Skip to main content

Notice: this Wiki will be going read only early in 2024 and edits will no longer be possible. Please see: for the plan.

Jump to: navigation, search

Jan 29-31 Provo F2F Agenda

Higgins face-to-face meeting in Provo, Utah, January 29-31, 2008.



  • Location: Executive Briefing Room 1, Building H, Novell's office. 1800 South Novell Place, Provo, UT 84606, (801) 861-7000, map
    • After you enter building H, the executive briefing rooms are through glass doors on your right.
    • Call Jim at 801 380 8760 if you have any problems.
  • Time: The event will start Tuesday at 9:00 AM and end Thursday at noon.
    • A continental breakfast will be available starting at 8:30 AM
    • For early-comers and late-leavers, we're planning one or more ski days. See the ski poll
  • Hotel: Several of us are staying at the Marriott Conference Center in Provo (Map). There are also a few hotels within walking distance (may have to deal with snow though)
  • Weather: Dress warmly. It may be cold.
  • Getting there: Most people fly into the SLC airport and drive to Provo. Here are directions from SLC International Airport to Novell.

Expected Attendees

  1. Dale Olds - Novell
  2. Jim Sermersheim - Novell
  3. Mary Ruddy - SocialPhysics/Parity
  4. Paul Trevithick - SocialPhysics/Parity
  5. Tony Nadalin - Bandit
  6. Tom Doman - Novell
  7. Daniel Sanders - Novell
  8. Phil Hunt - Oracle
  9. Drummond Reed - Cordance/Parity
  10. Andy Hodgkinson - Novell
  11. Duane Buss
  12. Michael McIntosh - IBM
  13. Markus Sabadello - Parity
  14. Carl Binding - IBM
  15. Uppili Srinivasan - Oracle
  16. George Stanchev - Serena
  17. Anthony Bussani - IBM

Attending by Phone (888-457-5984, passcode 5849826). Alert us on #higgins IRC for agenda items you wish to join for:

  1. Brian Carroll - Serena
  2. Paula Austel - IBM
  3. David Primmer - Google (for session on STS IdP + SAML IdP refactoring)
  4. Bruce Rich - IBM
  5. Greg Byrd - IBM (for configuration discussion, possibly more)



The agenda as proposed on this wiki page is just a place to start. Usually we rearrange and adjust the topics as the meeting progresses. We take notes right in this wiki page. If a demo is included it is in the topic's title line "[DEMO]". If the topic can't be moved there should be a bullet.

We will track at least the agenda on the #Higgins IRC channel. If you wish to call in for an agenda item, please let us know on the #higgins IRC channel and we'll set up a conference bridge. The conference bridge number will be 888-457-5984, passcode 5849826

9:00-9:20 Welcome, Introductions, Logistics [Jim, Paul, Mary, (Dale)]

  • Introductions
  • Eclipse ground rules
  • Logistics
    • We will post the current agenda item to #higgins
      • Need IRC Scribes: Mike and Jim volunteered
    • Will take notes onto this Wiki
      • Need Wiki Scribes (we'll decide per session)

9:30 [2:20 hrs] IdAS & IGF Design [Jim and Phil]

11:50 [15min] Higgins 1.0 Release Plans [Mary]

  • Review of 1.0 bug list
  • Status of IP Review – IP Log accepted
  • Status of Release Review
    • Have OK to hold review
    • Tentatively scheduled for Feb 13
    • First drafts slides due 1/30
    • Final slides due 1/3
    • Final slides posted by EMO on 1/6
    • Can release if get OK at release review (no more waiting period)
    • Possible Eclipse announcement date – Feb 20
  • Status of "graduation from incubation" review - Revisit this after complete Release Review and 1.1 planning
  • Eclipse Quality page


1pm Tuesday Afternoon

[15min] Introduction to Higgins [Paul]

  • As we move towards paying more attention to documentation and technical marketing of what we've already done, we need to find a way to divide Higgins into logical peices.
  • Paul will introduce the new three layer model (See Solutions)
  • Paul will then focus on the "new/old" bottom layer: (see Context Data Model)

[10min] API Extensibility [Jim]

  • Now that we've decided to consider Higgins APIs "provisional" (see <insert link>) this issue is something that we can keep working on over time.
  • Jim present requirements
  • We're pushing this beyond 1.0, and tentatively pushing this agenda topic to a later slot.

