Re: [higgins-dev] Notes from Nov 2 higgins-dev call noon ET

Thanks for the notes, Paul.
 
I meant to expand the point I was making in the second bullet under "What is the demo for Dec 2nd?": I wanted to say we started out calling it a reference application, but we view what we're working on now as more of a demo which is a step toward a reference app (which would fulfil the larger set of goals).
 

>>> "Paul Trevithick" <paul@xxxxxxxxxxxxxxxxx> 11/2/06 11:17 AM >>>
Attendees
---------
- MaryR, PaulT, TomS, GerryT, AndyH, MikeM, DanielS, JeffB, ValeryK, BrianC,
DaleO, JimS, TonyN

IP Issues
---------
- MikeM: Need to go down the road of interoperability as far as we can
- (1) what can we demonstrate?
- (2) what can we check into CVS?

What is the demo for Dec 2nd?
-----------------------------
JimS:
- All we have so far is an email outline and an email to-do list
- We call it a reference application and it is described on
banditproject.org
- We had wanted to show all the ISS, etc. components, but there isn't time
to get all that done, so we decided to use the CardSpace selector and
interoperate with an RP our STS.
- This would force us to integrate our STS with IdAS
- Suggestion: a (MediaWiki) RP will do initial authentication and then some
authorization. Someone could use a CardSpace card or traditional un/pw (or
maybe OpenID). If they use a CardSpace card the RP could use the claims to
perform role calculations and do further authorization on the MediaWiki.

Discussion of RP code and IdAS
------------------------------
- Mike: The STS role is also to validate a token. Should someone present an
old token that had been revoked, the STS can validate it. The RP can be
forced to ask the issuer, is the token valid for this purpose. This is a big
part of what WS-Trust is about. The STS is already wrapping IdAS for getting
the claim.
- Mike: When the user gets an old token and tries to present it, the RP
can't know whether the STS just issued it, or issued it 2 weeks ago and
revoked it 1 week ago.
- Jeff: What type of opportunity do we have to get support from MS. Do we
have someone we can go to?
- Mary: CA is working together with MS. I have some opportunities to ask
some pointed questions
- Mike: sometimes they respond right away. It is hard to get predictable.

...back to the demo
-------------------
- JimS:
- whether we do or don't use IdAS to get back to the store is a detail
- On the client side to make things easier, we wanted to use IE7 with
.NET3.0 installation so that we can have a standard informationcard over for
some claims
- On the client side we would need to provide some way for us to build a
managed card and then use the cardspace cardmanager to import that so the
user could select that card. That card would point to our STS.
- From the client side process with that card.
- Paul: this is what Mike calls the "pull" model
- JimS: when the card is created we can put enough metadata in the card so
that the STS
- Mike: yes, this is what we call the pull model
- JimS:
- DaleO: in summary for this demo this is the "STS pull" model and the RP
party is going to accept what it gets and not do any pull
- Paul: so we are creating a "Managed Card Provider"
- Mike: in this model the STS is the IdP


Defined Tasks
-------------
JimS: (banditproject.org under reference application)
- that's where we are going to keep track of this
- Mike: the problem I have permission to work on Higgins, so I have a
problem with the IP
- Mike: if you point me to a different mailing list, I can't read it
- Tony: these are IP issues
- Dale: we're just trying to make a list
- Mary: you just need to register
- Tom: If we're in agreement that it will benefit everyone
- Pat: we have some drop dead deadlines that we need to meet
- Andy: beyond bugzilla and the wiki, what about checking in source code
- Mike: my understanding is that people are writing code to generate
informationcards using Chuck's stuff. Chuck's code doesn't match the spex
- Tony: this is because the spex are out of date and didn't publish the
changes
- Dale: we only have rights to use the specification, not how the code
actually works
- Tony: we don't know if the rev will ever get published. So if you go by
the spex
- JimS... that's as much as we've got on this topic
- Paul: anyone read my email about using MS Claim namespace?
- Mike: yes, I think it could work, but not for more complicated cases
- Mike: trouble is when you have multiple addresses in my provider and what
I think I'm being forced to do is decide which one is shipping address.
- JimS: my hope was that for simple scenarios we didn't have to do this
- Mike: but we need to be more flexible for the long term
- Tom: where is this demo going to be shown?
- Dale: IIW
- Tom: should we define profiles
- ??: we want to make these demo services available on a public website
- Paul: Eclipse servers are available to host STS or IdAS service, etc.
- Andy: I'm setting up a VMware image, but there are licensing issues
distributing
- Andy: couldn't get Vista in VMware and MSVM and both blow up

- Jeff: could we discuss how it is, as had been suggested on the list, that
Higgins may be breaking one or more of Kim's laws?
- Mary: that was a suggested F2F topic
_______________________________________________
higgins-dev mailing list
higgins-dev@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/higgins-dev
