Security TF
Background
The members of OpenAjax Alliance decided during its October 2006 face-to-face meeting that there should be a Security Task Force, which resulted in various people signing up, preparatory discussions, selection of a Chair (Larry Koved), and then a kick-off teleconference Security_Minutes_2007-06-15.
Task Force Schedule
Phone calls on Mashup Authentication and Authorization
Upcoming phone calls:
- The next phone call will probably happen in April 2009. We are waiting for updated samples that show how to do authentication within a widget.
Current topic of discussion: mashup authentication and authorization, focused on single sign-on issues. As we discussed at the face-to-face meeting last fall, the Security Task Force will be exploring how to address mashup authentication and authorization, with particular focus on single sign-on requirements. The short-term goal is to have a conversation among the OpenAjax members about target use cases, identification of requirements, and a gap analysis versus what exists in the industry today. Ultimately, this initiative will produce recommendations about formal activities (if any) that OpenAjax Alliance should pursue to address industry gaps.
- Work in Process
- Call-in number:
- Toll Free: 1-877-422-0052
- Toll: 1-314-655-1417
- Participant Pin access code: 142380
Ongoing meeting frequency and standard time slot
TBD at the kick-off phone call
Chair and membership
Larry Koved chairs this task force. The following are the current members of this task force:
- Alex Russell <alex(at)dojotoolkit.org>
- Bertrand Le Roy <bleroy (at) microsoft.com>
- David Boloker <boloker(at)us.ibm.com>
- Frank Nimphius <frank.nimphius(at)oracle.com>
- Gideon Lee <glee(at)openspot.com>
- Howard Weingram <weingram (at)tibco.com>
- Joe Walker <joe(at)getahead.org>
- John Crupi <john.crupi(at)jackbe.com>
- Jon Ferraiolo <jferrai(at)us.ibm.com>
- Larry Koved <koved(at)us.ibm.com>
- Naohiko Uramoto <uramoto(at)jp.ibm.com>
- Ondrej Zara <ozara(at)openlinksw.com>
- Paddy Byers <paddy.byers(at)gmail.com> (Aplix)
- Shel Finkelstein <shel.finkelstein(at)sap.com>
- Steve Hunt <steve.hunt(at)coradiant.com>
- Ted Thibodeau <tthibodeau(at)openlinksw.com>
- Todd Kaplinger <todkap(at)us.ibm.com>
- Yuecel Karabulut <yuecel.karabulut (at) sap.com>
- Xiaofeng Fan <xiaoffan(at)exchange.microsoft.com>
- Samuel Santos <ssantos(at)present-technologies.com>
Email list
The email list for the Security Task Force is security@openajax.org. Archives can be found at: http://openajax.org/pipermail/security/. To subscribe to this list, fill out the form at: http://openajax.org/mailman/listinfo/security.
Work in progress
- Mashup_Authorization_Authentication_Requirements
- Security Use Cases
- Ajax Security Resources
- Ajax Authentication : "AJAX (Re)authentication Signaling and Handling for Single-domain and Multi-domain (mashup) applications"
- CSRF Protection : "The RequesterOrigin header: CSRF protection and beyond"
Documents
- http://www.openajax.org/member/wiki/JonFerraiolo_Thoughts_On_W3C_Access_Control
- SMash: Secure Cross-Domain Mashups on Unmodified Browsers[1] - technical report (see also source on sourceforge[2], svn module /hub/trunk/sandbox/smash)
- WP3 - Ajax and Mashup Security - white paper that is in progress
- Mashup Security Approaches
Meeting minutes
- Security_Minutes_2009-03-06 (minutes taken by Jon Ferraiolo, IBM)
- Security_Minutes_2009-02-18 (minutes taken by Suresh Chari and Jon Ferraiolo, IBM)
- Security_Minutes_2009-02-11 (minutes taken by Larry Koved and Jon Ferraiolo, IBM)
- Security_Minutes_2007-11-30 (minutes taken by Suresh Chari, IBM)
- Security_Minutes_2007-09-12 (minutes taken by Larry Koved, IBM)
- Security_Minutes_2007-08-10 (minutes taken by Larry Koved, IBM)
- Security_Minutes_2007-07-27 (minutes taken by Larry Koved, IBM)
- Security_Minutes_2007-07-13 (minutes taken by Larry Koved, IBM)
- Security_Minutes_2007-06-29 (minutes taken by Suresh Chari, IBM)
- Security_Minutes_2007-06-15 (minutes taken by Jon Ferraiolo, IBM)
