{"id":970,"date":"2008-04-10T12:43:28","date_gmt":"2008-04-10T20:43:28","guid":{"rendered":"\/?p=970"},"modified":"2008-04-27T12:43:28","modified_gmt":"2008-04-27T20:43:28","slug":"converging-metadirectory-and-virtual-directory","status":"publish","type":"post","link":"https:\/\/www.identityblog.com\/?p=970","title":{"rendered":"Converging Metadirectory and Virtual Directory"},"content":{"rendered":"<p class=\"storycontent\">Phil Hunt, now at Oracle, is the visionary responsible for a lot of the innovation in Virtual Directory. From his <a href=\"http:\/\/independentidentity.blogspot.com\/2008\/04\/kim-cameron-on-new-generation-of.html\">recent response<\/a> to <a href=\"\/?p=969\">my ideas on second generation metadirectory<\/a>, it looks like we are actually thinking about things in similar ways, where meta and virtual work together.<\/p>\n<blockquote><p>As you may know, there has been an ongoing discussion on what the next generation of meta-directory looks like. Kim Cameron\u2019s latest <a href=\"\/?p=969\"><font color=\"#6699cc\">post elaborates<\/font><\/a> on what he thinks is needed for the next generation of \u201cmetadirectory\u201d.<\/p>\n<blockquote>\n<ul>\n<li>By \u201cnext generation application\u201d I mean applications based on web service protocols. Our directories need to integrate completely into the web services fabric, and application developers must be able to interact with them without knowing LDAP.<\/li>\n<li>Developers and users need places they can go to query for \u201ccore attributes\u201d. They must be able to use those attributes to \u201clocate\u201d object metadata. 
Having done so, applications need to be able to understand what the known information content of the object is, and how they can reach it.<\/li>\n<li>Applications need to be able to register the information fields they can serve up.<\/li>\n<\/ul>\n<\/blockquote>\n<p>These are actually some of the key reasons I have been advocating for a new approach to developing identity services APIs for developers. We are actually very close in our thinking. Here are my thoughts:<\/p>\n<ul>\n<li>There should be a new generation of APIs that de-couple developers from dependence on particular vendor implementations, protocols, and potentially even data schemas when it comes to accessing identity information. Applications should be able to define their requirements for data and simply let the infrastructure deal with how to deliver it.<\/li>\n<li>Instead of thinking of core attributes as those attributes that are used in common (e.g. such as surname is likely the same everywhere). I would like to propose we alter the definition slightly in terms of \u201cauthoritativeness\u201d. Application developers should think about what data is core to their application. What data is the application authoritative for? If an application isn\u2019t authoritative over an attribute, it probably shouldn\u2019t be storing or managing that attribute. Instead, this \u201cnon-core\u201d attribute should be obtained from the \u201c<a href=\"http:\/\/independentidentity.blogspot.com\/2008\/03\/identity-network.html\"><font color=\"#6699cc\">identity network<\/font><\/a>\u201d (or metaverse as Kim calls it). An application\u2019s \u201ccore\u201d data should only be the data for which the application is authoritative. In that sense, I guess I may be saying the opposite of Kim. But the idea is the same, an application should have a sense of what is core and not core.<\/li>\n<li>Applications need to register the identity data they consume, use, and update. 
Additionally, applications need to register the transactions they intend to perform with that data. This enables identity services to be built around an application that can be performant to the application\u2019s requirements.<\/li>\n<\/ul>\n<p>What I have just described was actually part of the original inspiration behind <a href=\"http:\/\/www.projectliberty.org\/liberty\/strategic_initiatives\/identity_governance\" class=\"broken_link\"><font color=\"#666699\">CARML<\/font><\/a> (Client Attributes Requirements Markup Language) put forward by Oracle that the Liberty Alliance is working on now. It was our belief that in order to enable applications to connect to diverse identity service infrastructures, something like CARML was needed to make the identity network both possible, adaptive, and intelligent.<\/p>\n<p>But, while CARML was cool in itself, the business benefit to CARML was that knowing how an application consumes and uses identity data would not only help the identity network but it would also greatly improve the ability of auditors to perform privacy impact assessments.<\/p>\n<p>We\u2019ve recently begun an open source project at OpenLiberty called the <a href=\"http:\/\/www.openliberty.org\/wiki\/index.php\/IGF_Introduction\"><font color=\"#6699cc\">IGF Attribute Services API<\/font><\/a> that does exactly what Kim is talking about (by the way, I\u2019m looking for nominations for a cool project name &#8211; let me know your thoughts). The Attribute Services API is still in early development stages &#8211; we are only at milestone 0.3. But that said, now is a great time for broader input. I think we are beginning to show that a fully de-coupled API that meets the requirements above is possible and dramatically easier to use and yet at the same time, much more privacy centric in its approach.<\/p>\n<p>The key to all of this is to get as many applications as possible in the future to support CARML as a standard form of declaration. 
