Posted to general@incubator.apache.org by "Recordon, David" <dr...@verisign.com> on 2006/06/19 13:04:16 UTC

[PROPOSAL] Heraldry Identity Project

Proposal
------------------
This is a proposal to create a project within the Apache Software
Foundation to develop technologies around the emerging user-centric
identity space.

The project would start with Yadis [1] for URL/XRI-based service
discovery, OpenID [2] for web based single-sign-on and the basis of
exchanging profile data, and to create a desktop component with a
standard look and feel, ideally working with the Open Source Identity
Selector (OSIS) [3] project.  We are currently working with those
involved in the OSIS project to determine if it would be possible, and
they willing, to integrate their effort as a part of this one.  If not,
we still see the value of having a desktop component of this
infrastructure.  The project would be tasked with the further
development of these technologies as well as creating a bridge between
the light-weight URL/XRI based identity technologies and the desktop.

Yadis is currently being standardized within OASIS as part of the XRI
effort, OpenID has emerged as a de-facto specification, and OSIS does
not depend on a specification although the further development of its
architecture document would ideally be part of this project.


Rationale
------------------
While identity systems such as X.509 have existed for many years, and
more recently SAML and the Liberty Alliance framework, only within the
past two years has there been a true emergence of user-centric
technologies.  Pursuant to Kim Cameron's laws of identity, technologies
such as LID, Yadis, OpenID, and Sxip were defined to put control of a
person's digital identity back into their own hands.

Both Yadis and OpenID have reached a point where they have millions of
users and a strong community backing.  On May 28th 2006, Brion Vibber of
Wikimedia announced in a Google Tech Talk that Wikipedia would support
both of them within the following month.  This sort of broad adoption
and traction has not been seen with other technologies of this kind in
this space.

By bringing these technologies and ideally the OSIS effort to one place,
these communities will have a place to fully converge and continue the
development of interoperable implementations.  Additionally, by not just
focusing on light-weight URL/XRI based identity systems, ASF will be
able to provide a foundation where a person can use one or more digital
identities consistently across blogs, eCommerce sites, and portals as
well as even high-risk transactions via their desktop computer.

Currently Apache does not offer any project such as the one being
proposed.  Integration with projects such as Lenya would definitely be
encouraged.

Initial Goals
------------------
 - Expansion of Yadis and OpenID libraries into additional languages
beyond the existing Python, Ruby, Perl, and PHP libraries
 - OpenID authentication specification revision to fix known security
considerations, investigate compatibility with the DIX IETF proposal,
describe Yadis integration, and allow either a URL or XRI to be used as
the End User's Identifier
 - Continue the development of a data transfer protocol on top of OpenID
to allow the exchange of profile data as well as other secure messages
 - Investigate existing mechanisms for profile exchange, namely Sxip 2.0
and SAML, and investigate how they would be layered atop OpenID
 - Development of an identity selector for Windows, OS X, and Gnome/KDE
including interoperability with Yadis/OpenID
 - Extension of OpenID to support non-browser based authentication use
cases, i.e., authentication to a Subversion server using your OpenID
Identity without modifying the svn client-side tool

Known Risks
------------------
Commercial Interest
 - Many companies are currently working to build businesses supported on
top of these technologies.  As part of the code contributions, VeriSign
will contribute source to their Personal Identity Provider to provide a
complete base with both libraries and a sample application.  VeriSign
intends to continue development of the PIP and to contribute it within
ASF, although it hopes others will contribute to it as well.

Licensing, Patents, Miscellaneous Legal
 - The OSIS community currently works with Microsoft to have a covenant
not to sue around the InfoCard identity selector look-and-feel
 - We are still in the process of discussing with the OSIS community if
they would be involved in this project

Criteria and Warning Signs
------------------
This proposal is not the result of an orphaned or abandoned project, but
is the result of the continued emergence of a strong community around
these technologies.  Many of the initial contributors have a strong tie
to the Open Source community and do not rely on their salaried position
to continue contributing code.

The OpenID and Yadis communities have both been built on a foundation of
meritocracy with open discussions to shape the technologies.  The
initial committers certainly see the value in the Apache brand and
believe the emerging community will benefit from further widespread
collaboration as well as give the existing developer community a place
to converge and create a community that will outlive the founders.


Initial Source
------------------
OpenID has been in development since the summer of 2005.  It currently
has an active community (over 15 million enabled accounts) and libraries
in a variety of languages.  Additionally it is supported by
LiveJournal.com and is continuing to gain traction in the Open Source
Community.

Yadis has been in development since late 2005 and the specification has
not changed since early 2006.  Like OpenID, it has libraries in various
languages and there is a large overlap between the two communities.  The
specification is currently being incorporated in the XRI Resolution
Working Draft of the OASIS XRI TC (which operates under a 100%
royalty-free IPR mode as detailed in the XRI TC charter at
http://www.oasis-open.org/committees/xri/charter.php.)

OSIS is a project committed to the development and distribution of
non-Microsoft implementations of Microsoft's "InfoCard" technology. OSIS
stands for "Open Source Identity Selector", and is a collection of
interested parties including but not limited to: Red Hat, Novell, IBM,
VeriSign, XDI and of course Microsoft. The goal of the community is to
develop a common, open source code base and software practice for
implementing "InfoCard" technology on disparate operating platforms
(Mac, Gnome, KDE, PalmOS and others) as a means of providing a uniform
user experience in choosing, managing and deploying identity resources
for internet users.


Source and Intellectual Property Submission Plan
------------------
Initial Submissions
 - The OpenID specification and content on openid.net from Brad
Fitzpatrick of Six Apart, Ltd. and David Recordon of VeriSign, Inc.
 - The domains openid.net and yadis.org from Brad Fitzpatrick of Six
Apart, Ltd. and Johannes Ernst of NetMesh, Inc.
 - OpenID libraries in Python, Ruby, Perl, PHP, and C# from JanRain,
Inc.
 - Yadis libraries in Python, Ruby, Perl, and PHP from JanRain, Inc.
 - OpenID and Yadis test suites from JanRain, Inc.
 - OpenID libraries in Perl from Brad Fitzpatrick of Six Apart, Ltd.
 - OpenID Consumer Ruby on Rails plugin from VeriSign, Inc. and
EastMedia Group.
 - PHP based OpenID Identity Provider from JanRain, Inc.
 - Patch to enable OpenID and LID support in MediaWiki from NetMesh
 - Yadis conformance test suite from NetMesh and VeriSign, Inc.

We will also be soliciting contributions of further plugins and patches
to various pieces of Open Source software.

Additional Submissions
 - Source of the Personal Identity Provider from VeriSign, Inc. and
EastMedia Group, Inc. ideally by August 1st, 2006.
 - XML DSIG libraries in Perl, PHP, Python, and Ruby from VeriSign, Inc.
and Sxip Identity, Corp. in mid-July, 2006.  We realize that it may make
more sense to contribute these libraries to a different ASF project such
as the TSIK subproject of Apache Web Services.


Resources
------------------
We foresee only standard Apache developer resources to be created.

Mailing lists:
 - heraldry-dev
 - heraldry-commits
 - heraldry-user

Subversion repository:
https://svn.apache.org/repos/asf/incubator/heraldry
Over time, it may be worthwhile to split the project into multiple
repositories to make branching/tagging easier while developing plugins,
libraries, and full applications.

