[dix] thoughts on "identity" and IETF
"RL 'Bob' Morgan" <rlmorgan@washington.edu> Wed, 09 November 2005 23:04 UTC
Date: Wed, 09 Nov 2005 15:05:14 -0800
From: RL 'Bob' Morgan <rlmorgan@washington.edu>
To: IETF DIX list <dix@ietf.org>
Message-ID: <Pine.LNX.4.63.0511091415480.16872@perf.cac.washington.edu>
Subject: [dix] thoughts on "identity" and IETF
I have been somewhat involved in recent discussions regarding "identity" (see http://www.identitygang.org/ and a zillion other blogs and links), as well as a long-time IETF participant, so let me toss out a brief personal view of what's going on here in hopes it may provide context useful for some folks. Let me say up front that I don't necessarily agree with all the positions I describe below, but am trying to express what many people are saying and thinking.

Many protocols developed in the IETF have served the needs of what Dick Hardt calls "Identity 1.0", which might be characterized less flamboyantly as "enterprise identity management". This term includes several rather different technologies and processes, all in support of the ability for the owners of services to control who does what with their computing resources. I use the word "enterprise" above intentionally, to reflect the fact that traditionally the parties with interest and ability to control access to resources have been organizations, usually large ones. So, for example, the domain of use of the IETF's LDAP protocol is large directories containing entries for many users, operated by IT staff in organizations that have an interest in the users whose info is in those entries, and the applications that use those directories. The domain of use of the IETF's Kerberos protocol is similarly organizations with an interest in secure authentication to a set of apps relying on an organizational KDC. Similar broad-brush characterizations could be made of PKIX, TLS, SASL, features like HTTP Basic/Digest authentication, and probably other protocols and features.

Note that the scope of "identity" here includes several things. One is maintenance of information about a person (or other entity), including not just userid and password but potentially lots of other information relevant to authorization, contact, and perhaps other purposes. Another is authentication, i.e., how a service knows "the identity" of a client. Another is exchange of identity information between parties, both at authentication time and at other times.

Out in the world most people's experience of the Internet is of course the Web, and most people's experience of "Identity 1.0" has been via account setup and login to a vast array of web-based services managed by organizations large (mostly) and small. There have been some non-IETF standard/spec activities that attempt to address the widely-observed usability problem of people having too damn many usernames/passwords to remember, as well as security problems based on that stuff. Perhaps the main one is the OASIS-published SAML standard, which specifies how to do web sign-on and attribute exchange. A somewhat similar activity is WS-Federation, part of the WS-* spec set. These have been called "Identity 1.5" because they permit some organizations to rely on other organizations' identity management services, but the use cases driving the designs are still organization-oriented.

So is there something missing in the above stuff, some new requirements requiring new stuff, i.e., "Identity 2.0"? I think the people who say there is are motivated by the huge number of new things that have happened on the web in the last few years. The center of this is the blogging phenomenon. Maybe 20 million people are now blogging. They're doing other things like putting lots of photos online at Flickr, keeping their bookmarks on del.icio.us, tracking tags on Technorati, and zillions of other examples. They are composing these services in myriad ways to create new services. In sociological terms they are creating online identities for themselves that they feel much more attachment to than their organizational account, even their "my.foo.com" page at one of the traditional portal sites.

In Identity 1.0 terms they are all becoming, or have an interest in becoming, both service providers and identity providers; that is, they have an interest in protecting their resources (in the canonical case of reducing blog spam), and in leveraging their personal info to their millions of peers. So now in addition to the tens or hundreds of thousands of institutions with identity interest, there are tens of millions of individuals.

Many people are trying to figure out what they need and respond to it. The SXIP technology is one among those; others are OpenID, LID, Passel, and no doubt many others. For the most part these approaches reject traditional identity management protocols and systems; whether they should or should not is one of the big questions.

A key point is that the individual interest in identity is much more about expression, i.e., ease of sharing and discovery, than it is in control (i.e., fancy security). Another key point is individual control, the same sort of control people feel over their personal domain name and its site, or their blog. Even people who aren't radically anti-corporate like to feel in charge of their own stuff.

That's all I have time for now ...

 - RL "Bob"