On Thu, Apr 10, 2025 at 10:02 PM Christian Huitema <huitema@xxxxxxxxxxx> wrote:
> I think it depends what we are trying to achieve. If the problem is
> "author of an IETF document has changed employers three times, I need to
> get the current email", then ORCID works -- that's almost exactly what
> they are designed to do. ORCID membership is limited to non-profit
> organizations, the type that publishes academic papers, but the IETF,
> internet drafts and RFCs almost certainly are in scope.
ORCID is designed to meet a particular requirement - providing attribution so academics can advance in their careers.
While that is a security requirement, it is a rather peculiar one in that impersonation is not quite the same concern that it would be for a system accrediting (say) doctors and lawyers. While it is possible that someone would have a pecuniary motive for submitting a journal article under the name of someone else, this is not common.
Which is not to say we should ignore ORCID, but it looks to me like infrastructure we should interface to rather than rely on.
> But if the problem is "let's design an infrastructure so that an
> arbitrary Alice can retrieve Bob's unique key", then that does not work
> so well. Redesigning ORCID to handle the general public would require a
> change of mission, and would probably be rather expensive.
And that gets to the question of whether we build infrastructure for ourselves alone or for the wider audience that uses our work. The point for me in eating our dog food is so we can do the latter better.
But instead of the whole audience of Internet users, let's just focus on open source software developers, who are an audience of folk with a lot of overlap with IETF and a community we have rather more need for interaction with than academics.
I am going to be presenting the EARL/JSContact work at the HOPE hacker conference in NYC. They may want to be involved in contributing to the open source code. But quite a few folk will be using pseudonyms.
So we have an 'identity' problem here that has nothing to do with government issued identity. I want to know that the 'CodeGrowler' who submitted a pull request is the same woman I met and exchanged contact info with. I do not need (or want) to know their government issued name.
What we need is a two level system:
* A chaos of the commons, an unstructured exchange of contact information amongst peers for 90% of uses.
* Accreditation organizations providing structure for the small number of cases that require it.
Note that "organizations" is plural. ORCID isn't going to be checking up to see if I am a chartered engineer; that (in the UK) is more properly the job of the Engineering Council, to which my professional body, the BCS, belongs. They certainly aren't going to be checking up that I am a current member.
Seems to me that JSContact with some tweaks plus the EARL scheme supports the chaos of the commons and provides a basis for interfacing to the accrediting organizations. I give them my EARL, either verbatim or via a DNS handle, and they receive my contact updates just like everyone else. And they in turn can issue me accreditation credentials as X.509 attribute certs, SAML assertions or whatever.
In this model, I only need to update my personal contact info and all the accrediting organizations I might belong to can update their records.
So we should probably talk to some ORCID people. Anyone know who their technical folk are? Chances are we know them.