The directory as graph

Security Identity Management Alert By Dave Kearns, Network World
May 27, 2011 06:03 AM ET

The foundation for security and enterprise management

Last issue I left you with the tagline, "But what will that future directory look like?" At the recent European Identity Conference (EIC) Michael Schwartz, CEO of GLUU -- with help from Drummond Reed, co-chairman of two OASIS Technical Committees: XRI (Extensible Resource Identifier) and XDI (XRI Data Interchange) -- presented a workshop on "Directories & Federation." The model he described was neither the so-called "LDAP model" of a hierarchical, object-oriented directory, nor the standard Relational Database (RDBMS) model of a data store.

Instead, Schwartz talked about the XRI/XDI model as the basis for the data we think of as being in a directory (identifiers and attributes).

In XDI, data is held neither in a tree (like LDAP) nor in a table (like an RDBMS), but in a structure called a "graph." In many ways it resembles the structure of the semantic Web, or what we often see labeled as a "social graph" (the connections between and among Facebook, Twitter, MySpace, Flickr, YouTube, etc. -- the "social networking" sites).

Reed published an excellent paper on this a couple of months ago ("XDI Graph Patterns") which you should read to get the full flavor (and to see the illustrations of the structure).

In essence, data items (called "nodes") can be connected to other data in three ways: by a relational link, a contextual link or a literal link. XDI statements take the form subject/predicate/object, where the subject "connects" to the object in some way. An example that Schwartz gave was "=schwartz/+age/(data:,40)": that is, the subject Michael Schwartz has the attribute age, whose (current) value is 40.

In his presentation, Schwartz went through the various methods currently used for Federation and showed how each has drawbacks that can be overcome using XDI. He then showed the superior benefits of using XDI (see Reed's paper, cited above, for full definitions):

• Semantics

• Authorization

• Performance

• Privacy Protection

• Internet Scalability

• OASIS XRI 3.0 / XDI 1.0

He followed up by showing how easy it is to use XDI -- there are, for example, just five operations: $get, $add, $mod, $del, and $do.
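The statement form described above (subject/predicate/object, with contextual, relational and literal links) and the five operations named here, as an added Python example that is not code from the column, from Schwartz's workshop or from the OASIS XDI specification. It is a simplified in-memory model: the "(data:,value)" literal shape comes from the column's own example, while the use of "()" as the contextual predicate, the reading of $do as an atomic batch of the other operations, and the constructed statements about =reed and an email address are assumptions made for this example, not specification behaviour.

```python
import copy
import re
from typing import Callable, Dict, List, Optional, Tuple

# A node is keyed by its identifier (e.g. "=schwartz"); its outgoing links are
# (predicate, object, kind) triples, where kind is one of the three link types
# named in the column: "contextual", "relational" or "literal".
Graph = Dict[str, List[Tuple[str, str, str]]]

# Literal objects follow the "(data:,value)" shape of the column's example.
LITERAL_RE = re.compile(r"^\(data:,(.*)\)$", re.DOTALL)
# Assumption for this example: a predicate of "()" marks a contextual link.
CONTEXT_PREDICATE = "()"

# Constructed sample statements; the "+age" literal is the column's example.
SAMPLE_STATEMENTS = [
    "=schwartz/()/+age",
    "=schwartz/+age/(data:,40)",
    "=schwartz/+friend/=reed",
    "=schwartz/+email/(data:,mike@example.invalid)",
]


def parse_statement(text: str) -> Tuple[str, str, str]:
    """Split 'subject/predicate/object'. Only the first two slashes separate
    the parts, so a literal such as (data:,http://x/y) keeps its own slashes."""
    parts = text.split("/", 2)
    if len(parts) != 3 or not all(parts):
        raise ValueError(f"not a subject/predicate/object statement: {text!r}")
    return parts[0], parts[1], parts[2]


def link_kind(predicate: str, obj: str) -> str:
    """Classify a link by its object (literal) or its predicate (contextual)."""
    if LITERAL_RE.match(obj):
        return "literal"
    if predicate == CONTEXT_PREDICATE:
        return "contextual"
    return "relational"


def literal_value(obj: str) -> Optional[str]:
    m = LITERAL_RE.match(obj)
    return m.group(1) if m else None


def xdi_add(graph: Graph, text: str) -> str:
    """$add: insert a statement; refuses a second literal on the same predicate."""
    s, p, o = parse_statement(text)
    kind = link_kind(p, o)
    links = graph.setdefault(s, [])
    if kind == "literal" and any(lp == p and lk == "literal" for lp, _, lk in links):
        raise ValueError(f"{s}/{p} already holds a literal; use $mod to change it")
    if (p, o, kind) not in links:
        links.append((p, o, kind))
    if kind != "literal":
        graph.setdefault(o, [])  # the object of a non-literal link is itself a node
    return kind


def xdi_get(graph: Graph, subject: str, predicate: Optional[str] = None) -> List[str]:
    """$get: objects linked from subject, optionally filtered by predicate.
    Literals come back as bare values, other objects as node identifiers."""
    out = []
    for p, o, kind in graph.get(subject, []):
        if predicate is None or p == predicate:
            out.append(literal_value(o) if kind == "literal" else o)
    return out


def xdi_mod(graph: Graph, text: str) -> bool:
    """$mod: replace the literal stored at subject/predicate; False if absent."""
    s, p, o = parse_statement(text)
    if link_kind(p, o) != "literal":
        raise ValueError("$mod changes literal values only in this model")
    links = graph.get(s, [])
    for i, (lp, _, lk) in enumerate(links):
        if lp == p and lk == "literal":
            links[i] = (p, o, "literal")
            return True
    return False


def xdi_del(graph: Graph, text: str) -> bool:
    """$del: remove one statement; False if it was not present."""
    s, p, o = parse_statement(text)
    links = graph.get(s, [])
    kept = [link for link in links if not (link[0] == p and link[1] == o)]
    graph[s] = kept
    return len(kept) < len(links)


MUTATORS: Dict[str, Callable[[Graph, str], object]] = {
    "$add": xdi_add, "$mod": xdi_mod, "$del": xdi_del}


def xdi_do(graph: Graph, operations: List[Tuple[str, str]]) -> bool:
    """$do, modelled here (assumption) as an atomic batch of (op, statement)
    pairs: any failure restores the graph and returns False."""
    snapshot = copy.deepcopy(graph)
    try:
        for op, stmt in operations:
            if op not in MUTATORS:
                raise ValueError(f"unknown operation {op!r}")
            MUTATORS[op](graph, stmt)
    except ValueError:
        graph.clear()
        graph.update(snapshot)
        return False
    return True


def build_sample_graph() -> Graph:
    graph: Graph = {}
    for stmt in SAMPLE_STATEMENTS:
        xdi_add(graph, stmt)
    return graph


if __name__ == "__main__":
    g = build_sample_graph()
    for node, links in g.items():
        for p, o, kind in links:
            print(f"{node}/{p}/{o}  [{kind}]")
    print("age:", xdi_get(g, "=schwartz", "+age"))
```

Run stand-alone it prints every link with its kind, then the age value. The point worth noticing for federation is that $get hands back whatever a subject links to, literal or node; the authorization and privacy-protection benefits the workshop lists would sit in front of this store before it is exposed to other parties.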

I wasn't totally convinced that we can replace all of our directory datastores just yet, but Schwartz did make a strong case for using XDI for Federation. I'd be willing to give it a try.

Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
