Identity Services: Being vs Doing

Eric and Dave have recently written about their views of the waves of identity. Dave’s post gave me a wave of nostalgia since it mentioned both the NetWare Bindery and Novell Directory Services. Sometimes it feels like I’ve been around as long as Dave.

Mr Peabody, set the Wayback Machine for somewhere near 1990…

My first server-side coding assignment at Novell was to show that the Bindery could be separated from the core NetWare OS and into a loadable module (NLM) — thus showing that a directory services NLM could be developed by another team of engineers in parallel with the next version of NetWare. I think my prototype was initially done on the NetWare 3.0 codebase, but it was a long time ago. I do remember that, after my prototype worked, the task of doing it “for real” was assigned to a member of the core OS team, and they threw out my code. Sigh. Nevertheless, what became known as the “name services” interface in NetWare 3.1 enabled a team of misfits to start coding something called Global Directory Services. By the time it shipped it was called NetWare Directory Services, then Novell Directory Services, then eDirectory. I worked on that code for most of the 90s as it changed to support new upstart protocols like LDAP, and new platforms like Windows NT and Linux.

Now I work on Identity Services, including newfangled concepts like federation, Information Cards, OpenID, and OAuth, and projects like Bandit, Higgins, OSIS, etc.

I think I can see both Eric’s and Dave’s perspectives.

I don’t know how or if the waves should be divided up, but it seems to me that in the 90s we were working on Directory Services — i.e. a standard model for identity data (generally around X.500) and systems to access that identity data (LDAP, meta/virtual directories). This roughly corresponds to Dave’s first 3 waves. With the appearance of federation protocols and the Liberty Alliance, the industry started layering an Identity Provider Model on top of Directory Services. Information Cards and OpenID are more recent additions to that model. This could be Eric’s first wave of Identity after 3 waves of Directory Services.

But what really matters to me is Eric’s point about identity state vs identity action. Right on. It may be useful to make a distinction between Directory Services (which allow applications to access identity data), and Identity Services (which perform identity actions). The Identity Provider Model was necessary to get to identity services, if for no other reason than that it externalized authentication — but that’s a post for another day.

To do is to be – Nietzsche
To be is to do – Sartre
Do be do be do – Sinatra

The Bandit project has built an identity services interface layer called OTIS (Onramp to Identity Services). We have been asked how it differs from a virtual directory, and the answer is exactly relevant to this discussion. OTIS provides open interfaces to identity services (actions). A virtual directory gives access to identity data. Both have valid uses, and, in fact, identity services are generally layered on directory services (identity actions based on identity data).

So we have moved from Directory Services, to an Identity Provider Model. Now we need to determine what identity services are needed to enable network services to focus on doing useful things, rather than handling identity data, regardless of whether it’s wave 2 or 5.