directory-dev mailing list archives

From Ole Ersoy <ole_er...@yahoo.com>
Subject Re: Open architecture identity and authorization efforts.
Date Fri, 01 Dec 2006 04:05:13 GMT
Hi Greg,

Just wanted to see if I understand this part:

>> The derived identities serve as an identity/label for an object which
>> encapsulates information on whether and how to deliver, vend or
>> authorize a service.

So I have an object.  Suppose I express it in 
xml:

<hello>
  <ssn>4325552222</ssn>
</hello>

If I were to send this to someone, or someone 
were to get it, it could mean something unique
to them based on rules we have agreed to.

However I may wish to encrypt it first so that it's 
more compact, faster to read, send, etc.

So I produce a checksum out of it.

The other party also understands the checksum because
we shared the information upfront (So they already
know what it is without decrypting and then reading
values, etc).

So now the checksum becomes the derivation of this
object and it's a nice compact little guy.

And the other party knows what this is, so they can
map it to any API call they wish.

If I were to add some info:
<hello>
  <ssn>4325552222</ssn>
  <buy>sweater</buy>
</hello>

And produce another checksum...the other side would
also understand this because we shared the mapping
upfront...in other words we knew we would be talking
with these objects in the future, so we 
already setup the process for handling it as
efficiently as possible.

Thanks,
- Ole





--- greg@enjellic.com wrote:

> On Nov 29,  9:32am, "Apache Directory Developers List" wrote:
> } Subject: Re: Open architecture identity and authorization efforts.
>
> Good evening Alex, thanks for the note.  Hope your day has gone well.
>
> Apologies for the delay in responding.  I've been riding herd on a
> cranky fibre-channel problem this week.
>
> > g.w@hurderos.org wrote:
> > > Enrique Rodriguez and I have been discussing issues surrounding
> > > identity in general and authorization in particular for some time.  We
> > > both feel the need for the Open-Source community to have a technology
> > > strategy to counter Active Directory and its increasingly pervasive
> > > influence on enterprise IT architectures.
>
> > First off I'm very glad you're approaching the entire community.
> > Community is at the heart of any great and successful OS project.
> > Most of us share a similar vision of handling various authZ
> > concerns.
>
> A common vision is certainly helpful.  It would be great if everyone
> could even agree a problem exists and Open-Source is the arena to fix
> it in.
>
> > Regarding the AD influence on IT and a lack of a strong OS solution
> > I personally agree.  The prevalence of AD in IT is IMO a double
> > edged sword in several respects.  It has increased the understanding
> > and utilization of the LDAP/Kerberos duo which is a good thing.
> > However some protocol aspects have been bastardized in their
> > implementation and this is not so good.
>
> There has been a positive impact on the acceptance of LDAP/Kerberos.
> Unfortunately a solution was essentially 'inflicted' on the industry.
> By and large no one has seemed to understand or take notice of the
> potential impact of a 'de-facto' solution in this arena.
>
> But I've railed on this issue to a lot of luminaries in the OSS
> community to little avail so I just don't waste my time anymore.
>
> The consensus of opinion is that Samba4 will simply ride in and fix
> the problem.  Unfortunately the model is different in the middleware
> arena.  The strategy which was effective for Linux, BIND, Apache
> webserver to work their way into the enterprise doesn't work in this
> venue.
>
> > I do think there is a lot of room for something better if some good
> > people are brave enough to build it.
> >
> > However officially for the record I'm obligated to say the following:
> >
> > <pmc-chair-hat-on>
> > Although we would like to offer the best directory and related security
> > solution we can, our primary goal is not to compete with any particular
> > implementation or implementor of directory/security solutions.  Although
> > competition is fine and healthy we will not define our objectives on
> > that basis alone.
> > </pmc-chair-hat-on>
>
> Certainly understandable, your efforts are focused on building a
> directory server and the goal should be to build the best LDAP server
> possible.
>
> The more fundamental problem is that the industry needs a complete and
> integrated solution which requires multiple and disparate technologies
> to be merged.  There is not a large body of individuals with the scope
> and skillsets needed to tackle such a problem.
>
> > > I've been involved for almost a decade now in research and development
> > > on the issue of identity generation and its role in defining
> > > authorization.  If I have learned nothing else over this time period
> > > I've learned the field of identity is ill defined, conceptually
> > > abstract, difficult to understand and in most organizations a
> > > political minefield.... :-)
>
> > I could not have said it better myself.  Let me add just a little to
> > these shortcomings.
> >
> > The identity problem is a subset of a greater more general problem: the
> > integration problem.  It's the most wide reaching integration problem
> > modern IT organizations have been confronted with up until now and
> > they're completely messing it up.
> >
> > Most solutions are difficult to comprehend, extremely convoluted, and
> > wind up introducing complex integration problems in themselves.
>
> Also an excellent analysis.
>
> After watching and working on the problem for a long time I believe
> the problem comes down to the fact that no one has gotten the model
> right.
>
> An interesting experiment is to ask technology people what an
> 'electronic identity' is.  I've done that multiple times and most
> people can't answer the question.
>
> So by and large the industry is confronted with developing
> sophisticated and complex solutions for managing something which no
> one can define.
>
> > > Our work has primarily focused on a methodology for defining
> > > identity.  This is in contrast to a large number of other initiatives
> > > such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
> > > on the problem of asserting identity between organizations and/or
> > > individuals.
> > >
> > > In a paradigm similar to the UNIX philosophy of 'everything is a file'
> > > our strategy focused on the concept of 'everything is an identity'.
> > > Interestingly, this has proven to be a very powerful paradigm and has
> > > resulted in a methodology which has demonstrated considerable
> > > flexibility as different usage scenarios have been poised against it.
> > >
> > > For want of a better term we refer to our model as IDfusion.
> > > Conceptually it involves the hierarchical combination of identities
> > > within the context of an organization.  Primitive identities (user,
> > > services) are combined to form derived identities which represent a
> > > user's ability to access a service or role
>
> > Very interesting!  Can you provide some example situation of how these
> > derived identities come in handy?
>
> The derived identities serve as an identity/label for an object which
> encapsulates information on whether and how to deliver, vend or
> authorize a service.
>
> A pragmatic example can be taken from how an LDAP directory is
> populated in the IDfusion model.  Combining the identity of a user and
> service results in a unique N-bit number within the context
=== message truncated ===
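The scheme Ole sketches (digest an agreed-upon object into a compact label, look the label up in a mapping both sides shared in advance) and Greg's "unique N-bit number" from combining a user identity with a service identity can be shown in a few lines of Python. The code below is an added illustration written for this archive page; it is not Ole's, Greg's, or the IDfusion project's code. It assumes the objects are expressed as JSON-serialisable dicts rather than the XML in the post, uses SHA-256 as the digest, and the names `LabelRegistry`, `object_label`, `derived_identity` and `dispatch` are invented for the example. Two points a practitioner would want to keep in mind: the label is a digest, not encryption, so the SSN inside the object is only as protected as the channel it travels over, and the label-to-decision mapping must itself be established over a trusted path, because whoever can insert entries into it decides what gets authorised.

```python
import hashlib
import json
from typing import Any, Dict, Optional

# Constructed sample objects mirroring the two XML documents in the post,
# expressed as dicts so they can be canonicalised deterministically.
HELLO_V1 = {"hello": {"ssn": "4325552222"}}
HELLO_V2 = {"hello": {"ssn": "4325552222", "buy": "sweater"}}


def canonicalize(obj: Any) -> bytes:
    """Serialise an object to bytes that both parties will reproduce exactly.

    Sorted keys and fixed separators mean that whitespace or key order on
    the wire cannot change the label; a label is only useful if both sides
    derive it from the same bytes.
    """
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def object_label(obj: Any) -> str:
    """Digest an object into a fixed-size label (the post's 'checksum').

    A cryptographic hash is used rather than a CRC-style checksum: with a
    weak checksum an unrelated object could be made to collide with a label
    the peer already trusts.
    """
    return hashlib.sha256(canonicalize(obj)).hexdigest()


def derived_identity(user_id: str, service_id: str, bits: int = 64) -> int:
    """Combine two primitive identities into one N-bit derived identity.

    Each component is length-prefixed before hashing so that the pairs
    ("ab", "c") and ("a", "bc") cannot hash to the same value.
    """
    h = hashlib.sha256()
    for part in (user_id, service_id):
        data = part.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    return int.from_bytes(h.digest(), "big") & ((1 << bits) - 1)


class LabelRegistry:
    """Mapping both parties agree on up front: label -> service decision.

    The stored dict stands in for the object the post describes, which
    records whether and how a service is delivered, vended or authorised.
    """

    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, Any]] = {}

    def register(self, label: str, decision: Dict[str, Any]) -> None:
        self._entries[label] = decision

    def resolve(self, label: str) -> Optional[Dict[str, Any]]:
        # Unknown labels resolve to None; callers treat that as deny.
        return self._entries.get(label)


def build_registry() -> LabelRegistry:
    """Set up the shared mapping before any message is exchanged."""
    reg = LabelRegistry()
    reg.register(object_label(HELLO_V1), {"handler": "lookup_customer", "authorize": True})
    reg.register(object_label(HELLO_V2), {"handler": "place_order", "authorize": True})
    return reg


def dispatch(reg: LabelRegistry, label: str) -> str:
    """Map a received label to an API call, denying anything not pre-agreed."""
    decision = reg.resolve(label)
    if decision is None or not decision.get("authorize"):
        return "deny"
    return decision["handler"]


if __name__ == "__main__":
    registry = build_registry()
    print(dispatch(registry, object_label(HELLO_V1)))  # lookup_customer
    print(dispatch(registry, object_label(HELLO_V2)))  # place_order
    print(dispatch(registry, object_label({"hello": {"ssn": "0000000000"}})))  # deny
    ident = derived_identity("alice", "payroll")
    print(f"derived identity for alice/payroll: {ident:#018x}")
```

Adding the `buy` element changes the canonical bytes and therefore the label, which is exactly why the second object needs its own pre-agreed registry entry; an object that was never registered falls through to "deny" rather than to a guess.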



 