Jira project


Documentation
------------------
[1] Information on Yadis can be found at:
http://yadis.org
http://www.openidenabled.com

[2] Information on OpenID can be found at:
http://www.openid.net
http://www.openidenabled.com

The mailing list for both OpenID and Yadis is located at:
http://lists.danga.com/mailman/listinfo/yadis

[3] The OSIS mailing lists are located at:
http://mailman.netmesh.us/pipermail/osis-general/
http://mailman.netmesh.us/pipermail/osis-dev/

The OpenXRI mailing lists are located at:
http://mail.idcommons.net/mailman/listinfo/openxri

Initial Committers 
------------------
David Recordon (drecordon@verisign.com)
Andy Dale (andy.dale@ootao.com)
Brad Fitzpatrick (bradfitz@sixapart.com)
Brian Ellin (brian@janrain.com)
Dan Lyke (danlyke@flutterby.com)
Dan Quelhorst (dan@abtain.com)
Drummond Reed (drummond.reed@cordance.net)
Johannes Ernst (jernst@netmesh.us)
Jonathan Daugherty (cygnus@janrain.com)
Josh Hoyt (josh@janrain.com)
Les Chasen (les.chasen@neustar.biz)
Matt Pelletier (matt@eastmedia.com)
Michael Graves (mgraves@verisign.com)
Paul Trevithick (paul@parityinc.net)
Steve Churchill (steven.churchill@ootao.com)
Trotter Cashion (cashion@gmail.com)
Wil Tan (william.tan@neustar.biz)


Apache Sponsor
------------------
We respectfully request that The Board of the Apache Software Foundation
sponsor this project.


Apache Champion
------------------
Ben Laurie (benl@google.com) - Champion


Contact
------------------
David Recordon, Innovator for Advanced Products and Research
VeriSign, Inc.
487 East Middlefield Road
M/S MV6-2-1
Mountain View, CA 94043

Email: drecordon@verisign.com
Phone: +1-650-426-4424

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org


Re: [PROPOSAL] Heraldry Identity Project

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On 6/19/06, Recordon, David <dr...@verisign.com> wrote:
> Apache Sponsor
> ------------------
> We respectfully request that The Board of the Apache Software Foundation
> sponsor this project.

Your proposal looks fine to me.

One minor comment though: the Incubator PMC should be the Sponsor, not
the Board.  After the Incubator PMC eventually approves this project
for graduation, the Board would approve this project as a TLP.  But, I
see no reason why the Board needs to be involved at this point - the
Incubator PMC is satisfactory for now.

Good luck!  -- justin



Re: [PROPOSAL] Heraldry Identity Project

Posted by Geir Magnusson Jr <ge...@pobox.com>.
With the additional request that when discussion is over and it comes
for a vote, a copy of what is being voted in be submitted in the email
calling for the vote.

geir


Paul Querna wrote:
> General Comments:
> Is it possible to put this proposal onto the wiki (
> http://wiki.apache.org/incubator/ ) for a stable url when there are
> updates/changes?
> 
> Recordon, David wrote:
> ....snip....
>> Initial Committers
>> ------------------
>> David Recordon (drecordon@verisign.com)
>> Andy Dale (andy.dale@ootao.com)
>> Brad Fitzpatrick (bradfitz@sixapart.com)
>> Brian Ellin (brian@janrain.com)
>> Dan Lyke (danlyke@flutterby.com)
>> Dan Quelhorst (dan@abtain.com)
>> Drummond Reed (drummond.reed@cordance.net)
>> Johannes Ernst (jernst@netmesh.us)
>> Jonathan Daugherty (cygnus@janrain.com)
>> Josh Hoyt (josh@janrain.com)
>> Les Chasen (les.chasen@neustar.biz)
>> Matt Pelletier (matt@eastmedia.com)
>> Michael Graves (mgraves@verisign.com)
>> Paul Trevithick (paul@parityinc.net)
>> Steve Churchill (steven.churchill@ootao.com)
>> Trotter Cashion (cashion@gmail.com)
>> Wil Tan (william.tan@neustar.biz)
> 
> My biggest concern right now is that there seems to be a 1 to 1 mapping
> of so many of the initial committers to the individual code bases that
> want to be donated.  It worries me about fragmentation of the project,
> especially since there are at least 4 or 5 different programming
> languages already involved.
> 
> -Paul
> 


Re: [PROPOSAL] Heraldry Identity Project

Posted by Paul Querna <ch...@force-elite.com>.
General Comments:
Is it possible to put this proposal onto the wiki ( 
http://wiki.apache.org/incubator/ ) for a stable url when there are 
updates/changes?

Recordon, David wrote:
....snip....
> Initial Committers 
> ------------------
> David Recordon (drecordon@verisign.com)
> Andy Dale (andy.dale@ootao.com)
> Brad Fitzpatrick (bradfitz@sixapart.com)
> Brian Ellin (brian@janrain.com)
> Dan Lyke (danlyke@flutterby.com)
> Dan Quelhorst (dan@abtain.com)
> Drummond Reed (drummond.reed@cordance.net)
> Johannes Ernst (jernst@netmesh.us)
> Jonathan Daugherty (cygnus@janrain.com)
> Josh Hoyt (josh@janrain.com)
> Les Chasen (les.chasen@neustar.biz)
> Matt Pelletier (matt@eastmedia.com)
> Michael Graves (mgraves@verisign.com)
> Paul Trevithick (paul@parityinc.net)
> Steve Churchill (steven.churchill@ootao.com)
> Trotter Cashion (cashion@gmail.com)
> Wil Tan (william.tan@neustar.biz)

My biggest concern right now is that there seems to be a 1 to 1 mapping 
of so many of the initial committers to the individual code bases that 
want to be donated.  It worries me about fragmentation of the project, 
especially since there are at least 4 or 5 different programming
languages already involved.

-Paul



RE: [PROPOSAL] Heraldry Identity Project

Posted by "Recordon, David" <dr...@verisign.com>.
From feedback at ApacheCon today, I've updated the proposal on the wiki.  http://wiki.apache.org/incubator/HeraldryIdentityProposal
 
Mainly streamlined it to better describe the "deliverables" for the project and then give some background on the Higgins project which would be the proposed tie to the desktop.  We're looking for all of the feedback we can get.  I'm also happy to answer any questions in person this week while many of us are face to face.
 
Thanks,
--David


Re: [PROPOSAL] Heraldry Identity Project

Posted by Leo Simons <ma...@leosimons.com>.
Cool! A proposal that incorporates by reference is always quite hard
to read. Here's some links I personally found relevant...

On Mon, Jun 19, 2006 at 04:04:16AM -0700, Recordon, David wrote:
> The project would start with Yadis [1] for URL/XRI-based service
> discovery, OpenID [2] for web based single-sign-on and the basis of
> exchanging profile data, and to create a desktop component with a
> standard look and feel, ideally working with the Open Source Identity
> Selector (OSIS) [3] project.

For the people wondering about the interaction between Yadis and OpenID:

  http://lists.danga.com/pipermail/yadis/2005-October/001534.html
  http://lists.danga.com/pipermail/yadis/2005-October/001525.html

(somewhat OT but nevertheless...For the people wondering about the
interaction between all this stuff and FOAF, see eg:

  http://wiki.www.videntity.org/wiki/Social_Networking_Unlimited
  http://lid.netmesh.org/wiki/LID_2.0_FOAF_Profile)

I wasn't able to quite figure out who/what OSIS "is" or where it "came" from
(the mailing lists are very new and don't have much traffic). What is OSIS,
and how is the question relevant?

> Initial Source
> ------------------

For the people wondering about all these different pieces of software and
if/how they fit, a sampling:

  http://lists.danga.com/pipermail/yadis/2006-January/002045.html

> Initial Committers 
> ------------------

For some idea of the interactions between people and background to this
proposal:

  http://brad.livejournal.com/2226738.html
  http://lists.danga.com/pipermail/yadis/2006-June/002631.html

--

Besides all the legal worries one can think of, integrating all these
different technologies, communities, specifications and implementations
is a big challenge that is not necessarily made easier by creating an
apache project to do so. Setting up an apache-style open source project
is a lot of work and effort already even if it's just about a single
implementation (in a single programming language) of a single specification.
Which of course, makes it even cooler if this stuff becomes a big success
(even if *I* personally think the technical direction is, uhm, well let's
not have that discussion here :) ). I hope y'all know exactly what you're
getting into, and I'll second "good luck" warmly!

