Thank you, Bob, for the clarifications and the history lesson. For the
first time in the long mailing list discussion I got the impression that
I understand what people want to accomplish ...
John Merrells wrote:
Bob's thoughts....
Begin forwarded message:
From: "RL 'Bob' Morgan" <[EMAIL PROTECTED]>
Date: November 9, 2005 3:05:14 PM PST (CA)
To: IETF DIX list <[email protected]>
Subject: [dix] thoughts on "identity" and IETF
I have been somewhat involved in recent discussions regarding
"identity" (see http://www.identitygang.org/ and a zillion other
blogs and links), as well as a long-time IETF participant, so let me
toss out a brief personal view of what's going on here in hopes it
may provide context useful for some folks.
Let me say up front that I don't necessarily agree with all the
positions I describe below, but am trying to express what many people
are saying and thinking.
Many protocols developed in the IETF have served the needs of what
Dick Hardt calls "Identity 1.0", which might be characterized less
flamboyantly as "enterprise identity management". This term includes
several rather different technologies and processes, all in support
of the ability for the owners of services to control who does what
with their computing resources. I use the word "enterprise" above
intentionally, to reflect the fact that traditionally the parties
with interest and ability to control access to resources have been
organizations, usually large ones.
So, for example, the domain of use of the IETF's LDAP protocol is
large directories containing entries for many users, operated by IT
staff in organizations that have an interest in the users whose info
is in those entries, and the applications that use those
directories. The domain of use of the IETF's Kerberos protocol is
similarly organizations with an interest in secure authentication to
a set of apps relying on an organizational KDC. Similar broad-brush
characterizations could be made of PKIX, TLS, SASL, features like
HTTP Basic/Digest authentication, probably other protocols and features.
Note that the scope of "identity" here includes several things. One
is maintenance of information about a person (or other entity),
including not just userid and password but potentially lots of other
information relevant to authorization, contact, perhaps other
purposes. Another is authentication, ie how a service knows "the
identity" of a client. Another is exchange of identity information
between parties, both at authentication time and at other times.
Out in the world most people's experience of the Internet is of
course the Web, and most people's experience of "Identity 1.0" has
been via account setup and login to a vast array of web-based
services managed by organizations large (mostly) and small. There
have been some non-IETF standard/spec activities that attempt to
address the widely-observed usability problem of people having too
damn many usernames/passwords to remember, as well as security
problems based on that stuff. Perhaps the main one is the
OASIS-published SAML standard, which specifies how to do web sign-on and
attribute exchange. A somewhat similar activity is WS-Federation,
part of the WS-* spec set. These have been called "Identity 1.5"
because they permit some organizations to rely on other
organizations' identity management services, but the use cases
driving the designs are still organization-oriented.
So is there something missing in the above stuff, some new
requirements requiring new stuff, ie "Identity 2.0"? I think the
people who say there is are motivated by the huge number of new
things that have happened on the web in the last few years. The
center of this is the blogging phenomenon. Maybe 20 million people
are now blogging. They're doing other things like putting lots of
photos online at Flickr, keeping their bookmarks on del.icio.us,
tracking tags on technorati, and zillions of other examples. They
are composing these services in myriad ways to create new services.
In sociological terms they are creating online identities for
themselves that they feel much more attachment to than their
organizational account, even their "my.foo.com" page at one of the
traditional portal sites. In Identity 1.0 terms they are all
becoming, or have an interest in becoming, both service providers and
identity providers, that is, they have an interest in protecting
their resources (in the canonical case of reducing blog spam), and in
leveraging their personal info to their millions of peers.
So now in addition to the tens or hundreds of thousands of
institutions with identity interest, there are tens of millions of
individuals. Many people are trying to figure out what they need and
respond to it. The SXIP technology is one among those, others are
OpenID, LID, Passel, and no doubt many others. For the most part
these approaches reject traditional identity management protocols and
systems; whether they should or should not is one of the big
questions. A key point is that the individual interest in identity
is much more about expression, ie ease of sharing and discovery, than
it is in control (ie, fancy security). Another key point is
individual control, the same sort of control people feel over their
personal domain name and its site, or their blog. Even people who
aren't radically anti-corporate like to feel in charge of their own
stuff.
That's all I have time for now ...
- RL "Bob"
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix