incubator-general mailing list archives

From "Roy T. Fielding" <>
Subject Re: [PROPOSAL] Heraldry Identity Project
Date Thu, 29 Jun 2006 23:20:35 GMT
On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:

> For the last IETF meeting, Dick Hardt of Sxip had created a mailing  
> list called DIX ( <> ) and had a BOF  
> under the same name. It was focused on the Sxip 2.0 protocol as a  
> way to move authentication and profile assertions. Sxip 2.0 is also  
> based upon OpenID 1.1 at a protocol level. During the BOF it was  
> clear that there was not consensus that the technology Dick was  
> proposing would meet the needs of everyone at the IETF, nor did  
> everyone really understand the problem they were trying to solve.
> After the BOF, Sxip documented a set of use cases as well as began  
> investigating the use of SAML assertions for exchanging profile  
> data. Their goal was to create a light-weight version of a SAML  
> profile, though took it to the extreme that the current DIX  
> proposal is not SAML compliant. For this upcoming IETF meeting in  
> July, two BOF requests were received, one from DIX and one from  
> Sam Hartman called WARP. They have both been merged into a new BOF  
> called WAE (Web Authentication Enhancement) chaired by Pete Resnick.
> In talking with Lisa Dusseault, ASF member and IETF Applications  
> Area Director,

Lisa is not an ASF member.

> it sounds like the IETF would not be interested in standardizing a  
> protocol above the HTTP layer. Rather, they are looking at a 2-3  
> year process to modify something like TLS to support  
> authentication. Then once that is complete, it is possible using  
> the same assertion format to provide a solution above the HTTP  
> layer with the appropriate security considerations documented.  
> While this path certainly isn't set in stone, it seems to be the  
> direction the WAE BOF is going.

I am sure that is what some people in the IETF think they are doing.
The IETF itself does no such thing -- it is just a bunch of mailing lists  
with a social hierarchy nudging from the top.  In general, the security
work within the IETF has failed miserably in every respect, especially
in regards to HTTP, and I would encourage you to focus on finding solutions  
to actual problems instead of mythical frameworks that apply to every
problem but don't actually solve any of them.

> The OpenID community is not interested in circumventing the formal  
> standards process, I can say with my VeriSign hat on that we're  
> also interested in a lower level solution, but the community sees  
> the need for something like OpenID today.

That's because OpenID solves a problem.  Technology should be developed  
first and standardized later.  Phill Hallam-Baker can tell you how many
times people have tried to solve a simple security problem in the IETF
and been stymied by the "it doesn't solve everyone's problem" silliness.
You can learn from the discussion, but don't pay any attention
to claims that the IETF working group process is any more "standardized"
than collaborative development at Apache.

