
Plenary - Boundaryless Information Flow: Keeping IT Secure

Day 3: Wednesday 5th February 2003

Conference Home Page

Proceedings Index


The Evolution of Identity Management in a Web Services World

Justin Taylor



Keynote Presentation: The Evolution of Identity Management in a Web Services World

Justin Taylor, Chief Strategist for Directory Services, Novell

This presentation acted as a plenary introduction to the subsequent meeting on Identity Management.

The presentation followed a short video that brought together a variety of excerpts from previous conference presentations on the theme of messaging.

One of the things driving identity management is the move to Web Services - a world where things are very loosely coupled.  Up until now the Directory Services world has assumed a more stable relationship between the client and the directory.

The world is no longer made up of users - it is made up of identities, where an identity is a representation of an entity, such as a user, an organization, computer, PDA, cell phone, an item of software.

An identity is made up of a principal; the credentials needed to authenticate and verify the principal, which may be many different things, such as a smart card or a fingerprint; the roles that the entity can occupy; and the attributes that describe the entity, which may vary according to the role in play.

He introduced 'Taylor's Law of Directories': the value of a directory is measured by the number of relationships it manages and the new applications that result.  Given that the identities are many and varied, as already described, the real role of the directory is to manage the relationships between them.

An identity in a Web Services world needs to be:

  • Consumable by any service - currently there are many systems that are incompatible with each other and do not interoperate.
  • Consumable over any protocol.
  • Expandable to include many different types of data - pictures, for example.
  • Capable of fitting into different hierarchies; one of the failures of X.500 was that it assumed that everything could fit into a single hierarchy; not that hierarchies are bad, but that they are too constraining.
  • Controlled by policy, both business and personal.  Policies are needed for Web services, and this extends to identity: policies will be set up corporately in a business environment and managed by the individual for a personal identity.
  • Context driven - the context in which an identity is used will affect considerably the way in which it is used.  Identity management systems need to be flexible enough to reflect the complexity of the real world, in which the relationships between people and within organizations can be many and varied.
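As an added illustration (not part of the presentation or of any Novell product), the identity model above and the requirements in this list can be sketched in Python: a principal with several credentials, roles with role-scoped attributes, placement in more than one hierarchy, and a context-driven policy that decides which credential is strong enough for a context and which attributes a service may receive. All names, secrets, attribute values and hierarchy paths are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional, Set
def digest(secret: str) -> str:  # credentials are stored as digests, never as raw secrets
    return hashlib.sha256(secret.encode()).hexdigest()

@dataclass
class Identity:
    principal: str
    credentials: Dict[str, str]            # credential type -> digest of the secret it proves
    roles: Set[str]                        # roles the entity can occupy
    attributes: Dict[str, Dict[str, str]]  # role -> attributes, since they vary by role
    hierarchies: Dict[str, str]            # hierarchy name -> path: one identity, many trees
# Context-driven policy (constructed): the business sets the corporate rule, the
# individual sets the personal one. Each names the role in play, the credential
# type strong enough for that context, and the attributes that may be released.
POLICY = {
    "corporate": {"role": "employee", "credential": "smartcard", "release": {"employee_id", "department"}},
    "personal": {"role": "customer", "credential": "password", "release": {"nickname"}},
}

def authenticate(identity: Identity, cred_type: str, secret: str) -> bool:
    expected = identity.credentials.get(cred_type)
    return expected is not None and hmac.compare_digest(expected, digest(secret))

def release(identity: Identity, context: str, cred_type: str, secret: str) -> Optional[Dict[str, str]]:
    """Attributes a service acting in `context` may receive, or None if refused."""
    rule = POLICY.get(context)
    if rule is None or rule["credential"] != cred_type:
        return None                      # no policy for this context, or credential too weak
    if not authenticate(identity, cred_type, secret):
        return None
    role = rule["role"]
    if role not in identity.roles:
        return None                      # the entity cannot occupy the role this context needs
    return {k: v for k, v in identity.attributes.get(role, {}).items() if k in rule["release"]}

def locate(identity: Identity, hierarchy: str) -> Optional[str]:
    return identity.hierarchies.get(hierarchy)   # same identity, whichever tree the caller uses
# Constructed sample identity, not taken from the presentation.
ALICE = Identity(
    principal="alice",
    credentials={"smartcard": digest("card-pin-1234"), "password": digest("correct horse")},
    roles={"employee", "customer"},
    attributes={"employee": {"employee_id": "E123", "department": "Directory Services", "salary": "55000"},
                "customer": {"nickname": "ali", "home_phone": "555-0100"}},
    hierarchies={"org": "ou=engineering,o=example", "project": "cn=identity,ou=projects,o=example"},
)
```

Note that the salary and home phone never leave the directory: the policy, not the requesting service, decides what is released in each context.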

The move to Web Services is helping to accelerate the change in deployment scenarios:

  • Integrated deployments using meta-directories versus rip-and-replace scenarios
  • Starting deployments on a departmental basis and later integrating them into the whole
  • Taking a federated identity approach not only to the locations of the identity principal, but also to where the data actually resides (i.e. a virtual directory)

New XML-based protocols are changing the market place for the better:

  • XML will replace LDAP as the de facto standard for identity management over the next 3 to 5 years
  • Open standards such as SAML and WS-Security will become the basis for access control solutions
  • Technologies such as Liberty will dramatically change the way people view identity. At the same time we have to look at other standards.  Some customers have a very fixed commitment to Liberty, others to Passport.  A business cannot avoid the millions of people that are using other systems.

There are many challenges to making identity management work in the new Web services world.  One key challenge is that Web services standards are still new, and technology evolution needs to continue to support Web Services protocols.  Certification programs to certify deployment methodologies are still lacking: customers do not know whether or not they are conforming to a specification.  The overriding principle is that simplicity is key to it all.

Questions

Q: Marty Schleiff, Boeing: It is possible to authenticate a person; how can an application be authenticated?

A: We're starting to adopt UDI as a standard for applications and to build it on top of directories.  I haven't seen anyone yet using a certificate for an application.



© The Open Group 1995-2012  Updated on Tuesday, 25 March 2003