A GPL counterpoise to Active Directory.

g.w at hurderos.org
Sun Jul 4 17:19:15 EDT 2004


Good afternoon to everyone that may be listening, hope that your day
is going well.  After finishing a nice breakfast with home-made
hashbrown potatoes I thought I should get this note distributed to
people who may be interested.

On July 4th, 2004 the initial GPL source release of the Hurderos
Project occurred.  To cut to the chase, as the subject of this note
suggests, the purpose of this project is to produce a GPL based
alternative for identity, service and authorization management.

To expedite things for people who bore easily the following links will
be useful:

     Project WEB site:          http://www.hurderos.org
     FTP Server:                ftp://ftp.hurderos.org

A number of different motivations are behind this work.  First and
foremost was the desire to increase the ability of Open-Source and
Open-Architecture solutions to penetrate the enterprise.  Experiences
in enterprise architecture development have led us to the certain
belief that a robust solution in this space is essential for the
longevity of OSS in the enterprise.

Additional motivation was provided to me after sitting in Snowmass,
Colorado several years ago listening to the MACE/Shibboleth group
discuss problems in the identity federation space.  It became obvious
that one way to differentiate Open-Source was to provide a robust,
standards-based approach to the perennial problem of managing user
identities and the services they should have access to.

The final and perhaps most significant motivation was an extreme
concern over the potential hegemony that a product like Active
Directory may have in the enterprise.  There have been a number of
people that dismiss these concerns but anyone who works in the field
of enterprise architecture and middleware knows how encompassing and
exclusive middleware technology can be.

Open-Source has the potential to win very big in a field that has long
been confounded by proprietary applications and technology.  The
barrier to single-identity solutions in the past has always been
providing support for legacy and proprietary applications.  With the
industry moving headlong toward WEB based delivery technologies and
with the continued growth and acceptance of OSS as an enterprise
platform the community has the potential to solve this long-standing
problem.

The initial source release of Hurderos provides sample functionality
of the four basic components of the system:

        1.) Identity and Services Management Engine (ISME)
        2.) Graphical Management Client (GUI)
        3.) Service Provisioning Layer (SPL)
        4.) API library (KerDAP)

ISME is managed via XML commands sent over a GSSAPI authenticated and
protected conduit.  In turn ISME drives service provisioning using
data encoded in various XML encapsulation dialects.  For example the
provisioning of directory services is encoded in the Directory
Services Markup Language (DSML).

ISME currently has the ability to provision Kerberos based
authentication identities in an MIT based KDC.  Since the provisioning
requests encode conceptual operations, i.e. create principal with
designated password, alternate Kerberos implementations such as
Heimdal can be supported with an appropriate SPL plugin.  The desire
is to overcome the long-standing problem of multiple and incompatible
management interfaces for KDC implementations.

It should be stressed at the outset that this is a very preliminary
release to demonstrate component functionality and the hierarchical
identity strategy that Hurderos is based on.  It should not be
considered for any type of production environment.  Patches to assist
in attaining the goal of production status will be welcomed.

The Project web-site has a white paper which extensively discusses the
identity generation and privacy model which we feel is a unique aspect
of Hurderos.  The authorization strategy flows naturally from the
identity model and leverages the strengths of LDAP and Kerberos
without requiring changes to these core system components or the use
of proprietary data authorization structures.

Hurderos was designed to provide enabling technology for initiatives
such as the Liberty Alliance and Shibboleth which are engaged in
solving problems in federated identity exchange.  The important issue
of targeted vs. non-targeted identities flows naturally from the
identity generation model.

The white paper discusses the Reciprocal Identity Management (RIM)
problem which must be overcome in order to provide bi-lateral user
control and authorization in a federated identity environment.  The
Hurderos identity model provides a strategy and mechanism for
instantiating privacy protected identities in a cooperative fashion.

A copy of this announcement is being sent to the MACE group for
distribution in whatever way it sees fit.  It was indicated to me that
the Shibboleth group may be interested in all this but it would appear
that there is not a general way of getting announcements to those
lists.

The Hurderos Project welcomes contributions from anyone who is
interested in participating in developing a solution in this space.
While a GPL project in and of itself it should be emphasized that the
architecture was designed to provide a system for interfacing with
proprietary directory technologies and applications.

Comments, questions and patches can be directed to:

          g.w at hurderos.org

Thank you and best wishes for a productive week.

As always,
GW

------------------------------------------------------------------------------
                         The Hurderos Project
         Open Identity, Service and Authorization Management
                       http://www.hurderos.org

