[WG-OTTO] Proposal for extending the WG charter

Rainer Hoerbe rainer at hoerbe.at
Tue Jan 12 16:14:19 CST 2016

Some time ago we discussed to design the OTTO specification in a way that will be useful to create SAML metadata and X.509 certificates from a common underlying data structure, too. Also, we talked about making „Trust Taxonomies“ a model to manage many circles of trust. I understood that we were basically in agreement. Therefore I would like to ask if WG members agree to extend the charter to reflect these goals. I think that this should be included in the first phase of the WG, but I am not sure about the implications on the workplan of the WG.

I am proposing following changes. Text in red is new:

The working group will develop the basic structures needed for the creation of multi-party federations between OAuth2 entities. The intent is to create a foundation of trust and drive down the cost of collaboration by publishing technical and legal information. These structures will include the set of APIs and related data structures enabling an OAuth entity to manage which entities it trusts and for other OAuth entities to discover members of the federation and details of the services.

The design will feature interoperability with other trust taxonomies such as SAML metadata and X.509 certificates. An underlying layer independent from OAuth2/SAML/X509 will enable the sharing of common data elements. 
Another goal is to allow the operation of many federations within an instance of the trust taxonomy, thus allowing an entity to be part of multiple federations.
The Work Group is necessary to bring together collaborators from existing SAML federations and the OAuth community to collaborate on a draft solution that meets their shared goals in this area and takes into account lessons learned from the past ten years of SAML.

Specifically, this Work Group is responsible for:

Developing a set of use cases and requirements that are specific enough to guide the specification design work
Developing a set of modular draft specifications meeting these use cases and requirements
Overseeing the contribution of each resulting draft specification to a standards-setting organization
The group will target completion of the specifications by 1/15/16.


The APIs and data structures will enable discovery of the members of the federation and details about their services, key material and technical capabilities. The final scope will be refined after consideration of the use cases. 

Existing SAML Federation XML structures will inform this work, but the data structures will not be expressed in XML but in  JSON. The functions supported in existing SAML federations should be supported. Additionally, support for a more efficient and scalable discovery process and dynamic integration process will be considered.


The following technical specifications should be produced, with modular spec boundaries subject to change. The specifications will then be submitted to appropriate standards bodies for further work and completion:

Open Trust Taxonomy for OAuth2 and Others Use Cases
Open Trust Taxonomy for OAuth2 and Others Core Specification


The WG might need another name. OTTOO (Open Trust Taxonomy for OAuth2 and Others) or OTTOMAN (... for OAuth2 Metadata And Non-Oauth2 metadata)?

The rationale for the wider scope is the benefit of a larger base of trusting entities, which would result in reduction of redundancy. Trust relationships may require the application of different protocols, creating the need to support multiple technology stacks such as PKIX, SAML and OIDC. E.g. a secure collaboration scenario might require both document signature and encryption (PKIX) and federated access to web applications; a federation might support both SAML and OIDC  endpoints.

Regards, Rainer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://kantarainitiative.org/pipermail/wg-otto/attachments/20160112/1549837d/attachment.html>

More information about the WG-OTTO mailing list