Report from Digital Identity Exchange (DIX) BOF

Disclaimer: I was only there for the first 90 minutes of the meeting
because I was in AVT for the last bit.

Summary: Highly confused.

It's not entirely clear what this is about, but I'm going to explain
what I think this is about. Obviously, people are constantly having to
authenticate themselves to a variety of services. It's obviously
attractive to avoid having pairwise authentication credentials between
each user/service pair. We already have a bunch of "single signon"
protocols which are designed to let you do this. The classic example
is Kerberos. Most successful versions of these protocols really only
work well in an enterprise setting, rather than in settings where the
communicating parties are distributed over different enterprises.

A related issue is that the claims that people want to make to
services often involve information other than identity. A common
example of this is wanting to establish that you're over 21.
Currently, the systems we have for establishing this type of claim in
the Internet setting are clumsy at best. (cf.  Age Verification
Systems where you use your credit card to "establish" that you're over

These two desires have created a lot of interest in Internet-scale
single signon-type services. The idea here is that you establish a
relationship with some authentication provider and then you can
somehow authenticate once to that authentication provider and then
they somehow assist you in authenticating to the services you want to
use. I'm being deliberately vague here because there are a zillion
ways of doing this, ranging from them issuing a certificate, being
involved in your connection, etc. There are a bunch of
technologies/players in this space. Keywords here are Passport, SAML,
Infocard, ... There's a sense that a lot of people have that
deployment of these systems has been less than would be desirable, but
the field is quite crowded.

The motivating factor for this BOF is that Sxip Identity has a
particular protocol which does some of this stuff
(draft-merrels-dix-01) and they want it considered in IETF.  There's
also been a bunch of other initiatives to discuss this stuff (see, for
instance Kim Cameron's "Laws of Identity").

The BOF itself was a mess. The BOF organizers seemed mostly 
unable to answer the following key questions:

   1. What are you trying to accomplish?
   2. What's wrong with the current approaches people are
      trying on this front?

That makes it pretty hard to discuss the technical details of
the BOF. In particular, the question of whether or not the
identity provider/authentication service is able to assert
"real-world" claims like (over 21) was never really adequately
addressed. Several attempts by Crocker, Lear, and myself to
get clarity on the objectives were unsuccessful.

The really big elephant in the room is the existing identity
management systems. It's entirely possible that these are
inadequate, but without understanding what the objective is,
it's hard to know whether that's true or not. 

Nowhere near ready for charter.