Posted to general@incubator.apache.org by Scott Cantor <ca...@osu.edu> on 2003/01/28 21:34:04 UTC

Proposal for OpenSAML (or a name TBD)

Here's the proposal solicited (and started) by the ws.apache.org folks, edited by me. The name should indeed change if the scope of
the subproject is to be wider than SAML (see outstanding issues at the bottom).

For the shib/internet2 folks, general@incubator.apache.org is the list to subscribe to to participate in the discussion.

Scott Cantor
The Ohio State Univ
cantor.2@osu.edu

---

Proposal for OpenSAML, A Web Services Subproject (via Incubator)

28 January 2003
Davanum Srinivas (dims@yahoo.com), Scott Cantor (cantor.2@osu.edu)

(0) rationale

To support SAML (Security Assertion Markup Language), OpenSAML was developed by Internet2 as part of the Shibboleth project
(http://shibboleth.internet2.edu/). The project is currently hosted and managed by Internet2 at http://www.opensaml.org. Both a Java
and C++ library are being provided and maintained, with a goal of feature parity and API commonality between them.

One important web services component that might leverage OpenSAML is WS-Security (http://www.oasis-open.org/committees/wss/). There
is also a JSR 155 - Web Services Security Assertions (http://www.jcp.org/en/jsr/detail?id=155) in progress that will (in their
words) define a set of APIs, exchange patterns and implementation to securely (integrity and confidentiality) exchange assertions
between web services based on OASIS SAML. We could implement this JSR over OpenSAML, either instead of or in addition to the
existing API.

The ws.apache.org PMC expressed a great deal of interest in the work in order to ramp up their activities quickly, and appears to be
eager to contribute to the success of the subproject.

(0.1) criteria

Meritocracy: Design decisions have been made in consultation with the Shibboleth development team. WS-Sec or other links would be
new code subject to open discussion as to approach and implication.

Community: Aside from Shibboleth, a growing community of developers, mostly from higher ed, have been playing with the code in their
projects. WS-Sec functionality might expand this interest.

Core Developers: Primary author is Scott Cantor, with assistance from the Shibboleth development team, and a few other
contributions, some from Apache contributors.

Alignment: Uses Xerces and Xalan (J and C), xml-security, generally looks to Apache projects before turning elsewhere, due to
compatibility of licensing terms and code quality and support.

Scope: SAML and functionality to simplify the use of SAML in areas of interest. 

(0.2) warning signs

Orphaned products: Shibboleth has some momentum, and sundry research projects exist that have looked at OpenSAML as a possible
starting point.

Inexperience: The primary author has been coding the system for about 14 months, and has 5+ years experience on web security
software, primarily in C and C++. Most of that code has been made publicly available and has been shared explicitly with other
institutions. Other Shibboleth developers have contributed Unix systems programming, project organization, and Java experience to
the project, and they have open source experience as well.

Homogeneous Developers: Primarily one developer to this point, though suggestions from other developers have influenced design.
Project expected to support layered functionality contributed by other interested parties once core API stability is reached. IRC has
been used extensively to discuss issues.

Reliance on Salaried Developers: Shibboleth is funded by Internet2 at the present time, and most of the development has been
contract work, but the entire source base has been open source from the beginning.

No ties to other Apache Products: Extensive reliance on XML and Jakarta projects, should make use of and serve the forthcoming WS
projects.

Fascination with Apache Brand: Would like to foster interest in and use of SAML, attract a stable of developers, extend work into
web services, possibly explore implications of SAML and Shibboleth models for SSO and identity federation within other Apache
projects.

(1) scope of the subproject

The purpose of this subproject is to create and maintain an implementation of the SAML standard, as defined by the OASIS SSTC, via
libraries that support the messages, bindings, and profiles in the standard. This might eventually include reference implementations
of SAML authorities for testing or development use (or more if there's interest). This subproject might include an implementation of
the JSR-155 yet-to-be-published API for SAML in Java.

Work in the web services space, such as the WS-Security work that is emerging from OASIS, could take place either within the scope
of a more broadly named project that includes and subsumes OpenSAML, or could be a dependent subproject at ws.apache.org. This would
include JAX-RPC and Apache Axis specific WS-Security handlers and code to enable quick adoption of SAML and WS-Security within the
Apache project community.

(2) identify the initial source from which the subproject is to be populated 

http://www.opensaml.org

(3) identify the ASF resources to be created 

(3.1) mailing list(s) 

opensaml-user 
opensaml-dev 


(3.2) CVS repositories 

ws-opensaml (currently there is a cvs at cvs.internet2.edu)

(3.3) Bugzilla 

(currently, there is a bugzilla at bugzilla.internet2.edu)

(4) identify the initial set of committers 

Scott Cantor (cantor.2@osu.edu)

Walter Hoehn (wassa@columbia.edu)

Derek Atkins (warlord@mit.edu)

Christian Geuer-Pollmann (geuer-pollmann@nue.et-inf.uni-siegen.de)

Mark Wilcox (mark.wilcox@webct.com)

(5) identify apache sponsoring individual 

Davanum Srinivas (dims@yahoo.com)

(6) open issues for discussion

Is OpenSAML a stand-alone subproject, or should it expand to include WS-Security work?

