02.23.07

The Internet Identity Explosion and the Bandit Project

Posted in identity at 12:49 am by

There has been a huge flurry of activity in the Internet identity space in recent months, mostly around convergence, working code, and actual deployments.

Since I am an unashamed Bandit, I am sometimes asked “where does the Bandit project fit in all this?” I think that it fits in three ways:

First, Bandit supports the above-mentioned projects and convergence points.

We participate in the community as much as we can, and we are one of the few projects I have seen that will actively contribute code to other projects. We NEED this stuff to work coherently and we work to accelerate convergence where possible.

In some ways the Bandit project is much like our close ally, the Higgins Project. Both projects write open source code that glues together existing and future systems. Neither project pushes a particular protocol family or identity system. Higgins provides a framework that supports a common interface to multiple identity systems and protocol families. Bandit needs such a framework, so we contribute to Higgins to help it get done faster. We work with Higgins on other shared components as well.

We are also excited to work with the new Pamela Project. It fills a very important need for consistent relying party code that is usable, robust, and handles evolutionary accounts from existing silos to the emerging identity systems. Relying parties need consistent user experience too.

Most projects that we work with are open source. I personally would want my identity information handled by open source software. I also think that open source development is particularly good at interoperable components of distributed systems — like identity systems.

Second, Bandit adds a layer of open source components for consistent authentication, authorization and audit capabilities.

You might say that accelerating convergence, contributing code to other projects, and some authentication code are necessary before we can build effective authorization and audit components. We need a cohesive, distributed identity system. But we also know that when we get such a system, some critical issues involving authentication, authorization, and audit will surface.

Bandit focuses on simple, reusable components for authentication, authorization, and audit. These capabilities are most recognized as needed in enterprise identity systems, but I think they will be needed in other places as well. The recent experiences of the Bandit team and others are confirming this. Once applications or services (web based or otherwise) start to actually be used by more than a few users and sources of identity, they immediately find they need a general, scalable solution for authorization and audit.

Authorization means determining whether a particular user can perform an operation. Most network services really support authorization based on something like a role. For example, a wiki may have a notion of an administrator, an editor, and a reader. The Bandit Role Engine will allow a sysadmin great power and flexibility in how to map security tokens, claims, and other information into the native roles of the system.

Auditing is needed to provide a record of who did what. In the case of most of the emerging Internet identity systems we are particularly interested in providing a record for the user of what a service has agreed to do for them. Think of it (in the insight of Bob Blakley) as the receipt from a Relying Party. Audit records are also needed (like a cash register receipt log) to help a service prove compliance with various accounting regulations.
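
To make the two ideas above concrete, here is an added sketch (not Bandit code and not the Role Engine's API) that maps claims onto the wiki's administrator, editor, and reader roles and returns an audit record that doubles as the user's receipt. The rule format, claim names, the idp.example.org issuer, and the hash chaining of records are all assumptions made for this illustration.

```python
import hashlib, json

# Hypothetical policy: rules map required claim values to the wiki's native roles.
ROLE_RULES = [
    ({"issuer": "https://idp.example.org", "group": "wiki-admins"}, "administrator"),
    ({"issuer": "https://idp.example.org", "group": "staff"}, "editor"),
    ({"email_verified": True}, "reader"),
]
PERMISSIONS = {"administrator": {"read", "edit", "delete"},
               "editor": {"read", "edit"},
               "reader": {"read"}}

def map_roles(claims):
    """Return every native role whose rule is fully satisfied; no match means no role."""
    return {role for required, role in ROLE_RULES
            if all(claims.get(k) == v for k, v in required.items())}

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only log; each record embeds the previous record's hash."""
    def __init__(self):
        self.records = []

    def append(self, subject, operation, allowed, roles):
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        body = {"subject": subject, "operation": operation,
                "allowed": allowed, "roles": sorted(roles), "prev": prev}
        record = dict(body, hash=_digest(body))
        self.records.append(record)
        return record  # doubles as the receipt handed back to the user

    def verify(self):
        """Recompute the chain; an edited record, or one removed from the middle, breaks it."""
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or _digest(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def handle(log, claims, operation):
    """Authorize one operation (deny by default) and record the decision."""
    roles = map_roles(claims)
    allowed = any(operation in PERMISSIONS[r] for r in roles)
    return log.append(claims.get("sub", "unknown"), operation, allowed, roles)
```

Denied requests are logged as well as allowed ones, so the same log serves both the user's receipt and the service's compliance record.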

Bandit is not limited to these components or use cases, but they illustrate the point. From the main project page:

Bandit is a set of loosely-coupled components that provide consistent identity services for Authentication, Authorization, and Auditing.

Third, the Bandit Project is a conduit between developers and those who make these systems work in real deployments.

The Bandit Project works with Novell product teams, other vendors, and current and future customers to determine what still needs to be done to make these identity systems work in real deployments. This will be an increasing emphasis of the Bandit Project this year.

More on this third point in the next post.

6 Comments »

  1. Kim Cameron’s Identity Weblog » Understanding Bandit said,

    February 24, 2007 at 3:37 pm

    [...] There’s so much going on around identity these days, that it’s easy to lose track of how the different pieces fit together.  Here’s a posting by Novell’s Dale Olds that tells us all about Bandit. There has been a huge flurry of activity in the Internet identity space in recent months mostly around convergence, working code, and actual deployments. [...]

  2. It’s all about Bandit, Higgins, OpenID and Microsoft but where is IBM? « Zingle by Semcon said,

    February 26, 2007 at 1:47 am

    [...] It’s all about Bandit, Higgins, OpenID and Microsoft but where is IBM? Dale Olds posted another great post about Bandit the other day. And as we all know by now AOL is supporting OpenID. Microsoft has their cardspace that is getting around more and more, well at least wordpress supports it. Seeing how Bandit, Higgins, OpenID etc more and more starts to co-operate with each other it makes me wonder which approach IBM will take to this. Does IBM have any plans to provide the world with any identity storage where the identity is owned by the user and not the system? How will TIM, TAM or any other Tivoli IAM product for that matter make sure that they provide this possibility to the end user? [...]

  3. kevin said,

    February 28, 2007 at 9:29 am

    I’m trying to figure out where IBM and CA (SiteMinder/TransactionMinder) are too! Anyone?

  4. dale said,

    March 2, 2007 at 5:49 pm

    Kevin and, um, Zingle,

    Thanks for the comments! I really can’t speak for the overall strategy of either company mentioned, but both are active in the Higgins project.

    IBM has been a major supporter and code contributor. A number of project and component leads are IBM employees. Please check out this page:

    http://www.eclipse.org/higgins/team-leaders.php

    As for CA, they are active as well and have contributed to weekly development calls and face-to-face meetings.

  5. CQ2 » Novell and OpenID said,

    March 6, 2007 at 11:06 am

    [...] Posts here and here. [...]

  6. dale olds’ virtualsoul » Bandit, Community, and Corporate Deployments said,

    July 22, 2008 at 6:05 pm

    [...] my last post, I talk about three ways that the Bandit Project is contributing to emerging Internet identity [...]
