[2008-04-08 01:14:40] JOIN #higgins :Jimse!n=jimse@209.31.24.235.ptr.us.xo.net JOIN :#higgins
[2008-04-08 03:42:45] JOIN #higgins :peace-keeper!n=peace-ke@chello084114169104.2.15.vie.surfer.at JOIN :#higgins
[2008-04-08 03:49:26] JOIN #higgins :peacekeeper!n=peace-ke@chello084114169104.2.15.vie.surfer.at JOIN :#higgins
[2008-04-08 04:01:57] QUIT peace-keeper
[2008-04-08 06:30:39] JOIN #higgins :rcjsuen!n=rcjsuen@bas6-kitchener06-1177625335.dsl.bell.ca JOIN :#higgins
[2008-04-08 06:45:05] <_keturn:#higgins@higginsircbot|QUIT>QUIT _keturn
[2008-04-08 06:52:45] <_keturn:#higgins@higginsircbot|JOIN>JOIN #higgins :_keturn!n=acapnoti@pdpc/supporter/sustaining/keturn JOIN :#higgins
[2008-04-08 10:05:19] JOIN #higgins :Duane!n=dbuss@nat/novell/x-f121bdd7e58bcccd JOIN :#higgins
[2008-04-08 10:07:33] QUIT Jimse
[2008-04-08 10:20:30] JOIN #higgins :MikeMc!n=MikeMc@nat/ibm/x-bb730cd04d12afd1 JOIN :#higgins
[2008-04-08 10:20:41] JOIN #higgins :Jimse!n=jimse@nat/ibm/x-d4636e80d9a0f642 JOIN :#higgins
[2008-04-08 10:23:44] QUIT peacekeeper
[2008-04-08 10:35:29] I'll scribe the F2F mtg as well as I can
[2008-04-08 10:35:41] sweet
[2008-04-08 10:35:42] discussion is around Entity IDs
[2008-04-08 10:35:43] cool
[2008-04-08 10:35:57] Tony proposes to change so these are always globally unique
[2008-04-08 10:36:26] so we'd have to add in the context ID to each Entity ID
[2008-04-08 10:36:49] He's talking in terms of the Higgins Data Model.
[2008-04-08 10:37:07] I don't like applications always having to deal with a fully qualified name
[2008-04-08 10:37:35] so I propose there being (at least in IdAS), a getLocalName and a getGlobalName
[2008-04-08 10:37:37] but...
[2008-04-08 10:37:54] which do we use for methods like getEntity(name)
[2008-04-08 10:38:22] getEntity is off the context
[2008-04-08 10:38:37] ie. context ID is implied
[2008-04-08 10:39:13] a getFullName makes sense but that full name doesn't make sense to me to be passed to getEntity
[2008-04-08 10:41:04] so, Mike argues that the data model doesn't always need to exactly reflect the data model
[2008-04-08 10:41:30] data model ... data model?
[2008-04-08 10:41:44] so, maybe in the IdAS APIs, we could leave everything as-is, but maybe add for convenience an IEntity.getGlobalID
[2008-04-08 10:42:09] yes, I'd agree w/ that
[2008-04-08 10:44:45] for opensocial all names are always fully qualified
[2008-04-08 10:45:21] but in IdAS, getEntity is on a context
[2008-04-08 10:45:33] now, we've moved to the topic of attributes as entities
[2008-04-08 10:45:33] context ID is implied
[2008-04-08 10:45:50] (I agree Tom)
[2008-04-08 10:47:00] I like the idea of the getGlobalID though. that could help an application pick the right context to connect to etc. off a persistent reference.
[2008-04-08 10:47:15] but what happens when I have joining happening, how do I differentiate between entities that are a mismatch. Fully qualified names would solve that
[2008-04-08 10:47:24] yeah -- nice for when a consumer needs an ID they can pass around
[2008-04-08 10:48:03] yup
[2008-04-08 10:49:50] the current discussion is: if we allow complex attributes to be entities (which may be named), this allows us to share attributes among entities
[2008-04-08 10:49:55] but only when they're complex
[2008-04-08 10:50:14] why not provide a way to share attributes that are literals?
