dotgnu-auth

[Auth]global authentication layer


From: Cequs Inc
Subject: [Auth]global authentication layer
Date: Fri, 28 Sep 2001 13:59:05 -0400
User-agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022

Hi,

Report to .gnu and Liberty Alliance project developers from c=US, Cequs Inc.
root Directory Manager.

I think there's going to be some sort of necessary "merging" of diverse
technologies and organizations involved for the national/global
authentication scheme to work properly. This includes the dot gnu efforts,
Liberty Alliance project, things like XNS, Handle System, MS Passport (now
that they have "opened" it up), AOL's Magic, security XML, and any other
technologies that should be plugged into this open and interoperable, and
distributed infrastructure layer which one of the inventors of DNS recently
described to me as this "vast vacuum" in the protocol layers. There are even
hooks that have been written to pull in Kerberos.

What I am offering up with this initial architecture effort is really quite
radical, :-) in that it combines a lot of different efforts into a global
layer. It will have to be inclusive to work, and bear fruit. I think it's a
logical approach to Identity Management, and one which can evolve.

Some of the fundamental problems involved in the architecture are social,
and not technical: how to provide privacy, how to make the system user
driven, issues that were surfaced with other people in the project as far
back as the knowledge "foundation" at the end of the Internet universe at
ds.internic.net. For those who don't follow Internet history, there were two
Internics, one for naming, one for knowledge funded by the NSF. The NSF also
funded LDAP at University of Michigan.

EEMA members, OpenGroup, & Cequs have been looking into putting "Rights of
the Digital Person" as an international law bedrock layer below the actual
technical implementation, spelling out freedom to travel the Internet
"without harm or molestation" as George Washington wrote on the first aerial
passport for Pierre Blanchard here in Philadelphia. It doesn't hurt to bring
a bottle of wine and a Swiss Mountain dog along for the ride in case you land
in a farmer's field (or get buzzed by an F16). We are all friendly here.

There has been no lack of commercial Directories such as Yahoo, white
pages, etc., accessible across the Internet, but this is a different goal
than creating infrastructure that adds unique value. So it is not meant to be a
super secure DNS or a "white pages", which is how the project started.

Certain problems in the design of DNS were tabled to be fixed "later", and
have been, for the most part. That's because they skipped some of the things that
this new application protocol layer was meant to deal with, and others came
back and invented other things to address those issues. We can't ask DNS to
bear the burden for things it was not designed to handle. Yet, the design
criteria that made it easily digestible (and made X.500 hard to swallow
until it was recreated as a new protocol, LDAP) also made DNS susceptible to
various security concerns that are "still being worked out".

How, where, why, and when "Identity" gets put on the net, that's what I'm
talking about. Especially the "negation" of where it does not get put on the
net, and anonymous/blinded methods can be used successfully while still
meeting legal requirements. No one expects you to use your DNA to buy a
cheeseburger!

While rs.internic.net evolved to be the big DNS semantic land grab we know,
love/hate today, ...the other idea of supplying object identifiers (such as
1.3.6.1.1) in the ISO/ITU tree hit it off primarily in MIBs, protocol
numbering, and behind-the-scenes infrastructure stuff that is not "popular"
culture, but makes things work in the back end. And "friendly naming" in LDAP
is not, really, compared to DNS. So users have not really had the benefits
from this technology, except in ways that were hidden.

Of course we have been trying to do this semantic integration with both
X.500 and LDAP for years, and have been running into roadblocks which have
been patiently removed, one by one. The majority of success has been on the
enterprise level, corporations use LDAP (and other directories) as a key
component in Enterprise Application Integration, identity management, and
authentication and authorization.

It should be made clear that X.500 family protocols are already de jure
(legal) international standards, but X.500 was delivered "top down", so to
speak, to the early Internet community in a way that created a great deal of
resentment. It also was mistakenly perceived as a failure, when it was
really somewhat ahead of its time for tech transfer. A solution for a
problem that did not (and now does) exist. These protocol developers are
much more closely aligned with the IETF these days.

I've been involved in discussions with many people attempting to gather
requirements for the proposed new global directory, and one of the
consistent themes I'm hearing is that the system should be "self generating"
and support "diversity".

It's likely that the Liberty Alliance group (from what I've read so far)
will initially favor LDAP as one part of a core technology set. I'd say
it's a safe bet, as a mature technology, and one that can be extended with
lots of new ideas and requirements.

And say what you will about DNS, but its price is difficult to beat, it
generally works well, and once they started charging for domain names, the
price started dropping and domains have become very well accepted and
understood. The champagne price for registration @ c=US (although it's
permanent, so you would get a payback in 100 years, and definitely would
get one beyond that :-) ) is around $2500.00 from ANSI. However, since the
entire Internet is listed under o=Internet, I'm sure I can fit you in there
somewhere. Don't forget the OpenLDAP efforts also; they run an experimental
root.

That, folks, is how the International Standard for unique naming in this
space was set up. However, this registration cost has been a significant
barrier except for large organizations, if they want to be registered
directly under c=US.


However, once you are registered, and I put your listing in the c=US server,
then your sub-delegations are up to you. Like DNS, there will be acceptable
guidelines for operation, especially security. For the client there are different
kinds of referral or chaining lookups, but all the data (like DNS) is really
not centrally located, more so the "superior knowledge" of how to get to the
directories that you are allowed to see or access.

Part of the original US root delegations while I was running the Alpaca and
Fruit Bat servers (and which will likely be incorporated into the new design
of the global directory at Cequs) were as follows... (historically one can
look at RFC1943). I can accept valid listings under any of the following.


# Master DSA for o=Internet
# Master DSA for o=DMD under c=US
# Master DSA for address@hidden
# Master DSA for c=US
# Master DSA for l=North America

(there's more, also in regards to linking DNS names to Directory) which I
hold.

What else is different about this is that I'm looking into ways that end users
will actually be able to get their data into the system, and revoke it from
the system in real time, create and use multiple identities, and in general
tailor the persistence of their identity data and how the world sees it!

-pb



-- 

Peter Bachman
CEO
Cequs Inc.
348 Vassar Ave.
Swarthmore, PA 19081

address@hidden

http://www.cequs.com (running on the http alt port)
