
RE: Oauth blog post

2012-07-29 23:11:31
From: Yaron Sheffer [yaronf(_dot_)ietf(_at_)gmail(_dot_)com]

[...] but what I'm reading is three concrete statements that IETF
members can respond to, and (if we accept them as true) consider how
to address in the future:

- A Web-focused protocol was forced to adopt enterprise use cases.
[...]

My first impulse is to say, yes, protocols that solve "enterprise"
problems are a lot more difficult than ones that solve individual-user
problems.  One that showed up in my field (SIP) was the concept of
"securely" identifying the party you have called.  If I normally call
John Smith at my bank to do business, and if John Smith is replaced at
his job by another person, and I call "John Smith at the bank", should
I authenticate that I am talking to John Smith, or should I
authenticate that I am talking to the person who holds the job at the
bank that John Smith used to have?

Tim Bray writes in an essay:

Enterpriseyness · One of Eran’s central gripes is the immense
difficulty of knitting "Enterprise" requirements into OAuth — or any
other standards work, for that matter. He’s right. The Web use cases
may not be easy to solve, but they’re easy to understand. [...]

On the other hand, whenever I get into a conversation with someone on
the Enterprise side, even when I think I understand the problem
domain, I lose the plot, and fast. The requirements these people claim
to have around both authentication and authorization are so arcane and
subtle and legacy-laden that you have to be a full-time professional
to even understand them.

Which reminds me that large organizations have the problem that every
new activity is necessarily a small change on a monstrous base of
current systems, and has to work harmoniously with them.  As someone
once observed:

The reason God could create the Universe in six days is that He didn't
have to make it upward compatible.

Dale
