
Rants, raves, and musings about Identity from the Old Man in the Corner, Dave Kearns.
Friday, April 11, 2008
A herring of a different color

You almost had me, Kim. I read your latest entry and was ready to share that olive branch. Right up to the last paragraphs when you say (about me):

"...He keeps saying I propose 'a directory that gathers and holds ALL the data from ALL your other directories.' Dave, this is just untrue and unhelpful. “ALL” was never the goal - or the practice - of metadirectory, and you know it. The goal was to represent the 'object core' - the attributes shared across many applications and that need therefore to be kept consistent and synchronized if stored in multiple places. Our other goal was to maintain the knowledge about what objects 'were called' in different directories and databases (thus the existence of 'connector space'). Basically, the “ALL” argument is a red herring..."

Not at all. Let's step back a pace or two, or a posting or two, and think about the reasons for having this meta/virtual directory. Yes, it helps to normalize the data and keep it in sync. But if that were all, then a couple of keyboard monkeys could handle the chore and, at least in the case of normalization, could do it more quickly than a semi-automated process. But the real reason we want to do this is so that identity data is available to applications. Available to them using a single vocabulary and a single protocol. Not that there can't be multiple vocabularies and protocols, but any one application would only need to use one of each - each application programmer would only need to use the vocabulary and protocol she was most familiar with. But for this to be effective, the programmer needs to know that any identity data they need is available through this mechanism. And the only way any data can be available is if all data is available. The identity data must be pervasive and ubiquitous - available whenever and wherever you need it.
From the application's point of view, it should appear to be a single silo but in reality, the data will be distributed throughout the fabric of the network both within and without the enterprise, the identity provider or other data store. The promise of the meta/virtual directory is that it can serve up the current, correct data on demand from wherever it resides. And to do that, it has to aim to provide all identity data. Now, to forestall some people, let me add that the security of this system is a given - there need to be strict and fine-grained access controls for the data. There need to be well designed mechanisms allowing for whoever controls a bit of data to authorize its release. Without these things the system is useless because no one would use it. But this system needs to aim to have available all identity data, every conceivable bit of it. Because without that, the application programmer can't be sure that the bit he needs is there and so will set up alternative storage for the bits that that application needs. We're not there yet, but we need to go that way.

Labels: enterprise, IGF, metadirectory, virtual directory

Wednesday, April 09, 2008
Your mother was a hamster and your father smelt of elderberries!

Here I'd thought I'd offered Kim Cameron a bit of an olive branch in the virtual/meta/uber directory discussion. But did he take it? Yes, he did, then attempted to whack a bunch of folks about the head and shoulders with it!

In a further attempt to clarify what he meant, Kim says: "By 'next generation application' I mean applications based on web service protocols. Our directories need to integrate completely into the web services fabric, and application developers must be able to interact with them without knowing LDAP."

Why Kim feels that LDAP is beyond the ken of today's application developers is beyond me, but the darker part of this is that he seems to say that only through the use of the Microsoft-controlled WS-* protocols (you can read their propaganda at their web site) can this be achieved. Nonsense. Still, if any developers feel that only XML based scripting is acceptable to use, then I'd suggest they consider the very good LDAP replacement, DSML, which has, sadly, languished for a number of years. Or there's SPML (for provisioning services). Even XACML could be used (although it would need a bit more work). The point is that there are open protocols, openly arrived at, that will do the job and today's application designers are bright enough to know how to use them. I'm reminded by Phil Hunt's post on this issue that his work on the Identity Governance Framework, now an OpenLiberty project, also satisfies the requirement of open protocols, openly arrived at.

Labels: IGF, liberty alliance, metadirectory, saas, virtual directory

Monday, April 07, 2008
Another one bites the dust

Well, that might be too strong, but another veteran independent Identity vendor has been acquired. M-Tech announced today that Hitachi had acquired a majority interest in the Calgary, Alberta firm.

M-Tech owns a large segment of the provisioning business in Canada, especially government (federal and provincial) provisioning. But beyond provisioning, M-Tech (now officially called Hitachi-ID) offered the full panoply of the Identity suite - password management, authentication and authorization, role management, audit and entitlement, etc. It'll be interesting to see how long it takes Hitachi to digest the acquisition (I don't think it will be very long) as well as how this will change the playing field (especially in Asia) for Sun, IBM and the others in this space. It could get very interesting.

Labels: acquisition, enterprise

The blind philosophes of Identity

Kim has now responded ("Through the looking glass") to my Humpty Dumpty post, and we're beginning to sound like a couple of old philosophes arguing about whether or not to include "le weekend" and "hamburguer" and other Franglais in the French dictionary.

We really aren't that far apart. In his post, Kim recalls launching the name "metadirectory" back in '95 with Craig Burton and I certainly don't dispute that. In fact, up until 1999, I even agreed somewhat with his definition: "In my world, a metadirectory is one that holds metadata - not actual objects, but descriptions of objects and their locations in other physical directories." But as I continued in that Network World column: "Unfortunately, vendors such as Zoomit took the term 'metadirectory' and redefined it so it could be used to describe what I'd call an überdirectory - a directory that gathers and holds all the data from all your other directories."
Since no one took up my use of "uberdirectory," we started using "metadirectory" to describe the situations which required a new identity store and "virtual directory" for those that didn't. So perhaps we're just another couple of blind men trying to describe an elephant.

Labels: Burton, identity, metadirectory, virtual directory

Wednesday, April 02, 2008
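The two posts above draw the same distinction from opposite sides: a metadirectory materialises a new store holding the shared "object core" (and the "connector space" knowledge of what each object is called elsewhere), while a virtual directory creates no new store and answers on demand, in both cases subject to release controls set by whoever owns each bit of data. The following is an added illustration, not code from this blog or from any product named on the page: two constructed identity stores with different vocabularies and identifiers, a connector-space mapping onto one common schema, an on-demand virtual view that enforces each store owner's attribute-level release policy, and a synchronisation pass that builds the object core and reports where the stores disagree. Store contents, attribute names, role names and the policy format are all assumptions made up for the example.

```python
"""Constructed toy of metadirectory vs. virtual directory over two stores.
Everything here (data, attribute names, roles, policy format) is assumed for
illustration; it is not any real product's API or schema."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sample data: an HR database keyed by employee number and an
# LDAP-style directory keyed by DN. Same people, different vocabularies.
HR_DB = {
    "E1001": {"given": "Ada", "family": "Lovelace", "dept": "Engineering",
              "email": "ada@example.com", "salary_band": "B4"},
    "E1002": {"given": "Alan", "family": "Turing", "dept": "Research",
              "email": "a.turing@example.com", "salary_band": "B5"},
}
LDAP_DIR = {
    "cn=alovelace,ou=people,dc=example": {
        "uid": "alovelace", "employeeNumber": "E1001",
        "mail": "ada@example.com", "memberOf": ["vpn-users"]},
    "cn=aturing,ou=people,dc=example": {
        "uid": "aturing", "employeeNumber": "E1002",
        "mail": "alan@example.com", "memberOf": ["vpn-users", "admins"]},
}


@dataclass
class Connector:
    """Connector space entry: how to find a store's record for a join key,
    how its attribute names map onto the common vocabulary, and which caller
    roles the store's owner releases each common attribute to ("*" = any).
    An attribute with no release entry is never released."""
    name: str
    lookup: Callable[[str], Optional[dict]]
    attr_map: Dict[str, str]          # raw attribute -> common attribute
    release: Dict[str, Set[str]]      # common attribute -> allowed roles


def hr_lookup(emp_no: str) -> Optional[dict]:
    return HR_DB.get(emp_no)


def ldap_lookup(emp_no: str) -> Optional[dict]:
    # LDAP is keyed by DN, so correlate on the employeeNumber attribute.
    return next((r for r in LDAP_DIR.values()
                 if r["employeeNumber"] == emp_no), None)


# Connector order doubles as precedence when two stores carry one attribute.
CONNECTORS: List[Connector] = [
    Connector("hr", hr_lookup,
              {"given": "givenName", "family": "sn", "dept": "department",
               "email": "mail", "salary_band": "salaryBand"},
              {"givenName": {"*"}, "sn": {"*"}, "department": {"*"},
               "mail": {"*"}, "salaryBand": {"payroll"}}),
    Connector("ldap", ldap_lookup,
              {"uid": "uid", "mail": "mail", "memberOf": "groups"},
              {"uid": {"*"}, "mail": {"*"}, "groups": {"helpdesk", "security"}}),
]


def resolve(emp_no: str, caller_role: str) -> dict:
    """Virtual-directory path: no local store. Joins the stores on the fly and
    returns only the attributes each store's owner releases to caller_role."""
    view: dict = {}
    for c in CONNECTORS:
        raw = c.lookup(emp_no)
        if raw is None:
            continue
        for raw_attr, common in c.attr_map.items():
            allowed = c.release.get(common, set())
            if "*" in allowed or caller_role in allowed:
                view.setdefault(common, raw[raw_attr])   # first connector wins
    return view


def sync_object_core(core_attrs: Set[str]) -> Tuple[dict, List[tuple]]:
    """Metadirectory path: materialise a store holding only the shared
    object core, keyed by the join key. Returns (store, conflicts), where each
    conflict records an attribute on which two stores disagree."""
    store: Dict[str, dict] = {}
    conflicts: List[tuple] = []
    for emp_no in HR_DB:                  # HR is the join anchor in this toy
        entry: dict = {}
        for c in CONNECTORS:
            raw = c.lookup(emp_no)
            if raw is None:
                continue
            for raw_attr, common in c.attr_map.items():
                if common not in core_attrs:
                    continue
                if common in entry and entry[common] != raw[raw_attr]:
                    conflicts.append((emp_no, common, entry[common], raw[raw_attr]))
                entry.setdefault(common, raw[raw_attr])
        store[emp_no] = entry
    return store, conflicts


if __name__ == "__main__":
    print(resolve("E1002", "payroll"))
    print(resolve("E1002", "security"))
    print(sync_object_core({"givenName", "sn", "mail"}))
```

The release policy lives with the connector, not with the facade, which is the point made above about whoever controls a bit of data authorising its release; the materialised object core would need the same controls applied on read, which this toy leaves out. The conflict list from the sync pass is the "keep it consistent and synchronized" work that a metadirectory takes on and a virtual directory, which never copies, does not.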
Get on the bus!

Everybody else is. Dale Olds has commented. So has Phil Hunt. Let's all get together at the European ID Conference in Munich later this month and talk about the Identity Hub, the Identity Bus, the death of the metadirectory and so much more. Suggestions for a suitable meeting place (i.e., biergarten) near the Deutsches Museum are welcome - post as comments to this post.

See you there!

Labels: EIC, Identity Bus, Identity Hub, metadirectory, virtual directory

Friday, March 28, 2008
Cardspace context UPDATE

Good post today ("No User Context Decisions in your Enterprise?") from Pam Dingle summarizing her panel at Brainshare (which I'm now sorry I missed). Cardspace and other user-centric ID schemes have a definite place in the enterprise, if only for the context-switching that Pamela outlines.

UPDATE: A video of the session (with Pam Dingle, Patrick Harding, Kim Cameron and Dale Olds) has now been posted at the Bandit Project site. We'll be exploring this same topic at the European Identity Conference when I host a panel of Dale Olds (Bandit Project), Johannes Ernst (OpenID) and Robin Wilton (Liberty Alliance) called "Putting Context in Identity: User-Centric Context." It's an area that will heat up in the near future...

Labels: cardspace, context, EIC, enterprise, openid, user centric

Thursday, March 27, 2008
Every day I get in the queue...

Eve Maler is a pretty good guitar player & singer who also happens to work for Sun and is a Liberty Alliance evangelista. She posts today about the Identity bus/hub and states, succinctly, "I don’t get it."
Exactly, Eve. And that's what the proposed "Identity Hub" would do - transform protocols and data from one system and schema to another. It's not a lightweight project, there's a great deal of heavy lifting that needs to be done. But we did it for email and we did it for databases - and identity isn't that much more difficult, if at all. In fact, it's more of a synthesis of those two. But Eve doesn't just say that and leave it alone. Oh no. She then has to get all Microsoft on us. Not, I hasten to add, that she advocates the "identity metasystem" (one of her bête noires) but she goes on to claim that if we would only all adopt SAML and the Liberty Alliance specs all of our problems would be solved.

Well, rock musicians have always been idealists, but getting to everyone using SAML? World peace is probably easier to achieve.

Wednesday, March 26, 2008
Meta-directories? Your father's ID store...

Kuppinger Cole's Felix Gaehtgens posts today ("Meta-directories? I’d say quaint, but not quite dead.") on the demise of the metadirectory and the rise of virtualization. Felix should know, he's formerly the VP at Symlabs, a major Virtual Directory provider. He says:

"Microsoft has made an investment into that technology by rewriting MIIS pretty much from scratch. And Siemens to this date probably has the most comprehensive and advanced meta-directory implementation with its DirXmetahub component that is part of its Dir-X offering. Nevertheless, meta-directories are arguably still around mostly because Microsoft forces this technology onto its customers for what I think are political reasons: Several people working for Microsoft in the field have told me that it was in Microsoft’s interest to have Active Directory as a central component, and believe it against Microsoft’s interest to have a “filtered access”, such as a virtual directory in front of AD, abstracting information away from what should be the authoritative source. I never really understood this fear, but recently it seems that this brick wall may be slowly starting to crumble."

Read the rest of his post for a synthesis of the argument Kim and I have been having, a synthesis that could be close to a solution.

Labels: Microsoft, virtual directory