Monday, May 29, 2006

Notes on Laws of Identity (Part 3)

It's been a while, but I'm going to work on finishing unfinished business...

  • The definition layed out thus far is flexible enough to cover all the known digital identity systems, allowing for the emergence of a metasystem embracing multiple implementations/ways of doing things.
  • The usefulness of the claim is not inherent in the claim, but its evaluation/decision by the relying party.

The Laws (finally...):

1. User Control and Consent: Technical identity systems must only reveal information identifying a user with the user's consent. The system should also protect the user against deception, verifying the identity of any parties who ask for information, ensuring submitted information goes to the right place, and informing the user the reason for which the information is requested.

2. Minimal Disclosure for a Constrained Use: To mitigate risk, the solution should release the least amount of identifying information as possible. This ensures that there is less of a chance identifying a person accross multiple contexts.

3. Justifiable Parties: Information is only disclosed to those parties that have a "justifiable" place in the identity transaction. Although what exactly qualifies as "justifiable" is open to interpretation, this law does provide for a transparent transaction.

Friday, May 26, 2006

A Well Written Post on Common Virtual Directory Scenarios

Matt Flynn has written a concise post on VD scenarios... I've cut and pasted below:

Common Virtual Directory Scenarios

The discussion
regarding possible uses for Virtual Directory is on-going. The following are 8
easy-to-understand scenarios for Virtual Directory in no particular order. This
is by no means an exhaustive list, but I think it covers the simplest scenarios.
I look forward to questions or comments.

Protocol Translation - Provide
access to relational and other non-standardized data over standard LDAP and Web
Services protocols without altering the data.

Web Service Enablement -
Respond to identity data requests made via DSML, SPML or any other
service-oriented data format (standards-based or custom).

Multi-Repository Search - Enable a single search over standard protocols
to return a single clean result-set containing identity data that resides in
multiple repositories in multiple formats.

Joined Identity View - Enable
a search that returns a view of single identities that are comprised of data
from multiple repositories. e.g.) A single user record is presented with name
and phone number from the HR system and the email address from Active Directory.

Permission-Based Results - Enable a customized view into a single data
universe based on which application or which user is performing the search.
e.g.) Employees inside the corporate firewall see a full view of fellow
employees while customers accessing an external-facing application see a reduced
set of attributes and phone number is formatted using the (toll-free +
extension) format.

Dynamic DIT - Build an on-the-fly Directory
Information Tree based on identity data attributes. e.g.) The application calls
for LDAP views based on job title so the virtual directory dynamically presents
an OU for each job title in the database and presents employees within the
appropriate OU based on their job title.

Authentication - Enable
pass-through authentication from a single point of entry into multiple identity
data stores. e.g.) Authentication requests are directed to a single point. The
Virtual Directory authenticates non-employees against a back-end Sun Directory
and employees against Active Directory.

Real-Time Data Access - Provide
real-time access into back-end systems. Because requests are passed to the
originating data source, the search results can be as real-time as required.


Virtual Directory technologies eliminate boundaries.
Hassles related to LDAP object types, attribute definitions and other
schema-related issues are eliminated by virtualizing the view into the backend
identity stores. You're no longer limited by the existing data format or
database branding. There's no requirement to migrate the data from a relational
database into an LDAP directory in order to make the data LDAP- or Web Service-

Thursday, May 25, 2006

Sun, Identity Management, and Storage

I think this is going to be huge. I place my bet that Sun's Storage market share will increase significantly because of Identity. Unfortunately I'm not a betting man.

"For example, Sun has integrated the identity-management capabilities obtained via its Waveset acquisition with its StorageTek Enterprise Storage Manager software, allowing customers to discover, monitor, report and charge-back users for storage use. The company also is adding encryption to StorageTek storage devices and providing centralized key management for data and tapes via Waveset's technology."