CARML makes it possible for identity infrastructure product vendors and service providers to build the <span>identity network<\/span> or next generation of metadirectory as described by Kim.<\/p><\/blockquote>\n<p>I haven\u2019t seen CARML &#8211; perhaps it is still a private proposal? [UPDATE: I\u2019ve been advised that CARML and the IGF Attribute Services API are the same thing.] I think having a richer common representation for people will be the most important ingredient for success. I\u2019m a little bit skeptical about confining developers to a single API &#8211; is this likely to fly in a world where people want to innovate? But details aside, it sounds like CARML will be a helpful input to an important industry discussion. Above all, this needs to be a wide-ranging and inclusive discussion, where we take lots of input. To get \u201cas many applications as possible\u201d involved we need to win the participation and support of application developers &#8211; this is not just an \u201cinfrastructure\u201d problem.<\/p>\n<p><strong>Now for something completely different.<\/strong><\/p>\n<p><img border=\"0\" align=\"right\" src=\"\/wp-content\/images\/2008\/04\/french.jpg\" alt=\"French Guards\" \/>It looks like Dave Kearns might be (?) mad at me\u2026 His recent post was entitled <a href=\"http:\/\/vquill.com\/2008\/04\/your-mother-was-hamster-and-your-father.html\" class=\"broken_link\">Your mother was a hamster and your father smelt of elderberries!<\/a> Of course I would have taken that as a compliment except that I recognized it from <a href=\"http:\/\/www.mwscomp.com\/movies\/grail\/grail-08.htm\">The Holy Grail Scene 8<\/a>, where the \u201cFrench Guard\u201d precedes it with, \u201c<em>I don\u2019t wanna talk to you no more, you empty headed animal food trough wiper! I fart in your direction.<\/em>\u201d<\/p>\n<p>The olive branch (or was it a birch rod?) 
to which Dave refers is this:<\/p>\n<blockquote><p>Kim has now responded (<a href=\"\/?p=947\"><font color=\"#0069c3\">\u201cThrough the looking glass<\/font><\/a>\u201d) to my Humpty Dumpty post, and we\u2019re beginning to sound like a couple of old <a href=\"http:\/\/en.wikipedia.org\/wiki\/Philosophes\"><font color=\"#0069c3\">philosophes<\/font><\/a> arguing about whether or not to include \u201cle weekend\u201d and \u201chamburguer\u201d and other <a href=\"http:\/\/www.btinternet.com\/~homepage\/sign23.htm\" class=\"broken_link\"><font color=\"#0069c3\">Franglais<\/font><\/a> in the French dictionary.<\/p>\n<p>We really aren\u2019t that far apart.<\/p>\n<p>In his post, Kim recalls launching the name \u201cmetadirectory\u201d back in \u201995 with <a href=\"http:\/\/www.craigburton.com\/about\"><font color=\"#0069c3\">Craig Burton<\/font><\/a> and I certainly don\u2019t dispute that. In fact, up until 1999, I even agreed somewhat with his definition:<\/p>\n<blockquote><p><em>\u201cIn my world, a metadirectory is one that holds metadata &#8211; not actual objects, but descriptions of objects and their locations in other physical directories.\u201d<\/em><\/p><\/blockquote>\n<p>But as I continued in that Network World <a href=\"http:\/\/www.networkworld.com\/archive\/1999b\/0719kearns.html\" class=\"broken_link\"><font color=\"#0069c3\">column<\/font><\/a>:<\/p>\n<blockquote style=\"font-style: italic\"><p>\u201cUnfortunately, vendors such as Zoomit took the term \u2018metadirectory\u2019 and redefined it so it could be used to describe what I\u2019d call an \u00fcberdirectory &#8211; a directory that gathers and holds all the data from all your other directories.\u201d<\/p><\/blockquote>\n<p>Since no one took up my use of \u201cuberdirectory,\u201d we started using \u201cmetadirectory\u201d to describe the situations which required a new identity store and \u201cvirtual directory\u201d for those that didn\u2019t.<\/p>\n<p>So perhaps we\u2019re just another 
couple of <a href=\"http:\/\/www.wordinfo.info\/words\/index\/info\/view_unit\/1\/?letter=B&amp;spage=3\"><font color=\"#0069c3\">blind men trying to describe an elephant<\/font><\/a>.<\/p><\/blockquote>\n<p>Gee &#8211; have we been having this discussion ever since 1999? Look &#8211; I agree that we are both dealing with legitimate aspects of the elephant. Olive branch accepted.<\/p>\n<p>Now that that\u2019s out of the way, maybe I can call upon Dave to lay down his birch rod too. He keeps saying I propose \u201ca directory that gathers and holds <strong><em>ALL<\/em><\/strong> the data from <strong><em>ALL<\/em><\/strong> your other directories.\u201d Dave, this is just untrue and unhelpful. \u201c<em><strong>ALL\u201d<\/strong><\/em> was <em>never<\/em> the goal &#8211; or the practice &#8211; of metadirectory, and you know it. The goal was to represent the \u201cobject core\u201d &#8211; the attributes shared across many applications and that need therefore to be kept consistent and synchronized if stored in multiple places. 
Our other goal was to maintain the knowledge about what objects \u201cwere called\u201d in different directories and databases (thus the existence of \u201cconnector space\u201d).<\/p>\n<p>Basically, the \u201cALL\u201d argument is a red herring (and if you want, you can say <strong><em>hareng rouge<\/em><\/strong> instead\u2026)<\/p>\n","protected":false},"excerpt":{"rendered":"<p>To get \u201cas many applications as possible\u201d involved, we need to win the participation and support of application developers &#8211; this is not just an \u201cinfrastructure\u201d problem.<\/p>\n","protected":false},"author":68,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,58],"tags":[],"_links":{"self":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/970"}],"collection":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/users\/68"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=970"}],"version-history":[{"count":0,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=\/wp\/v2\/posts\/970\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=970"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identityblog.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}