Roy T. Fielding wrote:
On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:

it sounds like the IETF would not be interested in standardizing a protocol above the HTTP layer. Rather, they are looking at a 2-3 year process to modify something like TLS to support authentication. Then once that is complete, it is possible using the same assertion format to provide a solution above the HTTP layer with the appropriate security considerations documented. While this path certainly isn't set in stone, it seems to be the direction the WAE BOF is going.

I am sure that is what some people in the IETF think they are doing.
The IETF itself does no such thing -- it is just a bunch of mailing lists
with a social hierarchy nudging from the top.  In general, the security
work within the IETF has failed miserably in every respect, especially
in regards to HTTP, and I would encourage you to focus on finding solutions
to actual problems instead of mythical frameworks that apply to every
problem but don't actually solve any of them.

Also, be aware that there are fuzzy lines between the IETF and W3C that are
generally well respected and well recognized, and it's the fuzziness in the
middle that causes issues on occasion.

The OpenID community is not interested in circumventing the formal standards process. I can say with my VeriSign hat on that we're also interested in a lower level solution, but the community sees the need for something like OpenID today.

That's because OpenID solves a problem.  Technology should be implemented
first and standardized later.  Phill Hallam-Baker can tell you how many
times people have tried to solve a simple security problem in the IETF
and been stymied by the "it doesn't solve everyone's problem" silliness.
You can learn from the discussion, but don't pay any attention
to claims that the IETF working group process is any more "standardized"
than collaborative development at Apache.

And to elaborate Roy's point, Apache creates many reference implementations.
Sometimes we implement the specification.  Other times we build one specific
implementation, and then seek ratification in the form of a standard.  We seem
to have been more obsessed with the former, and not paying enough attention
to the latter.

One thing that bothers me is that there is a very small handful of ASF people
(committers and members) participating in standards efforts.  Once you have
created the implementation of something novel, there are people in both the
IETF and W3C spheres who would gladly help you to understand their specific
processes of authoring a standards document, and navigating the standardization
process.

bill

