[dix] thoughts on "identity" and IETF
I have been somewhat involved in recent discussions regarding "identity"
(see http://www.identitygang.org/ and a zillion other blogs and links), as
well as a long-time IETF participant, so let me toss out a brief personal
view of what's going on here in hopes it may provide context useful for
some folks.
Let me say up front that I don't necessarily agree with all the positions
I describe below, but am trying to express what many people are saying and
thinking.
Many protocols developed in the IETF have served the needs of what Dick
Hardt calls "Identity 1.0", which might be characterized less flamboyantly
as "enterprise identity management". This term includes several rather
different technologies and processes, all in support of the ability for
the owners of services to control who does what with their computing
resources. I use the word "enterprise" above intentionally, to reflect
the fact that traditionally the parties with interest and ability to
control access to resources have been organizations, usually large ones.
So, for example, the domain of use of the IETF's LDAP protocol is large
directories containing entries for many users, operated by IT staff in
organizations that have an interest in the users whose info is in those
entries, and the applications that use those directories. The domain of
use of the IETF's Kerberos protocol is similarly organizations with an
interest in secure authentication to a set of apps relying on an
organizational KDC. Similar broad-brush characterizations could be made
of PKIX, TLS, SASL, features like HTTP Basic/Digest authentication,
probably other protocols and features.
Note that the scope of "identity" here includes several things. One is
maintenance of information about a person (or other entity), including not
just userid and password but potentially lots of other information
relevant to authorization, contact, perhaps other purposes. Another is
authentication, i.e. how a service knows "the identity" of a client.
Another is exchange of identity information between parties, both at
authentication time and at other times.
Out in the world most people's experience of the Internet is of course the
Web, and most people's experience of "Identity 1.0" has been via account
setup and login to a vast array of web-based services managed by
organizations large (mostly) and small. There have been some non-IETF
standard/spec activities that attempt to address the widely-observed
usability problem of people having too damn many usernames/passwords to
remember, as well as security problems based on that stuff. Perhaps the
main one is the OASIS-published SAML standard, which specifies how to do
web sign-on and attribute exchange. A somewhat similar activity is
WS-Federation, part of the WS-* spec set. These have been called
"Identity 1.5" because they permit some organizations to rely on other
organizations' identity management services, but the use cases driving the
designs are still organization-oriented.
So is there something missing in the above stuff, some new requirements
requiring new stuff, i.e. "Identity 2.0"? I think the people who say there
is are motivated by the huge number of new things that have happened on
the web in the last few years. The center of this is the blogging
phenomenon. Maybe 20 million people are now blogging. They're doing
other things like putting lots of photos online at Flickr, keeping their
bookmarks on del.icio.us, tracking tags on technorati, and zillions of
other examples. They are composing these services in myriad ways to
create new services. In sociological terms they are creating online
identities for themselves that they feel much more attachment to than
their organizational account, even their "my.foo.com" page at one of the
traditional portal sites. In Identity 1.0 terms they are all becoming, or
have an interest in becoming, both service providers and identity
providers, that is, they have an interest in protecting their resources
(in the canonical case of reducing blog spam), and in leveraging their
personal info to their millions of peers.
So now in addition to the tens or hundreds of thousands of institutions
with identity interest, there are tens of millions of individuals. Many
people are trying to figure out what they need and respond to it. The
SXIP technology is one among those, others are OpenID, LID, Passel, and no
doubt many others. For the most part these approaches reject traditional
identity management protocols and systems; whether they should or should
not is one of the big questions. A key point is that the individual
interest in identity is much more about expression, i.e. ease of sharing and
discovery, than it is in control (i.e., fancy security). Another key point
is individual control, the same sort of control people feel over their
personal domain name and its site, or their blog. Even people who aren't
radically anti-corporate like to feel in charge of their own stuff.
That's all I have time for now ...
- RL "Bob"
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix