---++ SSO v2.0 Proposed Recommendation: Request for Comments

Public discussion page for the IVOA SSO 2.0 Proposed Recommendation.

The latest version of the SSO Specification can be found at:
   * [[http://www.ivoa.net/documents/SSO/20151029/index.html][http://www.ivoa.net/documents/SSO/20151029/index.html]]

---++ Comments from the IVOA Community and TCG members during RFC period: 2015-11-01 - 2015-12-13

---+++ Comment by Pierre Fernique

   1 Are there authenticated services already described in the VO registry? And if yes, is it already in use? Can we consider it as a reference implementation? And in fact, do we have reference implementations?
   1 Author list and editor lists seem not to follow the current usage of IVOA. It is a little bit strange to have all the Grid and Web service group as authors, and 3 editors. Maybe it opens the question concerning the method to keep knowledge of successive editors.
   1 I wonder if all complementary sections (short introduction to each authentication method) are really relevant in an IVOA standard. I would suggest to put all normative points in a dedicated section and move all explanation of existing authoritative methods in a general non normative section, or as an appendix.
   1 The structuration of section 3 could be modified for avoiding the section 3.1 alone item.
   1 Appendix A must have a short introduction to explain what this long XML schema is. The title "VOResource SecurityMethod extract" is definitively not clear.
   1 must, may, shall... should be in uppercase in normative sections.

Typos:
   * p1: Andreé => André
   * p4: user?s => users
   * p4: service?s => service
   * p4: Is => If a service
   * p6: as having a em Web => ?
   * p7: table 1 label strangely folded

-- IVOA.PierreFernique - 2015-11-01

---+++ Comments from IVOA.MarkTaylor

I don't have a good enough understanding of security to assess the substance of this document, but I have some editorial comments.

   * Sec 1: _"... to another service This ..."_ -> _"... to another service. This ..."_
   * Sec 2.1: _"... this element distinguished ..."_ -> _"... this element distinguishes ..."_
   * Sec 2.2: There are problems with the XML snippets included here. The =<interface>= start tag in both cases assigns an attribute with the name =xmlns:vs:= - I'm pretty sure the trailing colon there should be removed. Also, the attribute assignments are quoted with repeated single quotes e.g. =xsi:type=''vs:ParamHTTP''= - that looks a bit wrong in the PDF but is definitely wrong in the HTML. Quote using single quotes (or single-character double quotes) instead.
   * Sec 2.2: _"The order identify the priority ..."_ -> _"The order identifies the priority ..."_
   * Sec 2.2: _"... SAML, than cookies ..."_ -> _"... SAML, then cookies ..."_
   * Sec 3.1: _"... combination of the them"_ -> _"... combination of them."_ ?
   * Table 1: This table lists IVOA Identifiers defined as securityMethod values. These identifiers are in some cases referenced in the mechanism-specific subsections later in the text, but not others, e.g. sec 7.1 says: _"Interfaces using this mechanism shall be be registered with the security method =ivo://ivoa.net/sso#tls-with-password= ."_ , but there is no corresponding note in the subsections describing cookies, OAuth, SAML or !OpenID. Similar notes should be added to the relevant subsections for consistency and clarity.
   * Table 1: The HTTP Basic Authentication securityMethod value in this table is missing a colon ( =http//www..."= ).
   * Table 1: Where does the HTTP Basic Auth URI come from? There's no requirement that these URIs are dereferenceable, but using the form =http://www.w3.org/Protocols/HTTP/1.0/spec/html#BasicAA= which has a different form from the others, looks like it would make sense if that URL was dereferenceable, but it's not. There might be a good answer to this, but I'm interested to know what it is.
   * Sec 9.2: "IdP" and "IDP" are both used, are these the same thing?
   * Sec 9.2: _"SAML2.0 allow also to service discovery mechanisms"_ - I don't understand what this means.
   * Appendix A: Like Pierre, I don't understand what this XML is doing here. Also, the top-level =xs:schema= element contains the attribute =version="1.02"= - what's that the version of?

-- IVOA.MarkTaylor - 2015-11-12

<!-- Uncomment when TCG Review period starts

---++ Comments from TCG members during the TCG Review Period: 2015-12-01 - 2016-01-15

WG chairs or vice chairs must read the Document, provide comments if any and formally indicate if they approve or do not approve of the Standard.

IG chairs or vice chairs are also encouraged to do the same, although their inputs are not compulsory.

---+++ TCG Chair & Vice Chair ( _Matthew Graham, Pat Dowler_ )

---+++ Applications Working Group ( _Pierre Fernique, Tom Donaldson_ )

---+++ Data Access Layer Working Group ( _François Bonnarel, Marco Molinaro_ )

---+++ Data Model Working Group ( _Mark Cresitello-Dittmar, Laurent Michel_ )

---+++ Grid & Web Services Working Group ( _Brian Major, Giuliano Taffoni_ )

---+++ Registry Working Group ( _Markus Demleitner, Theresa Dower_ )

---+++ Semantics Working Group ( _Mireille Louys, Alberto Accomazzi_ )

---+++ Education Interest Group ( _Massimo Ramella, Sudhanshu Barway_ )

---+++ Time Domain Interest Group ( _John Swinbank, Mike Fitzpatrick_ )

---+++ Data Curation & Preservation Interest Group ( _Françoise Genova_ )

---+++ Operations Interest Group ( _Tom !McGlynn, Mark Taylor_ )

---+++ Knowledge Discovery in Databases Interest Group ( _George Djorgovski_ )

---+++ Theory Interest Group ( _Franck Le Petit, Carlos Rodrigo_ )

---+++ Standards and Processes Committee ( _Françoise Genova_)

-->

<br />

<!--
   * Set ALLOWTOPICRENAME = IVOA.TWikiAdminGroup
-->
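Added example (not part of the RFC comments or of the SSO document): a Python check for the defects raised in the Sec 2.2 and Table 1 comments above, namely the trailing colon in =xmlns:vs:=, the doubled single quotes around attribute values, and a securityMethod URI with its colon missing. The =interface= records, the =record= and =check_interface= helpers and the example.org values are constructed for illustration; the two securityMethod URIs are the ones quoted on this page.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

VS = "http://www.ivoa.net/xml/VODataService/v1.1"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
TLS_PW = "ivo://ivoa.net/sso#tls-with-password"                    # quoted on this page
BASIC = "http://www.w3.org/Protocols/HTTP/1.0/spec/html#BasicAA"  # quoted on this page


def record(start_tag, second_id=BASIC):
    """Build a constructed <interface> record; methods are listed in priority order."""
    return (
        start_tag
        + "<accessURL>https://example.org/service</accessURL>"
        + f"<securityMethod standardID='{TLS_PW}'/>"
        + f"<securityMethod standardID='{second_id}'/>"
        + "</interface>"
    )


# Constructed samples: a corrected start tag and the two defects from Sec 2.2.
GOOD_TAG = f"<interface xmlns:vs='{VS}' xmlns:xsi='{XSI}' xsi:type='vs:ParamHTTP'>"
TRAILING_COLON_TAG = GOOD_TAG.replace("xmlns:vs=", "xmlns:vs:=")
DOUBLED_QUOTES_TAG = GOOD_TAG.replace("'vs:ParamHTTP'", "''vs:ParamHTTP''")


def check_interface(xml_text):
    """Return (securityMethod IDs in document order, list of problems)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A namespace-aware parser rejects both Sec 2.2 defects outright.
        return [], [f"XML parse error: {exc}"]
    problems = []
    if root.get(f"{{{XSI}}}type") is None:
        problems.append("interface has no xsi:type")
    methods = [m.get("standardID", "") for m in root.findall("securityMethod")]
    for sid in methods:
        if not urlsplit(sid).scheme:  # "http//..." parses with an empty scheme
            problems.append(f"standardID is not an absolute URI: {sid}")
    return methods, problems


if __name__ == "__main__":
    for tag in (GOOD_TAG, TRAILING_COLON_TAG, DOUBLED_QUOTES_TAG):
        print(check_interface(record(tag)))
    print(check_interface(record(GOOD_TAG, "http//example.org/sso#basic")))
```

A client that cannot parse the registry record never sees the securityMethod list, so either Sec 2.2 defect copied into a real record hides the service's authentication requirements from it.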
Topic revision: r4 - 2015-11-12 - MarkTaylor