The chaos surrounding the concepts and definitions of digital identities continues to grow. Many vendors, projects and organizations are trying to define the technologies that make up this space. In many ways, it reminds me of the network protocol explosion of the 1980s. The number of opinions is incalculable. Innumerable blogs, e-mail lists and Web sites are dedicated to this pursuit. As a result, we are seeing incredible, but disparate, inventions, technologies and standards being developed. The Bandit project creates a community that organizes and standardizes this expansion of identity-related technologies in an open way, promoting both interoperability and collaboration.
The Bandit project is the brainchild of Dale Olds, a Distinguished Engineer at Novell. It came from his experience in identity-related technologies such as Novell eDirectory, DNS and LDAP, as well as his participation in open source projects and standards. Dale realized that the technologies revolutionizing the digital world are based on open standards and projects, for example TCP/IP, DNS, HTTP, HTML, XML and SSL. Applications developed on these open standards enable interoperability, thus mainstreaming and popularizing a TCP/IP-based network into the Internet as we now know it.
This network fabric is a fundamental part of modern networks, and we see the same phenomenon happening in the identity domain. This expansion of identity technologies is creating the identity fabric. Like the network fabric, the identity fabric has many strands that make it functional. The Bandit project's purpose is to help build this fabric by focusing on several threads of identity technology. The maintainers and contributors of Bandit have expertise in common identity, authentication, authorization, auditing and compliance. The Bandit project is not limited to these technologies and will do all it can to help the identity fabric grow. We are creating a community of individuals, projects and companies who are interested in sharing and promoting identity-related technologies and fostering an environment where everyone can contribute.
Over time, the name of the project became Bandit. The name was seeded by a comic strip from the New Yorker magazine entitled "On the Internet, Nobody Knows You're a Dog."
It evolved further by incorporating the idea from the Internet Identity Workshop of a dog with a human mask sitting in front of a computer. After much deliberation, and following open source project naming practices, it was decided to focus on dog names. Bandit was chosen because it is a common dog name and also implies the nature of establishing identity by the masks we wear.
The current focus of Bandit is to create completely open source components or libraries, detailed below. These components are based on open standards and other open source projects. They will then be added to other projects and products to promote standardization and adoption.
The common identity component provides an API or object that normalizes identity data from different sources into a common identity, a virtual identity object. Originally called the Identity Abstraction, this component has evolved over the last six months. In some ways, it is similar to the Java Naming and Directory Interface (JNDI), but the project is developing an identity-related abstraction in all languages and on all platforms. In February, the Bandit team became involved with the Higgins open source project. Since Higgins has the same goals as the common identity component, we decided against creating a similar project, choosing instead to collaborate. Applications that use this framework gain the ability to assemble an identity from any identity vault (LDAP, SQL, XML, etc.).
As an example, many applications currently use LDAP APIs to retrieve identity information. This allows them to get identity data from any LDAP server. Similarly, when you use the common identity components you can retrieve data from any LDAP server as well as any other identity source. We are working with the Higgins project to finalize the definition of the Higgins framework. Bandit will then sponsor the implementation of context providers (the pluggable mechanism for communicating with different vaults) and ports to different languages and platforms.
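To make the idea of context providers concrete, here is a small added example (written for this article, not Bandit's or Higgins's own code) of an identity abstraction layer: two hypothetical providers, one normalizing LDAP-style multi-valued entries and one normalizing SQL-style rows, both producing the same virtual identity object. The provider interface, the `CommonIdentity` attribute set and the sample vault contents are all assumptions constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Protocol


@dataclass
class CommonIdentity:
    """Vault-independent view of a subject; the attribute set is an assumption."""
    identifier: str                 # id the caller asked for
    display_name: str
    email: Optional[str]
    groups: List[str] = field(default_factory=list)
    source: str = ""                # which context provider produced it


class ContextProvider(Protocol):
    """Pluggable adapter from one vault's native record shape (hypothetical interface)."""
    name: str

    def lookup(self, identifier: str) -> Optional[CommonIdentity]: ...


def _first(attrs: Dict[str, List[str]], key: str) -> Optional[str]:
    """LDAP attributes are multi-valued; take the first value if present."""
    values = attrs.get(key) or []
    return values[0] if values else None


class LdapContextProvider:
    """Normalizes LDAP-style entries (dn -> multi-valued attribute map)."""
    name = "ldap"

    def __init__(self, entries: Dict[str, Dict[str, List[str]]]):
        self._entries = entries

    def lookup(self, identifier: str) -> Optional[CommonIdentity]:
        for attrs in self._entries.values():
            if _first(attrs, "uid") == identifier:
                return CommonIdentity(
                    identifier=identifier,
                    display_name=_first(attrs, "cn") or identifier,
                    email=_first(attrs, "mail"),
                    groups=list(attrs.get("memberOf", [])),
                    source=self.name,
                )
        return None


class SqlContextProvider:
    """Normalizes rows from a users table joined with a membership table."""
    name = "sql"

    def __init__(self, users: List[Dict[str, str]], memberships: List[tuple]):
        self._users = users
        self._memberships = memberships      # (username, group) pairs

    def lookup(self, identifier: str) -> Optional[CommonIdentity]:
        for row in self._users:
            if row["username"] == identifier:
                return CommonIdentity(
                    identifier=identifier,
                    display_name=f"{row['first_name']} {row['last_name']}",
                    email=row.get("email"),
                    groups=[g for (u, g) in self._memberships if u == identifier],
                    source=self.name,
                )
        return None


class IdentityContext:
    """Asks each provider in turn; the application only ever sees CommonIdentity."""

    def __init__(self, providers: List[ContextProvider]):
        self._providers = list(providers)

    def resolve(self, identifier: str) -> Optional[CommonIdentity]:
        for provider in self._providers:
            identity = provider.lookup(identifier)
            if identity is not None:
                return identity
        return None


# Constructed sample vault contents for the demonstration (not real data).
LDAP_ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"],
        "cn": ["Alice Example"],
        "mail": ["alice@example.org"],
        "memberOf": ["cn=admins,ou=groups,dc=example,dc=org"],
    },
}
SQL_USERS = [{"username": "bob", "first_name": "Bob", "last_name": "Builder",
              "email": "bob@example.org"}]
SQL_MEMBERSHIPS = [("bob", "auditors"), ("bob", "staff")]


def build_context() -> IdentityContext:
    return IdentityContext([LdapContextProvider(LDAP_ENTRIES),
                            SqlContextProvider(SQL_USERS, SQL_MEMBERSHIPS)])


if __name__ == "__main__":
    ctx = build_context()
    for who in ("alice", "bob", "carol"):
        print(who, "->", ctx.resolve(who))
```

The application code calls only `IdentityContext.resolve`, so adding an XML or Kerberos-backed vault later means writing one more provider class rather than touching every caller; a lookup that matches no provider returns `None` instead of guessing.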
A year ago Novell started an open source project called the Common Authentication Services Adapter, CASA. CASA started by providing a common credential store for applications with a single GUI to manage secrets in various native stores. Thus CASA enabled applications to take advantage of SSO using a very simple API. Novell GroupWise, iPrint, iFolder, GnomeKeyRing in SUSE Linux Enterprise Desktop 10 and the Evolution e-mail client all use CASA for its credential storage capability. The CASA GUI provides users with a single place where they can manage credentials (add, delete, view, etc.) for native stores like kwallet, GKring and the Mozilla Password Manager. This technology is being extended to support authentication to various identity vaults, including LDAP and Kerberos, by providing an authentication selector mechanism. CASA will thus provide a common place for applications to use various authentication plug-ins without a major rewrite of their native client-server architecture. We believe this will enhance overall security by allowing a natural evolutionary path from a simple password-based client-server architecture to a more robust token-based authentication system. Once the common identity component is completed, CASA will be used to authenticate common identities.
Bandit currently does not provide authorization enforcement, but it does provide the necessary tools. This component is called the Role Engine, an implementation of the NIST Role-Based Access Control standard, with its policy and definition of permissions based on XACML. Applications can use the Role Engine to determine which identities are in which roles and what permissions they have. Applications can then enforce those permissions in a standard way. Roles can contain, and provide permissions for, common identities however those identities are defined.
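The split described above, where the engine only answers "which roles, which permissions" and the application does the enforcing, is easiest to see in code. The following is an added example written for this article, not the Bandit Role Engine: a minimal role engine in the shape of NIST hierarchical RBAC, where permissions are plain (operation, object) pairs standing in for XACML policies, senior roles inherit the permissions of their juniors, and the role and user names are constructed for the demonstration.

```python
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

Permission = Tuple[str, str]   # (operation, object); a stand-in for an XACML policy


class RoleEngine:
    """Answers 'who is in which role' and 'what may they do'; it never enforces."""

    def __init__(self) -> None:
        self._user_roles: Dict[str, Set[str]] = defaultdict(set)
        self._role_perms: Dict[str, Set[Permission]] = {}
        self._juniors: Dict[str, Set[str]] = defaultdict(set)  # senior -> juniors

    def add_role(self, role: str, juniors: Iterable[str] = ()) -> None:
        """Create a role; a senior role inherits all permissions of its juniors."""
        self._role_perms.setdefault(role, set())
        for junior in juniors:
            if junior not in self._role_perms:
                raise ValueError(f"unknown junior role {junior!r}")
            if junior == role or role in self.roles_below(junior):
                raise ValueError(f"adding {junior!r} under {role!r} would create a cycle")
            self._juniors[role].add(junior)

    def grant(self, role: str, operation: str, obj: str) -> None:
        if role not in self._role_perms:
            raise ValueError(f"unknown role {role!r}")
        self._role_perms[role].add((operation, obj))

    def assign(self, user: str, role: str) -> None:
        if role not in self._role_perms:
            raise ValueError(f"unknown role {role!r}")
        self._user_roles[user].add(role)

    def roles_below(self, role: str) -> Set[str]:
        """Transitive closure of the role hierarchy beneath `role`."""
        seen: Set[str] = set()
        stack = [role]
        while stack:
            current = stack.pop()
            for junior in self._juniors.get(current, ()):
                if junior not in seen:
                    seen.add(junior)
                    stack.append(junior)
        return seen

    def authorized_roles(self, user: str) -> Set[str]:
        """Directly assigned roles plus everything inherited through the hierarchy."""
        roles: Set[str] = set()
        for role in self._user_roles.get(user, ()):
            roles.add(role)
            roles |= self.roles_below(role)
        return roles

    def user_permissions(self, user: str) -> Set[Permission]:
        perms: Set[Permission] = set()
        for role in self.authorized_roles(user):
            perms |= self._role_perms[role]
        return perms

    def check_access(self, user: str, operation: str, obj: str) -> bool:
        """Decision only: True if some authorized role carries the permission."""
        return (operation, obj) in self.user_permissions(user)


def build_engine() -> RoleEngine:
    """Constructed sample hierarchy: payroll-manager > payroll-clerk > employee."""
    engine = RoleEngine()
    engine.add_role("employee")
    engine.grant("employee", "read", "handbook")
    engine.add_role("payroll-clerk", juniors=["employee"])
    engine.grant("payroll-clerk", "read", "salaries")
    engine.add_role("payroll-manager", juniors=["payroll-clerk"])
    engine.grant("payroll-manager", "approve", "salaries")
    engine.assign("alice", "payroll-manager")
    engine.assign("bob", "employee")
    return engine


def read_salaries(engine: RoleEngine, user: str) -> str:
    """Application-side enforcement point: the engine decides, the app refuses."""
    if not engine.check_access(user, "read", "salaries"):
        raise PermissionError(f"{user} may not read salaries")
    return "salary table"   # placeholder for the protected resource


if __name__ == "__main__":
    eng = build_engine()
    print(sorted(eng.authorized_roles("alice")))
    print(read_salaries(eng, "alice"))
```

Because `check_access` consults only the engine's own assignment tables, an application that calls it at every protected operation enforces one consistent policy, and the cycle guard in `add_role` keeps a mis-configured hierarchy from silently granting every role to every other.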
Auditing and Compliance
Bandit provides the tools for all applications to emit standard audit and compliance data pertaining to common identities. We are developing an Audit Record Framework component on all platforms and in all languages. The data model is based on the OASIS standard called Common Base Event (CBE). The Audit Record Framework will also provide a mechanism for collecting and reporting this data. While compliance has many aspects, our focus at this point is on emitting data. We will ensure that all applications emit the correct information at the correct time so that the state of the computing ecosystem can be properly evaluated.
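As an added illustration of the emit-then-collect flow just described (example code written for this article, not the Bandit Audit Record Framework), the block below defines a structured audit record, an emitter that applications call, and a collector that ingests JSON lines from any emitter and reports on them. The field names loosely follow the Common Base Event layout (creation time, severity, situation, source and reporter component, message) but are this example's own; the sample events, component names and severity values are constructed for the demonstration.

```python
import json
from collections import Counter
from dataclasses import asdict, dataclass
from typing import Dict, List


@dataclass
class AuditRecord:
    """One identity-related audit event (field names are this example's own)."""
    creation_time: str       # ISO-8601 UTC; passed in so records are reproducible
    severity: int            # CBE-style scale assumed here: 10 info, 30 warning, 50 critical
    situation: str           # category of what happened, e.g. "AuthenticationFailed"
    subject: str             # common identity the event is about
    source_component: str    # where the event occurred
    reporter_component: str  # which component emitted the record
    message: str

    def to_json(self) -> str:
        return json.dumps(asdict(self), sort_keys=True)

    @classmethod
    def from_json(cls, line: str) -> "AuditRecord":
        data = json.loads(line)
        missing = set(cls.__dataclass_fields__) - set(data)
        if missing:
            raise ValueError(f"audit record missing fields: {sorted(missing)}")
        return cls(**data)


def emit(situation: str, subject: str, component: str, message: str,
         *, when: str, severity: int = 10) -> str:
    """Application-side helper: build a record and serialize it as one JSON line."""
    return AuditRecord(creation_time=when, severity=severity, situation=situation,
                       subject=subject, source_component=component,
                       reporter_component="audit-framework-example",
                       message=message).to_json()


class AuditCollector:
    """Collects JSON-line records from any emitter and answers questions over them."""

    def __init__(self) -> None:
        self.records: List[AuditRecord] = []

    def ingest(self, lines: List[str]) -> int:
        """Return how many lines were accepted; malformed lines are skipped, not fatal."""
        accepted = 0
        for line in lines:
            if not line.strip():
                continue
            try:
                self.records.append(AuditRecord.from_json(line))
                accepted += 1
            except (ValueError, TypeError):
                continue
        return accepted

    def count_by_situation(self, situation: str) -> Dict[str, int]:
        return dict(Counter(r.subject for r in self.records if r.situation == situation))

    def subjects_over(self, situation: str, threshold: int) -> List[str]:
        """Subjects with at least `threshold` events of the given situation."""
        counts = self.count_by_situation(situation)
        return sorted(s for s, n in counts.items() if n >= threshold)


# Constructed sample events for the demonstration (not captured from a real system).
SAMPLE_LINES = [
    emit("AuthenticationSucceeded", "alice", "casa-login", "password accepted",
         when="2006-06-01T09:00:00Z"),
    emit("AuthenticationFailed", "bob", "casa-login", "bad password",
         when="2006-06-01T09:01:00Z", severity=30),
    emit("AuthenticationFailed", "bob", "casa-login", "bad password",
         when="2006-06-01T09:01:30Z", severity=30),
    emit("AuthenticationFailed", "bob", "casa-login", "bad password",
         when="2006-06-01T09:02:00Z", severity=30),
    emit("RoleAssigned", "carol", "role-engine", "added to auditors",
         when="2006-06-01T09:05:00Z"),
    '{"not": "an audit record"}',      # malformed line the collector must tolerate
]


def build_collector() -> AuditCollector:
    collector = AuditCollector()
    collector.ingest(SAMPLE_LINES)
    return collector


if __name__ == "__main__":
    c = build_collector()
    print(c.count_by_situation("AuthenticationFailed"))
    print(c.subjects_over("AuthenticationFailed", 3))
```

Keeping the subject as the common identity rather than a vault-specific name is what lets the collector correlate a login failure reported by the credential store with a role change reported by the role engine for the same person.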
Amongst the expanding world of identity technologies, Bandit builds a community where the identity fabric can be organized and standardized in an open way, promoting both interoperability and collaboration. Bandit is developing identity-related infrastructure components as well as supporting other open source projects and standards. You are invited to join this community and contribute whatever skills you might have in building the identity fabric. Please visit bandit-project.org, sign up for the mailing lists and join our chat groups.