From phil.hunt at oracle.com Tue Nov 6 14:40:40 2007 From: phil.hunt at oracle.com (Phil Hunt) Date: Tue, 06 Nov 2007 14:40:40 -0800 Subject: [Igf-dev] IGF Dev Call cancelled Message-ID: I have a conflict for the call this week and will have to cancel the call for this Thursday 8AM. If anyone has any items they would like to update on, please let me know and I'll be happy to call you direct. Cheers, Phil Hunt Oracle -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071106/b2821078/attachment.html From phil.hunt at oracle.com Wed Nov 28 12:55:11 2007 From: phil.hunt at oracle.com (Phil Hunt) Date: Wed, 28 Nov 2007 12:55:11 -0800 Subject: [Igf-dev] Notes from a teleconf meeting wrt IGF and Higgins IdAS References: <474D709A.D091.001C.0@novell.com> Message-ID: FYI... I had a conference call with the Higgins IdAS team today to talk about our respective architectures and how our 2 projects can work together going forward. The Higgins team is thinking about a lot of the same issues we are and are in good alignment. Configuration handling, where it should occur,and how it should manifest through the layers seems to be one of the big exploratory items. Please see Jim's notes below. We have also discussed how to extend IdAS to support IGF policy both now and in the future as we get to the end-state. I will post some of that discussion to this list shortly. Regards, Phil Hunt Oracle Begin forwarded message: > From: "Jim Sermersheim" > Date: November 28, 2007 12:43:54 PM PST (CA) > To: > Cc: "Phil Hunt" > Subject: Notes from a teleconf meeting wrt IGF > > To try and push ahead on fleshing out what it would take to consume > Higgins by the IGF, or implement parts of it in Higgins, we had a > chat on the phone with Phil Hunt. Primarily, the call was geared > toward sharing descriptions of architecture (understanding how IdAS > works and understanding the IGF architecture). > > I put notes here http://wiki.eclipse.org/20071128_IGF_teleconf_notes > which are pointed at from here http://wiki.eclipse.org/IGF_Integration > which is pointed at from here http://wiki.eclipse.org/ > Identity_Attribute_Service > > I'll start a new thread (continuing an old one) on Idas API > extensibility which was one of the work items that came from the call. > > Jim -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071128/2a923c4d/attachment-0001.html From phil.hunt at oracle.com Wed Nov 28 23:04:35 2007 From: phil.hunt at oracle.com (Phil Hunt) Date: Wed, 28 Nov 2007 23:04:35 -0800 Subject: [Igf-dev] [higgins-dev] Notes from a teleconf meeting wrt IGF In-Reply-To: <474DE577.D091.001C.0@novell.com> References: <474D709A.D091.001C.0@novell.com> <474D85E2.D091.001C.0@novell.com> <474DE577.D091.001C.0@novell.com> Message-ID: <9F542CF2-A503-48CD-B66E-AE11982EAC9C@oracle.com> Jim, Thanks. I'll review tomorrow morning. I think that gives lots of options! Phil Hunt Oracle On 28-Nov-07, at 9:02 PM, Jim Sermersheim wrote: > Phil, there's some text at http://wiki.eclipse.org/ > IdAS_Basic_Deployment#Edit_the_configuration_file which describes > two different methods for doing IdAS context registration/ > configuration. > > While the first way uses a configuration file on disk, that's only > one way of creating and configuring the IdASRegistry. In theory, > we should be able to create the entire configuration at runtime as > a Map object, and pass that to IdASRegistry.configure. That > assumes there's some way (at runtime) to know how to build that Map > object. > > A middle-ground alternate would place static configuration data in > the config file, then at runtime, after populating the > ConfigurationHandler, get the Map > (ConfigurationHandler.getSettings), inject the remaining (dynamic) > config settings into the Map, pass that updated Map back into > ConfigurationHandler.config, and continue as normal. > > At least I think that should work -- it might be a good exercise to > test it with the BasicIdAS deployment. > > Jim > > >>> "Jim Sermersheim" 11/28/07 3:14 PM >>> > So, we may need to flesh out our capabilities in these areas. We > can access attributes in IdAS, and we can get/set policy on a > context factory (though we've yet to demonstrate what that looks > like), but we don't yet have the ability to express policy at the > Context or DigitalSubject level. This is stuff that has sort of > been on the back burner. > > >>> Anthony Nadalin 11/28/07 2:00 PM >>> > Not seeing any value with IGF, we already have claims and policy > that can express what IGF is supposed to be able to express, so > maybe the IGF folks can just pickup what has been done with > defining the claims. > > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 > > > > From: > > "Jim Sermersheim" > > To: > > > > Date: > > 11/28/2007 02:45 PM > > Subject: > > [higgins-dev] Notes from a teleconf meeting wrt IGF > > > > > To try and push ahead on fleshing out what it would take to consume > Higgins by the IGF, or implement parts of it in Higgins, we had a > chat on the phone with Phil Hunt. Primarily, the call was geared > toward sharing descriptions of architecture (understanding how IdAS > works and understanding the IGF architecture). > > I put notes here http://wiki.eclipse.org/20071128_IGF_teleconf_notes > which are pointed at from here http://wiki.eclipse.org/IGF_Integration > which is pointed at from here http://wiki.eclipse.org/ > Identity_Attribute_Service > > I'll start a new thread (continuing an old one) on Idas API > extensibility which was one of the work items that came from the call. > > Jim _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > > > _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071128/222aa870/attachment.html From phil.hunt at oracle.com Fri Nov 30 12:36:06 2007 From: phil.hunt at oracle.com (Phil Hunt) Date: Fri, 30 Nov 2007 12:36:06 -0800 Subject: [Igf-dev] [higgins-dev] Notes from a teleconf meeting wrt IGF In-Reply-To: References: <474D709A.D091.001C.0@novell.com>

Message-ID: <057EB71F-8551-42F3-8ED4-892D81023DE8@oracle.com> Thanks for the link. The document referenced (Relying Party Security Policy) is definitely important. But at this stage seems preliminary since it implies only a single protocol scenario. [aside...the ontology links are broken] By this I mean, we need to take that document and further expand on it. The major component of policy referred to in Relying Party Security Policy document is what I would call relying party web policy. It describes only what information is needed to be transferred and how it is to be transferred (i.e. WS-SecurityPolicy). IGF doesn't conflict with what already exists in WS-SecurityPolicy, but rather adds more context and more information. IGF answers more of the following issues: * How do attribute authorities (e.g. Identity Providers) that hold information decide to accept and release information? * Consent can raise transactional conditions that must be accounted for. E.g. two partners might agree on how to generally share information enabling a general flow. However, user-consent may indicate special conditions (e.g. suppression or filtering of specific claims, denial of claims, or special conditions such as "do not propagate"). * Context - there is a greater need in fine-grained authorization to fully define the context under which information is released. This means being able to transmit both the credentials of the application, the end-user involved, and potentially a transaction name and purpose (e.g. legal context). * From an consuming application perspective (relying party), WS- SecPol describes attributes and how they are to be delivered. It does not document the applications intended use of data. CARML provides additional meta data gives the Attribute Authority more context to approve the release of information. CARML and WS-SecPol definitely have a relationship and should support each other. The nature of that relationship needs to be defined more clearly. http://wiki.eclipse.org/Relying_Party_Security_Policy is a good early document and useful for discussion within the Higgins framework and within IGF. It represents the case where IGF is applied in a WS-Fed scenario. I'd be happy to reference this material from the openLiberty site if you like. I think it is important that we support and build on these ideas. Phil Hunt Oracle On 29-Nov-07, at 6:25 PM, Anthony Nadalin wrote: > Here is the general policy language description that drives the > enhanced privacy support in Higgins http://wiki.eclipse.org/ > Relying_Party_Security_Policy. > > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 > > Phil Hunt ---11/28/2007 03:41:08 PM---Tony...what are > you referring to exactly? > > > From: > Phil Hunt > > To: > "Higgins (Trust Framework) Project developer discussions" dev at eclipse.org> > > Cc: > higgins-dev-bounces at eclipse.org > > Date: > 11/28/2007 03:41 PM > > Subject: > Re: [higgins-dev] Notes from a teleconf meeting wrt IGF > > > > Tony...what are you referring to exactly? > > Phil Hunt > Oracle > > > On 28-Nov-07, at 1:00 PM, Anthony Nadalin wrote: > Not seeing any value with IGF, we already have claims and policy > that can express what IGF is supposed to be able to express, so > maybe the IGF folks can just pickup what has been done with > defining the claims. > > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 > > "Jim Sermersheim" ---11/28/2007 02:45:24 PM---To try > and push ahead on fleshing out what it would take to consume > Higgins by the IGF, or implement parts of it in Higgins, we > > From: > "Jim Sermersheim" > > To: > > > Date: > 11/28/2007 02:45 PM > > Subject: > [higgins-dev] Notes from a teleconf meeting wrt IGF > > > > To try and push ahead on fleshing out what it would take to consume > Higgins by the IGF, or implement parts of it in Higgins, we had a > chat on the phone with Phil Hunt. Primarily, the call was geared > toward sharing descriptions of architecture (understanding how IdAS > works and understanding the IGF architecture). > > I put notes here http://wiki.eclipse.org/20071128_IGF_teleconf_notes > which are pointed at from here http://wiki.eclipse.org/IGF_Integration > which is pointed at from here http://wiki.eclipse.org/ > Identity_Attribute_Service > > I'll start a new thread (continuing an old one) on Idas API > extensibility which was one of the work items that came from the call. > > > Jim _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > > ____________________________________________ > ___ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > > _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > > > _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/8a021975/attachment-0001.html From phil.hunt at oracle.com Fri Nov 30 15:55:23 2007 From: phil.hunt at oracle.com (Phil Hunt) Date: Fri, 30 Nov 2007 15:55:23 -0800 Subject: [Igf-dev] Fwd: [higgins-dev] Notes from a teleconf meeting wrt IGF References: Message-ID: <174E2D0C-A613-4F0B-A524-8514D8108A25@oracle.com> FYI... Phil Hunt Oracle Begin forwarded message: > From: Anthony Nadalin > Date: November 30, 2007 1:15:58 PM PST (CA) > To: "Higgins \(Trust Framework\) Project developer discussions" > > Cc: higgins-dev-bounces at eclipse.org, igf-dev at lists.openliberty.org, > "Higgins \(Trust Framework\) Project developer discussions" > > Subject: Re: [higgins-dev] Notes from a teleconf meeting wrt IGF > Reply-To: "Higgins \(Trust Framework\) Project developer > discussions" > > Phil, this document is as you point out partial as it was taken > from a much larger scope document (IDEMIX) that we have and was > specifically scoped to the RP, but the overall document and concept > behind IDEMIX is not just RP. The policy aspects cover all parties > involved, IdP, Identity Agents and RP and it not limited to WS- > Federation, we use the WS-Policy constructs since that is a > standards base policy framework. We also wanted to fit with the > Claims framework to be able to expand upon beyond what Cardspace > has done, yet be compatible > > In our analyses the "AAPML" spec is a bit like EPAL profile in > XACML and "CARML" spec is like a token request specification, > > > > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 > ?Phil Hunt ---11/30/2007 02:38:33 PM---Thanks for the link. > ? > From: ? > Phil Hunt ? > To: ? > "Higgins (Trust Framework) Project developer discussions" dev at eclipse.org> ? > Cc: ? > igf-dev at lists.openliberty.org ? > Date: ? > 11/30/2007 02:38 PM ? > Subject: ? > Re: [higgins-dev] Notes from a teleconf meeting wrt IGF > > > > Thanks for the link. > > The document referenced (Relying Party Security Policy) is > definitely important. But at this stage seems preliminary since it > implies only a single protocol scenario. [aside...the ontology > links are broken] By this I mean, we need to take that document > and further expand on it. > > The major component of policy referred to in Relying Party Security > Policy document is what I would call relying party web policy. It > describes only what information is needed to be transferred and how > it is to be transferred (i.e. WS-SecurityPolicy). IGF doesn't > conflict with what already exists in WS-SecurityPolicy, but rather > adds more context and more information. > > IGF answers more of the following issues: > * How do attribute authorities (e.g. Identity Providers) that hold > information decide to accept and release information? > * Consent can raise transactional conditions that must be accounted > for. E.g. two partners might agree on how to generally share > information enabling a general flow. However, user-consent may > indicate special conditions (e.g. suppression or filtering of > specific claims, denial of claims, or special conditions such as > "do not propagate"). > * Context - there is a greater need in fine-grained authorization > to fully define the context under which information is released. > This means being able to transmit