Tom,

Excellent questions.  Let me go a little bit into my personal views here.

I have been mentioning ID-WSF in a few different threads, but not because I have any particular fondness for the specification suite in particular.  It's the structure of three concepts that it supports that I think are of great importance:

1)  ID-WSF provides a way to describe in a security credential a location, protocol, and identifier to use to retrieve additional identity information/services associated with that credential.  My general philosophy is "push everything that you can, and if there's something you can't push, then push what's needed to pull it."  ID-WSF endpoint references in SAML tokens allow for that.
2)  The query service is close to what I would consider a generalization of the attribute authority.  It's a better place to end up at from an endpoint reference because it's more flexible: return the attributes if you have them, and if not, then point off towards other places.  It offloads from the SP the requirement to match attributes it needs to identity sources, which has the potential to customize that functionality per user and also help preserve privacy.
3)  The ability to treat the client device itself as a web service capable of acting (roughly) as a provider in specialized circumstances offers interesting delegation and client-generated credential possibilities.

I don't think the Shibboleth project has made any commitment towards or against ID-WSF at this point.  If we could replicate the pieces of functionality I describe above in an alternative way, I'd absolutely support that.  Those are the specific pieces of the Liberty specifications that I'm interested in and the places I'd use it.  I hope that addresses your first set of questions.

There are a lot of overlaps with the other specifications, particularly WS-Trust and WSRF.  I would be very interested in any suggestions you have about how to represent the functionality I refer to above using protocols or specs that are more amenable to Globus integration.

Very useful conversation,
Nate.

On 28 Feb 2007, at 18:49, Tom Scavo wrote:

Hi Nate,

Could you elaborate a little on where you think Liberty ID-WSF might integrate into the protocol stack?  Or maybe another way to put this is: What components of Liberty ID-WSF (which is huge!) do you think are relevant here?

If Shibboleth chooses to align with Liberty, I think that's fine, but it's not at all clear to me how this impacts the Grid, and hence my questions above.  Speaking as a Globus developer, Liberty ID-WSF in Globus Toolkit (if that's what you're proposing) will be a hard sell since 1) Globus has already made significant investments in WS-Security and WS-SecureConversation, and 2) ID-WSF may be incompatible with WSRF (in their use of WS-Addressing, in particular).

If you can shed any light on this issue, that would be great.

Thanks,

Tom Scavo
NCSA
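[Editor's note: the following is an added worked example, not code from Nate, Tom, Shibboleth, Globus or the Liberty Alliance. It illustrates Nate's first two points above, the "push everything you can, and if you can't push it, push what's needed to pull it" pattern: a service provider reads the attributes pushed in a SAML 2.0 assertion, and only for attributes it still needs does it extract the ID-WSF endpoint reference (location, service type, provider, security mechanism) that tells it where and how to pull. The assertion, the attribute OIDs and the endpoint URLs are constructed for the example; the attribute name urn:liberty:disco:2006-08:DiscoveryEPR and the wsa/disco namespaces follow my reading of the ID-WSF 2.0 Discovery Service bootstrap and should be treated as assumptions. Signature verification is deliberately out of scope: in practice the SP must verify the assertion's signature before it trusts an endpoint reference inside it, otherwise the EPR is just an attacker-supplied redirect.]

```python
"""Push what you can; push what is needed to pull the rest.

Added example (not from the thread): an SP decides which required
attributes were pushed in a SAML 2.0 assertion and, for the remainder,
pulls the ID-WSF Discovery bootstrap EPR out of the same assertion.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "wsa": "http://www.w3.org/2005/08/addressing",   # assumed WS-Addressing ns used by ID-WSF 2.0
    "disco": "urn:liberty:disco:2006-08",             # assumed ID-WSF 2.0 Discovery ns
}
# Attribute name carrying the Discovery Service bootstrap EPR (assumed).
DISCO_EPR_ATTR = "urn:liberty:disco:2006-08:DiscoveryEPR"
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"   # eduPersonPrincipalName
MAIL = "urn:oid:0.9.2342.19200300.100.1.3"  # mail

# Constructed sample assertion (signature omitted; verify it first in real code).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_a1" IssueInstant="2007-02-28T18:49:00Z">
  <saml:Issuer>https://idp.example.edu/idp</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.edu</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>user@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:liberty:disco:2006-08:DiscoveryEPR">
      <saml:AttributeValue>
        <wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"
            xmlns:disco="urn:liberty:disco:2006-08">
          <wsa:Address>https://idp.example.edu/idwsf/disco</wsa:Address>
          <wsa:Metadata>
            <disco:Abstract>Discovery Service</disco:Abstract>
            <disco:ServiceType>urn:liberty:disco:2006-08</disco:ServiceType>
            <disco:ProviderID>https://idp.example.edu/idp</disco:ProviderID>
            <disco:SecurityContext>
              <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</disco:SecurityMechID>
            </disco:SecurityContext>
          </wsa:Metadata>
        </wsa:EndpointReference>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_epr(epr):
    """Extract location, protocol (service type), provider and security mechanism from an EPR."""
    def text(path):
        node = epr.find(path, NS)
        return node.text.strip() if node is not None and node.text else None
    return {
        "address": text("wsa:Address"),
        "service_type": text("wsa:Metadata/disco:ServiceType"),
        "provider_id": text("wsa:Metadata/disco:ProviderID"),
        "security_mech": text("wsa:Metadata/disco:SecurityContext/disco:SecurityMechID"),
    }


def pushed_attributes(assertion):
    """Return ({name: [values]}, bootstrap_epr_or_None) from the AttributeStatement."""
    attrs, epr = {}, None
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        for value in attr.findall("saml:AttributeValue", NS):
            ref = value.find("wsa:EndpointReference", NS)
            if name == DISCO_EPR_ATTR and ref is not None:
                epr = parse_epr(ref)          # pushed pointer, not a pushed value
            elif value.text and value.text.strip():
                attrs.setdefault(name, []).append(value.text.strip())
    return attrs, epr


def plan_resolution(assertion_xml, required, trusted_mechs):
    """Use pushed values where present; otherwise return where to pull the rest from.

    Refuses to plan a pull if the assertion carries no EPR, or if the EPR
    names a security mechanism this SP does not support.
    """
    assertion = ET.fromstring(assertion_xml)
    pushed, epr = pushed_attributes(assertion)
    have = {n: v for n, v in pushed.items() if n in required}
    missing = [n for n in required if n not in pushed]
    if not missing:
        return {"pushed": have, "missing": [], "pull_from": None}
    if epr is None or not epr["address"]:
        raise LookupError("cannot satisfy %s: no endpoint reference to pull from" % missing)
    if epr["security_mech"] not in trusted_mechs:
        raise PermissionError("EPR security mechanism %r not supported" % epr["security_mech"])
    return {"pushed": have, "missing": missing, "pull_from": epr}
```

The point of the split is that the SP never has to know in advance which identity source holds a given attribute: when the pushed set is sufficient it stops, and when it is not, the assertion itself carries the address, service type and acceptable security mechanism for the next hop, which is what lets the IdP customize that routing per user.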