Re: Call for Participation: OASIS Identity Based Attestation and Open Exchange Protocol Specification (IBOPS) TC

It seems to me to be an effort by a team at Bank of America to re-fashion
their in-house credentials management system as an external "industry
standard". If it comes to be adopted by others, this saves Bank of
America the trouble of migrating to something else.

It's common for entities with major in-house deployments to try to get
their thing placed as the basis for a standard.


On Sat, Aug 9, 2014 at 6:01 PM, Manu Sporny wrote:
> On 08/09/2014 02:25 AM, Anders Rundgren wrote:
>> I think OASIS should try things they have a chance succeeding with.
>> AFAIK, their stake in the client platform is close to NULL. It is sad
>> that banks don't spend a dime on genuine web tech such as WebCrypto.
>> Or VISA explaining how their "tokenization" scheme would go into
>> WebPayments.
> Agreed. I don't understand why the work is being done at OASIS either
> unless this is a purely insider play (meaning, the technology isn't
> meant to be used by the public, it's primarily for use in large
> enterprises). They have been successful at getting SAML adopted, so this
> wouldn't be the first time they've worked in the space. That Bank of
> America, RedHat, and Intel are taking the lead is interesting, the
> solution will most likely be colored (for better or worse) by a "big
> enterprise" palette.
> For those that don't want to dig deep into the documents, here's what
> they're working on:
> "The TC will develop the IBOPS specification to enable security systems
> to provide Identity Assertion, Role Gathering, Multi-Level Access
> Control, Assurance, and Auditing capabilities. IBOPS will define how
> software running on a client device can communicate with an
> IBOPS-enabled server. Methods for enabling security components to work
> with existing IBOPS components for integration into current operating
> environments will also be considered. An end-to-end specification
> describing the standards necessary to perform server-based enhanced
> biometric security will be created.  This solution will consider
> enrollment phase, maintenance, storage, and revocation. Version 1.0 of
> the specification should be completed within 18 to 24 months of the
> first meeting."
> "The TC might also develop interoperability profiles for OASIS Trust
> Elevation Protocol, FIDO, SAML, Open ID Connect and OAuth if deemed
> appropriate by the TC."
> Sounds like they're biting off a great deal of stuff, much of which we've
> marked as out of scope for the credentials work because each item alone
> would take years to complete.
> We should track the IBOPS work closely and learn from it if they do
> something interesting. It wouldn't hurt to try and create a liaison
> relationship between the Credentials CG and the IBOPS WG.
> -- manu
> [1]
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: High-Stakes Credentials and Web Login

Received on Saturday, 9 August 2014 22:48:31 UTC