Security Minutes 2007-11-30


URL: http://www.openajax.org/member/wiki/Security_Minutes_2007-11-30

OpenAjax Alliance Security Task Force minutes 2007-11-30

Attendees

  • Jon Ferraiolo, IBM
  • Larry Koved, IBM
  • Suresh Chari, IBM
  • Michael Steiner, IBM
  • Naohiko Uramoto, IBM
  • Sumeer Bhola, IBM
  • Kris Zyp, Xucia
  • Yuecel Karabulut, SAP

Original agenda

  • Discussion about the W3C Access Control proposal
  • Status of Hub 1.1
  • New topics:
    • End-to-end authentication
    • Security & deployment of mashup apps
  • Date/time for follow-up task force phone call
  • Wrap up

Minutes

Jon: [Status of Hub 1.1]

  • Discussion of bootstrapping issues & simplifications
  • Will post updates to the OpenAjax wiki after some consensus is reached
  • Coding to come shortly thereafter.
  • Expect revised APIs during Dec., as early as possible.
  • Expect to publish before the holidays

Access Control Issues

W3C proposal discussion

Kris: Should OAA be trying to influence this proposal by making suggestions?

Jon: OK not to engage unless there is a serious security issue.

Michael: Make sure cookies are not sent

Jon: To make this proposal to the W3C mailing list.

Kris: Need to point out the implementation issues in the spec regarding cookies. Should point out problems with sending the cookies.

Authentication Issues

Need to discuss what the issues are that we need to discuss in OAA.

Yuecel: How does one achieve cross-domain single sign-on? Should authorization be part of this discussion? Can we have a SAML kind of authentication in the browser?

Jon: to create wiki page for discussion of authentication issues?

Suresh/Michael/Yuecel & others to take initial stab at populating this