[2008-04-08 10:50:21] Paul doesn't want to allow it
[2008-04-08 10:50:54] he argues that it adds too much complexity
[2008-04-08 10:55:19] so, Paul suggests that we separate the discussion of complex attrs as entities from the discussion of shared literal values
[2008-04-08 10:57:06] JOIN #higgins :Duan1!n=dbuss@nat/novell/x-3dd7382b3181bd7b JOIN :#higgins
[2008-04-08 11:07:42] QUIT Duane
[2008-04-08 11:12:23] somehow we've moved on to access control statements
[2008-04-08 11:12:48] Paul proposes that we make use of XACML
[2008-04-08 11:13:13] someone could write a XACML CP that can be overlaid on other CPs
[2008-04-08 11:13:20] which is very descriptive, has two parsers, and is a royal pain to edit
[2008-04-08 11:13:28] hehe
[2008-04-08 11:13:51] Tony is proposing a way of doing access control statements using attributes
[2008-04-08 11:28:51] QUIT MikeMc
[2008-04-08 11:36:27] so, should we define an attribute type which represents an access control statement? It could contain the traditional 3-parts (subject, action, object) where object could be implied by the placement of the attribute?
[2008-04-08 11:36:54] that would allow us to make statements about who can do what to which bits of data
[2008-04-08 11:37:15] but it doesn't provide a simple way of asking: What can *I* do?
[2008-04-08 11:38:18] I could do a search that asks: "search for all accessControlStatement where Jimse is listed as the subject"
[2008-04-08 11:38:29] that would tell me what I can/can't do
[2008-04-08 11:38:40] but only if it matches true for implied permissions
[2008-04-08 11:38:43] need more than three parts, also need to specify inheritance, what type of resource (this object, attr, object class, object xxx)
[2008-04-08 11:38:48] remote object
[2008-04-08 11:39:27] yeah, inheritance is needed if we want to be able to apply permissions at a higher scope
[2008-04-08 11:40:05] the only explicit scopes we have today are Context/Entity/Attribute/AttributeValue/subvalue...
[2008-04-08 11:40:25] if we mix in the notion of relationships, we can build any ad-hoc hierarchy we want
[2008-04-08 11:42:22] JOIN #higgins :MikeMc!n=MikeMc@nat/ibm/x-fbb8a05acc517181 JOIN :#higgins
[2008-04-08 11:50:57] I wonder if the resource type could be wrapped into the resource identifier
[2008-04-08 12:01:09] so, Paul proposes that ALL access control statements be placed as attributes on the context
[2008-04-08 12:01:16] not on entities themselves
[2008-04-08 12:02:44] which means that we have to deal with referential integrity
[2008-04-08 12:02:59] hah, and their relationship to real access control as enforced by the provider?
[2008-04-08 12:03:34] and since that means local storage that might be mucked about with by the user this helps how?
[2008-04-08 12:03:48] sure, the CP would have to abstract from the underlying data's model
[2008-04-08 12:03:54] Is there anyone from team bandit that can take a look at the logs on your RP and let us know more details about the errors we are getting?
[2008-04-08 12:04:12] Which RP?
[2008-04-08 12:04:15] which RP
[2008-04-08 12:04:26] JOIN #higgins :litie!n=litie@nat/ibm/x-28a644ad66d2db14 JOIN :#higgins
[2008-04-08 12:04:27] woof ?
[2008-04-08 12:04:39] hang on
[2008-04-08 12:06:12] Duane, I don't think anyone was suggesting that a provider MUST allow "higgins" access control statements to be added which represent things not enforced by the underlying data store
[2008-04-08 12:06:26] they're saying the provider needs to "map" to the higgins way
[2008-04-08 12:06:49] If the underlying store supports them then they would be stored by the provider
[2008-04-08 12:06:56] woof's log file is empty...
[2008-04-08 12:07:18] catalina.out ?
[2008-04-08 12:07:58] there must be another one
[2008-04-08 12:08:09] that's dated 3/11
[2008-04-08 12:09:21] there is no real logging on woof.
