Oct 2-4 Austin F2F Agenda
Higgins Face-to-Face meeting October 2-4, 2007
Themes
- The main theme will be release 1.0 planning. We'll go through the components and build a master list of what work remains for 1.0. Then we'll reproject the 1.0 date.
- Preparations for the interop event in Barcelona will be an additional theme.
- Higgins 1.1 and beyond
Logistics
- Start: The event will start Tuesday, October 2 at 9:00AM
- End: Thursday at noon.
- Where: IBM Austin, 11501 Burnet Road, Austin, Texas, 78758. Report to building 904 to get your badge. The meeting will be held in building 901 3G14.
- Hotel List for IBM Austin
See visitor information for google map, etc.
Expected Attendees
- Tony Nadalin (IBM)
- Mary Ruddy (Parity, SocialPhysics)
- Paul Trevithick (Parity, SocialPhysics)
- Greg Byrd (IBM, NC State Univ.)
- Bruce Rich (IBM)
- Jim Sermersheim (Novell)
- Michael McIntosh (IBM Research)
- Jeesmon Jacob (Parity)
Tuesday
9:10 Barcelona Interop Event
- Preparations for Barcelona Interop Event
- There are rumors of Microsoft showing up with a "v1.5" of CardSpace (packaged within .NET Framework 3.5 Beta 2; ships within Vista SP1 and IE7). Unfortunately we have little information on what changes Microsoft has made and thus the interop implications.
- Rumors are that Microsoft is considering using WS-Trust 1.3, SOAP 1.1, and WS-Addressing W3C/2005/08
- This blog has some interesting details: http://blogs.msdn.com/card/rss.xml
- and specifically: http://blogs.msdn.com/card/archive/2007/09/25/first-post-for-the-cardspace-team-blog.aspx mentions:
- Support RPs that don't use SSL
- PPID calculation is different
- Self-issued tokens are not encrypted.
- Conclusions
- Markus Sabadello (Parity) will attend to demonstrate the Higgins H1 Identity Agent
- Andy (Novell) will demonstrate the Higgins H2 IA
- In both cases we will likely demonstrate nothing different from what was recently demonstrated at DIDW and June Catalyst
- Higgins project needs to request formally that the above rumored changes be (a) documented in, e.g., an "Information Card interoperability profile 1.5??" and (b) that this document be covered under the OSP
- Higgins project will not begin work on interoperability with these new 1.5 changes
- In any event this work will not be part of Higgins 1.0
10AM Higgins 1.0
2:50pm IPR update [Mary]
Clear up the following:
- Axiom 1.2 is approved (we have some folks using 1.2.2 who need to move back to 1.2)
- Apache Commons Logging 1.04 (is approved) vs. 1.01 confusion
- mail1.4 is part of the axis 1.4 (is approved) distribution (otherwise the STS doesn't use it)
Still unresolved:
- OpenXDAS (auditing framework) used by the JNDI Context Provider
- OpenXRI --Drummond is working to get signatures, etc. to resolve this
News:
- The OpenID foundation put out three documents: "OpenID IPR Policy" Process", "OpenID IPR Policy Rationale" for 30 day review. It looks promising.
Summary:
- We're just about caught up with the Components dependencies
3:15pm Change 3rd party lib location
Starting week of Oct 8th:
- Create one Higgins project containing all approved .jar files
- Create one project containing all un-approved .jar files (and the lib folder is empty)
- Create one Maven script to pull down all third-party .jars
- Create one Maven script to pull down all unapproved third-party .jars
3:25 Higgins and JAAS
- H4 deployment will include a JAAS LoginModule for RCP
- H4 will be OSGI-based
- There is an RCP-based client that can also be used to login to clients
3:30pm Improving H2 Deployment
- Paul to create a proposal for what we'd like to see in the way of improved H2 documentation
- Initial thoughts are
- to make this only developer-friendly, not end-user friendly
- Maven configure and build script
Other Topics
- Ability to configure IdAS Registry using Configuration API
Wednesday
9:25AM New RP Enablement
- MikeM: presentation of new contribution
10:05 Higgins and CardSpace RP Compatibility
- RP summit: makes sense when we have some new features (e.g. new params to the <object> tag) that add value
- There are some issues. Tracking the OSIS work in this area. There may be IP issues here. E.g. Pam may not have the rights to the IP behind the recommendations she's making.
10:30AM Configuration Issues
- Issue: how to allow you to discover how to configure any one of the configurable Higgins components
- This is not for 1.0
- ISettingDescriptor
- Jim: Should we have an XML description of the ISettingDescriptor that could be put at the top of an XML file that contains configuration datasets?
- Daniel posted an example of something like that to the dev list
10:50AM CDS Demo
11:00AM Preparing a response to Microsoft's OSP Update (July 9th 2007)
- Mary to get from Tony some IP issues related to <object> tag, etc.
