directory-dev mailing list archives

Subject: Open architecture identity and authorization efforts.
Date: Tue, 28 Nov 2006 10:46:32 GMT
Good morning to everyone, I hope your respective days are starting out

Enrique Rodriguez and I have been discussing issues surrounding
identity in general and authorization in particular for some time.  We
both feel the need for the Open-Source community to have a technology
strategy to counter Active Directory and its increasingly pervasive
influence on enterprise IT architectures.

I've been involved for almost a decade now in research and development
on the issue of identity generation and its role in defining
authorization.  If I have learned nothing else over this time period
I've learned the field of identity is ill defined, conceptually
abstract, difficult to understand and in most organizations a
political minefield.... :-)

Our work has primarily focused on a methodology for defining
identity.  This is in contrast to a large number of other initiatives
such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
on the problem of asserting identity between organizations and/or

In a paradigm similar to the UNIX philosophy of 'everything is a file'
our strategy focused on the concept of 'everything is an identity'.
Interestingly, this has proven to be a very powerful paradigm and has
resulted in a methodology which has demonstrated considerable
flexibility as different usage scenarios have been poised against it.

For want of a better term we refer to our model as IDfusion.
Conceptually it involves the hierarchical combination of identities
within the context of an organization.  Primitive identities (user,
services) are combined to form derived identities which represent a
user's ability to access a service or role.

One fruitful area of work has been the application of identity
generation technology to the problem of authorization.  This has
proven to be particularly productive with respect to defining a
standardized scheme for implementing authorization.

I should emphasize that our focus is on 'implementing' authorization
rather than 'executing' authorization.  IDfusion is best thought of as
a methodology on which higher levels of abstraction, for example
TripleSec, can be layered upon.

We currently have a working implementation of our authorization model
using payload injection into Kerberos tickets.  All of our work is GPL
and has, up to this point, been based on MIT Kerberos and OpenLDAP.
The identity engine and management client are Java based.  Multiple
licensing methods are certainly something we would have no issue

Our hope is to work with Enrique and others in the Apache community
who are interested in furthering a standardized approach to identity
generation and authorization.  Hence this note of introduction which
Enrique asked me to forward to the list which I have been quietly
reading for some time.

Anyone who is interested in reading a bit more can go to the
confluence site.  The following URL has a link to a paper which I
presented at the Kerberos conference in Ann Arbor in June:

The project web-site is at the following location:

The documentation section on the web-site has a link to a longer PDF
which discusses the overall system architecture in much greater

I'm trying to get a new release rolled up and out before the holidays.
The primary focus of this release will be a standardized ASN encoding
scheme for the authorization payload field of Kerberos tickets.

With this work in place I would be very much interested in
demonstrating compatibility between Kerberos tickets generated by the
Apache server and our plug-ins for the MIT Kerberos server.

I will keep the list advised on future releases.  In the meantime I
would be happy to entertain any discussions or questions which people
may have, either privately or on the list.

Congratulations on your 1.0 release and best wishes for the continued
success of your project from the northern plains.


As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL:
"When I am working on a problem I never think about beauty.  I only
 think about how to solve the problem.  But when I have finished, if
 the solution is not beautiful, I know it is wrong."
                                -- Buckminster Fuller
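The message above describes IDfusion only at the level of concept: primitive identities (users, services, roles) scoped to an organization, derived identities formed by combining them hierarchically, and authorization implemented by carrying those derived identities in a Kerberos ticket payload. The following is an added toy model of that idea, written for this archive page; it is not IDfusion code, not the Apache Directory project's code, and the hashing scheme, the `IdentityEngine`/`Service` classes and the organization name `example.test` are all assumptions made here to show one way "everything is an identity" can turn an authorization decision into an identity computation rather than an ACL lookup.

```python
"""Toy model of 'everything is an identity' authorization.

Added illustration, not IDfusion's actual mechanism. Assumptions made here:
  * a primitive identity is a digest over (organization, kind, name);
  * a derived identity is a digest over its parent identities, in order;
  * the authorization payload is the list of a user's derived identities,
    and its integrity is provided by the Kerberos ticket that carries it.
"""
import hashlib
from collections import defaultdict

ORG = "example.test"  # constructed organizational context (assumption)


def primitive_identity(kind: str, name: str, org: str = ORG) -> str:
    """Identity of a primitive entity (user, service, role) scoped to one organization."""
    return hashlib.sha256(f"{org}|{kind}|{name}".encode()).hexdigest()


def derived_identity(*parents: str) -> str:
    """Hierarchical combination: digest over the parent identities.

    Order matters, so (user, service) and (service, user) are distinct identities,
    and a derived identity can itself be a parent of a further derivation.
    """
    h = hashlib.sha256()
    for parent in parents:
        h.update(bytes.fromhex(parent))
    return h.hexdigest()


class IdentityEngine:
    """Management side: records which derived identities exist for each user."""

    def __init__(self) -> None:
        self._by_user: dict[str, set[str]] = defaultdict(set)

    def grant(self, user: str, kind: str, target: str) -> str:
        """Create the derived identity 'user may reach <kind> target' and return it."""
        derived = derived_identity(primitive_identity("user", user),
                                   primitive_identity(kind, target))
        self._by_user[user].add(derived)
        return derived

    def revoke(self, user: str, kind: str, target: str) -> None:
        derived = derived_identity(primitive_identity("user", user),
                                   primitive_identity(kind, target))
        self._by_user[user].discard(derived)

    def authorization_payload(self, user: str) -> list[str]:
        """The data that would ride in the ticket's authorization field for this user."""
        return sorted(self._by_user.get(user, ()))


class Service:
    """Relying side: needs only its own identity, no per-user ACL."""

    def __init__(self, name: str) -> None:
        self.identity = primitive_identity("service", name)

    def authorize(self, principal: str, payload: list[str]) -> bool:
        # Recompute the derived identity this principal would hold if granted access
        # and check whether the (ticket-protected) payload carries it.
        expected = derived_identity(primitive_identity("user", principal), self.identity)
        return expected in set(payload)


def demo() -> dict[str, bool]:
    """Constructed scenario: alice is granted imap; bob is granted nothing."""
    engine = IdentityEngine()
    engine.grant("alice", "service", "imap")
    imap, smtp = Service("imap"), Service("smtp")
    alice_payload = engine.authorization_payload("alice")
    results = {
        "alice_imap": imap.authorize("alice", alice_payload),
        "alice_smtp": smtp.authorize("alice", alice_payload),
        # a replayed payload is useless under another principal name
        "bob_with_alice_payload": imap.authorize("bob", alice_payload),
    }
    engine.revoke("alice", "service", "imap")
    results["alice_imap_after_revoke"] = imap.authorize(
        "alice", engine.authorization_payload("alice"))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'allow' if ok else 'deny'}")
```

The point the model makes is the one the message argues for: the service holds no ACL and consults no directory at decision time; it derives the one identity that would authorize this principal and tests for its presence in the payload. Whether the payload can be trusted is delegated entirely to the ticket's integrity protection, which is why the encoding of that field, the topic of the planned release, matters for interoperability.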
