Hi all, A while back we received a liaison statement from ITU-T's Joint Coordination Activity for Identity Management (JCA-IdM), inquiring about current identity management standards in IETF and our roadmaps for future work. The liaison statement is available here: https://datatracker.ietf.org/documents/LIAISON/file654.doc While we don't usually maintain roadmap PowerPoints in IETF, and the term "identity management" is rarely used in RFCs, many IETF technologies have important roles when it comes to managing identities. Thus, some kind of response is probably warranted. Tim and I have started preparing a response, briefly listing some IETF technologies that are somehow related to identity management. The list is not intended to cover everything IETF has done (preparing such a list is unlikely to be a good use of IETF's resources). The current draft text is included below. If you have any comments, or are interested in contributing to the liaison statement text, please send email to Tim and me within two weeks. Best regards, Pasi & Tim -------------- The Internet Engineering Task Force (IETF) Security Area would like to thank ITU-T Joint Coordination Activity for Identity Management for the opportunity to provide information about IETF's identity management activities. The IETF has developed or is currently developing a number of standards dealing with how entities (including humans, hosts, routers, and so on) are identified, how those identities are authenticated, and how they're used for, e.g., access control and other purposes. These standards may be used to establish, authenticate, and leverage identity information at various network layers in Internet protocols and applications. The IETF does not maintain roadmaps covering past and future work for identity management specifically, but we believe at least the following work may be of interest to ITU-T JCA-IdM: * Transport Layer Security (TLS), HTTP authentication mechanisms, and HTTP cookies provide a foundation for authenticating servers and users on the web. * DNS Security (DNSSEC) provides data origin authentication and data integrity for DNS names, which are often used as host identities, and included in typical user identities such as email addresses and SIP URIs. * DomainKeys Identified Mail (DKIM) provides an authenticated identity who claims responsibility for a message, assisting in control of spam and phishing. * S/MIME and OpenPGP provide end-to-end authentication of email sender identities. * Internet X.509 Public Key Infrastructure (PKIX) certificate profiles and protocols provide basis for managing identities and authorizations with a public key infrastructure. * Lightweight Directory Access Protocol (LDAP), Remote Authentication Dial In User Service (RADIUS), and Diameter are used to access directories and authentication/authorization/accounting (AAA) servers, facilitating single sign-on and centralized management of identity and authorization information. * Simple Authentication and Security Layer (SASL) framework and mechanisms, Kerberos, and Generic Security Service Application Program Interface (GSS-API) framework and mechanisms are used to authenticate users in number of protocols, ranging from IMAP and XMPP/Jabber to NFS and SMB/CIFS. Kerberos is also used to facilitate single sign-on especially in enterprise environments. * Extensible Authentication Protocol (EAP) framework and authentication methods are used to authenticate users in, for example, wireless networks such as Wi-Fi and WiMAX. * Session Identity Protocol (SIP) authentication and identity mechanisms can bw applied to a broad variety of applications, including voice, conferencing, and messaging. * Open Authentication Protocol (OAUTH) leverages identity information to permit a user to grant a third-party access to their resources, without sharing or revealing their credentials. * Dynamic Symmetric Key Provisioning Protocol (DSKPP) deals with how symmetric key based authentication credentials are provisioned (and connected with an existing identity), especially in the context of one-time password tokens. The IETF also leverages identity credentials across network layers using channel bindings, as described in RFC 5056. With channel bindings, authentication results in the application layer are cryptographically bound to the security mechanisms provided at the session or transport layer. Several IETF protocols include support for channel bindings. -------------------
Note Well: Messages sent to this mailing list are the opinions of the senders and do not imply endorsement by the IETF.