- New parameters to the <object> tag
- e.g. multiple issuers AND/OR
- Issues around the upcoming (.Net 3.5 version) of CardSpace
- Need to verify that an agent can post N>1 token in the POST
11:30AM RESTful interface to IdAS
- e.g. have a look at http://cloudtripper.org
- At present we have no RESTful interface to IdAS
- Is this in scope for Higgins?
- Are others in the Higgins community interested in contributing to this effort?
- Consensus seems to be yes and yes
1:15pm Demo of the RP Code
1:30pm-2:20 Barcelona Round 2
- Updated this table: http://osis.netmesh.org/wiki/I2-Barcelona
3pm Meeting with Equinox Folks
Thursday
9:30AM [Jim] An IdAS look at IGF
Jim: I went through the IGF documents, especially the IGF MRD collecting the requirements
Examples of requirements:
- allow for intended usage statement in requests
- intended attributes as well as intent to propagate, store, cache, or need to update
- can be passed in advance or as part of exchange
- allowable usage can be associated with data returned
- discovery based on requirements
- e.g. this kind of schema, this kind of functionality
- fine-grained error reporting
- i.e. allow a partial subject to be returned with specific errors indicating why certain attributes were withheld. A way to report an exception: "you didn't get attribute #5 because there's a policy restriction in place"
- auditability of actions
- when you read the MRD it implies that humans are reading documents
- things that happen that create audit logs and be able to compare with policy, etc.
- access control model
- ability to manage (update permissions)
- ability to query (e.g. can Joe perform a read on Alice's telephoneNumber attribute?)
- enforcement
- schema advertisement
- function/feature advertisement (at the least access-control-ish things like "can I update attribute")
- mapping/obfuscation/filtering/minimization
- name transformation, masking, value transformation
- attributes differ from properties
- attributes are traditional identifier/value form
- properties are always true or false
- example: isOverEighteen, Last4SSNDigits is "1234", PoliticalAffiliation is neither "republican" nor "democrat"
- VS IdAS: we have compare operations or search filters (could be thought of as "canned comparisons")
- one API to allow an app to consume from different sources
- example is similar to an RP which consumes some identity data from an RSTR and other identity data from a local DB
- What can IdAS do towards this today?
- allows part of intended usage statement
- IdAS allows a caller to state which attributes will be read when fetching a subject
- nothing else is conveyed (intent to propagate, cache, etc.)
- can't convey in a stateful way
- one API to allow an app to consume from different sources
- example is similar to an RP which consumes some identity data
- ...Jim to copy in here the rest of his PPT points
- IdAS elements allow metadata
- ...Jim to copy in here
- schema is discoverable, but probably not in any format IGF expects
- What IdAS can't yet do
- no ACM or enforcement
- no discovery based on capabilities, schema, access control
- no way to assert intended usage
- no partial attribute support
- no mapping (only via special CP's)
- no auditing or recommended audit callouts
Build Errors
- java
- Axiom 1.2.2 vs. 1.2
Prep for 2pm CDT OSIS Barcelona Call
- Review this table: http://osis.netmesh.org/wiki/I2_Relying_Party_Profiles within http://osis.netmesh.org/wiki/I2-Barcelona
11:50AM Next Steps
Urgent
- M1.0M9 build of the STS is needed by 10/5
- Complete the merge of AnthonyB's branch --Valery
Build Process Liaison(!)
- Jeesmon will take over responsibility for coordinating:
- Maven script for approved third party libraries
- Maven script for non-approved...
- Maven configure script for IdAS
- Master tutorial wiki page on:
- How to create nightly build scripts
- How to create Maven configure script
- How to create Maven build script
- Every Higgins call we'll review P1 1.0 items
Next F2F
- Jan 8-10 Provo
Tabled for beyond Higgins 1.0
- Architectural changes including:
- Support for ability for user to edit some attributes managed by an external STS/IdP. Attribute maintenance. Metadata about attributes. User can request changes to an attribute. Different levels of attributes. Etc. (e.g. R-Cards, etc.)
- Moving towards Agent Broker-based architecture
- Mike's "Basic Auth" i-card idea
- Jim suggests we look at recent IETF efforts in this area
- Need a working session: Higgins UI and its relationship to CardSpace's UI
- Date of next F2F
- IdAS Futures
- Changes to IdAS to support eventual WSDL for IdAS
- 197366 C# binding for IdAS
- Access Control Model
- Access Control CP
- Remotable IdAS Interfaces
- Better schema support (including modifications)
- Capabilities-based selection of Context
- Refactor AuthN to something like JAAS
- C# Implementation.
- Audit Instrumentation
- Allow policy (like CARML requirements) to be passed through.
- May need API Extensibility in order to pass policies through to the backing data store
- Activation Framework for CPs
- IdAS Alignment with IGF (includes a number of the above)
- Selector issues
- How to present the different selectors to the world
- How to move forward toward commonality (Progress discussion on selector collaboration)