Re: [higgins-dev] Re: Redirecting Bandit STS efforts to Higgins

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

Re: [higgins-dev] Re: Redirecting Bandit STS efforts to Higgins

From: Anthony Nadalin <drsecure@xxxxxxxxxx>
Date: Fri, 23 Feb 2007 12:59:48 -0600
Delivered-to: higgins-dev@xxxxxxxxxxx
List-archive: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>
List-help: <mailto:higgins-dev-request@eclipse.org?subject=help>
List-subscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://dev.eclipse.org/mailman/listinfo/higgins-dev>, <mailto:higgins-dev-request@eclipse.org?subject=unsubscribe>

Well the reason for this to make sure there is no spoofing, so I agree with the limitation that was put on this and opening this up is a security issue, so I'm aginst this

Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122
"Jim Sermersheim" <jimse@xxxxxxxxxx>

"Jim Sermersheim" <jimse@xxxxxxxxxx>

Sent by: higgins-dev-bounces@xxxxxxxxxxx

02/23/2007 11:50 AM

Please respond to
"Higgins \(Trust Framework\) Project developer discussions" <higgins-dev@xxxxxxxxxxx>

To	<higgins-dev@xxxxxxxxxxx>
cc
Subject	[higgins-dev] Re: Redirecting Bandit STS efforts to Higgins

So, as far as I understand the use case, I'm for adding the managedCardID. The argument's I've heard against this say that if I want to have multiple managed cards backed by the same personal card, then those managed cards must represent the same identity in the backing store. And if there's a need to use a different identity in the backing store, then a different personal card should be used. While I agree that in practice this is likely the pattern that one should follow, but I don't like restricting the former possibility.

Jim

>>> "Daniel Sanders" <dsanders@xxxxxxxxxx> 2/23/07 9:20 AM >>>
Mike,

I should have also replied about the following:

I also am waiting for the change to the IdAS described here:
http://dev.eclipse.org/mhonarc/lists/higgins-dev/msg01601.html

This is the request that we allow managedCardID+PersonalCardPPID+modulus+exponent to be the auth material for a self-issued token. I had some reservations, which I expressed in followup e-mails. My 2nd-to-last email asked whether you meant managedCardID or managedCardPPID, and I pointed out problems with managedCardPPID. ... I guess I just wanted clarification that you really meant managedCardID, not managedCardPPID. ... I was under the impression that we still needed to have everyone accept the proposed idea. I'm not sure where Jim and Tom are on the idea -- I will discuss it with them today to see what they think. As I recall, they didn't chime in on the thread.

Daniel

>>> "Daniel Sanders" <dsanders@xxxxxxxxxx> 2/23/2007 8:38 AM >>>
Thanks Mike. -- I did have a followup question on #2 (PPID claim handling). This should be independent of SAML provider, so I'm not sure what you mean here. All providers should do it this way, should they not? Am I misunderstanding what you mean by SAML provider? Could you clarify this?

I am also putting this particular e-mail out on the dev list - minus the other discussion about contributing to the STS.

Thanks,

Daniel

>>> Michael McIntosh <mikemci@xxxxxxxxxx> 2/23/2007 8:22 AM >>>
"Daniel Sanders" <dsanders@xxxxxxxxxx> wrote on 02/22/2007 03:45:49 PM:

> The term "fully implemented" implies a lot more than you are
> allowing for. It includes major and minor bug fixes, reliability
> fixes, scalability fixes, etc., etc. It's stuff that benefits ALL
> users of the STS. There is a lot of stuff in the STS that people
> are VERY interested in, that ought to be in the STS, that is not
> going to be specified in a high-level WS-Trust document. We need to
> collaborate about these things, including submitting patches and/or
> committing changes, bug fixes, etc. directly. We would like to be
> able to help with these things. We would like a task list or to-do
> list that everyone can help out with - as is common with most other
> open source projects.
>
> Examples of things that have recently been requested are as follows:
>
> 1) Some restructuring of the code modules. See my e-mail, and
> Mike's response - both out on the higgins-dev list if you are watching
it:
> http://dev.eclipse.org/mhonarc/lists/higgins-dev/msg01607.html

Allow 1 STS Core to be used by N STS Bindings - this is checked in today
(you can now pass a configured STS instance into the binding configure
method and get the configured STS instance from a binding).

> 2) A change in how PPID claims are handled. See http://wiki.
> eclipse.org/index.php/Milestone_0.7 under the heading "IIW Reference
> Application Post Mortem"

PPID handling - this has been how the SAML provider works since the F2F.

> 1. The STS needs to give special handling to the
> privatepersonalidentifier claim. The document, A Guide to
> Integrating with Information Cards and Windows CardSpace v1.0, says
> the following: "To enable an identity provider that supports the
> PPID claim type to be able to always produce a consistent claim
> value, Windows CardSpace includes the extension element ic:
> ClientPseudonym/ic:PPID in the RST request. It contains the result
> of applying a hash function to a relying party identity and optional
> user-supplied entropy to produce an opaque yet consistent reference
> for the relying party. If the issued token contains the PPID claim,
> this value is to be used as the basis. The IP/STS may use this value
> as is or as an input seed to a custom function to derive a value for
> the PPID claim." The STS should look for this ClientPseudonym/PPID
> element whenever the RST requests the personalprivateidentifier
> claim, and at the very least, return that value for the claim.
> 3) A change in how the STS determines what claims to ask for from IdAS.
See:
> http://dev.eclipse.org/mhonarc/lists/higgins-dev/msg01541.html.

Ask for specific claims when calling getDigitalSubject - this is checked
in today (I still feel that this is an LDAPism and would like to discuss
whether getDigitalSubject is expected to provide dynamic read-write access
via an to the DigitalSubject or whether its expected to provide a static
cached copy of the Digital Subject.
>
> Mike may have already worked on some of these, perhaps all of them.
> I haven't checked for the past few days. I am just showing you that
> there are things that need tweeking, adjusting, refactoring, etc. -
> that have little or nothing to do with the high-level WS-Trust
> architecture. These kinds of requests come up somewhat regularly,
> and we anticipate that more will happen.

I also am waiting for the change to the IdAS described here:
http://dev.eclipse.org/mhonarc/lists/higgins-dev/msg01601.html

> Daniel Sanders

<snip rest of discussion...>_______________________________________________ higgins-dev mailing list higgins-dev@xxxxxxxxxxxhttps://dev.eclipse.org/mailman/listinfo/higgins-dev

Follow-Ups:
- Re: [higgins-dev] Re: Redirecting Bandit STS efforts to Higgins
  - From: Daniel Sanders

References:
- [higgins-dev] Re: Redirecting Bandit STS efforts to Higgins
  - From: Jim Sermersheim

Prev by Date: Re: [higgins-dev] IdASRegistry as Singleton?
Next by Date: Re: [higgins-dev] Re: Redirecting Bandit STS efforts to Higgins
Previous by thread: [higgins-dev] Re: Redirecting Bandit STS efforts to Higgins
Next by thread: Re: [higgins-dev] Re: Redirecting Bandit STS efforts to Higgins
Index(es):
- Date
- Thread

Breadcrumbs