[2008-04-08 12:09:42] It's pretty crusty old mediawiki code. We need to update it to the latest mediawiki and plugins
[2008-04-08 12:09:45] but how can it be a month old and zero lines in catalina.out?
[2008-04-08 12:09:50] what problem are you seeing
[2008-04-08 12:10:03] because we don't run tomcat on woof at all
[2008-04-08 12:10:25] oh yeah, duh
[2008-04-08 12:10:40] ok, so they're seeing some padding issues
[2008-04-08 12:11:22] he's going to try again so he can get the exact error
[2008-04-08 12:12:50] Unable to decrypt keyWrapCipher, probably using incorrect private key
[2008-04-08 12:13:41] which identity selector and which sts?
[2008-04-08 12:14:07] higgins rcp selector - higgins sts
[2008-04-08 12:17:06] Daniel is going to dig into this shortly
[2008-04-08 12:17:13] thanks
[2008-04-08 12:32:13] I fixed up woof so we can login with an information card. Someone want to try whatever it was they were doing?
[2008-04-08 12:33:57] ok - will retry
[2008-04-08 12:35:21] incoming
[2008-04-08 12:37:23] looks like your RP now takes our token - but others don't - did you do something to it?
[2008-04-08 12:37:50] I disabled some java bridge stuff that wasn't working anymore.
[2008-04-08 12:37:59] Nothing to do with token handling though.
[2008-04-08 12:38:26] We are pretty liberal on woof as to what tokens we will take though
[2008-04-08 12:38:31] not much checking of any kind.
[2008-04-08 12:38:58] It also uses a very old XML canonicalization algorithm
[2008-04-08 12:39:27] I suspect that woof won't take others' tokens if they aren't formatted just right - speaking of how they are canonicalized.
[2008-04-08 12:39:59] We really need to upgrade woof to the latest media wiki code and to use the Pamelaware plugin for mediawiki
[2008-04-08 12:40:09] ok thanks - we'll keep plugging
[2008-04-08 12:40:42] is there another RP you guys have that is more current - and that you can look at logs for?
[2008-04-08 12:40:42] Yes
[2008-04-08 12:40:54] We have one on wag and cards
[2008-04-08 12:41:06] try the python rp's they both are set for debug logging so you get the feedback
[2008-04-08 12:41:06] Both sites allow you to login with a card
[2008-04-08 12:41:23] There is also a "test cards" site that allows you to test any card:
[2008-04-08 12:41:36] can you post me the url?
[2008-04-08 12:41:47] https://wag.bandit-project.org/BanditIdP/index.jsp?option=testinfocard&action=testinfocardform
[2008-04-08 12:41:49] http://code.bandit-project.org/demo/python/rp/
[2008-04-08 12:42:13] The test cards site will show the encrypted token as well as the decrypted token
[2008-04-08 12:42:24] It also lets you determine what claims you want to ask for
[2008-04-08 12:42:32] oh good thanks - will likely be asking you to look at the logs shortly
[2008-04-08 12:42:33] Dynamic RP policy
[2008-04-08 12:42:49] Let me turn trace on
[2008-04-08 12:42:53] first
[2008-04-08 12:43:03] Currently it is only info
[2008-04-08 12:43:30] http://code.bandit-project.org/demo/python/rp/ doesn't support dynamic rp policy but does allow you to see encrypted/decrypted token, the parsed values of everything, and the log generated while processing.
[2008-04-08 12:44:18] Are you ok if I restart tomcat on Wag?
[2008-04-08 12:44:30] yes
[2008-04-08 12:44:35] here goes...
[2008-04-08 12:44:51] QUIT Jimse
[2008-04-08 12:45:29] ok, wag is restarted with trace logging on.
[2008-04-08 12:48:11] we can't use the http sites - only https
[2008-04-08 12:48:26] https will work on wag
[2008-04-08 12:48:34] yes - trying now
[2008-04-08 12:48:56] I suspect Duane's site also supports https
[2008-04-08 12:49:14] yes
[2008-04-08 12:49:23] of course :->
[2008-04-08 12:49:44] Daniel - on wag we just got an error - are there any more details in the logs ?
