Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[higgins-dev] Notes from Higgins Developers call on Thursday, April 9.

Higgins dev call – April 9, 2009

 

 

Attendees

 

* Brian Carroll - Serena

* Andy Hodgkinson - Novell

* Drummond Reed - Cordance

* Mary Ruddy - Meristic

* Markus Sabedello - Parity

* Paul Trevithick - Parity

* Brian Walker - Parity

*John

 

Logistics
Time: noon Eastern
Dial-in: 1-866-362-7064 / 89-2048#

Agenda

1. [Brian]  1.1M7 targeted for April 24

  • See [1]
  • Raising the bar [2]
  • [Brian] This morning I went through the links on the 1.1 plan and made some updates to put a clean circle around the next milestone build plan. I encourage people to take a look at that.  It needs a few more revs.  The lion’s share of the work is around updating the Higgins wiki site with solution and component updates and checking in the code for those solutions and components as well as the clean up tasks around the selectors, etc. So folks should take a look at that. If there are any gaps we’ll go ahead and create those tickets. Want to make sure the list is accurate.  I’ll probably move the date out about a month to get this stuff cleaned up and rolled into the new plan I took a look at the items that were on M7: WS-Trust and  SOAP 1.2 and pushed those out to M8 for the time being. The dates will change, so focus on the content. Questions?
  • [Paul] What was the driver for getting the SOAP 1.2 and WS-Trust 1.3 work done?  On the I5 Interop testing we can’t pass a bunch of tests because of that.
  • [Brian] Yes, general interoperability.


2. [Brian, Alexander, Andy] Selector Architecture Harmonization     

  • See [3]    
  • Synchronizing CardStore call on April 1
  • [Brian] The main thing we are focusing on now is finishing the LICS pieces.  We had a transaction meeting with Andy and Valery. He will begin over the next few days to get started on that and determine next milestones.
  • [Paul] We also agreed on a way to handle the authentication.  I thought the wiki had been updated, but it hasn’t yet. Andy suggested a way to look at the Amazon (S3 services) approach to authenticating a session. So that is where we are going.
  • [John] Using symmetric keys to assign the headers. 
  • [Paul] …
  • [Andy] I have an implementation of that in the code that Valery can look at, if we needed to do it in another language
  • [Paul] That ‘s cool.
  • [Paul] So Brian, is it the goal for M7 to have a synchronizing card store?
  • [Brian] We need to look at the schedule.  


3. [Paul] Website improvements next steps  

  • Implement new downloads page structure [4]
  • Revise “All Selectors” diagram [6]
  • 2.1 New solution names [5]
  • [Paul] We’ve got the home page pretty much how we wanted.  We put all the third party links out to its own page.  I’m starting to think that we might actually want to have them on some other pages. The other new news is that Jeesmon has been tinkering and created a new page for non-Eclipse builds. One of the problems is that Eclipse doesn’t let you redistribute things that are not licensed under Eclipse.  So that makes it practically impossible to have a run-able download with things like Tomcat. So Jeesmon has created a web page with packaged builds. Andy and others have suggested using virtual box images, maybe that is the same thing.  Similarly, the Higgins solution intermediate site might be a place to store those virtual images as well. Other than that I spent a lot of time renaming wiki pages. I haven’t renamed the 1.0 solutions yet, For Higgins  1.1 we have Higgins selector 1.1 after than we might have the GTK flavor, from that page it would link to a page for Linux-GTK that is a page for how to download that.  So  moved to a more consistent naming for all the variants.  They are all Higgins 1.1 with different flavors.  I have done a lot of that [renaming]. We can get it all done for M7 hopefully.
  • [Andy] With the Bandit project we have our own downloads site and that has worked really well for us. So if you need help, I’d be happy to help with that.
  • [Paul] That is good to hear. Jessmon did this all himself.
  • [Paul] Do you think Bandit will let us reuse some of their build server?
  • [Andy] Export restrictions meant that we had to register our website with the government as many or all of them contain cryptographic information.  So at the very least it required registration, which is easy to do.
  • [John] Was the only requirement that you had to keep logs? 
  • [Andy] The only requirement is that the project is a pure open source project. All you have to do is notify the government that you have established this site and make the source code available as well as the binaries.
  • [Paul] That all sounds very promising.
  • [Mary] It will be great to have a place where we can offer things in a packaged format.

