incubator-general mailing list archives

From Davanum Srinivas <d...@yahoo.com>
Subject Re: Proposal for OpenSAML (or a name TBD)
Date Wed, 29 Jan 2003 01:51:29 GMT
To clarify, please re-submit an edited proposal to general@incubator.apache.org.

Thanks,
dims

--- Davanum Srinivas <dims@yahoo.com> wrote:
> Scott,
> 
> Please go ahead as Bob suggests....No problems if you don't want to do it. 
> 
> <semi-kidding>I can't force any one to do something that they don't wanna do :)</semi-kidding>
> 
> -- dims
> 
> --- RL 'Bob' Morgan <rlmorgan@washington.edu> wrote:
> > 
> > So, the point made and apparently agreed to by everyone discussing this
> > today is that SAML and WS-Sec are Two Different Things, not related other
> > than both using XML and being about security (as are XKMS, XACML, XrML,
> > and surely dozens more at this point).  So I'd favor removing all
> > references to WS-Sec from this proposal, so as to let any WS-Sec work
> > proceed on its own merits.  Specifically remove:
> > 
> > > One important web services component that might leverage OpenSAML is
> > > WS-Security (http://www.oasis-open.org/committees/wss/).
> > 
> > and remove:
> > 
> > > WS-Sec or other links would be new code subject to open discussion as to
> > > approach and implication.
> > 
> > and remove:
> > 
> > > WS-Sec functionality might expand this interest.
> > 
> > and remove:
> > 
> > > Work in the web services space, such as the WS-Security work that is
> > > emerging from OASIS, could take place either within the scope of a more
> > > broadly named project that includes and subsumes OpenSAML, or could be a
> > > dependent subproject at ws.apache.org. This would include JAX-RPC and
> > > Apache Axis specific WS-Security handlers and code to enable quick
> > > adoption of SAML and WS-Security within the Apache project community.
> > 
> >  - RL "Bob"
> > 
> > ---
> > 
> > On Tue, 28 Jan 2003, Scott Cantor wrote:
> > 
> > > Here's the proposal solicited (and started) by the ws.apache.org folks,
> > > edited by me. The name should indeed change if the scope of the
> > > subproject is to be wider than SAML (see outstanding issues at the
> > > bottom).
> > >
> > > For the shib/internet2 folks, general@incubator.apache.org is the list
> > > to subscribe to to participate in the discussion.
> > >
> > > Scott Cantor
> > > The Ohio State Univ
> > > cantor.2@osu.edu
> > >
> > > ---
> > >
> > > Proposal for OpenSAML, A Web Services Subproject (via Incubator)
> > >
> > > 28 January 2003
> > > Davanum Srinivas (dims@yahoo.com), Scott Cantor (cantor.2@osu.edu)
> > >
> > > (0) rationale
> > >
> > > To support SAML (Security Assertion Markup Language), OpenSAML was
> > > developed by Internet2 as part of the Shibboleth project
> > > (http://shibboleth.internet2.edu/). The project is currently hosted and
> > > managed by Internet2 at http://www.opensaml.org. Both a Java and C++
> > > library are being provided and maintained, with a goal of feature parity
> > > and API commonality between them.
> > >
> > > One important web services component that might leverage OpenSAML is
> > > WS-Security (http://www.oasis-open.org/committees/wss/). There is also a
> > > JSR 155 - Web Services Security Assertions
> > > (http://www.jcp.org/en/jsr/detail?id=155) in progress that will (in
> > > their words) define a set of APIs, exchange patterns and implementation
> > > to securely (integrity and confidentiality) exchange assertions between
> > > web services based on OASIS SAML. We could implement this JSR over
> > > OpenSAML, either instead of or in addition to the existing API.
> > >
> > > The ws.apache.org PMC expressed a great deal of interest in the work in
> > > order to ramp up their activities quickly, and appears to be eager to
> > > contribute to the success of the subproject.
> > >
> > > (0.1) criteria
> > >
> > > Meritocracy: Design decisions have been made in consultation with the
> > > Shibboleth development team. WS-Sec or other links would be new code
> > > subject to open discussion as to approach and implication.
> > >
> > > Community: Aside from Shibboleth, a growing community of developers,
> > > mostly from higher ed, have been playing with the code in their
> > > projects. WS-Sec functionality might expand this interest.
> > >
> > > Core Developers: Primary author is Scott Cantor, with assistance from
> > > the Shibboleth development team, and a few other contributions, some
