incubator-general mailing list archives

From "William A. Rowe, Jr." <>
Subject Re: [PROPOSAL] Heraldry Identity Project
Date Fri, 30 Jun 2006 01:58:15 GMT
Roy T. Fielding wrote:
> On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:
>> it sounds like the IETF would not be interested in standardizing a 
>> protocol above the HTTP layer. Rather, they are looking at a 2-3 year 
>> process to modify something like TLS to support authentication. Then 
>> once that is complete, it is possible using the same assertion format 
>> to provide a solution above the HTTP layer with the appropriate 
>> security considerations documented. While this path certainly isn't 
>> set in stone, it seems to be the direction the WAE BOF is going.
> I am sure that is what some people in the IETF think they are doing.
> The IETF itself does no such thing -- it is just a bunch of mailing lists
> with a social hierarchy nudging from the top.  In general, the security
> work within the IETF has failed miserably in every respect, especially
> in regards to HTTP, and I would encourage you to focus on finding solutions
> to actual problems instead of mythical frameworks that apply to every
> problem but don't actually solve any of them.

Also, be aware that there are fuzzy lines between the IETF and W3C that are
generally well respected and well recognized, and it's the fuzziness in the
middle that causes issues on occasion.

>> The OpenID community is not interested in circumventing the formal 
>> standards process, I can say with my VeriSign hat on that we're also 
>> interested in a lower level solution, but the community sees the need 
>> for something like OpenID today.
> That's because OpenID solves a problem.  Technology should be implemented
> first and standardized later.  Phill Hallam-Baker can tell you how many
> times people have tried to solve a simple security problem in the IETF
> and been stymied by the "it doesn't solve everyone's problem" silliness.
> You can learn from the discussion, but don't pay any attention
> to claims that the IETF working group process is any more "standardized"
> than collaborative development at Apache.

And to elaborate Roy's point, Apache creates many reference implementations.
Sometimes we implement the specification.  Other times we build one specific
implementation, and then seek ratification in the form of a standard.  We seem
to have been more obsessed with the former, and not paying enough attention
to the latter.

One thing that bothers me is that there is a very small handful of ASF people
(committers and members) participating in standards efforts.  Once you have
created the implementation of something novel, there are people in both the
IETF and W3C spheres who would gladly help you to understand their specific
processes of authoring a standards document, and navigating the standardization

