Managing Name-Value Pairs In Identity Systems
Johannes Ernst, in a recent blog post, is trying to make the case that name-value pairs are "a bad idea" for exchanging identity information.
I would argue that it's not name-value pairs that are the problem; it's resolving the relationships between different pairs. And this isn't a new problem: all meta-data systems have it.
Successful meta-data systems make it so that you don't even notice this is what is happening. Unsuccessful ones make dealing with these relationships so cumbersome that only their designers can even comprehend them (RDF comes to mind here).
The problem exists because meta-data systems are really referential systems for describing "objects". And those objects are often comprised of other objects.
In Johannes's blog he uses the example of referencing family relationships. But let's use a more concrete example of person identity.
In the modern, physical world, my identity is in my wallet and is comprised of multiple cards. Each card is effectively a carrier of name-value pairs.
For example:
Driver's License:
- Name
- Drivers License Number
- Address
- Birthdate
- Vehicle Classification I'm Licensed For
- Am I an organ donor or not
- Expiration Date
Airline Rewards Card:
- Name
- Identification Number
Credit Card:
- Name
- Credit Card Number
- Expiration Date
Of course for Credit Cards, there's 1..N of those :).
In a physical sense it's very easy for me to provide one or more of these, on a demand basis, or even in combination (present a driver's license and a credit card).
Once we get into the digital world - this becomes a bit more complicated.
In LDAP we have been dealing with this problem (with various degrees of success) for over a decade (if you include X.500).
The basic solution in LDAP is something we can carry over to XML: store unique object identifiers (Distinguished Names in LDAP) as values for certain name-value pairs.
For example, in LDAP you see this with group memberships, where groups store the Distinguished Names of users in their membership attribute.
However, these solutions are ultimately very dependent upon how the client APIs deal with them. For example, this can mean that the client has to make multiple calls to the server (if it is a wire protocol) or get into some gnarly object-tree management.
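To make the pointer-chasing concrete, here is an added example (not code from the original post) of a toy in-memory directory whose entries are plain name-value pairs, with Distinguished Names stored as values the way LDAP group membership does. The directory contents, attribute names and DNs are constructed for illustration; the resolver counts the lookups a client would have to make and surfaces the two things that go wrong with pointers as values, a cycle through nested groups and a dangling DN.

```python
# Added example: name-value entries that point at each other by DN, plus a
# resolver that follows the "member" pointers the way an LDAP client must.
from typing import Dict, List, Optional, Tuple

# Constructed sample directory: DN -> {attribute: [values]}.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "cn=alice,ou=people,dc=example,dc=com": {
        "cn": ["alice"], "driversLicenseNumber": ["D1234567"],
        "expirationDate": ["2027-01-31"],
    },
    "cn=bob,ou=people,dc=example,dc=com": {"cn": ["bob"]},
    "cn=admins,ou=groups,dc=example,dc=com": {
        "cn": ["admins"],
        "member": ["cn=alice,ou=people,dc=example,dc=com",
                   "cn=ops,ou=groups,dc=example,dc=com"],     # nested group
    },
    "cn=ops,ou=groups,dc=example,dc=com": {
        "cn": ["ops"],
        "member": ["cn=bob,ou=people,dc=example,dc=com",
                   "cn=admins,ou=groups,dc=example,dc=com",   # cycle back to admins
                   "cn=carol,ou=people,dc=example,dc=com"],   # dangling pointer
    },
}

def lookup(dn: str) -> Optional[Dict[str, List[str]]]:
    """One server round trip: the entry, or None if the DN does not resolve."""
    return DIRECTORY.get(dn)

def expand_members(group_dn: str) -> Tuple[List[str], List[str], int]:
    """Follow 'member' pointers transitively from group_dn.
    Returns (people DNs, dangling DNs, number of lookups). Each DN is fetched
    at most once, which is what breaks the admins <-> ops cycle, and DNs that
    do not resolve are reported instead of being silently dropped."""
    people, dangling, seen = set(), set(), set()
    lookups = 0
    stack = [group_dn]
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue                      # already resolved (or a cycle)
        seen.add(dn)
        entry = lookup(dn)
        lookups += 1
        if entry is None:
            dangling.add(dn)              # pointer to an entry that is gone
        elif "member" in entry:
            stack.extend(entry["member"])  # nested group: more round trips
        else:
            people.add(dn)                # a leaf entry, i.e. a person
    return sorted(people), sorted(dangling), lookups
```

Expanding the constructed "admins" group costs five lookups to reach two people, which is the multiple-calls cost the paragraph describes; a client that followed pointers naively would also loop on the admins/ops cycle.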
On the other hand, linking and redirects have worked remarkably well for the Web.
In conclusion, I would say the problem isn't the name-value pair limitation; it's how we can make it easier for developers to manage pointers as values in the name-value pair use case.