Wednesday, February 02, 2005

Identity, Directories, and LID


I wish that I had more hours in the day. I have been wanting to respond to an e-mail from Johannes Ernst (I swear I will! I'm reading the LID docs again!) for weeks now ... and I also wanted to reply to this post that he wrote the other day.

In his post, he responds to some of the remarks I made about directories, and I want to clarify a couple of points. He lists three issues, which I address here:
  • LID is decentralized and does not depend on any directory (we'll talk about some exciting consequences of that in a few weeks... stay tuned)
I am in full agreement, and my directory solution is also fully decentralized. Anyone who knew me at Novell during our years of work on digitalMe knows that I was a maniac about a project out of our labs in India called "Personal Directory." You can still go and download a copy and check it out. This is a full-blown LDAP v3 directory service that can run on your desktop. In my view of how directories can be integrated and used for identity, I do not believe in "one big directory in the sky", nor in "a bunch of directories", but instead see these running everywhere.

As I started to read the LID documentation, I realized that I could probably put an LDAP directory behind the LID protocols and serve information directly from the directory. The benefit is that directories like this are already in use in thousands or millions of businesses ... so LID could simply leverage that existing base of identity information.
  • access control "down to the attribute level" is all fine, but unless the person owning the identity is in control, it won't be used much (most directories I've seen are all-or-nothing things, and maintaining all of those rights centrally quickly becomes so expensive that few do it)
Yes! This was one of the core benefits we were working on with digitalMe ... a way for users to manage their own identity, and also to synchronize their attributes - selectively - into other personal and community directories. The capability we were exploiting was a standard feature of Novell's directory implementations ... the ability to specify exactly who could read or modify any object, down to the attribute level. We then worked on automating the process: a local agent keeping your identity information up to date in the personal and community directories where you had defined a relationship.
  • he doesn't talk about how this would work across the boundaries of a directory, or an organization.
Hopefully, some of my explanation above reveals some of what we were exploring. With digitalMe, I would have my 'personal directory' where I would have an object representing me to keep my own personal identity information, along with objects representing friends, family, and associates that I have relationships with. Corporations or other communities would then have their own directories containing objects representing the identities of their members and associates ... one of those objects might represent me if I have a relationship with that entity.

As part of our redundancy and fault tolerance plans, we had also looked to the future where I might also replicate my directory to other computers (my home computer?) or hosted directories (a bank?) so that there is no single point of failure or loss.

One of the things I really like about LID, especially when thinking about integration with directories, is the layers of abstraction that can be implemented. I could easily modify the index.cgi (ok ... if I had some spare time!) so that it uses a directory to obtain the user attributes, instead of the various vCard and FOAF xml files. If the LID request also passes through the credentials of the requestor, then the directory would automatically return only the attributes visible to that requestor. If I still wanted the foaf.xml or vcard.xml files, I could generate these dynamically, on the fly, from the directory as an alternative. In a business environment, there might already be a directory that contains a great deal of information about me.
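As an added illustration of the index.cgi change described above (this is example code written for this page, not the LID scripts, Personal Directory, or digitalMe), the following Python stands in for an LDAP directory with attribute-level read ACLs. The requestor's credentials are used to bind, the entry is filtered to what that requestor may read, and a vCard is rendered on the fly from the result; anonymous requests get only the public attributes, and attributes with no ACL rule are denied to everyone but the owner. Every DN, password and attribute value, and the ACL table itself, is constructed for the example; in a real deployment the bind and the filtering happen inside the directory server rather than in the CGI.

```python
"""Attribute-level filtering of directory data for an identity endpoint.

Added illustration, not code from LID, Personal Directory or digitalMe.
An in-memory stand-in for an LDAP entry with per-attribute read ACLs:
a requester binds with a DN and password, the entry is filtered to what
that requester may read, and a vCard 3.0 is rendered from the result.
All DNs, passwords, attribute values and the ACL layout are constructed.
"""
import hashlib
import hmac
import os

ANYONE = "*"  # ACL sentinel: attribute readable by unauthenticated requesters

# --- constructed data: one identity owner and one friend --------------------
OWNER_DN = "cn=alice,ou=people,dc=example,dc=com"
FRIEND_DN = "cn=bob,ou=people,dc=example,dc=com"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _make_account(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Bind credentials are kept apart from the published entry so they can never
# leak through the attribute export path.
ACCOUNTS = {
    OWNER_DN: _make_account("alice-example-pw"),
    FRIEND_DN: _make_account("bob-example-pw"),
}

# The owner's directory entry (inetOrgPerson-style attribute names).
ENTRY = {
    "cn": "Alice Example",
    "sn": "Example",
    "mail": "alice@example.com",
    "telephoneNumber": "+1 555 0100",
    "homePostalAddress": "1 Private Lane, Hometown",
}

# Per-attribute read ACL. Attributes absent from this table are denied to
# everyone except the owner (default deny).
ACL = {
    "cn": {ANYONE},
    "sn": {ANYONE},
    "mail": {ANYONE},
    "telephoneNumber": {FRIEND_DN},
    "homePostalAddress": {FRIEND_DN},
}


def bind(dn, password):
    """Simulated LDAP simple bind: return the DN on success, None on failure.
    An unknown DN takes the same code path as a bad password, and the digest
    comparison is constant-time, so the response does not reveal which DNs
    exist."""
    salt, expected = ACCOUNTS.get(dn, (b"\x00" * 16, b"\x00" * 32))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    return dn if ok and dn in ACCOUNTS else None


def visible_attributes(requester_dn):
    """Attributes of ENTRY that requester_dn may read (None = anonymous)."""
    if requester_dn == OWNER_DN:
        return dict(ENTRY)  # the owner always sees her own entry
    out = {}
    for name, value in ENTRY.items():
        allowed = ACL.get(name, set())
        if ANYONE in allowed or (requester_dn is not None and requester_dn in allowed):
            out[name] = value
    return out


def _vcard_escape(value: str) -> str:
    # RFC 2426 text escaping: backslash, newline, comma and semicolon.
    return (value.replace("\\", "\\\\").replace("\n", "\\n")
                 .replace(",", "\\,").replace(";", "\\;"))


def render_vcard(requester_dn):
    """Generate the vCard on the fly from the filtered entry.
    (vCard 3.0 text; long-line folding is omitted for brevity.)"""
    attrs = visible_attributes(requester_dn)
    lines = ["BEGIN:VCARD", "VERSION:3.0"]
    if "cn" in attrs:
        lines.append("FN:" + _vcard_escape(attrs["cn"]))
    if "sn" in attrs:
        lines.append("N:" + _vcard_escape(attrs["sn"]) + ";;;;")
    if "mail" in attrs:
        lines.append("EMAIL;TYPE=INTERNET:" + _vcard_escape(attrs["mail"]))
    if "telephoneNumber" in attrs:
        lines.append("TEL;TYPE=VOICE:" + _vcard_escape(attrs["telephoneNumber"]))
    if "homePostalAddress" in attrs:
        lines.append("ADR;TYPE=HOME:;;" + _vcard_escape(attrs["homePostalAddress"]) + ";;;;")
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    print(render_vcard(None))                                   # anonymous view
    print(render_vcard(bind(FRIEND_DN, "bob-example-pw")))      # friend's view
```

The point of binding as the requestor, rather than with a privileged service account, is that the same ACL table governs every export format: a FOAF rendering would call the same `visible_attributes` and could never show more than the directory itself would return to that requestor.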

Overall, I really like what I see with LID ... I'm going to continue reading and maybe play with the scripts. Maybe I'll make the time to do some modifications ... ;-)


