Disclaimer: I was only there for the first 90 minutes of the meeting because I was in AVT for the last bit.

Summary: Highly confused.

BACKGROUND

It's not entirely clear what this is about, but I'm going to explain what I think this is about.

Obviously, people are constantly having to authenticate themselves to a variety of services. It's obviously attractive to avoid having pairwise authentication credentials between each user/service pair. We already have a bunch of "single sign-on" protocols which are designed to let you do this. The classic example is Kerberos. Most successful versions of these protocols really only work well in an enterprise setting, rather than in settings where the communicating parties are distributed over different enterprises.

A related issue is that the claims that people want to make to services often involve information other than identity. A common example of this is wanting to establish that you're over 21. Currently, the systems we have for establishing this type of claim in the Internet setting are clumsy at best (cf. Age Verification Systems, where you use your credit card to "establish" that you're over 21).

These two desires have created a lot of interest in Internet-scale single sign-on-type services. The idea here is that you establish a relationship with some authentication provider; you can then somehow authenticate once to that authentication provider, and they somehow assist you in authenticating to the services you want to use. I'm being deliberately vague here because there are a zillion ways of doing this, ranging from them issuing a certificate, being involved in your connection, etc. There are a bunch of technologies/players in this space. Keywords here are Passport, SAML, Infocard, ... There's a sense that a lot of people have that deployment of these systems has been less than would be desirable, but the field is quite crowded.

The motivating factor for this BOF is that Sxip Identity has a particular protocol which does some of this stuff (draft-merrels-dix-01) and they want it considered in IETF. There have also been a bunch of other initiatives to discuss this stuff (see, for instance, Kim Cameron's "Laws of Identity").

THE BOF

The BOF itself was a mess. The BOF organizers seemed mostly unable to answer the following key questions:

1. What are you trying to accomplish?
2. What's wrong with the current approaches people are trying on this front?

That makes it pretty hard to discuss the technical details of the BOF. In particular, the question of whether or not the identity provider/authentication service is able to assert "real-world" claims (like being over 21) was never really adequately addressed. Several attempts by Crocker, Lear, and myself to get clarity on the objectives were unsuccessful.

The really big elephant in the room is the existing identity management systems. It's entirely possible that these are inadequate, but without understanding what the objective is, it's hard to know whether that's true or not.

BOTTOM LINE

Nowhere near ready for charter.