Are there IPR-related concerns with SAML (patents held by RSA but offered royalty free), or especially with WS-Security and its
family of specifications, most of which are not yet standards?


Re: Proposal for OpenSAML (or a name TBD)

Posted by Davanum Srinivas <di...@yahoo.com>.
To clarify, please re-submit an edited proposal to general@incubator.apache.org.

Thanks,
dims

--- Davanum Srinivas <di...@yahoo.com> wrote:
> Scott,
> 
> Please go ahead as Bob suggests....No problems if you don't want to do it. 
> 
> <semi-kidding>I can't force anyone to do something that they don't wanna do :) </semi-kidding>
> 
> -- dims
> 
> --- RL 'Bob' Morgan <rl...@washington.edu> wrote:
> > 
> > So, the point made and apparently agreed to by everyone discussing this
> > today is that SAML and WS-Sec are Two Different Things, not related other
> > than both using XML and being about security (as are XKMS, XACML, XrML,
> > and surely dozens more at this point).  So I'd favor removing all
> > references to WS-Sec from this proposal, so as to let any WS-Sec work
> > proceed on its own merits.  Specifically remove:
> > 
> > > One important web services component that might leverage OpenSAML is
> > > WS-Security (http://www.oasis-open.org/committees/wss/).
> > 
> > and remove:
> > 
> > > WS-Sec or other links would be new code subject to open discussion as to
> > > approach and implication.
> > 
> > and remove:
> > 
> > > WS-Sec functionality might expand this interest.
> > 
> > and remove:
> > 
> > > Work in the web services space, such as the WS-Security work that is
> > > emerging from OASIS, could take place either within the scope of a more
> > > broadly named project that includes and subsumes OpenSAML, or could be a
> > > dependent subproject at ws.apache.org. This would include JAX-RPC and
> > > Apache Axis specific WS-Security handlers and code to enable quick
> > > adoption of SAML and WS-Security within the Apache project community.
> > 
> >  - RL "Bob"


=====
Davanum Srinivas - http://xml.apache.org/~dims/


Re: Proposal for OpenSAML (or a name TBD)

Posted by Davanum Srinivas <di...@yahoo.com>.
Scott,

Please go ahead as Bob suggests....No problems if you don't want to do it. 

<semi-kidding>I can't force anyone to do something that they don't wanna do :) </semi-kidding>

-- dims

--- RL 'Bob' Morgan <rl...@washington.edu> wrote:
> 
> So, the point made and apparently agreed to by everyone discussing this
> today is that SAML and WS-Sec are Two Different Things, not related other
> than both using XML and being about security (as are XKMS, XACML, XrML,
> and surely dozens more at this point).  So I'd favor removing all
> references to WS-Sec from this proposal, so as to let any WS-Sec work
> proceed on its own merits.  Specifically remove:
> 
> > One important web services component that might leverage OpenSAML is
> > WS-Security (http://www.oasis-open.org/committees/wss/).
> 
> and remove:
> 
> > WS-Sec or other links would be new code subject to open discussion as to
> > approach and implication.
> 
> and remove:
> 
> > WS-Sec functionality might expand this interest.
> 
> and remove:
> 
> > Work in the web services space, such as the WS-Security work that is
> > emerging from OASIS, could take place either within the scope of a more
> > broadly named project that includes and subsumes OpenSAML, or could be a
> > dependent subproject at ws.apache.org. This would include JAX-RPC and
> > Apache Axis specific WS-Security handlers and code to enable quick
> > adoption of SAML and WS-Security within the Apache project community.
> 
>  - RL "Bob"


=====
Davanum Srinivas - http://xml.apache.org/~dims/


Re: Proposal for OpenSAML (or a name TBD)

Posted by RL 'Bob' Morgan <rl...@washington.edu>.
So, the point made and apparently agreed to by everyone discussing this
today is that SAML and WS-Sec are Two Different Things, not related other
than both using XML and being about security (as are XKMS, XACML, XrML,
and surely dozens more at this point).  So I'd favor removing all
references to WS-Sec from this proposal, so as to let any WS-Sec work
proceed on its own merits.  Specifically remove:

> One important web services component that might leverage OpenSAML is
> WS-Security (http://www.oasis-open.org/committees/wss/).

and remove:

> WS-Sec or other links would be new code subject to open discussion as to
> approach and implication.

and remove:

> WS-Sec functionality might expand this interest.

and remove:

> Work in the web services space, such as the WS-Security work that is
> emerging from OASIS, could take place either within the scope of a more
> broadly named project that includes and subsumes OpenSAML, or could be a
> dependent subproject at ws.apache.org. This would include JAX-RPC and
> Apache Axis specific WS-Security handlers and code to enable quick
> adoption of SAML and WS-Security within the Apache project community.

 - RL "Bob"
