John

Directory Centric Model doesn't work? I agree completely. Pretty amazing for an LDAP guy! However, I would argue strongly that both the directory repository (database or whatever) and the user centric model are needed. For example, you have your driver's license, but the government has a database that has all the details on all licenses issued and whether it is revoked and how many points you have lost (gee...starting to sound like PKI all over again ;-) ).

Also, no matter what happens with directory or identity exchange, there will always be the application that has to store data. Where this all breaks down is what happens when the application needs to maintain context. In this sense, I'm worried about what happens when the user chooses to present a different credential each time. This actually makes life for the application programmer even more difficult. In the end he has to ask more questions like what is your social security number or SIN. Hmmm....pretty soon we end up repeating history.

The key is NOT to build a system that is 100% one way or the other. The huge uber directory definitely won't work. Neither will the "user" uber-card. What we need is an easy-to-use, easy-to-manage and safe system that combines the 7 laws and the correct mix of technologies. Just like routers made it easy to inter-connect discrete networks into the huge global network we take for granted, we really need an ecosystem to link assertions and authorities in verifiable, portable, and secure ways.

I think there are really two macro profiles to think about -- "Session" and "Storage" modes. Session mode is really where we see SAML, SXIP and others playing (the 2.0 team) - where one application wants to pass data or assertions on to another service with a portable assertion. The still-important "storage mode" is all the authoritative stores that the permanent data goes to and comes from when the session-based application needs to assert or consume something.

Phil Hunt

Note: These comments represent my own personal opinions and do not necessarily represent those of Oracle.

On 20-Jan-06, at 5:36 PM, John Merrells wrote:


On 20-Jan-06, at 11:18 AM, Leslie Daigle wrote:

It is clearer, but I think the charter still needs to be
clearer about what is meant by "digital identity".  Is
the purpose to be able to access *any* stored data about
a person, or *specific* stored data?

'any'... but the relying party has to know the name of
the thing it's asking for.

In many regards, saying "any" is easier; sort out the format
for expressing attribute/values, and you're done.

Yes, that's been the plan so far. Others can provide the
names of the attributes and the syntax and semantics of
the values. That could be done in the IETF, or in another
standards body, or by industry consortia, or just be a
free-for-all folksonomy kind of thing.

However,
then there are issues of interoperability (is there a minimum
set of identity data that is mandatory to provide?).

Mmm, I'd say 'no', but Scott might say 'yes'. I'm reluctant
to end up down the schema rathole arguing over things
like mobilephone versus cellphone... for example.

And, if it is "any", then how is this not a directory service
with additional labelling (addresses/names/identifiers) on top?

I think that the DIX and LDAP information models will
turn out to be very similar indeed. But I don't think that's
what distinguishes a user's agent from a directory service.

In the directory centric model the user informs the
relying party of their DS and the RP does a search
against the DS for the user's attributes, perhaps
using some credentials provided by the user, or
with some credentials provided to the RP by the
DS beforehand.

In the user centric model the RP requests some
data from the user who forwards the request to
their agent, selecting the data items, providing
consent for their release and then forwards them
to the RP.

Same parties, different protocol flow... with greater
user privacy. Kim Cameron's 'Seven Identity Laws'
make it pretty clear why the directory centric model
doesn't work for digital identity, and explain why
Microsoft Passport was not widely adopted outside
of the MSN universe.

John

_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix

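The two flows John contrasts above (the RP searching the user's directory service with credentials the DS issued to it, versus the RP asking the user and the user's agent releasing only consented items), simulated as an added example that is not part of this thread and is not DIX, LDAP or any project's code. The directory entry, the RP identifier shop.example, the shared secret and the consent policy are all constructed. It goes a little beyond the text in two ways: the DS keeps an audit of which RP asked about whom, and the request includes an attribute name the agent does not know (cellphone versus mobile), the schema mismatch John mentions.

```python
"""Simulation of directory-centric versus user-centric attribute release.
Added illustration with constructed parties and data; not DIX, LDAP or any
project's code. All names, secrets and values are hypothetical."""

from dataclasses import dataclass, field

# Constructed authoritative store holding Alice's record (the "storage mode" side).
STORE = {
    "uid=alice,dc=example,dc=com": {
        "cn": "Alice Example",
        "mail": "alice@example.com",
        "mobile": "+1-555-0100",
        "dateOfBirth": "1980-01-01",
        "ssn": "000-00-0000",          # sensitive; dummy value
    }
}


@dataclass
class DirectoryService:
    """Directory-centric party: the RP searches the DS directly, using
    credentials the DS issued to the RP beforehand."""
    records: dict
    rp_credentials: dict                    # rp_id -> shared secret (hypothetical)
    audit: list = field(default_factory=list)

    def search(self, rp_id, rp_secret, dn, attrs=None):
        if self.rp_credentials.get(rp_id) != rp_secret:
            raise PermissionError("RP not authorised on this DS")
        record = self.records[dn]
        # The DS learns which RP is asking about which user, every time.
        self.audit.append((rp_id, dn, attrs))
        if attrs is None:                   # the "any" case: hand back the whole entry
            return dict(record)
        return {a: record[a] for a in attrs if a in record}


@dataclass
class UserAgent:
    """User-centric party: holds the user's data and releases only what the
    user has consented to for this particular RP."""
    record: dict
    consent: dict                           # rp_id -> set of attributes the user allows

    def respond(self, rp_id, requested):
        allowed = self.consent.get(rp_id, set())
        released = {a: self.record[a] for a in requested
                    if a in allowed and a in self.record}
        refused = sorted(a for a in requested if a in self.record and a not in allowed)
        unknown = sorted(a for a in requested if a not in self.record)  # schema mismatch
        return {"released": released, "refused": refused, "unknown": unknown}


def directory_centric_flow(ds, rp_id, rp_secret, user_dn, attrs=None):
    """1. The user tells the RP which DS holds the entry (user_dn names it).
       2. The RP searches that DS with its own credentials."""
    return ds.search(rp_id, rp_secret, user_dn, attrs)


def user_centric_flow(agent, rp_id, requested):
    """1. The RP sends the user a request naming the attributes it wants.
       2. The user forwards it to the agent, which selects items and applies consent.
       3. The agent returns only the consented items; the RP never touches the DS."""
    return agent.respond(rp_id, requested)


def demo():
    ds = DirectoryService(records=STORE, rp_credentials={"shop.example": "s3cret"})
    dn = "uid=alice,dc=example,dc=com"
    # Directory-centric with an unconstrained search: the RP gets everything,
    # including ssn, and the DS records that shop.example looked Alice up.
    pulled = directory_centric_flow(ds, "shop.example", "s3cret", dn)
    # User-centric: Alice has consented to give shop.example only cn and mail.
    agent = UserAgent(record=STORE[dn], consent={"shop.example": {"cn", "mail"}})
    answer = user_centric_flow(agent, "shop.example", ["mail", "ssn", "cellphone"])
    return pulled, ds.audit, answer


if __name__ == "__main__":
    pulled, audit, answer = demo()
    print("directory-centric returned:", sorted(pulled))
    print("DS audit trail:", audit)
    print("user-centric returned:", answer)
```

Running it shows the privacy difference in one screen: the directory search hands the RP all five attributes and leaves a trail at the DS, while the agent releases one attribute, refuses ssn, and reports cellphone as unknown rather than guessing that it meant mobile.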