[2008-04-08 12:49:55] There probably are
[2008-04-08 12:49:59] what was the error?
[2008-04-08 12:50:36] Exception ...XMLEncryptionException ... Unwrapping failed
[2008-04-08 12:50:44] As a test site it is actually configured to be very lenient in what it accepts.
[2008-04-08 12:51:23] There won't be more info in the log for that one...
[2008-04-08 12:51:47] ok - thanks
[2008-04-08 12:52:15] What more would be helpful?
[2008-04-08 12:52:42] are you able to tell which java API failed?
[2008-04-08 12:52:58] I could print out a call stack....
[2008-04-08 12:53:05] try https://code.bandit-project.org/demo/python/rp/ It might provide more details, including the openssl exceptions.
[2008-04-08 12:54:12] Mike can you paste the exact message you get in here?
[2008-04-08 12:55:38] tie li just did
[2008-04-08 12:56:05] but it doesn't show here - odd
[2008-04-08 12:56:27] Is he in another window?
[2008-04-08 12:56:50] Exception org.apache.xml.security.encryption.XMLEncryptionException decrypting token DOM: Unwrapping failed Original Exception: java.security.InvalidKeyException: Unwrapping failed
[2008-04-08 12:57:50] I've seen this one..... trying to remember what I had to do to resolve it....
[2008-04-08 12:58:42] Is this a case where there is an AppliesTo?
[2008-04-08 12:58:55] I think I know what he's doing wrong....
[2008-04-08 12:59:01] Wag has a certificate chain
[2008-04-08 12:59:11] He is using the wrong key in the cert chain to encrypt the token.
[2008-04-08 12:59:30] we'll look into this
[2008-04-08 12:59:51] You have to figure out which cert is the "leaf" cert and use that, instead of just taking the first cert you see
[2008-04-08 13:00:09] ok - we'll try that
[2008-04-08 13:00:22] You might talk to Andy to see how he determines that.
[2008-04-08 13:00:39] think I saw code to do that recently
[2008-04-08 13:00:50] Also, look at the STS code I put in to handle finding the right cert when there is an AppliesTo
[2008-04-08 13:01:10] can you remember where that was?
[2008-04-08 13:01:11] A couple of weeks ago I checked in some changes to the STS
[2008-04-08 13:01:20] Let me look, just a sec... can't remember...
[2008-04-08 13:01:43] BindingHelper.java I think
[2008-04-08 13:03:37] Look in the toEndpointReference method.
[2008-04-08 13:03:57] and look at how the certList variable is built up and then processed to determine the leaf cert.
[2008-04-08 13:04:21] near the end - right?
[2008-04-08 13:04:33] right
[2008-04-08 13:04:45] I basically look for the cert that is NOT listed as an issuer to another cert.
[2008-04-08 13:04:56] sort of dumb... but seems to work.
[2008-04-08 13:05:48] I know of one case when it doesn't
[2008-04-08 13:05:55] when the SSL Cert is self signed
[2008-04-08 13:06:04] yeah, it would bomb on that case
[2008-04-08 13:06:10] We need a better way to do it.
[2008-04-08 13:06:18] That was the best I could come up with on short notice.
[2008-04-08 13:06:25] well - that is the case when the list has one item so easy mod
[2008-04-08 13:06:47] I am going to turn this into a util function so I can use it in client side -
[2008-04-08 13:06:52] ok?
