- From: Paul Denning <pauld@mitre.org>
- Date: Wed, 28 Jan 2004 13:24:53 -0500
- To: www-ws-arch@w3.org
This completes my action to provide a section for the security appendix of WSA.

A.6 Identity Federation

The Liberty Alliance is defining specifications [1] dealing with various aspects of identity. Their phase 2 work is grouped into three categories: ID-FF, ID-WSF, and ID-SIS.

ID-FF (Identity Federation Framework) describes how businesses or organizations can be affiliated into circles of trust and trust relationships. ID-FF includes several normative specifications, which in turn make normative references to SAML.

ID-WSF (Identity Web Services Framework) is a set of specifications for creating, discovering, using, and updating various aspects of identities through a particular type of web service known as an Identity Service. ID-WSF builds on ID-FF. A user (Principal) may register with several Identity Services. A prominent part of ID-WSF is a discovery service for locating an Identity Service for a given Principal. ID-WSF also defines a Data Services Template.

ID-WSF has also defined a draft specification for negotiating an authentication method, using SOAP messages to identify SASL mechanisms (RFC 2222) [2]. Note that WS-Security [4] explicitly states that establishing a security context or authentication mechanisms is outside its scope; ID-WSF may fill this void. However, WS-Security also defines a Username Token Profile [5], which could be used as an authentication mechanism. Potentially, Liberty ID-WSF could be used to negotiate the use of the WSS Username Token Profile as the authentication mechanism. Currently, the WSS Username Token Profile is not registered in IANA's SASL Mechanisms collection [3].

ID-SIS (Identity Service Instance Specifications) defines profiles for particular types of Identity Services. These profiles conform to the ID-WSF Data Services Template. Liberty has defined two such profiles. The Employee Profile (ID-SIS-EP) defines how to query and modify information associated with a Principal in the context of their employer. The Personal Profile (ID-SIS-PP) defines how to query and modify identity information for Principals themselves.

[1] http://projectliberty.org/specs/
[2] http://www.rfc-editor.org/rfc/rfc2222.txt
[3] http://www.iana.org/assignments/sasl-mechanisms
[4] http://www.oasis-open.org/committees/download.php/5072/oasis-200401-wss-soap-message-security-1.0.pdf
[5] http://www.oasis-open.org/committees/download.php/5074/oasis-200401-wss-username-token-profile-1.0.pdf

Paul
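The WSS Username Token Profile discussed above can carry a digest over nonce, creation time and password instead of the cleartext password, and the receiver is expected to recompute that digest and cache nonces against replay. The following is an added example, not part of this message or of the OASIS specification; the password store, usernames and sample values are constructed.

```python
import base64
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"   # wsu:Created is a UTC xsd:dateTime

def make_username_token(username, password, nonce=None, created=None):
    """Build the fields of a <wsse:UsernameToken> that uses PasswordDigest."""
    nonce = nonce if nonce is not None else os.urandom(16)
    created = created or datetime.now(timezone.utc).strftime(TIME_FMT)
    # Password_Digest = Base64( SHA-1( nonce + created + password ) ),
    # where the nonce enters as raw bytes (the profile's digest formula).
    digest = hashlib.sha1(nonce + created.encode() + password.encode()).digest()
    return {"Username": username,
            "Nonce": base64.b64encode(nonce).decode(),
            "Created": created,
            "PasswordDigest": base64.b64encode(digest).decode()}

class UsernameTokenVerifier:
    """Receiver side: recompute the digest and reject stale Created values
    and replayed nonces, as the profile recommends."""
    def __init__(self, passwords, max_age=timedelta(minutes=5)):
        self.passwords = passwords      # username -> shared secret (constructed store)
        self.max_age = max_age
        self.seen_nonces = set()        # replay cache; expire entries in production

    def verify(self, token, now=None):
        """Return True only if the token authenticates; now is an optional UTC string."""
        now_dt = (datetime.strptime(now, TIME_FMT) if now
                  else datetime.now(timezone.utc).replace(tzinfo=None))
        password = self.passwords.get(token["Username"])
        if password is None:
            return False
        created = datetime.strptime(token["Created"], TIME_FMT)
        if abs(now_dt - created) > self.max_age:
            return False                # stale or future-dated token
        nonce = base64.b64decode(token["Nonce"])
        if nonce in self.seen_nonces:
            return False                # replayed nonce
        expected = base64.b64encode(hashlib.sha1(
            nonce + token["Created"].encode() + password.encode()).digest()).decode()
        if not hmac.compare_digest(expected, token["PasswordDigest"]):
            return False                # wrong password or tampered token
        self.seen_nonces.add(nonce)
        return True
```

A verifier that skips the freshness or nonce check accepts any captured token indefinitely, which is why both checks sit before the digest comparison.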
Received on Wednesday, 28 January 2004 13:25:13 UTC