LSD



Re: [PROPOSAL] Heraldry Identity Project

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
This space in OASIS is a festering pile of claimed patents.
Are all of the companies involved willing to sign the CCLA
and software grants necessary to assure distribution under
the Apache License?

....Roy



RE: [PROPOSAL] Heraldry Identity Project

Posted by "Recordon, David" <dr...@verisign.com>.
Yes, my mistake about Lisa being a member.  Someone earlier in the week told me that she was and I never double checked that, no harm intended.
 
Agreed, using "the IETF" to represent the community that makes it up.  Certainly the predicted direction today can easily change and it will be very interesting to see what is said at the WAE BOF and what sort of charter a working group gets, if one is even chartered at this time.
 
Also agreed, while the community has never claimed OpenID to be perfect or to solve 100% of the problems, it is technology that can be deployed today and is useful in solving many people's problems.
 
--David

________________________________

From: Roy T. Fielding [mailto:fielding@gbiv.com]
Sent: Thu 6/29/2006 4:20 PM
To: general@incubator.apache.org
Subject: Re: [PROPOSAL] Heraldry Identity Project



On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:

> For the last IETF meeting, Dick Hardt of Sxip had created a mailing 
> list called DIX (http://dixs.org) and had a BOF 
> under the same name. It was focused on the Sxip 2.0 protocol as a 
> way to move authentication and profile assertions. Sxip 2.0 is also 
> based upon OpenID 1.1 at a protocol level. During the BOF it was 
> clear that there was not consensus that the technology Dick was 
> proposing would meet the needs of everyone at the IETF, nor did 
> everyone really understand the problem they were trying to solve.
>
> After the BOF, Sxip documented a set of use cases as well as began 
> investigating the use of SAML assertions for exchanging profile 
> data. Their goal was to create a light-weight version of a SAML 
> profile, though took it to the extreme that the current DIX 
> proposal is not SAML compliant. For this upcoming IETF meeting in 
> July, two BOF requests were received, one from DIX and one from 
> Sam Hartman called WARP. They have both been merged into a new BOF 
> called WAE (Web Authentication Enhancement) chaired by Pete Resnick.
>
> In talking with Lisa Dusseault, ASF member and IETF Applications 
> Area Director,

Lisa is not an ASF member.

> it sounds like the IETF would not be interested in standardizing a 
> protocol above the HTTP layer. Rather, they are looking at a 2-3 
> year process to modify something like TLS to support 
> authentication. Then once that is complete, it is possible using 
> the same assertion format to provide a solution above the HTTP 
> layer with the appropriate security considerations documented. 
> While this path certainly isn't set in stone, it seems to be the 
> direction the WAE BOF is going.

I am sure that is what some people in the IETF think they are doing.
The IETF itself does no such thing -- it is just a bunch of mailing lists
with a social hierarchy nudging from the top.  In general, the security
work within the IETF has failed miserably in every respect, especially
in regards to HTTP, and I would encourage you to focus on finding solutions
to actual problems instead of mythical frameworks that apply to every
problem but don't actually solve any of them.

> The OpenID community is not interested in circumventing the formal 
> standards process, I can say with my VeriSign hat on that we're 
> also interested in a lower level solution, but the community sees 
> the need for something like OpenID today.

That's because OpenID solves a problem.  Technology should be implemented
first and standardized later.  Phill Hallam-Baker can tell you how many
times people have tried to solve a simple security problem in the IETF
and been stymied by the "it doesn't solve everyone's problem" silliness.
You can learn from the discussion, but don't pay any attention
to claims that the IETF working group process is any more "standardized"
than collaborative development at Apache.