> > > from Apache contributors.
> > >
> > > Alignment: Uses Xerces and Xalan (J and C), xml-security, generally
> > > looks to Apache projects before turning elsewhere, due to compatibility
> > > of licensing terms and code quality and support.
> > >
> > > Scope: SAML and functionality to simplify the use of SAML in areas of
> > > interest.
> > >
> > > (0.2) warning signs
> > >
> > > Orphaned products: Shibboleth has some momentum, and sundry research
> > > projects exist that have looked at OpenSAML as a possible starting
> > > point.
> > >
> > > Inexperience: The primary author has been coding the system for about 14
> > > months, and has 5+ years experience on web security software, primarily
> > > in C and C++. Most of that code has been made publicly available and
> > > has been shared explicitly with other institutions. Other Shibboleth
> > > developers have contributed Unix systems programming, project
> > > organization, and Java experience to the project, and they have open
> > > source experience as well.
> > >
> > > Homogeneous Developers: Primarily one developer to this point, though
> > > suggestions from other developers have influenced design. Project
> > > expected to support layered functionality contributed by other
> > > interested parties once core API stability is reached. IRC has been used
> > > extensively to discuss issues.
> > >
> > > Reliance on Salaried Developers: Shibboleth is funded by Internet2 at
> > > the present time, and most of the development has been contract work,
> > > but the entire source base has been open source from the beginning.
> > >
> > > No ties to other Apache Products: Extensive reliance on XML and Jakarta
> > > projects, should make use of and serve the forthcoming WS projects.
> > >
> > > Fascination with Apache Brand: Would like to foster interest in and use
> > > of SAML, attract a stable of developers, extend work into web services,
> > > possibly explore implications of SAML and Shibboleth models for SSO and
> > > identity federation within other Apache projects.
> > >
> > > (1) scope of the subproject
> > >
> > > The purpose of this subproject is to create and maintain an
> > > implementation of the SAML standard, as defined by the OASIS SSTC, via
> > > libraries that support the messages, bindings, and profiles in the
> > > standard. This might eventually include reference implementations of
> > > SAML authorities for testing or development use (or more if there's
> > > interest). This subproject might include an implementation of the
> > > JSR-155 yet-to-be-published API for SAML in Java.
> > >
> > > Work in the web services space, such as the WS-Security work that is
> > > emerging from OASIS, could take place either within the scope of a more
> > > broadly named project that includes and subsumes OpenSAML, or could be a
> > > dependent subproject at ws.apache.org. This would include JAX-RPC and
> > > Apache Axis specific WS-Security handlers and code to enable quick
> > > adoption of SAML and WS-Security within the Apache project community.
> > >
> > > (2) identify the initial source from which the subproject is to be
> > > populated
> > >
> > > http://www.opensaml.org
> > >
> > > (3) identify the ASF resources to be created
> > >
> > > (3.1) mailing list(s)
> > >
> > > opensaml-user
> > > opensaml-dev
> > >
> > >
> > > (3.2) CVS repositories
> > >
> > > ws-opensaml (currently there is a cvs at cvs.internet2.edu)
> > >
> > > (3.3) Bugzilla
> > >
> > > (currently, there is a bugzilla at bugzilla.internet2.edu)
> > >
> > > (4) identify the initial set of committers
> > >
> > > Scott Cantor (cantor.2@osu.edu)
> > >
> > > Walter Hoehn (wassa@columbia.edu)
> > >
> > > Derek Atkins (warlord@mit.edu)
> > >
> > > Christian Geuer-Pollmann (geuer-pollmann@nue.et-inf.uni-siegen.de)
> > >
> > > Mark Wilcox (mark.wilcox@webct.com)
> > >
> > > (5) identify apache sponsoring individual
> > >
> > > Davanum Srinivas (dims@yahoo.com)
> > >
> > > (6) open issues for discussion
> > >
> > > Is OpenSAML a stand-alone subproject, or should it expand to include
> > > WS-Security work?
> > >
> > > Are there IPR-related concerns with SAML (patents held by RSA but
> > > offered royalty free), or especially with WS-Security and its family of
> > > specifications, most of which are not yet standards?
> > >
> 
=== message truncated ===


=====
Davanum Srinivas - http://xml.apache.org/~dims/
