Bob's thoughts....
Begin forwarded message:
From: "RL 'Bob' Morgan" <[EMAIL PROTECTED]>
Date: November 9, 2005 3:05:14 PM PST (CA)
To: IETF DIX list <[email protected]>
Subject: [dix] thoughts on "identity" and IETF
I have been somewhat involved in recent discussions regarding
"identity" (see http://www.identitygang.org/ and a zillion other
blogs and links), as well as a long-time IETF participant, so let
me toss out a brief personal view of what's going on here in hopes
it may provide context useful for some folks.
Let me say up front that I don't necessarily agree with all the
positions I describe below, but am trying to express what many
people are saying and thinking.
Many protocols developed in the IETF have served the needs of what
Dick Hardt calls "Identity 1.0", which might be characterized less
flamboyantly as "enterprise identity management". This term
includes several rather different technologies and processes, all
in support of the ability for the owners of services to control who
does what with their computing resources. I use the word
"enterprise" above intentionally, to reflect the fact that
traditionally the parties with interest and ability to control
access to resources have been organizations, usually large ones.
So, for example, the domain of use of the IETF's LDAP protocol is
large directories containing entries for many users, operated by IT
staff in organizations that have an interest in the users whose
info is in those entries, and the applications that use those
directories. The domain of use of the IETF's Kerberos protocol is
similarly organizations with an interest in secure authentication
to a set of apps relying on an organizational KDC. Similar broad-
brush characterizations could be made of PKIX, TLS, SASL, features
like HTTP Basic/Digest authentication, probably other protocols and
features.
Note that the scope of "identity" here includes several things.
One is maintenance of information about a person (or other entity),
including not just userid and password but potentially lots of
other information relevant to authorization, contact, perhaps other
purposes. Another is authentication, ie how a service knows "the
identity" of a client. Another is exchange of identity information
between parties, both at authentication time and at other times.
Out in the world most people's experience of the Internet is of
course the Web, and most people's experience of "Identity 1.0" has
been via account setup and login to a vast array of web-based
services managed by organizations large (mostly) and small. There
have been some non-IETF standard/spec activities that attempt to
address the widely-observed usability problem of people having too
damn many usernames/passwords to remember, as well as security
problems based on that stuff. Perhaps the main one is the OASIS-
published SAML standard, which specifies how to do web sign-on and
attribute exchange. A somewhat similar activity is WS-Federation,
part of the WS-* spec set. These have been called "Identity 1.5"
because they permit some organizations to rely on other
organizations' identity management services, but the use cases
driving the designs are still organization-oriented.
So is there something missing in the above stuff, some new
requirements requiring new stuff, ie "Identity 2.0"? I think the
people who say there is are motivated by the huge number of new
things that have happened on the web in the last few years. The
center of this is the blogging phenomenon. Maybe 20 million people
are now blogging. They're doing other things like putting lots of
photos online at Flickr, keeping their bookmarks on del.icio.us,
tracking tags on technorati, and zillions of other examples. They
are composing these services in myriad ways to create new
services. In sociological terms they are creating online
identities for themselves that they feel much more attachment to
than their organizational account, even their "my.foo.com" page at
one of the traditional portal sites. In Identity 1.0 terms they
are all becoming, or have an interest in becoming, both service
providers and identity providers, that is, they have an interest in
protecting their resources (in the canonical case of reducing blog
spam), and in leveraging their personal info to their millions of
peers.
So now in addition to the tens or hundreds of thousands of
institutions with identity interest, there are tens of millions of
individuals. Many people are trying to figure out what they need
and respond to it. The SXIP technology is one among those, others
are OpenID, LID, Passel, and no doubt many others. For the most
part these approaches reject traditional identity management
protocols and systems; whether they should or should not is one of
the big questions. A key point is that the individual interest in
identity is much more about expression, ie ease of sharing and
discovery, than it is in control (ie, fancy security). Another key
point is individual control, the same sort of control people feel
over their personal domain name and its site, or their blog. Even
people who aren't radically anti-corporate like to feel in charge
of their own stuff.
That's all I have time for now ...
- RL "Bob"
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix
