Names are one of the first things you think about when the subject of identity comes up. Of course, identity is about more than names, but we name almost every object around us, and so names become one of the most common attributes stored in an identity.
Once you've got a bunch of objects with names, you want to be able to find them. Consequently, information technology systems are full of directories. There are directories for files, directories for email addresses, directories for domain names, and even directories for running processes. The simplest directories associate a name with something else, such as a file, address, IP number, or process.
This chapter will discuss names, directories, and the role that these play in digital identity.
When I was CIO of Utah, directory issues seemed to take up a lot of our time and effort. When I became CIO, the state had been using the domain name state.ut.us. This domain name was not particularly easy to remember, and when you tacked on one or two subdomains to identify a department or agency, the effect was almost comical. For example, my email address was pwindley@gov.state.ut.us. The Governor remarked that he could almost feel people start to dance to the rhythm when he told them his email address.
In addition to the official domain name, agencies in state government had gotten into the habit of registering domain names in the .org TLD (top-level domain) for every publicly facing web site they started, and Utah managed over 100 domain names outside the official one. This created a huge problem in building brand awareness around the state's web site and meant that it was impossible to know when you were on an official state web site and when you were not.
Shortly after I came on board, I discovered that we owned the domain name utah.gov—much shorter, much easier to remember, and more authoritative. By fiat and with the Governor's support, I declared that Utah was moving to utah.gov. Now, this is not a strategy I'd recommend as a way to endear yourself to people, but it did accomplish the goal: within a month, we were using utah.gov as the domain name for our primary web server and contemplating how to migrate the rest of the organization.
There were two primary issues:
1. utah.gov represented a namespace that had been delegated to the State of Utah and within which we could manage things like server names and email addresses.
2. The State had never had an enterprise strategy for naming, and each department and agency ran its own directory service for email and passwords—some ran many, with each division controlling its own directories.
The first problem called for the creation of a registration process and the appointment of a registrar through whom organizations within the State could reserve subdomains within utah.gov. In essence, the job of the registrar was to create namespaces within utah.gov, and ensure that the names were unique, meaningful, and correctly recorded.
The second problem was more difficult. The first step was to create a voluntary program through which people who wanted a utah.gov email address could reserve a name. A simple program forwarded email sent to that name on to their real mailbox. That step was only temporary while we went through the difficult process of creating a naming procedure for assigning unique names (which would become email addresses) to each employee. We finally settled on a first initial/last name scheme with a series of fallback schemes for duplicates. The policy specifically prohibited names not associated with a person's real name to prevent people from having email addresses like dumbo@utah.gov (unless this person's real name happened to be Doug Umbo, of course).
We also set up a metadirectory (more on this later) so that the directories in the agencies could cooperate to form a single large logical directory. This wasn't as easy as it should have been, because software running many of the directories hadn't been updated for years and didn't support metadirectory linking. Thus, creating a single directory included upgrade projects for a number of directories around the state. Further, creating this logical directory from already existing directories meant that the names in those directories first had to be normalized according to the naming scheme we'd come up with earlier.
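As an added example (not the book's own code) of the naming procedure and the name normalization described in the two paragraphs above, here is a small Python registrar for one namespace. The first-initial/last-name rule, the need for fallbacks on duplicates, and the real-name policy come from the text; the particular fallback order, the letters-only normalization, and the "utah.gov" namespace value as a default are assumptions for illustration.

```python
import re
from typing import Dict, Iterator

# Assumed namespace for the example; the registrar takes any namespace.
NAMESPACE = "utah.gov"


def normalize(part: str) -> str:
    """Normalize a name part: lowercase, ASCII letters only (assumed rule,
    so that "O'Brien" and "OBrien" collapse to the same directory key)."""
    return re.sub(r"[^a-z]", "", part.lower())


def candidates(first: str, last: str) -> Iterator[str]:
    """Yield candidate local parts in order of preference.
    Scheme 1 is the first initial + last name rule; the fallbacks and
    their order are assumptions, ending in a numeric suffix that
    guarantees termination."""
    f, l = normalize(first), normalize(last)
    yield f[:1] + l          # scheme 1: pwindley
    yield f + l              # fallback: philwindley
    yield f"{f}.{l}"         # fallback: phil.windley
    n = 2
    while True:              # last resort: pwindley2, pwindley3, ...
        yield f"{f[:1]}{l}{n}"
        n += 1


class Registrar:
    """Hands out unique mailbox names within one namespace."""

    def __init__(self, namespace: str = NAMESPACE) -> None:
        self.namespace = namespace
        self.assigned: Dict[str, str] = {}   # local part -> employee id

    def assign(self, employee_id: str, first: str, last: str) -> str:
        """Return the first free address for this employee and record it,
        so two people with similar names never share a local part."""
        for local in candidates(first, last):
            if local not in self.assigned:
                self.assigned[local] = employee_id
                return f"{local}@{self.namespace}"
        raise AssertionError("unreachable: candidates() is infinite")

    @staticmethod
    def is_derived_from_real_name(local: str, first: str, last: str) -> bool:
        """Policy check: a requested local part (digits stripped) must be
        one of the real-name forms; "dumbo" passes only for Doug Umbo."""
        f, l = normalize(first), normalize(last)
        base = re.sub(r"\d+$", "", local.lower())
        return base in {f[:1] + l, f + l, f"{f}.{l}"}
```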
The use of multiple distributed directories had advantages in performance and local control, but caused some difficulties with integration with other enterprise systems such as the HR system. The ultimate goal is to provision entries in the directory and even access-control rights based on the employee's status within the HR system.
The technical problems faced in creating an enterprise directory pale in comparison to the political challenges. To begin with, you're asking many people to change their email addresses—some of which had been in use for many years. This has personal and organizational costs. Second, some people, for political reasons, cannot be asked to change their email addresses. They get first pick of email addresses if there's a conflict. One executive director even insisted on having every possible permutation of her name and initials assigned to her to prevent anyone from accidentally sending mail intended for her to someone else with a similar name.
Ultimately we were successful in establishing a single namespace within utah.gov for all email and logins. We even converted the State's many web servers to subdomains within the utah.gov domain. The effort took almost two years to complete, but once done, it enhanced our ability to brand the State's web services and gave people email addresses that they could give to people without having to break out the bongo drums.