....Roy

---------------------------------------------------------------------
To unsubscribe, e-mail: general-unsubscribe@incubator.apache.org
For additional commands, e-mail: general-help@incubator.apache.org






Re: [PROPOSAL] Heraldry Identity Project

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Erik Abele wrote:
> 
> On 30.06.2006, at 15:22, William A. Rowe, Jr. wrote:
> 
>> robert burrell donkin wrote:
>>> On 6/30/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
>>> <snip>
>>>> One thing that bothers me is that there is a very small handful of ASF
>>>> people (committers and members) participating in standards efforts.
>>> perhaps one way to reduce the friction would be for someone to add a FAQ
>>> somewhere in the apache documentation about the right way to go about
>>> this.
>>
>> Better yet, www.apache.org/standards.html to explain in general with some
>> pages on related implementations of RFC's, JSR's etc etc ad nauseam.
>
> How about http://projects.apache.org/indexes/standards.html ?
>
> This is manageable by every project itself through their respective
> DOAP file(s)...

Yes - for the datum and assembled lists.

For the FAQ and Introduction topics, I agree on www.apache.org/dev/standards/



Re: [PROPOSAL] Heraldry Identity Project

Posted by Erik Abele <er...@codefaktor.de>.
On 30.06.2006, at 15:22, William A. Rowe, Jr. wrote:

> robert burrell donkin wrote:
>> On 6/30/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
>> <snip>
>>> One thing that bothers me is that there is a very small handful of ASF
>>> people (committers and members) participating in standards efforts.
>> perhaps one way to reduce the friction would be for someone to add a FAQ
>> somewhere in the apache documentation about the right way to go about this.
>
> Better yet, www.apache.org/standards.html to explain in general with some
> pages on related implementations of RFC's, JSR's etc etc ad nauseam.

How about http://projects.apache.org/indexes/standards.html ?

This is manageable by every project itself through their respective
DOAP file(s)...

Cheers,
Erik

Re: [PROPOSAL] Heraldry Identity Project

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
robert burrell donkin wrote:
> On 6/30/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
> <snip>
> 
>> One thing that bothers me is that there is a very small handful of ASF
>> people (committers and members) participating in standards efforts.
>
> perhaps one way to reduce the friction would be for someone to add a FAQ
> somewhere in the apache documentation about the right way to go about this.

Better yet, www.apache.org/standards.html to explain in general with some
pages on related implementations of RFC's, JSR's etc etc ad nauseam.  If each
body, JSCs, IATA wgs, W3C wgs each were given a page with 'standards
implemented by project', and 'standards reference implementations', and finally
several paragraphs with pointers to the relevant information about participating
in that standards body, that would really rock.

And I have two days of my life free between now and September :(  But I'd sure
try to accomplish the draft IETF page and get the right people to write the
right descriptions and provide FAQ pointers, while I'd work to collect what the
relation of IETF standards are to our projects.  Once that's done, that's about
all I can commit to.

But if others would jump on the relevant W3C and JSR pages and begin collecting
that in a 'big way' on our foundation site, this could be very interesting and
informative for our contributor and user communities.





Re: [PROPOSAL] Heraldry Identity Project

Posted by robert burrell donkin <ro...@gmail.com>.
On 6/30/06, William A. Rowe, Jr. <wr...@rowe-clan.net> wrote:
<snip>

> One thing that bothers me is that there is a very small handful of ASF people
> (committers and members) participating in standards efforts.  Once you have
> created the implementation of something novel, there are people in both the
> IETF and W3C spheres who would gladly help you to understand their specific
> processes of authoring a standards document, and navigating the standardization
> process.


perhaps one way to reduce the friction would be for someone to add a FAQ
somewhere in the apache documentation about the right way to go about this.

