[EMAIL PROTECTED] wrote:
> Enrique Rodriguez and I have been discussing issues surrounding
> identity in general and authorization in particular for some time.  We
> both feel the need for the Open-Source community to have a technology
> strategy to counter Active Directory and its increasingly pervasive
> influence on enterprise IT architectures.

First off I'm very glad you're approaching the entire community. Community is at the heart of any great and successful OS project. Most of us share a similar vision of handling various authZ concerns.

Regarding the AD influence on IT and the lack of a strong OS solution, I personally agree. The prevalence of AD in IT is IMO a double-edged sword in several respects. It has increased the understanding and utilization of the LDAP/Kerberos duo, which is a good thing. However, some protocol aspects have been bastardized in their implementation, and this is not so good.

I do think there is a lot of room for something better if some good people are brave enough to build it.

However officially for the record I'm obligated to say the following:

<pmc-chair-hat-on>
Although we would like to offer the best directory and related security solution we can, our primary goal is not to compete with any particular implementation or implementor of directory/security solutions. Although competition is fine and healthy we will not define our objectives on that basis alone.
</pmc-chair-hat-on>

> I've been involved for almost a decade now in research and development
> on the issue of identity generation and its role in defining
> authorization.  If I have learned nothing else over this time period
> I've learned the field of identity is ill defined, conceptually
> abstract, difficult to understand and in most organizations a
> political minefield.... :-)

I could not have said it better myself. Let me add just a little to these shortcomings.

The identity problem is a subset of a greater, more general problem: the integration problem. It's the most wide-reaching integration problem modern IT organizations have been confronted with up until now, and they're completely messing it up.

Most solutions are difficult to comprehend, extremely convoluted, and wind up introducing complex integration problems in themselves.

> Our work has primarily focused on a methodology for defining
> identity.  This is in contrast to a large number of other initiatives
> such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
> on the problem of asserting identity between organizations and/or
> individuals.

> In a paradigm similar to the UNIX philosophy of 'everything is a file'
> our strategy focused on the concept of 'everything is an identity'.
> Interestingly, this has proven to be a very powerful paradigm and has
> resulted in a methodology which has demonstrated considerable
> flexibility as different usage scenarios have been poised against it.

> For want of a better term we refer to our model as IDfusion.
> Conceptually it involves the hierarchical combination of identities
> within the context of an organization.  Primitive identities (user,
> services) are combined to form derived identities which represent a
> user's ability to access a service or role.

Very interesting! Can you provide some example situations of how these derived identities come in handy?

> One fruitful area of work has been the application of identity
> generation technology to the problem of authorization.  This has
> proven to be particularly productive with respect to defining a
> standardized scheme for implementing authorization.

> I should emphasize that our focus is on 'implementing' authorization
> rather than 'executing' authorization.  IDfusion is best thought of as
> a methodology on which higher levels of abstraction, for example
> TripleSec, can be layered upon.

Do you have more information available on IDfusion and how authorization is implemented?

> We currently have a working implementation of our authorization model
> using payload injection into Kerberos tickets.  All of our work is GPL
> and has, up to this point, been based on MIT Kerberos and OpenLDAP.
> The identity engine and management client are Java based.  Multiple
> licensing methods are certainly something we would have no issue
> discussing.

That's most excellent.

> Our hope is to work with Enrique and others in the Apache community
> who are interested in furthering a standardized approach to identity
> generation and authorization.

This is one of the primary concerns for us and for the Triplesec effort, which we are currently moving over to the ASF from Safehaus.

> Hence this note of introduction which
> Enrique asked me to forward to the list which I have been quietly
> reading for some time.

> Anyone who is interested in reading a bit more can go to the
> confluence site.  The following URL has a link to a paper which I
> presented at the Kerberos conference in Ann Arbor in June:
>
>         http://docs.safehaus.org/display/APACHEDS/Security+Initiatives

> The project web-site is at the following location:
>
>         http://www.hurderos.org

> The documentation section on the web-site has a link to a longer PDF
> which discusses the overall system architecture in much greater
> detail.

OK, this answers my question above.  I will take a look at these materials.

> I'm trying to get a new release rolled up and out before the holidays.
> The primary focus of this release will be a standardized ASN encoding
> scheme for the authorization payload field of Kerberos tickets.

We love ASN.1 :).

> With this work in place I would be very much interested in
> demonstrating compatibility between Kerberos tickets generated by the
> Apache server and our plug-ins for the MIT Kerberos server.

Excellent.

> I will keep the list advised on future releases.  In the meantime I
> would be happy to entertain any discussions or questions which people
> may have, either privately or on the list.

> Congratulations on your 1.0 release and best wishes for the continued
> success of your project from the northern plains.

Thanks Greg.  I'm sure I will be asking several questions.

BTW, after a brief scan of the materials you've listed, I think there's a lot of room for collaboration, and possibly for consolidating our efforts. I don't know if this is of interest to you, but I would like to give you an open invitation.

You're welcome to join us here to implement IDfusion within ApacheDS as part of our Triplesec effort, which will be a subproject of Apache Directory for now.

Unlike the MIT Kerberos + OpenLDAP solution, which involves two separate moving parts, an ApacheDS solution would be integrated into a single process and embeddable. These factors would allow the uptake of IDfusion into several application servers and products on the market in addition to a stand-alone offering.

I'm glad you contacted us.  There are some exciting possibilities here.

Regards,
Alex


Alex Karasulu
Member, V.P., Apache Software Foundation (Apache Directory)
1005 N. Marsh Wind Way, Ponte Vedra, FL 32082, USA
email: [EMAIL PROTECTED]
tel (work): (904) 791-2766 | fax: (904) 808-4789 | home: (904) 808-4789 | cell: (904) 315-4901
AIM: alexokarasulu | MSN: [EMAIL PROTECTED] | Yahoo!: alexkarasulu | IRC: aok
PGP ID: 1024D/4E1370F8 BBCC E8D8 8756 2D51 C3D4 014A 3662 F96F 4E13 70F8
http://people.apache.org/~akarasulu
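The "authorization payload field" Greg refers to is the AuthorizationData element of a Kerberos ticket, defined in RFC 4120 section 5.2.6 as a SEQUENCE OF (ad-type Int32, ad-data OCTET STRING) with EXPLICIT context tags. The following Python is an added example, not code from this thread, from Hurderos/IDfusion or from ApacheDS: it DER-encodes and strictly decodes that structure so that an interoperability test between two ticket producers can compare bytes. The ad-type value AD_TYPE_PLACEHOLDER and the payload bytes are constructed placeholders, since the thread does not give IDfusion's actual encoding scheme; AD_IF_RELEVANT (1) is the real RFC 4120 value.

```python
"""DER encode/decode of Kerberos AuthorizationData (RFC 4120 5.2.6).

Added example, not from the thread, Hurderos or ApacheDS.  The Kerberos
ASN.1 module uses EXPLICIT tags, so each [n] tag wraps a universal type:

    AuthorizationData ::= SEQUENCE OF SEQUENCE {
        ad-type  [0] Int32,
        ad-data  [1] OCTET STRING
    }
"""

TAG_SEQUENCE, TAG_INTEGER, TAG_OCTET_STRING = 0x30, 0x02, 0x04
TAG_CTX0, TAG_CTX1 = 0xA0, 0xA1          # [0] and [1], EXPLICIT (constructed)

AD_IF_RELEVANT = 1                       # real RFC 4120 ad-type
AD_TYPE_PLACEHOLDER = 9999               # constructed placeholder; the thread names none


def _encode_length(n: int) -> bytes:
    """DER definite length: short form below 128, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_length(len(body)) + body


def _encode_int32(value: int) -> bytes:
    """Minimal two's-complement INTEGER, range-checked as a Kerberos Int32."""
    if not -(1 << 31) <= value < (1 << 31):
        raise ValueError("ad-type outside Int32 range")
    n = 1
    while True:                          # grow until the value fits: shortest encoding
        try:
            return _tlv(TAG_INTEGER, value.to_bytes(n, "big", signed=True))
        except OverflowError:
            n += 1


def encode_authorization_data(entries) -> bytes:
    """entries: iterable of (ad_type, ad_data) pairs -> DER bytes."""
    elements = b"".join(
        _tlv(TAG_SEQUENCE,
             _tlv(TAG_CTX0, _encode_int32(ad_type))
             + _tlv(TAG_CTX1, _tlv(TAG_OCTET_STRING, bytes(ad_data))))
        for ad_type, ad_data in entries)
    return _tlv(TAG_SEQUENCE, elements)


def wrap_if_relevant(entries) -> bytes:
    """Nest an AuthorizationData inside one AD-IF-RELEVANT element (RFC 4120 5.2.6.1)."""
    return encode_authorization_data([(AD_IF_RELEVANT, encode_authorization_data(entries))])


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; reject indefinite and non-minimal lengths (DER, not BER)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length octets")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise ValueError("non-minimal length encoding")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:end], end


def _only(buf: bytes, want_tag: int) -> bytes:
    """Exactly one TLV with the wanted tag, filling buf completely."""
    tag, body, end = _read_tlv(buf, 0)
    if tag != want_tag or end != len(buf):
        raise ValueError(f"expected a single tag 0x{want_tag:02X} element")
    return body


def decode_authorization_data(der: bytes):
    """Return [(ad_type, ad_data), ...]; raise ValueError on anything not strict DER."""
    seq = _only(der, TAG_SEQUENCE)
    entries, pos = [], 0
    while pos < len(seq):
        tag, element, pos = _read_tlv(seq, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("element is not a SEQUENCE")
        t0, ctx0, p = _read_tlv(element, 0)          # [0] ad-type
        t1, ctx1, p = _read_tlv(element, p)          # [1] ad-data
        if (t0, t1) != (TAG_CTX0, TAG_CTX1) or p != len(element):
            raise ValueError("unexpected element layout")
        raw = _only(ctx0, TAG_INTEGER)
        if not raw or (len(raw) > 1 and ((raw[0] == 0x00 and raw[1] < 0x80)
                                         or (raw[0] == 0xFF and raw[1] >= 0x80))):
            raise ValueError("non-minimal INTEGER")
        entries.append((int.from_bytes(raw, "big", signed=True), _only(ctx1, TAG_OCTET_STRING)))
    return entries


if __name__ == "__main__":
    der = wrap_if_relevant([(AD_TYPE_PLACEHOLDER, b"constructed-sample-payload")])
    print(der.hex())
    print(decode_authorization_data(der))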

Reply via email to