incubator-general mailing list archives

From "RL 'Bob' Morgan" <rlmor...@washington.edu>
Subject Re: Proposal for OpenSAML (or a name TBD)
Date Wed, 29 Jan 2003 01:38:14 GMT

So, the point made and apparently agreed to by everyone discussing this
today is that SAML and WS-Sec are Two Different Things, not related other
than both using XML and being about security (as are XKMS, XACML, XrML,
and surely dozens more at this point).  So I'd favor removing all
references to WS-Sec from this proposal, so as to let any WS-Sec work
proceed on its own merits.  Specifically remove:

> One important web services component that might leverage OpenSAML is
> WS-Security (http://www.oasis-open.org/committees/wss/).

and remove:

> WS-Sec or other links would be new code subject to open discussion as to
> approach and implication.

and remove:

> WS-Sec functionality might expand this interest.

and remove:

> Work in the web services space, such as the WS-Security work that is
> emerging from OASIS, could take place either within the scope of a more
> broadly named project that includes and subsumes OpenSAML, or could be a
> dependent subproject at ws.apache.org. This would include JAX-RPC and
> Apache Axis specific WS-Security handlers and code to enable quick
> adoption of SAML and WS-Security within the Apache project community.

 - RL "Bob"

---

On Tue, 28 Jan 2003, Scott Cantor wrote:

> Here's the proposal solicited (and started) by the ws.apache.org folks,
> edited by me. The name should indeed change if the scope of the
> subproject is to be wider than SAML (see outstanding issues at the
> bottom).
>
> For the shib/internet2 folks, general@incubator.apache.org is the list
> to subscribe to to participate in the discussion.
>
> Scott Cantor
> The Ohio State Univ
> cantor.2@osu.edu
>
> ---
>
> Proposal for OpenSAML, A Web Services Subproject (via Incubator)
>
> 28 January 2003
> Davanum Srinivas (dims@yahoo.com), Scott Cantor (cantor.2@osu.edu)
>
> (0) rationale
>
> To support SAML (Security Assertion Markup Language), OpenSAML was
> developed by Internet2 as part of the Shibboleth project
> (http://shibboleth.internet2.edu/). The project is currently hosted and
> managed by Internet2 at http://www.opensaml.org. Both a Java and C++
> library are being provided and maintained, with a goal of feature parity
> and API commonality between them.
>
> One important web services component that might leverage OpenSAML is
> WS-Security (http://www.oasis-open.org/committees/wss/). There is also a
> JSR 155 - Web Services Security Assertions
> (http://www.jcp.org/en/jsr/detail?id=155) in progress that will (in
> their words) define a set of APIs, exchange patterns and implementation
> to securely (integrity and confidentiality) exchange assertions between
> web services based on OASIS SAML. We could implement this JSR over
> OpenSAML, either instead of or in addition to the existing API.
>
> The ws.apache.org PMC expressed a great deal of interest in the work in
> order to ramp up their activities quickly, and appears to be eager to
> contribute to the success of the subproject.
>
> (0.1) criteria
>
> Meritocracy: Design decisions have been made in consultation with the
> Shibboleth development team. WS-Sec or other links would be new code
> subject to open discussion as to approach and implication.
>
> Community: Aside from Shibboleth, a growing community of developers,
> mostly from higher ed, have been playing with the code in their
> projects. WS-Sec functionality might expand this interest.
>
> Core Developers: Primary author is Scott Cantor, with assistance from
> the Shibboleth development team, and a few other contributions, some
> from Apache contributors.
>
> Alignment: Uses Xerces and Xalan (J and C), xml-security, generally
> looks to Apache projects before turning elsewhere, due to compatibility
> of licensing terms and code quality and support.
>
> Scope: SAML and functionality to simplify the use of SAML in areas of
> interest.
>
> (0.2) warning signs
>
> Orphaned products: Shibboleth has some momentum, and sundry research
> projects exist that have looked at OpenSAML as a possible starting
> point.
>
> Inexperience: The primary author has been coding the system for about 14
> months, and has 5+ years experience on web security software, primarily
> in C and C++. Most of that code has been made publicly available and
> has been shared explicitly with other institutions. Other Shibboleth
> developers have contributed Unix systems programming, project
> organization, and Java experience to the project, and they have open
> source experience as well.
>
> Homogeneous Developers: Primarily one developer to this point, though
> suggestions from other developers have influenced design. Project
> expected to support layered functionality contributed by other
> interested parties once core API stability is reached. IRC has been used
> extensively to discuss issues.
>
> Reliance on Salaried Developers: Shibboleth is funded by Internet2 at
> the present time, and most of the development has been contract work,
> but the entire source base has been open source from the beginning.
>
> No ties to other Apache Products: Extensive reliance on XML and Jakarta
> projects, should make use of and serve the forthcoming WS projects.
>
> Fascination with Apache Brand: Would like to foster interest in and use
> of SAML, attract a stable of developers, extend work into web services,
> possibly explore implications of SAML and Shibboleth models for SSO and
> identity federation within other Apache projects.
>
> (1) scope of the subproject
>
> The purpose of this subproject is to create and maintain an
> implementation of the SAML standard, as defined by the OASIS SSTC, via
> libraries that support the messages, bindings, and profiles in the
> standard. This might eventually include reference implementations of
> SAML authorities for testing or development use (or more if there's
> interest). This subproject might include an implementation of the
> JSR-155 yet-to-be-published API for SAML in Java.
>
> Work in the web services space, such as the WS-Security work that is
> emerging from OASIS, could take place either within the scope of a more
> broadly named project that includes and subsumes OpenSAML, or could be a
> dependent subproject at ws.apache.org. This would include JAX-RPC and
> Apache Axis specific WS-Security handlers and code to enable quick
> adoption of SAML and WS-Security within the Apache project community.
>
> (2) identify the initial source from which the subproject is to be
> populated
>
> http://www.opensaml.org
>
> (3) identify the ASF resources to be created
>
> (3.1) mailing list(s)
>
> opensaml-user
> opensaml-dev
>
>
> (3.2) CVS repositories
>
> ws-opensaml (currently there is a cvs at cvs.internet2.edu)
>
> (3.3) Bugzilla
>
> (currently, there is a bugzilla at bugzilla.internet2.edu)
>
> (4) identify the initial set of committers
>
> Scott Cantor (cantor.2@osu.edu)
>
> Walter Hoehn (wassa@columbia.edu)
>
> Derek Atkins (warlord@mit.edu)
>
> Christian Geuer-Pollmann (geuer-pollmann@nue.et-inf.uni-siegen.de)
>
> Mark Wilcox (mark.wilcox@webct.com)
>
> (5) identify apache sponsoring individual
>
> Davanum Srinivas (dims@yahoo.com)
>
> (6) open issues for discussion
>
> Is OpenSAML a stand-alone subproject, or should it expand to include
> WS-Security work?
>
> Are there IPR-related concerns with SAML (patents held by RSA but
> offered royalty free), or especially with WS-Security and its family of
> specifications, most of which are not yet standards?
>
>

