Monthly Archives: January 2009

First Identity Selector in a Linux Distribution: DigitalMe in OpenSUSE 11.1

As my last post shows, I’ve been thinking a lot lately about the evolution of identity services over time. I’m currently researching and thinking about how identity services should integrate with the emerging cloud computing paradigm. However, sometimes we get working in the daily grind, the months and years go by, and we can miss significant milestones, like this one:

geekoWhen OpenSUSE 11.1 was released on December 18th 2008, it included the DigitalMe identity selector in the main repository.

I guess it could be said that OpenSUSE 11.0 was the first Linux distribution to support an identity selector, but it wasn’t in the main repository when 11.0 was released, so I’m going with OpenSUSE 11.1.

digitalme logoWhat this means is that users of OpenSUSE 11.1 can install and run DigitalMe as easily as Firefox or Open Office or any other package. Just open up the package manager, search for digitalme and install. There are actually two packages that start with digitalme. One is the identity selector itself and the other is the Firefox addon. If you install the digitalme-firefox package, the selector is installed automatically. And you are automatically notified of updates!

Thanks to Andrew Hodgkinson for making DigitalMe happen, and getting it packaged for OpenSUSE!

(Andy, I think you may be due to update your blog. Your regular rate of one post every 1.5 years appears to have slowed.)

As always, thanks to the Higgins project for hosting most of the source code used to build digitalme, and for their support and collaboration.

Identity Services: Being vs Doing

Eric and Dave have recently written about their views of the waves of identity. Dave’s post gave me a wave of nostalgia since it mentioned both the NetWare Bindery and Novell Directory Services. Sometimes it feels like I’ve been around as long as Dave.

Mr Peabody, set the Wayback Machine for somewhere near 1990…

My first server-side coding assignment at Novell was to show that the Bindery could be separated from the core NetWare OS and into a loadable module (NLM) — thus showing that a directory services NLM could be developed by another team of engineers in parallel with the next version of NetWare. I think my prototype was initially done on the NetWare 3.0 codebase, but it was a long time ago. I do remember that, after my prototype worked, the task of doing it “for real” was assigned to a member of the core OS team, and they threw out my code. Sigh. Nevertheless, what became known as the “name services” interface in NetWare 3.1 enabled a team of misfits to start coding something called Global Directory Services. By the time it shipped it was called NetWare Directory Services, then Novell Directory Services, then eDirectory. I worked on that code for most of the 90s as it changed to support new upstart protocols like LDAP, and new platforms like Windows NT and Linux.

Now I work on Identity Services, including newfangled concepts like federation, information cards, OpenID, and OAuth, and projects like Bandit, Higgins, OSIS, etc.

I think I can see both Eric’s and Dave’s perspectives.

I don’t know how or if the waves should be divided up, but it seems to me that in the 90s we were working on Directory Services — i.e. a standard model for identity data (generally around x.500) and systems to access that identity data (LDAP, meta/virtual/directories). This roughly corresponds to Dave’s first 3 waves.  With the appearance of federation protocols and the Liberty Alliance, the industry started layering an Identity Provider Model on top of Directory Services. Information Cards and OpenID are more recent additions to that model.  This could be Eric’s first wave of Identity after 3 waves of Directory Services.

But what really matters to me is Eric’s point about identity state vs identity action. Right on. It  may be useful to make a distinction between Directory Services (which allow applications to access identity data), and Identity Services (which perform identity actions). The Identity Provider Model was necessary to get to identity services, if for no other reason than that it externalized authentication — but that’s a post for another day.

To do is to be – Nietzsche
To be is to do – Sartre
Do be do be do – Sinatra

The Bandit project has built an identity services interface layer called OTIS (Onramp to Identity Services). We have been asked how it differs from a virtual directory, and the answer is exactly relevant to this discussion. OTIS provides open interfaces to identity services (actions). A virtual directory gives access to identity data. Both have valid uses, and, in fact, identity services are generally layered on directory services (identity actions based on identity data).

So we have moved from Directory Services, to an Identity Provider Model. Now we need to determine what identity services are needed to enable network services to focus on doing useful things, rather than handling identity data, regardless of whether it’s wave 2 or 5.

Information Card breakthrough with Novell Access Manager 3.1

There have been a number of articles in the press over past few weeks about the release of Novell’s Access Manager 3.1. The articles by John Fontana at NetworkWorld and by Sean Michael Kerner at are well worth reading. Both articles mention new features in the product, it’s interoperability with Microsoft products via open standards, and (my favorite) how code from the Bandit project relates to the product.

Yesterday, Dave Kearns posted his comments about Novell Access Manager 3.1 from his popular newsletter. Some excerpts:

The real breakthrough for me, at least in terms of Microsoft services, was Novell’s inclusion of Windows CardSpace as an authentication type for its multifactor authentication. Novell, through its sponsorship of the Bandit Project, has been in the forefront of information card technology, and this release of Access Manager makes it easy for identity technology managers to add this factor to their risk-based authentication schemes.

This may well be the first CardSpace implementation in a business-focused product by a non-Microsoft vendor. Now that is “ground breaking”.

A solid enterprise product, supported by a leading IAM vendor, and implementing open standards in conjunction with open source implementations — this does seem to me to be another significant step in moving to new-paradigm identity systems.

What are the next steps for 2009?