On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:

For the last IETF meeting, Dick Hardt of Sxip had created a mailing list called DIX (http://dixs.org/) and had a BOF under the same name. It was focused on the Sxip 2.0 protocol as a way to move authentication and profile assertions. Sxip 2.0 is also based upon OpenID 1.1 at a protocol level. During the BOF it was clear that there was not consensus that the technology Dick was proposing would meet the needs of everyone at the IETF, nor did everyone really understand the problem they were trying to solve.

After the BOF, Sxip documented a set of use cases and began investigating the use of SAML assertions for exchanging profile data. Their goal was to create a light-weight version of a SAML profile, though they took it to the extreme that the current DIX proposal is not SAML compliant. For this upcoming IETF meeting in July, two BOF requests were received, one from DIX and one from Sam Hartman called WARP. They have both been merged into a new BOF called WAE (Web Authentication Enhancement) chaired by Pete Resnick.

In talking with Lisa Dusseault, ASF member and IETF Applications Area Director,

Lisa is not an ASF member.

it sounds like the IETF would not be interested in standardizing a protocol above the HTTP layer. Rather, they are looking at a 2-3 year process to modify something like TLS to support authentication. Then once that is complete, it is possible using the same assertion format to provide a solution above the HTTP layer with the appropriate security considerations documented. While this path certainly isn't set in stone, it seems to be the direction the WAE BOF is going.

I am sure that is what some people in the IETF think they are doing.
The IETF itself does no such thing -- it is just a bunch of mailing lists
with a social hierarchy nudging from the top.  In general, the security
work within the IETF has failed miserably in every respect, especially
in regards to HTTP, and I would encourage you to focus on finding solutions
to actual problems instead of mythical frameworks that apply to every
problem but don't actually solve any of them.

The OpenID community is not interested in circumventing the formal standards process. I can say, with my VeriSign hat on, that we're also interested in a lower-level solution, but the community sees the need for something like OpenID today.

That's because OpenID solves a problem. Technology should be implemented
first and standardized later.  Phill Hallam-Baker can tell you how many
times people have tried to solve a simple security problem in the IETF
and been stymied by the "it doesn't solve everyone's problem" silliness.
You can learn from the discussion, but don't pay any attention
to claims that the IETF working group process is any more "standardized"
than collaborative development at Apache.

....Roy
