Versions Compared

Old Version 3

changes.mady.by.user Former user

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

...

  1. Administration:
    1. Roll Call
    2. Agenda Confirmation
    3. Approval of Minutes: AIM WG Minutes 20-Mar-2013
  2. Discussion / Action Item Review
    1. Status of the OIX work (Sal)
    2. Cross-analysis of the various protocols e.g. an OpenID Connect approach versus a SAML based approach versus UMA etc (Keith)
    3. Latest in flow diagrams (Ken)
  3. AOB
  4. Adjourn

...

Cross-analysis of the various protocols e.g. an OpenID Connect approach versus a SAML based approach versus UMA etc (Keith)

  • See working diagram: WG - Attributes In Motion - Comparison of Protocol-based Solutions by Decomposition into Atomic Functions
  • Started as one of the NSTIC pilot efforts; there will be solutions proposed that rely on drastically different protocol stack and protocol models
  • Q&A
    • Is this a useful effort? Is this a problem that needs to be solved?
      • definitely on to something here; the trust framework adoption process has the notion of comparability - they look at different IdPs and the processes against 800-63 and use that to determine LoA; like the idea of using a table like this to help define comparability; trick is that the process only applies to IdPs that have an authN model that align neatly with 800-63; looking at the side-by-side comparison, row 2, 800-63 doesn't talk about authorization and provides no guidance, so how could we compare these things?  This isn't a fault of the table, it's a fault of 800-63
      • One of the challenges entering to this is that LoA is a multifaceted attribute, and one service may have multiple LoA depending on the component
      • if UMA broke up their components in to smaller functional components, could see how to use federated authentication in SAML
    • is there another column we could create around anonymous credentials and how they unfold, or is it a subset of existing cases?
      • if you wanted to bring anonymous credentials in, you'd have to create a use case of non-associability and then we could pose solutions that would have to use anonymous credentials or include some kind of obfuscator
    • is there a difference between an attribute verifier and an attribute provider?  is there a substantive difference between a service that collects information and has the info verified, versus having the user direct the service to something that just provides verified attributes?
      • there may be differences in consent
      • an attribute verifier allows for a more privacy-respective architecture
    • is there room for any additional kinds of columns? 
      • absolutely, there are probably many stacks out there competing for space and different mixes and matches to the space
      • we should develop the comparisons only when someone puts a concrete proposal on the table, otherwise it's too big an effort; need real not hypothetical use cases

...