
Blair Dillaway wrote:
> I think we've all been disappointed by the level of participation in the AuthZ area. We really should consider whether continued work on the currently chartered documents is justified and what actions might lead to renewed interest.
> I've been concerned about this for a while now and have spoken with some other security professionals about this work. The general response was apathetic.

That's worrying, but not surprising. While I'm in a project with some very good security people, they're not interested in doing standards work *at all* at the moment. :-\

> - Isn't the work already being done in OASIS on WS-Trust, XACML, etc. adequate?

It would be nice if we could operate as profiles on those other specs. If we can't (and the only way we can tell is by thorough analysis of our use-cases, which are certainly fairly sophisticated when we start to think about multi-partner collaborations) then it is incumbent upon us to feed back this information to the OASIS guys.

> - Standards in this area aren't a priority since most customers don't care about pluggability for these types of components.

My impression (as someone only intermittently involved) has been that it is horrendously difficult even to do the basic stages of interoperable AuthN, so the higher-level aspects (such as *all* of AuthZ!) have been largely ignored. This suggests to me that a valuable way forward would be to put effort into trying to make these basic things work, which is very much the focus of the OGSA Express work. Maybe the advanced things are more academically interesting, but without the interoperable basic parts, it's suspiciously like a castle in the air. (There are many parallels with other parts of OGSA, such as in execution management where the really interesting things are in areas like reservations, but much needed to be worked on first so that the foundations could be built on which the fun stuff rests.)

Donal.