[1hr] IdAS and the Higgins Data Model; Open Issues [Jim]

  • Background: Higgins Data Model
  • Issues are tracked at Data Model Open Issues#General
    • Covered "mixed attribute values" and "Closed or Open Simple data types" but didn't really get a lot of resolution.
    • Still need to talk about other two issues

3:00pm 15 min break

3:15pm [30min] HOWL and the Higgins Data Model; Proposed update [Paul]

4:10pm [15min] Higgins on Android [Tony, Paul]

  • IBM
    • IBM's CES Demo
  • Parity
    • [5min] Parity's work
      • WebKit limitations
      • Javascript injection approach
      • Challenges/Issues
      • Wishlist
  • Starting an Android work area within Higgins?
    • IP issues around Android
    • Contributions

4:20pm [10min] DEMO: Eclipse-based Selector [Mike]

4:30pm [45min+] Higgins Selector Selector [Mike, Paul]

[5min] Report on Java Impl Selector Performance Issues [Paul]

[15min] DEMO: Client-based Selector "DigitalMe" [Andy]

  • Demo
  • Current status
  • Integration of next-gen HBX and Higgins Selector Selector ??
  • Documentation
    • Harmonization of Bandit site
  • Roadmap

9:00am Wednesday Morning

9:10 [10min] [DEMO] Firefox-embedded Selector Demo [Paul]

  • We've added what we think is a UI improvment over CardSpace UX: "remember this card (at this site)" (coupled with "remember this password for the card")
  • Remember this Card Overview
  • Feedback that something has happened when you use this feature

9:30 [45min] Selector UIs [Tony?, Andy?]

  • Higgins is blessed(!) with multiple i-card selector UIs:
    • GTK-based "DigitalMe" on Linux
    • Cocoa-based "DigitalMe" on OSX
    • RCP-based
    • Firefox-embedded (requires hosted I-Card svc)h
    • AIR-based (requires hosted I-Card svc)
  • Need to reduce the number of parallel implementations
  • Need to converge on a common UI
    • Document the steps in any login process where: (trying for "common enough" here)
      • The user needs to make a decision (e.g. to operate a control)
      • What information is needed by the user to make the decision
      • Where this information comes from
      • What is at risk if such a choice is hidden from the user, e.g. by user preference
  • Need to improve the UI
  • What about

10:15 [15 min] [DEMO] AIR-based Selector Demo [Jeesmon]

  • [3 min] HBX/Firefox Demo [Paul]
  • [12 min] HBX/IE AIR web-based Selector Demo [Jeesmon remote from Needham, MA]
  • Architecture Diagram including integration with Selector Selector
  • Installation demonstration
  • Login to RP site demonstration

10:30 [30min] The Future of the Configuration Component [Greg]

  • Configuration component: need two versions of Configuration.common (one for plugin-based configurations and one for jar-based configurations)
  • support "writing" not just reading
    1. requirement: there's no configuration schema so I don't know how to build the Map
    2. requirement: ability to write out configuration
    3. requirement: ability to update the configuration itself through writing
  • better support for passwords in the file
  • make it possible to do "round tripping" somehow (MikeM)
    • Mike please elaborate
  • central configuration service?
    • problems: how to transfer stuff from file system (e.g. keystore) to the service?
    • we're currently passing objects around that are hard to serialize
    • use JSON
  • Configuration UI?
  • C++ Configuration Component?

11:00 [15 min] Access Control [Tom]

  • Access Control Issues in LDAP
  • Acesss Control Issues in JNDI
  • General Access Control Issues
  • Providing Access Control through IdAS
  • Should we start collecting use cases?

