CC'ing Sandeep and Krishna - the co-leads for JSR 155.

Thanks,
dims

--- Scott Cantor <[EMAIL PROTECTED]> wrote:
> A revised proposal with the references to WS-Sec removed by general consent of the parties involved.
>
> --- Scott
>
> ---
>
> Proposal for OpenSAML, A Web Services Subproject (via Incubator)
>
> 28 January 2003,
> Davanum Srinivas ([EMAIL PROTECTED]), Scott Cantor ([EMAIL PROTECTED])
>
> (0) rationale
>
> To support SAML (Security Assertion Markup Language), OpenSAML was developed by Internet2 as part of the Shibboleth project (http://shibboleth.internet2.edu/). The project is currently hosted and managed by Internet2 at http://www.opensaml.org. Both a Java and C++ library are being provided and maintained, with a goal of feature parity and API commonality between them.
>
> There is also a JSR 155 - Web Services Security Assertions (http://www.jcp.org/en/jsr/detail?id=155) in progress that will (in their words) define a set of APIs, exchange patterns and implementation to securely (integrity and confidentiality) exchange assertions between web services based on OASIS SAML. We could implement this JSR over OpenSAML, either instead of or in addition to the existing API. This is analogous to the migration in Xerces to JAXP when it became appropriate.
>
> The ws.apache.org PMC expressed a great deal of interest in the work in order to ramp up their activities quickly, and appears to be eager to contribute to the success of the subproject.
>
> (0.1) criteria
>
> Meritocracy: Design decisions have been made in consultation with the Shibboleth development team.
>
> Community: Aside from Shibboleth, a growing community of developers, mostly from higher ed, have been playing with the code in their projects.
>
> Core Developers: Primary author is Scott Cantor, with assistance from the Shibboleth development team, and a few other contributions, some from Apache contributors.
>
> Alignment: Uses Xerces and Xalan (J and C), xml-security, generally looks to Apache projects before turning elsewhere, due to compatibility of licensing terms and code quality and support.
>
> Scope: SAML and functionality to simplify the use of SAML in areas of interest.
>
> (0.2) warning signs
>
> Orphaned products: Shibboleth has some momentum, and sundry research projects exist that have looked at OpenSAML as a possible starting point.
>
> Inexperience: The primary author has been coding the system for about 14 months, and has 5+ years experience on web security software, primarily in C and C++. Most of that code has been made publicly available and has been shared explicitly with other institutions. Other Shibboleth developers have contributed Unix systems programming, project organization, and Java experience to the project, and they have open source experience as well.
>
> Homogeneous Developers: Primarily one developer to this point, though suggestions from other developers have influenced design. Project expected to support layered functionality contributed by other interested parties once core API stability is reached. IRC has been used extensively to discuss issues.
>
> Reliance on Salaried Developers: Shibboleth is funded by Internet2 at the present time, and most of the development has been contract work, but the entire source base has been open source from the beginning.
>
> No ties to other Apache Products: Extensive reliance on XML and Jakarta projects, should make use of and serve the forthcoming WS projects.
>
> Fascination with Apache Brand: Would like to foster interest in and use of SAML, attract a stable of developers, extend work into web services, possibly explore implications of SAML and Shibboleth models for SSO and identity federation within other Apache projects.
>
> (1) scope of the subproject
>
> The purpose of this subproject is to create and maintain an implementation of the SAML standard, as defined by the OASIS SSTC, via libraries that support the messages, bindings, and profiles in the standard. This might eventually include reference implementations of SAML authorities for testing or development use (or more if there's interest). This subproject might include an implementation of the JSR-155 yet-to-be-published API for SAML in Java.
>
> (2) identify the initial source from which the subproject is to be populated
>
> http://www.opensaml.org
>
> (3) identify the ASF resources to be created
>
> (3.1) mailing list(s)
> opensaml-user
> opensaml-dev
>
> (3.2) CVS repositories
> ws-opensaml (currently there is a cvs at cvs.internet2.edu)
>
> (3.3) Bugzilla
>
> (currently, there is a bugzilla at bugzilla.internet2.edu)
>
> (4) identify the initial set of committers
>
> Scott Cantor ([EMAIL PROTECTED])
>
> Walter Hoehn ([EMAIL PROTECTED])
>
> Derek Atkins ([EMAIL PROTECTED])
>
> Christian Geuer-Pollmann ([EMAIL PROTECTED])
>
> Mark Wilcox ([EMAIL PROTECTED])
>
> (5) identify apache sponsoring individual
>
> Davanum Srinivas ([EMAIL PROTECTED])
>
> (6) open issues for discussion
>
> Are there IPR-related concerns with SAML (patents held by RSA but offered royalty free)?

=====
Davanum Srinivas - http://webservices.apache.org/~dims/