4. [Paul, JohnB] Relationship Brokering With R-Cards (held over)


·   Additional updates [7]

·         [Mary]  John would you like to kick off this topic?

·         [John] It’s a good thing.  Over to Paul.

·         [Paul] I’m on the road now, so I will have to wing this.  There is a link in the agenda. 

·         [Paul] An r-card is a managed card. It is a superset. It has one extra piece of information - a resource UDI defined by the UDI spec. It is a grab bag set of ways to refer to an item. You’ve get got this card and you are a selector or something that asked for the information. We are trying to track what Drummond is doing with XRD, but for various reasons you might want to have this discovery private. We can return the meta data around the UDI end point, as a value of one of the claims on the managed card. The details of which I’m still waiting for John to review, the flavors some of which are more chatty than others.  What they want to be able to do is discover enough to resolve it and authenticate to the r-card data. That wiki page needs a lot of work and attention.  It describes how a person can share that r-card with another party using standard attribute exchange and now the RP can discover how to resolve that UDI modulo the access control policy.

·         [John] One of the things that handling the discovery document back privately lets us do is…

·         [Paul] Beautiful example, we should add it to the wiki page.

·         [Paul] Calling it r-card relationship brokering is covering a number of possible sub use cases.  Combing a lot of what you have done.  Drummond, it may well use XRI, XRD.  It builds on everything we’ve got and defines a user experience for how an RP ask for these claims.. It is very general purpose.  I’m hoping we as a community can refine the design of it and implement it.  Many of the building blocks are already implemented in Higgins.

·         [Markus] When the selector wants to resolve it, the selector also gets the resource UDI from the STS?

·         [Paul] The resource UDI would be in the r-card itself.  The selector can read that value directly.  Depending on what John comes up with, the end point, the identity data service if it resources an oAuth , etc access token. The selector may well have to do that.

·         [John] There is the potential for embedding other access credentials in the r-card. You could put the XRD inside the card.

·         [Paul] There might be use cases for doing that.  So John needs to work through that.  He and other folks.

·         [John] You may not always want the selector to be able to access the service without their intervention.

·         [Paul] So the answer depends. So we need a number of possible flows.

·         [Paul] So that was an overview Mary.

·         [Markus] Can you say that in order to access part of a context service you need an…

·         [John] Portable contacts is a oAuth secured service, so if you put that you would need to put the persistent token in and it would switch it for a session token

·         [Markus] So the token from a Higgins perspective would be a kind of authentication materials. 

·         [John] The output of a private UDI resolution.

·         [John] The private one is only happening.

·         [Drummond] The private version is push, the public version is pull.

·         [John] Until there is security around the pull version, you can’t really put access token in it.

·         [Drummond] We are stretching the term resolution here.  The recipient to whom you are granting access you are sending the XRD in a claim.

·         [John] If the XRD has multiple services it may help indicate the service being used.  If the reliant parity’s security policy says give me a UDI claim and the value of the UDI claim is an XRD that has all that it needs that could work.

·         [Markus] Can you consider the XRD a kind of UDI?

·         [John] Right, that is what I was thinking..

·         [Markus] It is similar to what we were thinking with ID-WSF.

·         [John] Essentially the RP doesn’t know what kind of relationship it wants.

·         [Paul] So we are using r-cards to broker.

·         [John] Yes to broker relationships.

·         [Paul] Do you have a problem with what John and Markus are saying?

·         [Drummond] Semantically we might be overloading it.  It might be simpler to keep UDI as we have been defining it.  In the claim, that is what could be expanded…discovery meta data, you can…

·         [John] There is no way to give the UDI easily to a standard RP except as a value of a  claim. 

·         [John] Perhaps I want to give …..

·         [John] Is that complexity necessary?  Putting the XDI endpoint in the XRD?

·         [Drummond] If you need to use the private options you need to hand the credentials over in this blob.  If the endpoint speaks XDI, it is likely you can give it an XDI. A push option of moving that data is a classic example of XDI anyway.

·         [John] There are conceptually some issues with not knowing who you are sending the…

·         [John] Concept of assigning an identity .. the assumption is that it already has an identity.

·         [Drummond] It is not a strong enough use case., I’m not worried about supporting that.  We are looking to support EPR’s and XRD.

·         [John] I would argue event the EPR should be passed inside an XRD.

·         [Paul] On this call, I think a lot of people would support that. So you have a good chance of prevailing there.

·         [John] The nice thing about XRD is you can pass back an EPR and a portable contact to an RP.