11:40 [20min] Separating out the Selector Authentication Service [Drummond]

  • Today the web-based selector uses a username and "master" password to authenticate directly to the back end selector service (aka rpps)
  • A new approach is to factor out provisioning and authentication of the client-side identity selector to separate web services. This approach has several advantages:
    • It can provide non-identifying tokens to provision and/or authenticate a back end selector service account, preserving privacy.
    • It can standardize provisioning and configuration of multiple front-end identity selectors (e.g., on different devices all used by the same user) to talk to the same back end identity agent.
    • It can opening new models of authentication in the future without requiring changes to the back end identity agent service.
  • Work has begun on a protocol for this purpose: ISAP - Identity Selector Authentication Protocol.
  • It lays the foundation for a "grand unification" of OpenID and Cards --The Selector Authentication Service can also (optionally) be the user's OpenID OP. We can nestle the concept of I-Cards UNDERNEATH the user's OpenID. OpenID's are great for public identification (e.g. log on to blogs, etc.) and for social networking and other low transaction value, public interactions where the person wants to use (or doesn't mind using) a 100% correlatable identifier. Cards are multiple, contextualized, nuanced and may be anonymous, pseudonymous, or partly to fully identifying. The opportunity here is to unify the two. Since the user already has an OpenID password at a service she trusts, we can (thanks to OpenID 1.1 and especially 2.0's XRDS discovery mechanism) simply add the Selector Service as a new XRDS service endpoint. The user now has only ONE master password. They have an OpenID that works anywhere and they have a card/selector service that integrates nicely with it. [Paul and Drummond are working on a white paper that describes this grand unification. The OpenID foundation is also exploring unification approaches, so this is all very timely]
  • We have begun conversations with OpenID providers on implementing ISAP on their end to allow them to offer selector services


[15min] Review of Eclipse Release Review Slides [Mary]

  • Mary will send slides to list

Wednesday Afternoon

[20 min] Considerations for a multi-protocol ID provider [Uppili]

  • When considering merging of STS and SAML from a Higgins infrastructure perspective, it will be useful to discuss and get some common understanding about what is the ultimate "functional" objective. Are there cross-functional use cases in scope for the resulting multi-protocol system, or are we just sharing code between what would be completely independent systems. Would this guide how to approach the same issue if a reference implementation of OpenID were considered as part of Higgins (in future).
    • Look at the canonical layers of an IDP
    • Allude about infrastructure building blocks that can be shared
    • Meditate about some cross-protocol use cases / scenarios (like global sign-out)
  • ( I think this item should be here or somewhere prior to the "Merging" discussion, below).

[15 min] Short session on STS IdP / SAML IdP merge/refactoring [Mike]

  • In NY we were looking at things that could be reused
  • We agree it can be done
  • To be continued on Thursday

[15 min] Introduction to Open Identity Network Non-profit [Paul]

[30min] Introduction to R-Cards [Paul]

[45min] Introduction to XDI and X3 [Drummond]

  • Very brief background on OASIS XDI TC
  • Explain how XDI is the protocol equivalent of the Higgins Data Model (and that's why I'm working with Paul and Markus and Higgins)
  • Show a few simple examples of X3 (using Markus' XDI Converter) to show how the XDI RDF Model can be used to implement the HDM and vice versa.
  • Point out the XDI RDF Model sections.
  • Finish by showing X3 for the same r-card scenario that Paul went through

3:45pm [15min] [DEMO] XDI4J Code Walk-through [Markus]

  • Introduce XDI4J
  • Give a basic tour
  • Show the XDI Messenger
  • Show the XDI messages that would be transmitted for the BestBuy change of address VRM use case

4:10pm [45min] [DEMO] Novell open source IdP presentation [Daniel]

  • This uses the Higgins STS and IdAS components. Presentation will include the following:
  • High level architectural overview of IdP and how Higgins STS and IdAS are used.
  • Demonstration.
    • Download the IdP tarball.
    • Build it.
    • Deploy to server that has Tomcat installed.
    • Configure using web based admin.
      • Miscellaneous configuration.
      • Configuration of attributes that can be stored.
      • Configuration of information card templates.
      • Configuration of Java keystore
      • Configuration of IdAS context provider.
      • Look at the XML configuration files that are generated by admin.
      • Customizing how the IdP will look and feel.
    • Create user account
    • Manage user account, including change password
    • Issue information card using a card template
    • Use information card

5pm [45min] Design Principles [Mike]

