Posted to dev@directory.apache.org by g....@hurderos.org on 2006/11/28 11:46:32 UTC

Open architecture identity and authorization efforts.

Good morning to everyone, I hope your respective days are starting out
well.

Enrique Rodriguez and I have been discussing issues surrounding
identity in general and authorization in particular for some time.  We
both feel the need for the Open-Source community to have a technology
strategy to counter Active Directory and its increasingly pervasive
influence on enterprise IT architectures.

I've been involved for almost a decade now in research and development
on the issue of identity generation and its role in defining
authorization.  If I have learned nothing else over this time period
I've learned the field of identity is ill defined, conceptually
abstract, difficult to understand and in most organizations a
political minefield.... :-)

Our work has primarily focused on a methodology for defining
identity.  This is in contrast to a large number of other initiatives
such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
on the problem of asserting identity between organizations and/or
individuals.

In a paradigm similar to the UNIX philosophy of 'everything is a file'
our strategy focused on the concept of 'everything is an identity'.
Interestingly, this has proven to be a very powerful paradigm and has
resulted in a methodology which has demonstrated considerable
flexibility as different usage scenarios have been posed against it.

For want of a better term we refer to our model as IDfusion.
Conceptually it involves the hierarchical combination of identities
within the context of an organization.  Primitive identities (user,
services) are combined to form derived identities which represent a
user's ability to access a service or role.

One fruitful area of work has been the application of identity
generation technology to the problem of authorization.  This has
proven to be particularly productive with respect to defining a
standardized scheme for implementing authorization.

I should emphasize that our focus is on 'implementing' authorization
rather than 'executing' authorization.  IDfusion is best thought of as
a methodology on which higher levels of abstraction, for example
TripleSec, can be layered upon.

We currently have a working implementation of our authorization model
using payload injection into Kerberos tickets.  All of our work is GPL
and has, up to this point, been based on MIT Kerberos and OpenLDAP.
The identity engine and management client are Java based.  Multiple
licensing methods are certainly something we would have no issue
discussing.

Our hope is to work with Enrique and others in the Apache community
who are interested in furthering a standardized approach to identity
generation and authorization.  Hence this note of introduction which
Enrique asked me to forward to the list which I have been quietly
reading for some time.

Anyone who is interested in reading a bit more can go to the
confluence site.  The following URL has a link to a paper which I
presented at the Kerberos conference in Ann Arbor in June:

	http://docs.safehaus.org/display/APACHEDS/Security+Initiatives

The project web-site is at the following location:

	http://www.hurderos.org

The documentation section on the web-site has a link to a longer PDF
which discusses the overall system architecture in much greater
detail.

I'm trying to get a new release rolled up and out before the holidays.
The primary focus of this release will be a standardized ASN encoding
scheme for the authorization payload field of Kerberos tickets.

With this work in place I would be very much interested in
demonstrating compatibility between Kerberos tickets generated by the
Apache server and our plug-ins for the MIT Kerberos server.

I will keep the list advised on future releases.  In the meantime I
would be happy to entertain any discussions or questions which people
may have, either privately or on the list.

Congratulations on your 1.0 release and best wishes for the continued
success of your project from the northern plains.

Greg

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg@enjellic.com
------------------------------------------------------------------------------
"When I am working on a problem I never think about beauty.  I only
 think about how to solve the problem.  But when I have finished, if
 the solution is not beautiful, I know it is wrong."
                                -- Buckminster Fuller
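The "authorization payload field" Greg mentions above is, in RFC 4120 terms, the authorization-data field of a ticket's EncTicketPart, whose type is AuthorizationData (sections 5.3 and 5.2.6). As an added illustration (not Hurderos/IDfusion or ApacheDS code), here is a minimal DER encoder and a strict decoder for that container in Python; the ad-type value 128 and the payload string are constructed placeholders, since the post does not give IDfusion's actual encoding scheme.

```python
# Added example (not Hurderos/IDfusion or ApacheDS code): a minimal DER encoder and a
# strict decoder for the ticket field that carries authorization payloads (RFC 4120 5.2.6):
#   AuthorizationData ::= SEQUENCE OF SEQUENCE { ad-type [0] Int32, ad-data [1] OCTET STRING }
# Kerberos modules use EXPLICIT tagging, so [0]/[1] are constructed context tags (0xA0/0xA1).
SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04

def der_len(n):
    if n < 0x80:  # short form; otherwise the minimal long form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_int(v):
    n = (v if v >= 0 else ~v).bit_length() // 8 + 1  # minimal two's-complement width
    return tlv(INTEGER, v.to_bytes(n, "big", signed=True))

def encode_authorization_data(elements):
    """elements: iterable of (ad_type, ad_data bytes) -> DER AuthorizationData."""
    items = [tlv(SEQUENCE, tlv(0xA0, der_int(t)) + tlv(0xA1, tlv(OCTET_STRING, d)))
             for t, d in elements]
    return tlv(SEQUENCE, b"".join(items))

def read_tlv(buf, pos, want):
    """Parse one TLV at pos, requiring tag `want`; returns (content, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != want:
        raise ValueError("bad tag or truncated element at offset %d" % pos)
    length, pos = buf[pos + 1], pos + 2
    if length >= 0x80:  # long form: low 7 bits give the number of length octets
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        if not 1 <= nbytes <= 4 or length < 0x80 or length >> (8 * nbytes - 8) == 0:
            raise ValueError("non-minimal or unsupported DER length")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return buf[pos:pos + length], pos + length

def decode_authorization_data(der):
    """Strict inverse of encode_authorization_data; rejects trailing bytes."""
    body, end = read_tlv(der, 0, SEQUENCE)
    if end != len(der):
        raise ValueError("trailing bytes after AuthorizationData")
    out, pos = [], 0
    while pos < len(body):
        elem, pos = read_tlv(body, pos, SEQUENCE)
        c0, p = read_tlv(elem, 0, 0xA0)
        c1, _ = read_tlv(elem, p, 0xA1)
        ad_type = int.from_bytes(read_tlv(c0, 0, INTEGER)[0], "big", signed=True)
        out.append((ad_type, read_tlv(c1, 0, OCTET_STRING)[0]))
    return out

# Constructed sample; the ad-type 128 is a placeholder, not IDfusion's real value.
SAMPLE = encode_authorization_data([(128, b"role=db-admin")])
```

A KDC plug-in that injects such a payload and a ticket consumer that reads it only interoperate if both sides agree on the ad-type and on the inner encoding of ad-data, which is exactly the standardization the post is after.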

Re: Open architecture identity and authorization efforts.

Posted by Alex Karasulu <ak...@apache.org>.
Hello Greg,

It's finally good to hear from you.  Enrique has been telling me a lot 
about you and said you'd write to us at some point.  Unfortunately you 
just caught me as I was stepping out the door.

I'm very interested in what you have to say.  Let me get back to you 
shortly.

Regards,
Alex Karasulu

g.w@hurderos.org wrote:
> Good morning to everyone, I hope your respective days are starting out
> well.
> 
> Enrique Rodriguez and I have been discussing issues surrounding
> identity in general and authorization in particular for some time.  We
> both feel the need for the Open-Source community to have a technology
> strategy to counter Active Directory and its increasingly pervasive
> influence on enterprise IT architectures.
> 
> I've been involved for almost a decade now in research and development
> on the issue of identity generation and its role in defining
> authorization.  If I have learned nothing else over this time period
> I've learned the field of identity is ill defined, conceptually
> abstract, difficult to understand and in most organizations a
> political minefield.... :-)
> 
> Our work has primarily focused on a methodology for defining
> identity.  This is in contrast to a large number of other initiatives
> such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
> on the problem of asserting identity between organizations and/or
> individuals.
> 
> In a paradigm similar to the UNIX philosophy of 'everything is a file'
> our strategy focused on the concept of 'everything is an identity'.
> Interestingly, this has proven to be a very powerful paradigm and has
> resulted in a methodology which has demonstrated considerable
> flexibility as different usage scenarios have been posed against it.
> 
> For want of a better term we refer to our model as IDfusion.
> Conceptually it involves the hierarchical combination of identities
> within the context of an organization.  Primitive identities (user,
> services) are combined to form derived identities which represent a
> user's ability to access a service or role.
> 
> One fruitful area of work has been the application of identity
> generation technology to the problem of authorization.  This has
> proven to be particularly productive with respect to defining a
> standardized scheme for implementing authorization.
> 
> I should emphasize that our focus is on 'implementing' authorization
> rather than 'executing' authorization.  IDfusion is best thought of as
> a methodology on which higher levels of abstraction, for example
> TripleSec, can be layered upon.
> 
> We currently have a working implementation of our authorization model
> using payload injection into Kerberos tickets.  All of our work is GPL
> and has, up to this point, been based on MIT Kerberos and OpenLDAP.
> The identity engine and management client are Java based.  Multiple
> licensing methods are certainly something we would have no issue
> discussing.
> 
> Our hope is to work with Enrique and others in the Apache community
> who are interested in furthering a standardized approach to identity
> generation and authorization.  Hence this note of introduction which
> Enrique asked me to forward to the list which I have been quietly
> reading for some time.
> 
> Anyone who is interested in reading a bit more can go to the
> confluence site.  The following URL has a link to a paper which I
> presented at the Kerberos conference in Ann Arbor in June:
> 
> 	http://docs.safehaus.org/display/APACHEDS/Security+Initiatives
> 
> The project web-site is at the following location:
> 
> 	http://www.hurderos.org
> 
> The documentation section on the web-site has a link to a longer PDF
> which discusses the overall system architecture in much greater
> detail.
> 
> I'm trying to get a new release rolled up and out before the holidays.
> The primary focus of this release will be a standardized ASN encoding
> scheme for the authorization payload field of Kerberos tickets.
> 
> With this work in place I would be very much interested in
> demonstrating compatibility between Kerberos tickets generated by the
> Apache server and our plug-ins for the MIT Kerberos server.
> 
> I will keep the list advised on future releases.  In the meantime I
> would be happy to entertain any discussions or questions which people
> may have, either privately or on the list.
> 
> Congratulations on your 1.0 release and best wishes for the continued
> success of your project from the northern plains.
> 
> Greg
> 
> As always,
> Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
> 4206 N. 19th Ave.           Specializing in information infra-structure
> Fargo, ND  58102            development.
> PH: 701-281-1686
> FAX: 701-281-3949           EMAIL: greg@enjellic.com
> ------------------------------------------------------------------------------
> "When I am working on a problem I never think about beauty.  I only
>  think about how to solve the problem.  But when I have finished, if
>  the solution is not beautiful, I know it is wrong."
>                                 -- Buckminster Fuller
> 


Re: Open architecture identity and authorization efforts.

Posted by Quanah Gibson-Mount <qu...@stanford.edu>.

--On Wednesday, November 29, 2006 9:32 AM -0500 Alex Karasulu 
<ak...@apache.org> wrote:

> Unlike the MIT Kerberos + OpenLDAP solution which involves two separate
> moving parts, an ApacheDS solution would be integrated into a single
> process and embeddable.  These factors would allow the uptake of IDfusion
> into several application servers and products on the market in addition
> to a stand alone offering.

What MIT Kerberos + OpenLDAP solution?  One can currently use Heimdal 
Kerberos with OpenLDAP as its backend data store, but that is still 
something under development with MIT last I checked. ;)


--Quanah



--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

Re: Open architecture identity and authorization efforts.

Posted by Alex Karasulu <ak...@apache.org>.
g.w@hurderos.org wrote:
> Enrique Rodriguez and I have been discussing issues surrounding
> identity in general and authorization in particular for some time.  We
> both feel the need for the Open-Source community to have a technology
> strategy to counter Active Directory and its increasingly pervasive
> influence on enterprise IT architectures.

First off I'm very glad you're approaching the entire community. 
Community is at the heart of any great and successful OS project.  Most 
of us share a similar vision of handling various authZ concerns.

Regarding the AD influence on IT and a lack of a strong OS solution I 
personally agree.  The prevalence of AD in IT is IMO a double edged 
sword in several respects.  It has increased the understanding and 
utilization of the LDAP/Kerberos duo which is a good thing.  However 
some protocol aspects have been bastardized in their implementation and 
this is not so good.

I do think there is a lot of room for something better if some good 
people are brave enough to build it.

However officially for the record I'm obligated to say the following:

<pmc-chair-hat-on>
Although we would like to offer the best directory and related security 
solution we can, our primary goal is not to compete with any particular 
implementation or implementor of directory/security solutions.  Although 
competition is fine and healthy we will not define our objectives on 
that basis alone.
</pmc-chair-hat-on>

> I've been involved for almost a decade now in research and development
> on the issue of identity generation and its role in defining
> authorization.  If I have learned nothing else over this time period
> I've learned the field of identity is ill defined, conceptually
> abstract, difficult to understand and in most organizations a
> political minefield.... :-)

I could not have said it better myself.  Let me add just a little to 
these shortcomings.

The identity problem is a subset of a greater more general problem: the 
integration problem.  It's the most wide reaching integration problem 
modern IT organizations have been confronted with up until now and 
they're completely messing it up.

Most solutions are difficult to comprehend, extremely convoluted, and 
wind up introducing complex integration problems in themselves.

> Our work has primarily focused on a methodology for defining
> identity.  This is in contrast to a large number of other initiatives
> such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
> on the problem of asserting identity between organizations and/or
> individuals.
> 
> In a paradigm similar to the UNIX philosophy of 'everything is a file'
> our strategy focused on the concept of 'everything is an identity'.
> Interestingly, this has proven to be a very powerful paradigm and has
> resulted in a methodology which has demonstrated considerable
> flexibility as different usage scenarios have been posed against it.
> 
> For want of a better term we refer to our model as IDfusion.
> Conceptually it involves the hierarchical combination of identities
> within the context of an organization.  Primitive identities (user,
> services) are combined to form derived identities which represent a
> user's ability to access a service or role.

Very interesting!  Can you provide some example situation of how these 
derived identities come in handy?

> One fruitful area of work has been the application of identity
> generation technology to the problem of authorization.  This has
> proven to be particularly productive with respect to defining a
> standardized scheme for implementing authorization.
> 
> I should emphasize that our focus is on 'implementing' authorization
> rather than 'executing' authorization.  IDfusion is best thought of as
> a methodology on which higher levels of abstraction, for example
> TripleSec, can be layered upon.

Do you have more information available on IDfusion and how authorization 
is implemented?

> We currently have a working implementation of our authorization model
> using payload injection into Kerberos tickets.  All of our work is GPL
> and has, up to this point, been based on MIT Kerberos and OpenLDAP.
> The identity engine and management client are Java based.  Multiple
> licensing methods are certainly something we would have no issue
> discussing.

That's most excellent.

> Our hope is to work with Enrique and others in the Apache community
> who are interested in furthering a standardized approach to identity
> generation and authorization.  

This is one of the primary concerns for us and the Triplesec effort 
which we are currently moving over to the ASF from Safehaus.

> Hence this note of introduction which
> Enrique asked me to forward to the list which I have been quietly
> reading for some time.
> 
> Anyone who is interested in reading a bit more can go to the
> confluence site.  The following URL has a link to a paper which I
> presented at the Kerberos conference in Ann Arbor in June:
> 
> 	http://docs.safehaus.org/display/APACHEDS/Security+Initiatives
> 
> The project web-site is at the following location:
> 
> 	http://www.hurderos.org
> 
> The documentation section on the web-site has a link to a longer PDF
> which discusses the overall system architecture in much greater
> detail.

OK, this answers my question above.  I will take a look at these materials.

> I'm trying to get a new release rolled up and out before the holidays.
> The primary focus of this release will be a standardized ASN encoding
> scheme for the authorization payload field of Kerberos tickets.

We love ASN.1 :).

> With this work in place I would be very much interested in
> demonstrating compatibility between Kerberos tickets generated by the
> Apache server and our plug-ins for the MIT Kerberos server.

Excellent.

> I will keep the list advised on future releases.  In the meantime I
> would be happy to entertain any discussions or questions which people
> may have, either privately or on the list.
> 
> Congratulations on your 1.0 release and best wishes for the continued
> success of your project from the northern plains.

Thanks Greg.  I'm sure I will be asking several questions.

BTW after a brief scan of the materials you've listed, I think there's a 
lot of room for collaboration, and possibly consolidating our efforts. 
I don't know if this is of interest to you but I would like to give you 
an open invitation.

You're welcome to join us here to implement IDfusion within ApacheDS as 
part of our Triplesec effort which will be a subproject of Apache 
Directory for now.

Unlike the MIT Kerberos + OpenLDAP solution which involves two separate 
moving parts, an ApacheDS solution would be integrated into a single 
process and embeddable.  These factors would allow the uptake of 
IDfusion into several application servers and products on the market in 
addition to a stand alone offering.

I'm glad you contacted us.  There are some exciting possibilities here.

Regards,
Alex