Yes, my mistake about Lisa being a member. Someone earlier in the week told me that she was and I never double checked that, no harm intended. Agreed, using "the IETF" to represent the community that makes it up. Certainly the predicted direction today can easily change and it will be very interesting to see what is said at the WAE BOF and what sort of charter a working group gets, if one is even chartered at this time. Also agreed, while the community has never claimed OpenID to be perfect or to solve 100% of the problems, it is technology that can be deployed today and is useful in solving many people's problems. --David
________________________________
From: Roy T. Fielding [mailto:[EMAIL PROTECTED]]
Sent: Thu 6/29/2006 4:20 PM
To: general@incubator.apache.org
Subject: Re: [PROPOSAL] Heraldry Identity Project

On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:

> For the last IETF meeting, Dick Hardt of Sxip had created a mailing
> list called DIX (http://dixs.org) and had a BOF
> under the same name. It was focused on the Sxip 2.0 protocol as a
> way to move authentication and profile assertions. Sxip 2.0 is also
> based upon OpenID 1.1 at a protocol level. During the BOF it was
> clear that there was not consensus that the technology Dick was
> proposing would meet the needs of everyone at the IETF, nor did
> everyone really understand the problem they were trying to solve.
>
> After the BOF, Sxip documented a set of use cases as well as began
> investigating the use of SAML assertions for exchanging profile
> data. Their goal was to create a light-weight version of a SAML
> profile, though took it to the extreme that the current DIX
> proposal is not SAML compliant. For this upcoming IETF meeting in
> July, two BOF requests were received, one from DIX and one from
> Sam Hartman called WARP. They have both been merged into a new BOF
> called WAE (Web Authentication Enhancement) chaired by Pete Resnick.
>
> In talking with Lisa Dusseault, ASF member and IETF Applications
> Area Director,

Lisa is not an ASF member.

> it sounds like the IETF would not be interested in standardizing a
> protocol above the HTTP layer. Rather, they are looking at a 2-3
> year process to modify something like TLS to support
> authentication. Then once that is complete, it is possible using
> the same assertion format to provide a solution above the HTTP
> layer with the appropriate security considerations documented.
> While this path certainly isn't set in stone, it seems to be the
> direction the WAE BOF is going.

I am sure that is what some people in the IETF think they are doing.
The IETF itself does no such thing -- it is just a bunch of mailing
lists with a social hierarchy nudging from the top. In general, the
security work within the IETF has failed miserably in every respect,
especially in regards to HTTP, and I would encourage you to focus on
finding solutions to actual problems instead of mythical frameworks
that apply to every problem but don't actually solve any of them.

> The OpenID community is not interested in circumventing the formal
> standards process, I can say with my VeriSign hat on that we're
> also interested in a lower level solution, but the community sees
> the need for something like OpenID today.

That's because OpenID solves a problem. Technology should be
implemented first and standardized later. Phill Hallam-Baker can tell
you how many times people have tried to solve a simple security problem
in the IETF and been stymied by the "it doesn't solve everyone's
problem" silliness. You can learn from the discussion, but don't pay
any attention to claims that the IETF working group process is any
more "standardized" than collaborative development at Apache.

....Roy

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]