Difference between revisions of "March 25, 2014 Security WG Conference Call"
| (3 intermediate revisions by the same user not shown) | |||
| Line 36: | Line 36: | ||
|| || [mailto:weida@apelon.com Tony Weida] ||x | || || [mailto:weida@apelon.com Tony Weida] ||x | ||
|- | |- | ||
| − | | [mailto: Chris Clark] ||. | + | | [mailto:Chris.R.Clark@wv.gov Chris Clark] ||. |
|| || ||. | || || ||. | ||
|| || ||. | || || ||. | ||
| Line 62: | Line 62: | ||
VOTE: Objections: none, Abstentions: none, Motion passed 0/0/8 | VOTE: Objections: none, Abstentions: none, Motion passed 0/0/8 | ||
| − | Presentation: John Moehrke OAuth [ | + | Presentation: John Moehrke OAuth '''[http://gforge.hl7.org/gf/download/docmanfileversion/7986/11684/OAuth_Tutorial_JohnM_20140325.pdf OAuth Presentation]''' |
| + | |||
| + | Mike | ||
| + | Suzanne, do we have minutes to approve from the last call? | ||
| + | Suzanne | ||
| + | No, we don’t. I have to redo them. | ||
| + | |||
| + | Item (off-agenda) – Passing motion to ballot Security and Privacy DAM | ||
| + | |||
| + | Mike | ||
| + | We’ve asked John to come to this meeting and talk to us about SAML and OAuth, and OpenID as an alternative source of authentication authorization information. We’ve prepared our DAM for balloting on the May cycle, as informative without changes. The intent is to keep it as informative. We’re going to move portions of it into the PASS architecture, which we can make normative. I don’t recall whether we formally took a motion to ballot this. | ||
| + | Suzanne | ||
| + | I don’t’ see it in the last two meeting minutes. | ||
| + | Kathleen | ||
| + | MOTION: (Kathleen/Suzanne) I would like to move that we’ll ballot the current Security and Privacy DAM as informative. | ||
| + | Abstentions: 0, Objections: 0, Agreed: 7 MOTION Paases | ||
| + | |||
| + | Item 2 - Informative discussion on OAuth and OpenID Connect | ||
| + | |||
| + | John - I sent out the slides in case screen sharing doesn’t work too well for me. First off, I’m just presenting my knowledge. I’m not all-knowing on this subject. There is this OAuth 2, which is attracting a lot of concern, because it became more of a framework rather than an operational standard. It needs additional standards to make it work. Many of those standards are still in draft form. OAuth is still about authorizing an application to do things on your behalf. People liken this to providing your car keys to the valet. The authorization side of OAuth is comprised of three different parties: an application that wants to do something (like an iPad); a service, which is handled as an authorization step; and then there is a resource server. The technology in OAuth is similar to Kerberos. There are service tickets. It provides users the ability to grant and revoke authorization to resources. The OpenID Connect is actually a new version of OpenID. It’s not 2.0; it’s beyond 2.0. OpenID basically answers the question: “What is your identity?” It’s a way of describing a resource that is a description of you as the user. It provides the ability to fine-grain control access to your data. The dirty little secret is that all of this is managed by shared secrets that are issued by the authorization server, so it can’t just randomly take the application from the App Store and have it work with any identity provider. The authorization server has to have shared secrets within that application. | ||
| + | |||
| + | |||
| + | Meeting Adjourned at 1510 PST | ||
| + | --[[User:Suzannegw|Suzannegw]] ([[User talk:Suzannegw|talk]]) 21:04, 1 April 2014 (UTC) | ||
Latest revision as of 15:53, 2 April 2014
Attendees
| Member Name | Present | Member Name | Present | Member Name | Present | ||
|---|---|---|---|---|---|---|---|
| Mike Davis Security Co-chair | x | John Moehrke Security Co-chair | x | Trish Williams Security Co-chair | |||
| Bernd Blobel, Security Co-chair | . | Johnathan Coleman | x | Kathleen Connor | x | ||
| Duane DeCouteau | Reed Gelzer | . | Suzanne Gonzales-Webb CBCC Co-chair | x | |||
| Rick Grow | x | David Henkel | x | Mohammed Jafari | |||
| Don Jorgenson | . | Diana Proud-Madruga | x | Harry Rhodes | . | ||
| Ioana Singureanu | . | Richard Thoreson CBCC Co-chair | . | Ross Freeman | . | ||
| Amanda Nash | Walter Suarez | . | Tony Weida | x | |||
| Chris Clark | . | . | . | ||||
| . | . | . |
Agenda
- (05 min) Roll Call, Approve March 18, 2014 Security WG Conference Call Minutes & Accept Agenda
- (30 min) Informative discussion on OAuth and OpenID Connect - John Moehrke
- (05 min) Other business, action items
Meeting Minutes DRAFT
Meeting minutes for 3/18 are not ready for approval
Security DAM prepared for the upcoming May 2014 ballot cycle - balloting as informative without any changes. we will be moving portions of it over to the PASS Architecture (to make those pieces moved as normative)
MOTION ((Kathleen/Suzanne)To approve moving forward with balloting the current Composite Security and Privacy DAM as informative VOTE: Objections: none, Abstentions: none, Motion passed 0/0/8
Presentation: John Moehrke OAuth OAuth Presentation
Mike Suzanne, do we have minutes to approve from the last call? Suzanne No, we don’t. I have to redo them.
Item (off-agenda) – Passing motion to ballot Security and Privacy DAM
Mike We’ve asked John to come to this meeting and talk to us about SAML and OAuth, and OpenID as an alternative source of authentication authorization information. We’ve prepared our DAM for balloting on the May cycle, as informative without changes. The intent is to keep it as informative. We’re going to move portions of it into the PASS architecture, which we can make normative. I don’t recall whether we formally took a motion to ballot this. Suzanne I don’t’ see it in the last two meeting minutes. Kathleen MOTION: (Kathleen/Suzanne) I would like to move that we’ll ballot the current Security and Privacy DAM as informative. Abstentions: 0, Objections: 0, Agreed: 7 MOTION Paases
Item 2 - Informative discussion on OAuth and OpenID Connect
John - I sent out the slides in case screen sharing doesn’t work too well for me. First off, I’m just presenting my knowledge. I’m not all-knowing on this subject. There is this OAuth 2, which is attracting a lot of concern, because it became more of a framework rather than an operational standard. It needs additional standards to make it work. Many of those standards are still in draft form. OAuth is still about authorizing an application to do things on your behalf. People liken this to providing your car keys to the valet. The authorization side of OAuth is comprised of three different parties: an application that wants to do something (like an iPad); a service, which is handled as an authorization step; and then there is a resource server. The technology in OAuth is similar to Kerberos. There are service tickets. It provides users the ability to grant and revoke authorization to resources. The OpenID Connect is actually a new version of OpenID. It’s not 2.0; it’s beyond 2.0. OpenID basically answers the question: “What is your identity?” It’s a way of describing a resource that is a description of you as the user. It provides the ability to fine-grain control access to your data. The dirty little secret is that all of this is managed by shared secrets that are issued by the authorization server, so it can’t just randomly take the application from the App Store and have it work with any identity provider. The authorization server has to have shared secrets within that application.
Meeting Adjourned at 1510 PST
--Suzannegw (talk) 21:04, 1 April 2014 (UTC)