·         [Drummond] I agree with John. The point of XRD is to be the one discovery format that binds them all.

·         [Paul ] I agree we should scrape it , we shouldn’t use EPR’s natively.

·         [John] Is the subject of the XRD the UDI?

·         [Drummond] Yes.

·         [John] Then you are always passing the XRD..

·         [Markus] I Don’t think it is a good idea to put an EPR in an xid.  I would be happier with just considering an EPR to be another kind of UDI,  I think that fits better in the overall data model.  One of the most important concepts is an entity relationship which contains a UDI.  An r-card is just an application of that data model

·         [Paul] I agree with you.

·         [Drummond]The devil’s advocate would say that the subject of the XRD is that entity relation. It is a matter of how you are going to package the information.  The penalty of making it an XRD for everything is that you need to process that even if you’ve just stuck in a UDI. 

·         [Paul] The foundation is ..

·         [John] If you want to make the XRD a separate claim,,, most RP’s will want to get  other things with RESTful tokens….

·         [Drummond] That would suggest the possibility that there is a UDI claim and an XRD claim.  Don’t overload them. 

·         [John/Markus] You could use a dynamic UDI claim and the RP could pass in a parameter that tells the STS in which format you want the USI.

·         [John] That also works, that would be nicer than having three different claims types. 

·         [Markus] We would have to define…

·         [Drummond] The dynamic claim

·         [John] That is the part of the spec that doesn’t exist.

·         [Paul]  I envision Axels proposal

·         [John]  It is not going to be part of the IMI spec. It breaks WS-Fed.

·         ……..

·         [John] Changing the claim URI has a whole bunch of consequences..

·         [John] Having structured claims requests and replies is best.

·         [Paul] We have people who need to get on with it. Waiting a couple of years isn’t going to work. John if you can advise us of a way that is more likely to be closer to the eventual standard….

·         [John] I will work on documenting what I’ve been discussing.

·         [John] What we are missing in the object tag is a pointer to the….

 

 

5. [Paul] Observations on Higgins from across the pond

·         [Mary] The last agenda topic is Paul’s feedback from his recent trip to England

·         [Paul]  As you get further away from America and Higgins, I was observing their perceptions of Higgins.  It was sobering. One researcher fired up DigitalME and looked at the card history, and it wasn’t there.  He said that all there is, is CardSpace.

·         [Paul] The perception is that Higgins and ICF were actually funded by Microsoft.

·         [Paul] Lastly even the packaged DigitalME is something only an administrator would love.  My take away is we can’t work hard enough and fast enough to make Higgins end user consumable. We can’t move fast enough to improve the Higgins project in all the ways we’ve talked about. People are taking the temperature of the entire IC ecosystem.  The entire world and what everyone knows about CardSpace is being colored by Higgins.

·         [Drummond]

·         [Paul] I came back realizing that even though Higgins isn’t a project we are trying to attract end users to, it is important as every researcher is an end user. Researchers use Higgins as a litmus test to see if the card ecosystem is real. The answer is that the info card ecosystem isn’t ready for prime time as it doesn’t have multiple implementations that are commercial grade.  From a polish point of view CardSpace looks real, and the Higgins stuff looks not real. The consequences are very bad  for everyone…

·         [Mary] Did they try the Azigo selector or just DigitalME?

·         [Paul] Just DigitalME.

·         [Andy] Can have an agenda item for this next week?

·         [Mary] Yes.

·         [John]  I was on a Concordia call conversation Scott Cantor and I have been looking at ways to extend the IMI to support the web proxy selector…

·         [Paul] Great.

·         [John] We have a theory on that that requires very little change at the RP end.

·         [Paul] We should talk about this next week too.

·         [Mary] Yes.

·         [Paul] We are out of time.  Bye.



[1] http://wiki.eclipse.org/Higgins_1.1M7
[2] http://wiki.eclipse.org/Selector_Architecture_Harmonization
[3] http://wiki.eclipse.org/Higgins_1.1_Plan#Infrastructure_.26_Cross-cutting_Improvements
[4] http://wiki.eclipse.org/Higgins_1.1_Plan#New_Downloads_Page
[5] http://wiki.eclipse.org/Higgins_1.1_Plan#Website
[6] http://wiki.eclipse.org/Selector_Overview#H1.1_All_Selectors
[7] http://wiki.eclipse.org/Relationship_Brokering_With_R-Cards

 

 

 


Back to the top