[2008-04-08 13:06:56] go for it
[2008-04-08 13:07:06] It's your code to begin with :)
[2008-04-08 13:08:32] gotta step out for a few minutes -- will brb
[2008-04-08 13:11:50] JOIN #higgins :Jimse!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 13:11:54] I'm back
[2008-04-08 13:16:25] JOIN #higgins :Jims1!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 13:18:24] we're still implementing this fix on client side - will hopefully test this soon
[2008-04-08 13:22:28] QUIT litie
[2008-04-08 13:24:23] QUIT Duan1
[2008-04-08 13:38:11] JOIN #higgins :Duane!n=dbuss@nat/novell/x-da2ed90885b4ff09 JOIN :#higgins
[2008-04-08 13:40:18] QUIT Jims1
[2008-04-08 13:56:20] JOIN #higgins :Jims1!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 14:12:04] QUIT Jimse
[2008-04-08 14:55:09] JOIN #higgins :Jimse!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 15:10:58] QUIT Jims1
[2008-04-08 15:26:14] PART #higgins
[2008-04-08 16:00:19] JOIN #higgins :Duan1!n=dbuss@137.65.229.85 JOIN :#higgins
[2008-04-08 16:00:32] JOIN #higgins :tdoma1!n=IronMan@137.65.229.21 JOIN :#higgins
[2008-04-08 16:00:36] 1
[2008-04-08 16:02:50] 2
[2008-04-08 16:03:02] 3
[2008-04-08 16:03:11] heh, hey did you get the pwd I sent you jim?
[2008-04-08 16:03:16] man, we're awesome
[2008-04-08 16:03:19] yeah, thanks!
[2008-04-08 16:04:02] oh, except it doesn't work
[2008-04-08 16:04:20] maybe it works for the paparazzi IdP
[2008-04-08 16:05:03] I logged into wag IdP w/ that 30 min ago
[2008-04-08 16:05:13] hmm, nope
[2008-04-08 16:06:13] ok, it works
[2008-04-08 16:06:16] https://wag.bandit-project.org/BanditIdP/admin.jsp
[2008-04-08 16:06:18] I was going a diff route
[2008-04-08 16:06:33] oh, okay, was baffled
[2008-04-08 16:06:51] sorry about that
[2008-04-08 16:07:08] np
[2008-04-08 16:16:12] QUIT Duane
[2008-04-08 16:16:36] QUIT tdoman
[2008-04-08 16:16:43] NICK tdoman
[2008-04-08 16:17:15] NICK now_known_as_tdo
[2008-04-08 16:40:05] QUIT Duan1
[2008-04-08 16:48:31] JOIN #higgins :MikeMc!n=MikeMc@198.83.145.37 JOIN :#higgins
[2008-04-08 16:51:13] JOIN #higgins :tdoman!n=IronMan@nat/novell/x-9ddd6a903c8de96c JOIN :#higgins
[2008-04-08 16:56:27] JOIN #higgins :Duane!n=dbuss@nat/novell/x-1a1df49bd44a529b JOIN :#higgins
[2008-04-08 17:09:58] QUIT now_known_as_tdo
[2008-04-08 17:42:56] QUIT Duane
[2008-04-08 17:53:45] QUIT MikeMc
[2008-04-08 18:08:41] JOIN #higgins :Jims1!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 18:24:42] QUIT Jimse
[2008-04-08 18:39:25] QUIT tdoman
[2008-04-08 18:39:58] JOIN #higgins :tdoma1!n=TeeDoh@137.65.229.21 JOIN :#higgins
[2008-04-08 18:44:21] JOIN #higgins :Jimse!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 18:44:47] QUIT tdoma1
[2008-04-08 19:00:17] QUIT Jims1
[2008-04-08 19:08:48] JOIN #higgins :Jeesmon!n=jjacob@pool-72-71-243-198.cncdnh.fios.verizon.net JOIN :#higgins
[2008-04-08 19:13:18] JOIN #higgins :Jims1!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 19:23:05] QUIT Jimse
[2008-04-08 19:25:11] PART #higgins
[2008-04-08 19:32:27] JOIN #higgins :MikeMc!n=MikeMc@198.83.145.37 JOIN :#higgins
[2008-04-08 19:59:45] JOIN #higgins :Jimse!n=jimse@198.83.145.37 JOIN :#higgins
[2008-04-08 20:15:48] QUIT Jims1
[2008-04-08 20:17:38] QUIT MikeMc
[2008-04-08 20:23:38] QUIT Jimse
[2008-04-08 22:32:36] QUIT Ben
[2008-04-08 22:32:56] JOIN #higgins :BenL!n=ben@dsl-217-155-92-105.zen.co.uk JOIN :#higgins
[2008-04-08 23:01:09] QUIT rcjsuen