Slashdot Mirror


User: Hurderos

Hurderos's activity in the archive.

Stories: 0
Comments: 5

Comments · 5

  1. Re:Fundamental issues in identity. on The Case for OpenID · · Score: 1

    Hurderos/IDfusion is designed to be a general-purpose identity generation and management solution. It was designed to be general-purpose infrastructure to support intra-organizational identity management needs as well as the identity needs required to participate in a federated environment.

    As I mentioned in the original posting a number of problems 'fall out' when the identity definition problem is answered. The thinking on how IDfusion can address the RIM problem was actually developed a couple of years after the original genetic hash chaining algorithms were designed. It's been a pleasant surprise to see the model continually adapt itself to new challenges posed to it.

    IDfusion is very much based on a service oriented architecture model. Besides the identity fusion model the other powerful design paradigm has been the use of an Abstract Identity Tree to model an identity hierarchy. The model provides a very powerful model for not only controlling export of identities but for importing a foreign identity and managing the authorization of services for that identity.

  2. Fundamental issues in identity. on The Case for OpenID · · Score: 2, Interesting

    A number of other posts have alluded to 'what's the problem with identity'. In the FWIW department, a summary of the important issues from someone who has spent a long time working in the field:

    1.) There is no standardized method for defining identity.

    2.) Services of value impose the Reciprocal Identity Management (RIM) problem.

    With respect to point 1, is your identity:

    mdoe

    112233

    Mary Doe

    mdoe@SOMETHING.ORG

    http://www.something.org/mary_doe

    All of the above 'representational identities' are very useful in different contexts. None of them are your identity. For better or worse your identity is ultimately a token, let's call it an 'intrinsic identity', which has a fiduciary or contractual value associated with it by a third party.

    Examples of intrinsic identities are things like social security numbers, credit card numbers, employee identification numbers, visa numbers etc. Such tokens are extremely useful in information technology since they serve as unique and definable 'keys' for who someone is. They are also extremely dangerous since possession of these tokens allows the implementation of an identity.

    Systems such as OpenID, Shibboleth, Liberty Alliance and a bunch of OASIS standards seek to solve the problem of 'identity assertion'. While useful in and of themselves they don't provide a fundamental definition for identity.

    Federated identity systems solve a very useful and important problem but impose problem number 2 which is the RIM problem. If the service being vended has any value a system for authorizing access to it must be in place. If the identity assertion comes from an external site the accepting site needs to instantiate or manage the identity in order to regulate the use of the service by the requesting identity. One class of problem is addressed but a second and equally important problem still exists.

    In the case of the 'real world' - blog and social networking sites notwithstanding, where one organization is asserting identity for the actions of one of its employees there is a need for the identity asserting site to regulate the actions of the identity on the remote site as well. The management problem becomes quickly apparent if there are hundreds of partners in a federated identity environment.

    Getting the right answer to the identity definition question is actually very useful. A number of very important issues in information delivery tend to 'fall out' when the question gets answered properly. Unfortunately the field of identity theory is abstract, poorly defined, difficult to understand and laden with socio-political and privacy issues.

    As is typical with most problems the low hanging fruit gets picked first. Various schemes such as OpenID for attacking the identity assertion problem are emblematic of those types of effort.

  3. Re:Open Source replacement for MS Active Directory on Red Hat releases Netscape Directory Server to OSS · · Score: 1

    Having the former Netscape directory product released as OSS is positive to the community. Unfortunately this doesn't imply a replacement for Active Directory. In fact there is very little available in the form of an Open-Source solution to compete with AD. I'm not sure that people fully understand the significance or importance of that.

    AD is actually a fusion of a number of technologies. Most notably Kerberos for authentication, LDAP for identification and dynamic DNS/DHCP. As is common with Microsoft architectures all of these have been amalgamated into one large reasonably amorphous blob. So the presence of a directory server, even one as formidable as the Netscape product, does not imply an AD replacement.

    Perhaps most significantly AD provides an architecture for service authorization. When AD issues network credentials they contain a Privilege Authentication Certificate (PAC) which is loaded into the optional authorization payload field of the Kerberos tickets. There has been a fair amount written about the 'openness' of this approach but Microsoft's use of the field is consistent with the specification and intended use of the field.

    I've railed onward for a number of years about the hazards that AD poses to OSS solutions in the enterprise. Unfortunately the field of identity implementation and middleware is fairly exotic and not well understood. It's also not very sexy to work on and thus doesn't attract much of a developer following.

    It is where the future of information delivery is going to get won and lost though. Ultimately the only thing that is relevant is who someone is and what they have access to. Microsoft has positioned itself to have a controlling position of this high ground.

    Besides not having an integrated solution there is basically no open standard for answering the authorization question. This has basically led to a situation where Microsoft is in a position of defining the standard for the industry. The ability to determine whether or not a user can run an application is not inconsequential when the majority of the desirable applications are controlled by the company setting the de-facto standard for answering the question. The implications for application/server and infrastructure tying are, of course, considerable.

    The team working on Samba4 development is grappling with some of these issues now. One of the primary issues being argued about is whether or not Samba4 should contain its own implementation of Kerberos. It already contains a minimalistic version of a directory server. The argument from the Samba camp is that the technical amalgamation model that AD is predicated on forces a similar architecture in a work-alike product.

    I respect the Samba team and understand their motivations but I harbor significant reservations about efforts to 'clone' Active Directory. It's a pathway which is already leading to compromises in technical design. Beyond that the potential implications of legally defending this type of project are potentially troublesome in the current intellectual property climate.

    So a directory server does not imply an Active Directory replacement. That will require tight integration of a number of technologies, not the least of which is an architecture for answering authorization questions.

    Our Hurderos Project was conceived to integrate these technologies and answer the authorization question. Actually the fundamental tenet that Hurderos is based on is a solution to the problem of how to 'implement' identity, a question which is largely unanswered in both the OSS and commercial venues. Interestingly the authorization problem conveniently falls out from answering the identity implementation question.

    Our latest release has been slowed up a bit but that was due to making arrangements to have the intellectual property protected in the name of OSS. Now that an acronym is in a position to do that we hope to spend more time on the technology.

    Over the last year we have de

  4. Another protocol, OSS needs a mechanism. on OpenID - Open Source Single-SignOn · · Score: 2, Informative

    I do wish the authors success but OpenID is simply another protocol for asserting identity information. What is fundamentally missing, especially in OSS, is a mechanism for implementing identity. In truth implementing identity is something that is also missing in the plethora of commercial products which are seeking to provide solutions in this space.

    Globus/GRID, Shibboleth, PubCookie, LID and a legion of others are already implementing mechanisms for making assertions about an identity. The fundamental problem with implementing any of these technologies is the back-end systems for implementing and protecting identity and a manageable system for tracking differential access (authorization) at a high level of granularity.

    The Open-Source community is currently lacking any respectable effort in this arena. All the basic pieces are there with LDAP, Kerberos, SAML and a host of other technologies. What is required is a coherent framework which implements all these technologies in a manageable package of infrastructure. It will be where the real war for control of information delivery gets won or lost for OSS technologies over the remainder of the decade.

    As I noted in the first paragraph what is fundamentally lacking across the spectrum, commercial or otherwise, is a fundamental definition of identity. It's interesting to see that a couple of other posters have noted this as well. Our Hurderos Project is trying to address that with an OSS solution in an attempt to turn the tide of everyone inventing their own solution.

    Getting that type of basic infrastructure laid down is key to unlocking an entirely new generation of application and information delivery architectures. It is also fundamental to addressing the intrinsic problem with federated or distributed identity systems which is the very real and very thorny problem of target sites asserting authorization over remotely authenticated identities.

    In the brave new world of highly distributed information delivery systems with a mobile consumption (client) base the only important thing is 'who you are and what do you have access rights to'. He who controls that will control everything.

  5. The whole puzzle, a challenge for Open-Source. on Kerberos: The Definitive Guide · · Score: 1

    It's good to see any type of book come out on Kerberos. Besides setup, configuration and management an even bigger challenge is programming to the API, although GSSAPI/SASL is supposed to alleviate this problem for some definition of alleviate.

    The whole arena of Single-Sign-On (SSO) is at once a great opportunity and a great challenge to the Open-Source community. Unfortunately it's also an arena where Open-Source initiatives seem to be slow in getting traction. In part this may be due to the fact that this type of work isn't very sexy. Unfortunately it's also the area where control of the enterprise is going to get won or lost.

    Anybody who has been around Kerberos, SSO and other middleware initiatives knows the frightful politics involved with this stuff at the organizational level. When technology like this gets deployed it's extremely difficult to get organizations to change direction or try alternative solutions. The case can be made that the SSO middleware/identity solution that gets deployed is perhaps the single most important decision affecting the overall IT architecture of an organization.

    The issue that makes all this extremely important to the Open-Source community is the fact that whatever gets deployed tends to 'tie' the applications to the back-end server architecture. I don't think this fact is even remotely lost on those individuals or companies that prefer to see proprietary systems win control in the enterprise. Ultimately whoever or whatever defines who an individual is and what rights they have to access information has a pretty significant position of power in the information delivery world.

    The basic tools exist in open-source form but tend to have extremely high individual learning curves and little margin for error once deployed. What's required for Open-Source to win in this space is a credible integration of these technologies which allows them to be deployed and managed in a coherent and consistent fashion.

    At the risk of getting in a plug the Hurderos Project is focused on these issues right now. Our goal is to provide an open-source based solution which is a superset of the functionality provided by Active Directory. The project web-site is at http://www.hurderos.org for anyone interested in learning a bit more.

    One of the issues that the project has extensively focused on is developing an open-source/open-protocol alternative for authorization. It's fair to conclude that Kerberos answers the authentication problem but an even bigger issue is authorization, which is really the question that most people want answered at service delivery time.

    Everyone concludes that LDAP directories should be used for authorization but no real methodology is articulated for doing this. The only real 'standard' unfortunately is Microsoft's use of Privilege Authentication Certificates (PAC) in Active Directory. Providing an authorization alternative to these is really at the heart of the project.

    The Samba project is working diligently to provide an open-source alternative to Active Directory. Unfortunately this goal is potentially problematic from a couple of angles. The first being philosophical and the second much more pragmatic.

    From a philosophical perspective the claim can be made that Open-Source doesn't innovate but rather clones. That's certainly a topic for argument in and of itself but an unbiased observer would have to conclude that 'cloning' has been a major focus of Open-Source initiatives. Cloning Active Directory, while useful, tends to perpetuate this notion.

    A clone of Active Directory is also problematic in the increasingly troubled legal waters that OSS initiatives will be steering through. Casual infringement of Intellectual Property will be problematic in and of itself. I would anticipate that it will be much more difficult to defend when the stated goal is to create a working clone of another product.

    The huge opportunity for Open-Source is to fix a fundamental problem that has vexed enterp
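Comments 3 and 5 above both turn on the PAC that Active Directory places in the authorization-data field of a Kerberos ticket (Microsoft's documentation expands PAC as Privilege Attribute Certificate; the ticket carries it as AD-WIN2K-PAC inside AD-IF-RELEVANT). The following is an added example, not code from Hurderos, Samba or the comments' author: it serializes and parses the PACTYPE buffer table from MS-PAC and shows the check a service must perform before it trusts any group information in the PAC, namely recomputing the server signature (RFC 4757 HMAC-MD5 with key usage 17) with its own service key. The sample PAC is constructed here, the service key is hypothetical, and the logon-info buffer is a placeholder where the NDR-encoded KERB_VALIDATION_INFO would be; the KDC signature is left zero because only the KDC holds the krbtgt key that computes it.

```python
import hashlib
import hmac
import struct

# PAC_INFO_BUFFER ulType values (MS-PAC section 2.4).
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07
PAC_CLIENT_INFO = 0x0A
# RFC 4757 HMAC-MD5 checksum type and the key usage MS-PAC assigns to PAC signatures.
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76
KERB_NON_KERB_CKSUM_SALT = 17
HMAC_MD5_LEN = 16

def _align8(n):
    return (n + 7) & ~7

def build_pac(buffers):
    """Serialize [(ulType, bytes)] as PACTYPE: cBuffers, Version, buffer table, aligned bodies."""
    table_len = 8 + 16 * len(buffers)
    offset = _align8(table_len)
    table, body = b"", b""
    for ultype, data in buffers:
        table += struct.pack("<IIQ", ultype, len(data), offset)
        padded = data.ljust(_align8(len(data)), b"\0")
        body += padded
        offset += len(padded)
    header = struct.pack("<II", len(buffers), 0) + table
    return header.ljust(_align8(table_len), b"\0") + body

def parse_pac(blob):
    """Walk the PAC_INFO_BUFFER table with bounds checks; return {ulType: (offset, size)}."""
    if len(blob) < 8:
        raise ValueError("PAC too short")
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    if version != 0 or 8 + 16 * cbuffers > len(blob):
        raise ValueError("bad PAC header")
    bufs = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError("PAC buffer %#x out of range" % ultype)
        bufs[ultype] = (offset, size)
    return bufs

def hmac_md5_checksum(key, usage, data):
    """RFC 4757 section 3.1: HMAC-MD5 with a derived key over MD5(usage || data)."""
    ksign = hmac.new(key, b"signaturekey\0", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def _with_signatures_zeroed(blob, bufs):
    """Signatures cover the PAC with both Signature fields zeroed; SignatureType stays."""
    data = bytearray(blob)
    for t in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        offset, size = bufs[t]
        data[offset + 4:offset + size] = b"\0" * (size - 4)
    return bytes(data)

def sign_pac_server(blob, service_key):
    """Fill the server signature as a KDC would; the KDC (krbtgt-keyed) signature is left zero."""
    bufs = parse_pac(blob)
    sig = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT,
                            _with_signatures_zeroed(blob, bufs))
    offset, _ = bufs[PAC_SERVER_CHECKSUM]
    out = bytearray(blob)
    out[offset + 4:offset + 4 + HMAC_MD5_LEN] = sig
    return bytes(out)

def verify_pac_server_signature(blob, service_key):
    """What a service must do before trusting PAC_LOGON_INFO: recompute and compare."""
    bufs = parse_pac(blob)
    if PAC_SERVER_CHECKSUM not in bufs or PAC_PRIVSVR_CHECKSUM not in bufs:
        return False
    offset, size = bufs[PAC_SERVER_CHECKSUM]
    (sigtype,) = struct.unpack_from("<I", blob, offset)
    if sigtype != KERB_CHECKSUM_HMAC_MD5 or size < 4 + HMAC_MD5_LEN:
        return False
    presented = blob[offset + 4:offset + 4 + HMAC_MD5_LEN]
    expected = hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT,
                                 _with_signatures_zeroed(blob, bufs))
    return hmac.compare_digest(presented, expected)

def tampered_pac(blob):
    # Flip one byte inside PAC_LOGON_INFO, as someone editing group membership would.
    offset, _ = parse_pac(blob)[PAC_LOGON_INFO]
    out = bytearray(blob)
    out[offset] ^= 0x01
    return bytes(out)

# Constructed sample, not captured from a real KDC; the logon buffer is a placeholder.
SERVICE_KEY = bytes(range(16))  # hypothetical RC4-HMAC key of the target service
SIG_BUFFER = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\0" * HMAC_MD5_LEN
UNSIGNED_PAC = build_pac([
    (PAC_LOGON_INFO, b"<KERB_VALIDATION_INFO placeholder: user RID, group RIDs, SIDs>"),
    (PAC_CLIENT_INFO, "mdoe".encode("utf-16-le")),
    (PAC_SERVER_CHECKSUM, SIG_BUFFER),
    (PAC_PRIVSVR_CHECKSUM, SIG_BUFFER),
])
SIGNED_PAC = sign_pac_server(UNSIGNED_PAC, SERVICE_KEY)
```

Calling verify_pac_server_signature(SIGNED_PAC, SERVICE_KEY) returns True, and the same call on tampered_pac(SIGNED_PAC), on UNSIGNED_PAC, or with a different key returns False. The design point is that the PAC's authorization data is only as trustworthy as this signature check: a service that reads group RIDs out of PAC_LOGON_INFO without verifying the server signature has no integrity protection on the data it authorizes against. The example uses the RC4-HMAC checksum type the comments' era relied on; with AES service keys the SignatureType is HMAC-SHA1-96 (0x0F for AES128, 0x10 for AES256) and the derived-key step differs, but the zero-the-signatures-then-recompute procedure is the same.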