Re: [foaf-dev] Re: RDFAuth: an initial sketch

Story Henry wrote:
> Another friendly anonymous reader sent me some detailed responses 
> below. I'll forward them on this thread.
>
> On 31 Mar 2008, at 16:22, XXX wrote:
>> Dear Henry,
>>
>> You really, really, really, really need a security person!
>
> Yes. I know that :-)
This is a recurring theme :)

It will be hard to recruit the right security expertise without getting 
a characterisation of the problem space (and the constraints we have, 
and the technical opportunities) that is clearly separated from 
candidate technical solutions.

How close are we to having that?

I'd like to see a 1 page "here's the problem we're trying to solve" that 
doesn't itself specify any protocol design.

Borrowing from Stefan Decker's page at 
http://www.stefandecker.org/the-heilmeier-catechism.html quoting George 
Heilmeier:


[[
   1.
      What is the problem, why is it hard?
   2.
      How is it solved today?
   3.
      What is the new technical idea; why can we succeed now?
   4.
      What is the impact if successful?
   5.
      How will the program be organized?
   6.
      How will intermediate results be generated?
   7.
      How will you measure progress?
   8.
      What will it cost?
]]

Maybe it doesn't have an exact fit to this thread, but I think something 
at this level of abstraction is worth getting clear before we get caught 
up in talk of nonces and replays and extensibility and so on.  Also can 
I once more encourage everyone thinking in this direction (ie. I'm not 
picking on Henry) to take a good hard look at the work going on around 
OpenID and OAuth. This unfortunately means more than just reading the 
core spec; it means digging into the surrounding community, for 
proposals, critiques, extension work in progress and so forth. Expensive 
stuff I know, but that's the way Web standards get made :)

When there's a problem statement (user level, use-casey stuff) and 
-separately- a sketch of a solution, we can go chasing security experts. 
The best ones tend to be rather busy so won't have time to follow long 
email threads I suspect, hence the need for short crisp problem statements.

cheers,

Dan

--
http://danbri.org/

Received on Monday, 31 March 2008 16:11:21 UTC