- robert (who thinks FAQs should contain answers to questions that should be
asked frequently as well as those which are)

Re: [PROPOSAL] Heraldry Identity Project

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Roy T. Fielding wrote:
> On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:
> 
>> it sounds like the IETF would not be interested in standardizing a 
>> protocol above the HTTP layer. Rather, they are looking at a 2-3 year 
>> process to modify something like TLS to support authentication. Then 
>> once that is complete, it is possible using the same assertion format 
>> to provide a solution above the HTTP layer with the appropriate 
>> security considerations documented. While this path certainly isn't 
>> set in stone, it seems to be the direction the WAE BOF is going.
> 
> I am sure that is what some people in the IETF think they are doing.
> The IETF itself does no such thing -- it is just a bunch of mailing lists
> with a social hierarchy nudging from the top.  In general, the security
> work within the IETF has failed miserably in every respect, especially
> in regards to HTTP, and I would encourage you to focus on finding solutions
> to actual problems instead of mythical frameworks that apply to every
> problem but don't actually solve any of them.

Also, be aware that there are fuzzy lines between the IETF and W3C that are
generally well respected and well recognized, and it's the fuzziness in the
middle that causes issues on occasion.

>> The OpenID community is not interested in circumventing the formal 
>> standards process, I can say with my VeriSign hat on that we're also 
>> interested in a lower level solution, but the community sees the need 
>> for something like OpenID today.
> 
> That's because OpenID solves a problem.  Technology should be implemented
> first and standardized later.  Phill Hallam-Baker can tell you how many
> times people have tried to solve a simple security problem in the IETF
> and been stymied by the "it doesn't solve everyone's problem" silliness.
> You can learn from the discussion, but don't pay any attention
> to claims that the IETF working group process is any more "standardized"
> than collaborative development at Apache.

And to elaborate Roy's point, Apache creates many reference implementations.
Sometimes we implement the specification.  Other times we build one specific
implementation, and then seek ratification in the form of a standard.  We seem
to have been more obsessed with the former, and not paying enough attention
to the latter.

One thing that bothers me is that there is a very small handful of ASF people
(committers and members) participating in standards efforts.  Once you have
created the implementation of something novel, there are people in both the
IETF and W3C spheres who would gladly help you to understand their specific
processes of authoring a standards document, and navigating the standardization
process.

bill




Re: [PROPOSAL] Heraldry Identity Project

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
On Jun 29, 2006, at 6:50 AM, Recordon, David wrote:

> For the last IETF meeting, Dick Hardt of Sxip had created a mailing  
> list called DIX (http://dixs.org) and had a BOF  
> under the same name. It was focused on the Sxip 2.0 protocol as a  
> way to move authentication and profile assertions. Sxip 2.0 is also  
> based upon OpenID 1.1 at a protocol level. During the BOF it was  
> clear that there was not consensus that the technology Dick was  
> proposing would meet the needs of everyone at the IETF, nor did  
> everyone really understand the problem they were trying to solve.
>
> After the BOF, Sxip documented a set of use cases as well as began  
> investigating the use of SAML assertions for exchanging profile  
> data. Their goal was to create a light-weight version of a SAML  
> profile, though took it to the extreme that the current DIX  
> proposal is not SAML compliant. For this upcoming IETF meeting in  
> July, two BOF requests were received, one from DIX and one from  
> Sam Hartman called WARP. They have both been merged into a new BOF  
> called WAE (Web Authentication Enhancement) chaired by Pete Resnick.
>
> In talking with Lisa Dusseault, ASF member and IETF Applications  
> Area Director,

Lisa is not an ASF member.

> it sounds like the IETF would not be interested in standardizing a  
> protocol above the HTTP layer. Rather, they are looking at a 2-3  
> year process to modify something like TLS to support  
> authentication. Then once that is complete, it is possible using  
> the same assertion format to provide a solution above the HTTP  
> layer with the appropriate security considerations documented.  
> While this path certainly isn't set in stone, it seems to be the  
> direction the WAE BOF is going.

I am sure that is what some people in the IETF think they are doing.
The IETF itself does no such thing -- it is just a bunch of mailing lists
with a social hierarchy nudging from the top.  In general, the security
work within the IETF has failed miserably in every respect, especially
in regards to HTTP, and I would encourage you to focus on finding solutions
to actual problems instead of mythical frameworks that apply to every
problem but don't actually solve any of them.

> The OpenID community is not interested in circumventing the formal  
> standards process, I can say with my VeriSign hat on that we're  
> also interested in a lower level solution, but the community sees  
> the need for something like OpenID today.

That's because OpenID solves a problem.  Technology should be implemented
first and standardized later.  Phill Hallam-Baker can tell you how many
times people have tried to solve a simple security problem in the IETF
and been stymied by the "it doesn't solve everyone's problem" silliness.
You can learn from the discussion, but don't pay any attention
to claims that the IETF working group process is any more "standardized"
than collaborative development at Apache.

....Roy



RE: [PROPOSAL] Heraldry Identity Project

Posted by "Recordon, David" <dr...@verisign.com>.
For the last IETF meeting, Dick Hardt of Sxip had created a mailing list called DIX (http://dixs.org) and had a BOF under the same name. It was focused on the Sxip 2.0 protocol as a way to move authentication and profile assertions. Sxip 2.0 is also based upon OpenID 1.1 at a protocol level. During the BOF it was clear that there was not consensus that the technology Dick was proposing would meet the needs of everyone at the IETF, nor did everyone really understand the problem they were trying to solve.

After the BOF, Sxip documented a set of use cases as well as began investigating the use of SAML assertions for exchanging profile data. Their goal was to create a light-weight version of a SAML profile, though took it to the extreme that the current DIX proposal is not SAML compliant. For this upcoming IETF meeting in July, two BOF requests were received, one from DIX and one from Sam Hartman called WARP. They have both been merged into a new BOF called WAE (Web Authentication Enhancement) chaired by Pete Resnick.

In talking with Lisa Dusseault, ASF member and IETF Applications Area Director, it sounds like the IETF would not be interested in standardizing a protocol above the HTTP layer. Rather, they are looking at a 2-3 year process to modify something like TLS to support authentication. Then once that is complete, it is possible using the same assertion format to provide a solution above the HTTP layer with the appropriate security considerations documented. While this path certainly isn't set in stone, it seems to be the direction the WAE BOF is going.

The OpenID community is not interested in circumventing the formal standards process, I can say with my VeriSign hat on that we're also interested in a lower level solution, but the community sees the need for something like OpenID today.

Hopefully that helps answer your questions, but please let me know if not.

--David


________________________________

From: Noel J. Bergman [mailto:noel@devtech.com]
Sent: Wed 6/28/2006 3:56 PM
To: general@incubator.apache.org
Subject: RE: [PROPOSAL] Heraldry Identity Project



David Recordon wrote:

> This is a proposal to create a project within the Apache Software
> Foundation to develop technologies around the emerging user-centric
> identity space.

> The project would start with [Yadis, OpenID, OSIS]

> Yadis is currently being standardized within OASIS as part of the XRI
> effort, OpenID has emerged as a de-facto specification, and OSIS does
> not depend on a specification

Can you speak about this vis-a-vis the fledgling IETF standards for
identity?

        --- Noel








RE: [PROPOSAL] Heraldry Identity Project

Posted by "Noel J. Bergman" <no...@devtech.com>.
David Recordon wrote:

> This is a proposal to create a project within the Apache Software
> Foundation to develop technologies around the emerging user-centric
> identity space.

> The project would start with [Yadis, OpenID, OSIS]

> Yadis is currently being standardized within OASIS as part of the XRI
> effort, OpenID has emerged as a de-facto specification, and OSIS does
> not depend on a specification

Can you speak about this vis-a-vis the fledgling IETF standards for
identity?

	--- Noel

