On 27-Feb-06, at 8:57 AM, Hallam-Baker, Phillip wrote:
> I think that DIX is doing something different but it can certainly be
> something complementary. I would like DIX to reuse components from SAML
> and WS-* wherever that makes sense.
I agree.
> If DIX is going to be used with attributes supplied by trusted third
> parties then DIX code is going to have to accept attributes in the
> form(s) supported by the commercial TTPs. At this point the only formats
> that I am aware of that commercial TTPs support or are planning to
> support are X.509v3 certificates and SAML assertions.
Also agree.
> Given where we are starting from I think that the most likely response
> from the IESG here is going to be 'go write a requirements document';
> it is certainly what I would request if I was making the decision and
> was not otherwise involved.
Sure, the draft charter includes a milestone for a use-case draft, which I think serves as requirements.
> I think that there are clear justifications for certain DIX
> innovations:
>
> * The SAML assertion format is designed to support signed assertions
> using XML Signature. The overhead required is certainly justified when
> dealing with TTP assertions where the attributes are trusted and must
> be trustworthy.
Yes.
> URI form encoding is much simpler and easier to manage and equally
> useful when the data is originally self asserted.
Yes.
> * The use of a uniform identifier for identity is a key architectural
> innovation. SAML supports the use of a uniform identifier but there is a
> huge difference between support for a feature and designing a system
> around a feature.
Yes.
> When WS-* was first introduced people were determined to see a
> competition between the two. Today most people agree that there is a
> need for different approaches for different applications. WS-* is
> essentially a no-compromises system designed to provide the best
> possible security infrastructure for Web Services. It can also be used
> for other purposes and used standalone but the architecture does not
> make concessions that are designed to encourage early adoption for that
> application.
The environment for WS-* seems different. Economically it's a two party platform... the desktop and the server... but Microsoft can leverage its installed base and development tools to make sure it's at both ends everywhere.
> The objective here is to establish an open identity system for the
> Internet. DIX, SAML, WS-* are merely means to that end. I am quite happy
> if it turns out that the output of DIX turns out to be a protocol that
> is mostly used as a transitional technology; a scaffolding that allows
> the more ambitious schemes to be built more quickly.
Me too, and I think that dmd0 reflects that. All it really does is some discovery and then the movement of a blob between two parties.
John
_______________________________________________
dix mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/dix