Re: [dix] thoughts on "identity" and IETF
Hi Bob, thanks for the context.
RL 'Bob' Morgan wrote:
> In sociological terms they are creating
> online identities for themselves that they feel much more attachment to
> than their organizational account, even their "my.foo.com" page at one
> of the traditional portal sites. In Identity 1.0 terms they are all
> becoming, or have an interest in becoming, both service providers and
> identity providers, that is, they have an interest in protecting their
> resources (in the canonical case of reducing blog spam), and in
> leveraging their personal info to their millions of peers.

People are increasingly "amphibious" -- they've got one foot in the old
world of real-life identity and one foot in the new world of online
identity. As more identity moves online, we need to find ways to
express, share, manage, and control it. SAML uses the term "assertion"
and I think we're talking about the same kind of idea in a personal
context -- who gets to make assertions about who I am online? Perhaps
part of the frustration with existing identity systems is that they do
not put the individual in control (no fault of the existing identity
systems, since as you point out individuals didn't have online
identities back then).

> So now in addition to the tens or hundreds of thousands of institutions
> with identity interest, there are tens of millions of individuals. Many
> people are trying to figure out what they need and respond to it. The
> SXIP technology is one among those, others are OpenID, LID, Passel, and
> no doubt many others. For the most part these approaches reject
> traditional identity management protocols and systems; whether they
> should or should not is one of the big questions.

Well, probably much could be done with the existing public key
infrastructure, but I note with sadness that very few people even on
IETF lists digitally sign their emails. If even the hardcore bit-heads
aren't using PKI, why should we expect anyone else to?

> A key point is that
> the individual interest in identity is much more about expression, ie
> ease of sharing and discovery, than it is in control (ie, fancy
> security). Another key point is individual control, the same sort of
> control people feel over their personal domain name and its site, or
> their blog. Even people who aren't radically anti-corporate like to
> feel in charge of their own stuff.

Yes, expressing your identity online, sharing it with others, managing
it, and controlling its canonical expressions are important parts of
what's happening. It seems to me that we need to really think about what
each of these entails. For example:

Part of expressing online identity may involve formulating a common
language or flexible structure for capturing such assertions (which is
already happening from the bottom up through Flickr, FOAF, tagging, and
the like).

Part of sharing online identity may involve figuring out how one can
assert ownership over the information one shares (what some are calling
"identity rights agreements", kind of a Creative Commons in reverse).

Part of managing online identity may involve improving on the existing,
informal process of registering with websites, known as "email based
identification and authentication" (EBIA).

Part of controlling online identity may involve explicitly tying
assertions to individuals (PKI again?) and treating individuals as the
canonical source of information about themselves (without implying that
others cannot make assertions about individuals, naturally).

These are all interesting topics. It's not clear to me what the IETF's
role is here. Do we have engineering tasks to complete yet? (If so,
which aspects are folks proposing to work on?) Are these more like
research topics for the IRTF? Does identity work even belong in the
IETF? I have opinions, but right now I'm just asking the questions.
Peter
--
Peter Saint-Andre
Jabber Software Foundation
http://www.jabber.org/people/stpeter.shtml
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________
dix mailing list
dix at ietf.org
https://www1.ietf.org/mailman/listinfo/dix
Note: Messages sent to this list are the opinions of the senders and do not imply endorsement by the IETF.