  • Code Reuse and Size and Prerequisites
    • Reduce Download Size, Redundant Code, and Maintenance
    • Smallest/Earliest Possible JRE
  • Reusable System Services
    • Configurable Components
      • Need to make the ConfigurationSettings available more consistently (getInstance/Singleton)
      • Need to convert classes in ...sts.utilities into shared components
    • ImplementationFactory
      • Code to Interfaces not Implementations
      • Configuration Maps Implementation Classes to Interfaces
      • Call "Object ImplementationFactory.getInstance(IInterfaceClass)"
    • ConversionService
      • Extensible by configuration, not by change to core code
      • Configuration Maps Conversion Classes to SourceClass/DestinationClass pairs
      • Replaces BindingHelper, CertificateHelper, XMLHelper, DateHelper, UUIDHelper, functions
      • Call "Object ConversionService.convert(Object from, Class to)"
      • Replace KeyGenHelper/X931KeyGenerator with: RPIDGenerator
        • CertificateChain should be passed in, should not reconnect in this module

> > PPIDGenerator > > KeyPairGenerator > > CertificateChainGenerator > > UUIDGenerator > > EVCertificateManager > > Extensible by configuration > > Call "boolean isEV(Certificate cert)", > > WebApp Structure > > Split TokenService WebApp into > > TokenService (WS-Trust/STS) > > MetadataExchangeService > > ProfileService > > All common code in JARs > > All deployment specific configuration files +JARs in WAR > > Move System Properties to WEB.XML file! > >

[15min] Plugin vs. JAR Dynamic Loading and ClassPath/Resource Issues [Mike]

> > Can we add /Resource/*config.xml to Plugin without impact to JARs? > > How do we deal with It is in the redist plugin -

  • how can we change it without changing plugin code?

[30min] PKCS5 vs. ISO10126 Encryption/Decryption [Mike]

     Should always: Encrypt via PKCS5 and Decrypt via ISO10126
                             Encrypt           Decrypt
         Relying Party           No*           Yes
         Identity Selector       Yes           No*
         Identity Provider       Yes           Yes
      *Current implementations may not use encrypt or decrypt but future  ones may.
      The IXMLSecurityExtension should be broken into:
     The xmlsecurity.apache should be broken into
     The xmlsec-1.4.0 (1.4.1) should not be in the redist plugin.
     It should be in the various xml*extension.apache plugins.
      The name of the config.xml (IBM vs. Sun(default)) should be a configuration setting

6:15 Dinner

At Tucanos 4801 North University Ave. Unit 790 Provo, Utah 84604 [map]


9AM Agenda Bashing

9:25 Data Model

Is defined by:

  1. HOWL based on OWL-FULL (with mods from what it is today)
  2. wiki/documents


  • Compare Tony's data model definitions with the wiki

10:33 Marketing & Outreach [Paul, Mary]

  • Bandit T-shirts Caroline Ford
  • Communications Strategy
  • DOOR 1
    • Target audience: enterprise deployers, developers, and (in the long run) end users
    • Problem: I want a non-proprietary Identity Selector
    • Problem: I want an Identity Selector that runs on OSX or Linux
    • Solution: Higgins Identity Selector
      • Download one of the selectors
      • Get the source
  • DOOR 2
    • Target audience: Enterprise product consumers (deployment people)
    • Target audience: Open source developers
    • Problem: I want federated single-sign on solution
    • Problem: I want a non-proprietary Identity Selector
    • Problem: I want a non-proprietary IdP
    • Problem: I'm interested in WS-Trust-based identity technology
    • Solution: Higgins Identity Web Services
      • Try Eclipse-hosted demo services
      • Deploy your own server
      • Download the source
  • DOOR 3
    • Target audience: Open source developers
    • Problem: I'm interested in data portability (like the video)
    • Problem: Breaking down the identity silos
    • Solution: Context Data Model and the Higgins Global Graph
      • Download the spex
      • Look at the code

Release Planning, Roadmap

1.0.0 (release) 20th of Feb

  • We'll create the 1.0 branch in the next few days
  • We'll renumber all plugins to 1.0.0.
  • Wiki page on how to configure the existing Jena CP using JDBC

1.0.1M1 (stable) Mid March PlugFest

  • WS-Trust 1.3, SOAP 1.2, etc.
  • WS-Federation Passive Interop
  • AIR-based selector, Higgins Selector Selector
  • New Jena CP
  • (Non-Jena) JDBC-based CP optimized for p/m-card storage
  • De-Axisify
  • Revised HOWL

1.0.1MX (stable) April 7-11 RSA

  • ISAP
  • X509
  • Kerberos
  • SAML 2.0

1.0.1MX (stable) May 12-14 IIWa

  • WS-Federation Active Interop

1.0.1 (release) June

  • R-Cards
  • OpenID
  • Higgins Selector Selector
  • UN/PW-Card

Upcoming Interop Planning

  • RSA Conference
  • Burton
  • MSFT PlugFest (WS-Trust 1.3, SOAP 1.2, etc.)
    • NOTE: Need to Eliminate Axis
  • WS-Federation Passive Interop
  • WS-Federation Active Interop
  • Objectives?
  • Documentation of Higgins (eclipse-based, client-based, web-based) interop status/results?
    • The Higgins wiki is still circa June 2007
    • Need a matrix of support for Higgins 1.0
  • New functionality
    • R-Cards
    • OpenID
    • Selector Selector
    • Managed Cards with X.509 for Authentication)
    • Managed Cards with Kerberos for Authentication
    • Username/Password Cards
    • Relying Party/STS
      • Cancel/Validate
      • Issuer Policy
    • Writable IdAS Interface for ProfileService
    • Support for Metadata on IdP and Client
    • OSGi Servlet Engine

Thursday afternoon - Unofficial Continuation

Whoever wants to stay, stay

12:20 More Higgins Data Model

1:30pm extensible ISIP-M format and CardStore

  • .crd ISIP-M <--making it extensible (.crdx??)
  • .crd ISIP-P <--any changes??
  • .crds extensions

2pm [2hrs] STS IdP Solution in Depth [Mike]

  • Similar to New York F2F sesion, but shorter
  • (Weds or Thurs please)
  • STS Work items:
    • STS token service still bypasses IdAS to access/update attributes
    • Sample STS should cut over to using XMLFile Context Provider
    • Use of "informationCard generator" in STS's profile service?
    • Currently the STS MEX endpoint only advertises support for transport-level security (using UN token or self-seigned SAML token)

OpenID and Oauth

[45min] Merging SAML2 IdP into STS framework [Mike, Markus]

  • Pre-merge refactoring
    • Should we rename low level reusable sts.* components -> htp.* (Higgins Token Processing)
  • Task planning
  • Resources

Extra topics we might not get to

[15 min] Card-based Oauth [Paul]

  • Support for Oauth in the world of Higgins
  • Oauth uses redirects all over the place and asks the person to sign in using un/pw at the service

provider. There must be a better user experience.

  • How about O-cards? User experience:
    • User gets an O-card from Service Provider (e.g. Google Calendar)
    • User fires up Oauth Consumer that wants Google Calendar data stream
    • Selector appears with Google Calendar card displayed
    • Selector UI asks to approve grant of rights
    • User clicks "Approve" button
    • Done. [No redirects, no un/pw entry at SP, etc.]

Autobuilds, Auto-tests

  • Eclipse features building: Peter is working on this
  • C++: currently built using "cmake" (configure and make). compatible with SUSE autobuild service.

builds the RPM packages.

  • Nightly Junit tests: for longer term

Moving, Renaming Components

  • Split selector selector from HBXIE
  • Plugins folder
  • .deployment.idas.basic -> move to app?
  • .rpps -> ss
  • .rsse -> rename to .ss.rsse

[30min] Five ways to integrate OpenID [Paul]

  1. OP Uses Cards for Auth (prevents phishing)
  2. Sxip OpenID Cards (OpenID claim type in managed cards or shared cards)
  3. OpenID Card: fills in pw at OP (prevents phishing)
  4. OpenID CP: OpenID OP into CP
  5. OpenID & Cards: Grand Unification

More Fodder


Skiing at The Canyons

  • Plan is to meet at or around the Ticket Sales (#24 on this page) at 8:15AM, ready to ride
  1. Carl Binding
  2. Phil Hunt
  3. Wendy Hunt
  4. Michael McIntosh
  5. Tony Nadalin
  6. Drummond Reed
  7. Markus Sabadello
  8. Jim Sermersheim
  9. Paul Trevithick


Copyright © Eclipse Foundation, Inc. All Rights Reserved.