both the credentials of the > application, the end-user involved, and potentially a transaction > name and purpose (e.g. legal context). > * From an consuming application perspective (relying party), WS- > SecPol describes attributes and how they are to be delivered. It > does not document the applications intended use of data. CARML > provides additional meta data gives the Attribute Authority more > context to approve the release of information. CARML and WS-SecPol > definitely have a relationship and should support each other. The > nature of that relationship needs to be defined more clearly. > > http://wiki.eclipse.org/Relying_Party_Security_Policy is a good > early document and useful for discussion within the Higgins > framework and within IGF. It represents the case where IGF is > applied in a WS-Fed scenario. I'd be happy to reference this > material from the openLiberty site if you like. I think it is > important that we support and build on these ideas. > > Phil Hunt > Oracle > > > On 29-Nov-07, at 6:25 PM, Anthony Nadalin wrote: > Here is the general policy language description that drives the > enhanced privacy support in Higgins http://wiki.eclipse.org/ > Relying_Party_Security_Policy. > > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 > > Phil Hunt ---11/28/2007 03:41:08 PM---Tony...what are > you referring to exactly? > > From: > Phil Hunt > > To: > "Higgins (Trust Framework) Project developer discussions" dev at eclipse.org> > > Cc: > higgins-dev-bounces at eclipse.org > > Date: > 11/28/2007 03:41 PM > > Subject: > Re: [higgins-dev] Notes from a teleconf meeting wrt IGF > > > > Tony...what are you referring to exactly? > > Phil Hunt > Oracle > > > On 28-Nov-07, at 1:00 PM, Anthony Nadalin wrote: > Not seeing any value with IGF, we already have claims and policy > that can express what IGF is supposed to be able to express, so > maybe the IGF folks can just pickup what has been done with > defining the claims. > > Anthony Nadalin | Work 512.838.0085 | Cell 512.289.4122 > > "Jim Sermersheim" ---11/28/2007 02:45:24 PM---To try > and push ahead on fleshing out what it would take to consume > Higgins by the IGF, or implement parts of it in Higgins, we > > From: > "Jim Sermersheim" > > To: > > > Date: > 11/28/2007 02:45 PM > > Subject: > [higgins-dev] Notes from a teleconf meeting wrt IGF > > > > To try and push ahead on fleshing out what it would take to consume > Higgins by the IGF, or implement parts of it in Higgins, we had a > chat on the phone with Phil Hunt. Primarily, the call was geared > toward sharing descriptions of architecture (understanding how IdAS > works and understanding the IGF architecture). > > I put notes here http://wiki.eclipse.org/20071128_IGF_teleconf_notes > which are pointed at from here http://wiki.eclipse.org/IGF_Integration > which is pointed at from here http://wiki.eclipse.org/ > Identity_Attribute_Service > > I'll start a new thread (continuing an old one) on Idas API > extensibility which was one of the work items that came from the call. > > > Jim _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > > ____________________________________________ > ___ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > > _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > > > _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev > ?? > _______________________________________________ > higgins-dev mailing list > higgins-dev at eclipse.org > https://dev.eclipse.org/mailman/listinfo/higgins-dev -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0001.html -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0013.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0014.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0015.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0016.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0017.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0018.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0019.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0020.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0021.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0022.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0023.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: graycol.gif Type: image/gif Size: 105 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0024.gif -------------- next part -------------- A non-text attachment was scrubbed... Name: ecblank.gif Type: image/gif Size: 45 bytes Desc: not available Url : http://lists.openliberty.org/pipermail/igf-dev_lists.openliberty.org/attachments/20071130/5b9587e4/attachment-0025.gif