
RE: IETF 65 BOF Announcement: Digital Identity Exchange (DIX)

2006-02-13 10:03:30

From: Richard Shockey [mailto:richard(_at_)shockey(_dot_)us] 

Hallam-Baker, Phillip wrote:
Perhaps it is just me but I find the two assertions implicit/explicit in your messages to be incompatible:

1) That identity is a topic that the IETF has failed to do useful work on in the past

That is an unfair statement. 1. There is lots of useful work being done on Identity Management; it's just not being done at the IETF. We are not the only standards body on the planet.

Just to make clear, what I was objecting to was Dave's constant talking down of what is known about this and other subjects by others. I was certainly not endorsing his assertion, merely presenting an immanent critique of his argument.

I am pretty sick of the argument 'we do not understand this problem, we must be cautious, therefore it would be a big mistake not to do it my way'. The term 'we' really meaning 'you'.

I think that when you have a big problem you need to have people with a
big enough ego to solve it. People who see only pitfalls and problems
may provide useful input but nobody can solve a problem until they
understand it.


Are you familiar with the existent SIP SAML work?

Not really, but I am familiar with SAML having been the first editor of
the core spec. I don't claim exclusive insight into SAML but I think I
can fairly claim some knowledge of the subject.

I think that one aspect of the DIX proposal has the potential to unlock
the whole field in the same way that the URL opened up the Web. Once you
decide that you are going to have one identifier for a person and the
semantics of that identifier are going to be uniform across the Internet
all the pieces of the existing federated auth designs that I have felt
are somewhat disconnected and 'squishy' become clear.


The question continues to be what areas _could_ or _should_ the IETF make a useful contribution on and how does that relate, if at all, to the existing body of work on SAML and Liberty's Federated Identity Management work. I have some suspicion that W3C is also looking at this area.

Actually several of the people in this thread are on the organizing
committee of the W3C workshop. That is not necessarily going to overlap,
we have to see.

Phishing is theft of credentials through a social engineering attack.
One solution to the problem is better outbound authentication mechanisms
(bank to customer) to defeat the social engineering attack. Another
solution is better inbound credentials (customer to bank) that are theft
proof.

I think that it is clear that both problems have to be addressed. It is
also clear that W3C is much better placed to address the user interface
related issues of outbound authentication. The IETF as a rule avoids
that area. So that is an item I very much hope that W3C will take up.

The question of inbound credentials is not how to make the credentials
theft proof, plenty have solved that problem. The question is how to use
theft proof credentials in the existing Internet infrastructure. How to
make them snap into use.


This is not the problem that DIX is intended to solve but it is a
problem that DIX provides a solution for. Federate the authentication
scheme so that the identity holder chooses their own identity broker and
all things become clear and possible.

With DIX unified identifiers in place I can see how I could choose an
identity broker that supports a strong authentication scheme of my
choice (biometric, PKI, OTP) and use it with a range of sites without
each web site having to take special steps.

You were correct in an earlier post that the current work in Liberty has been oriented towards the enterprise single sign on problem, but that does not mean it cannot be generalized to the cross domain problem that is the focus of the current Liberty Federation work. As everyone knows, modern Identity management theory came out of the violent reaction to Microsoft's Passport proposal.

Violent? I don't recall any Microsoft offices being burnt down or
ransacked. Must have missed that bit.

I remain very cautious about reinventing the wheel here.

As one of the inventors of the wheel allegedly being reinvented I see
this more as an essential refinement on the wheel, the axle perhaps.


You incorrectly assume there are failures in this space. In fact there are several successes. I for one agree that the IETF has not looked correctly at Identity management in general, but I also strongly believe the IETF has ignored the significant body of existing work in the space.

As I said, I was annoyed at the argument 'we do not understand this, therefore the group must listen to us'.

My experience is that when someone says 'we do not understand this' what they really mean is 'you do not understand this you great ignorant oaf but I do and I am going to try to force you to admit the fact of your ignorant oafishness by forcing you to either agree with my statement or appear to be suffering from megalomania.'


Of course in the real world 95% of important stuff is done by people who are not concerned about appearing to be suffering from megalomania.

_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/ietf