I wish that I had more hours in the day. I have been wanting to respond to an e-mail from Johannes Ernst (I swear I will! I’m reading the LID docs again!) for weeks now … and I also wanted to reply to this post that he wrote the other day.
In his post, he comments on some of the comments that I made about
directories, and I wanted to clarify a couple of points. He lists
three issues that I will address here:
- LID is decentralized and does not depend on any
directory (we’ll talk about some exciting consequences of that in a few
weeks… stay tuned)
I am in full agreement, and my directory solution is also fully
decentralized. Anyone who knew me at Novell during our years of
work on digitalMe knows that I was a maniac about a project out of our
labs in India called “Personal Directory.” You can still go and download a copy
and check it out. This is a full-blown LDAP v3 directory service
that can run on your desktop. In my perspective of how
directories can be integrated and used for identity, I do not believe
in “one big directory in the sky”, nor “a bunch of directories”, but
instead see these running everywhere.
As I started to read the LID documentation, I realized that I could
probably put an LDAP directory behind the LID protocols, and serve
information directly from the directory. The benefit here is that
directories like this are already in use in thousands or millions of
businesses out there … so leveraging this existing base of identity
information just happens.
- access control “down to the attribute level” is all fine, but
unless the person owning the identity is in control, it won’t be used much
(most directories I’ve seen are all-or-nothing things, and maintaining all
of those rights centrally quickly becomes so expensive that few do it)
Yes! This was one of the core benefits we were working on with
digitalMe … a way for users to manage their own identity, and also
the synchronization of their attributes – selectively – into other
personal and community directories. The power that we were
exploiting was a standard feature of Novell’s directory implementations
… the ability to easily determine who could access/modify any object
down to the attribute level. We then worked on automating the
process of a local agent keeping your identity information up to date
with the personal and community directories where you had defined a
relationship.
- he doesn’t talk about how this would work across the boundaries of a
directory, or an organization.
Hopefully, some of my explanation above reveals some of what we were
exploring. With digitalMe, I would have my ‘personal directory’
where I would have an object representing me
to keep my own personal identity information, along with objects
representing friends, family, and associates that I have relationships
with. Corporations or other communities would then have their own
directories containing objects representing the identities of their
members and associates … one of those objects might represent me if I
have a relationship with that entity.
As part of our redundancy and fault tolerance plans, we had also looked
to the future where I might also replicate my directory to other
computers (my home computer?) or hosted directories (a bank?) so that
there is no single point of failure or loss.
One of the things that I really like about LID, and that makes me think about integration
with directories, is the layers of abstraction that can be
implemented. I could easily modify the index.cgi (ok … if I had some spare time!)
so that it uses a directory to obtain the user attributes, instead of
the various vCard and FOAF xml files. If the LID request also
passes through the credentials of the requestor, then the directory
would automatically return only the attributes visible to that
requestor. If I still wanted the foaf.xml or vcard.xml files, I
could generate these dynamically on the fly – from the directory – as
an alternative. In a business environment, there might already be
a directory that contains a great deal of information about me.
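To make the idea above concrete, here is an added sketch (my own illustration, not LID’s index.cgi or any Novell code) of a directory that stores read rights per attribute, returns only what the requestor is allowed to see, and renders the result as a vCard on the fly. The directory contents, DNs and attribute names are constructed for the example; no LDAP server is involved.

```python
"""Attribute-level visibility for a LID-style identity lookup.

The in-memory "directory" below is constructed for this example.  Each
attribute carries the set of requestor DNs allowed to read it; the special
value ANONYMOUS marks an attribute as public.  An unauthenticated LID request
is treated as ANONYMOUS, and anything unknown fails closed."""

from dataclasses import dataclass

ANONYMOUS = "anonymous"          # requestor DN used for unauthenticated requests
OWNER_DN = "cn=owner,ou=people,o=personal"      # constructed DNs
FRIEND_DN = "cn=friend,ou=people,o=personal"
BANK_DN = "cn=bank,o=community"


@dataclass(frozen=True)
class Attribute:
    value: str
    readers: frozenset       # DNs permitted to read this attribute


DIRECTORY = {
    OWNER_DN: {
        "cn": Attribute("Owner", frozenset({ANONYMOUS})),
        "mail": Attribute("owner@example.invalid", frozenset({FRIEND_DN})),
        "telephoneNumber": Attribute("+1-555-0100", frozenset({FRIEND_DN, BANK_DN})),
        "homePostalAddress": Attribute("1 Example St", frozenset()),  # owner only
    }
}


def visible_attributes(directory, subject_dn, requestor_dn=ANONYMOUS):
    """Return {attribute: value} limited to what requestor_dn may read.
    A missing subject yields an empty map rather than everything."""
    entry = directory.get(subject_dn)
    if entry is None:
        return {}
    return {name: attr.value for name, attr in entry.items()
            if ANONYMOUS in attr.readers or requestor_dn in attr.readers}


def render_vcard(attrs):
    """Generate a minimal vCard 3.0 from the filtered attributes (the
    'vcard.xml generated from the directory' step, in plain vCard form)."""
    mapping = (("cn", "FN"), ("mail", "EMAIL"),
               ("telephoneNumber", "TEL"), ("homePostalAddress", "ADR"))
    lines = ["BEGIN:VCARD", "VERSION:3.0"]
    lines += [f"{vc}:{attrs[ldap]}" for ldap, vc in mapping if ldap in attrs]
    lines.append("END:VCARD")
    return "\r\n".join(lines) + "\r\n"
```

The same request rendered for an anonymous visitor, a friend and a bank yields three different vCards from one directory object, with no per-consumer files to maintain.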
Overall, I really like what I see with LID … I’m going to continue
reading and maybe play with the scripts. Maybe I’ll make the time
to do some modifications … 😉