing issues
distributing

- JCB: couldn't get Vista in VMware and MSVM and both blow up

- Jeff: could we discuss how it is, as had been suggested on the list, that
Higgins may be breaking one or more of Kim's laws?

- Mary: that was a suggested F2F topic



