directory-dev mailing list archives

From Alex Karasulu <>
Subject Re: Open architecture identity and authorization efforts.
Date Tue, 28 Nov 2006 14:35:51 GMT
Hello Greg,

It's finally good to hear from you.  Enrique has been telling me a lot 
about you and said you'd write to us at some point.  Unfortunately you 
just caught me as I was stepping out the door.

I'm very interested in what you have to say.  Let me get back to you 

Alex Karasulu wrote:
> Good morning to everyone, I hope your respective days are starting out
> well.
> Enrique Rodriguez and I have been discussing issues surrounding
> identity in general and authorization in particular for some time.  We
> both feel the need for the Open-Source community to have a technology
> strategy to counter Active Directory and its increasingly pervasive
> influence on enterprise IT architectures.
> I've been involved for almost a decade now in research and development
> on the issue of identity generation and its role in defining
> authorization.  If I have learned nothing else over this time period
> I've learned the field of identity is ill defined, conceptually
> abstract, difficult to understand and in most organizations a
> political minefield.... :-)
> Our work has primarily focused on a methodology for defining
> identity.  This is in contrast to a large number of other initiatives
> such as OpenID, Shibboleth, Liberty Alliance etc. which have focused
> on the problem of asserting identity between organizations and/or
> individuals.
> In a paradigm similar to the UNIX philosophy of 'everything is a file'
> our strategy focused on the concept of 'everything is an identity'.
> Interestingly, this has proven to be a very powerful paradigm and has
> resulted in a methodology which has demonstrated considerable
> flexibility as different usage scenarios have been poised against it.
> For want of a better term we refer to our model as IDfusion.
> Conceptually it involves the hierarchical combination of identities
> within the context of an organization.  Primitive identities (user,
> services) are combined to form derived identities which represent a
> user's ability to access a service or role.
> One fruitful area of work has been the application of identity
> generation technology to the problem of authorization.  This has
> proven to be particularly productive with respect to defining a
> standardized scheme for implementing authorization.
> I should emphasize that our focus is on 'implementing' authorization
> rather than 'executing' authorization.  IDfusion is best thought of as
> a methodology on which higher levels of abstraction, for example
> TripleSec, can be layered upon.
> We currently have a working implementation of our authorization model
> using payload injection into Kerberos tickets.  All of our work is GPL
> and has, up to this point, been based on MIT Kerberos and OpenLDAP.
> The identity engine and management client are Java based.  Multiple
> licensing methods are certainly something we would have no issue
> discussing.
> Our hope is to work with Enrique and others in the Apache community
> who are interested in furthering a standardized approach to identity
> generation and authorization.  Hence this note of introduction which
> Enrique asked me to forward to the list which I have been quietly
> reading for some time.
> Anyone who is interested in reading a bit more can go to the
> confluence site.  The following URL has a link to a paper which I
> presented at the Kerberos conference in Ann Arbor in June:
> The project web-site is at the following location:
> The documentation section on the web-site has a link to a longer PDF
> which discusses the overall system architecture in much greater
> detail.
> I'm trying to get a new release rolled up and out before the holidays.
> The primary focus of this release will be a standardized ASN encoding
> scheme for the authorization payload field of Kerberos tickets.
> With this work in place I would be very much interested in
> demonstrating compatibility between Kerberos tickets generated by the
> Apache server and our plug-ins for the MIT Kerberos server.
> I will keep the list advised on future releases.  In the meantime I
> would be happy to entertain any discussions or questions which people
> may have, either privately or on the list.
> Congratulations on your 1.0 release and best wishes for the continued
> success of your project from the northern plains.
> Greg
> As always,
> Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
> 4206 N. 19th Ave.           Specializing in information infra-structure
> Fargo, ND  58102            development.
> PH: 701-281-1686
> FAX: 701-281-3949           EMAIL:
> ------------------------------------------------------------------------------
> "When I am working on a problem I never think about beauty.  I only
>  think about how to solve the problem.  But when I have finished, if
>  the solution is not beautiful, I know it is wrong."
>                                 -- Buckminster Fuller
