Paradise Lost?

August 2013

During the late 1980s and early 1990s I spent a great deal of my time, and European Research funding, working on the Paradise project. Was it worth the effort?

Paradise (or more formally Cosine Paradise, then NameFLOW Paradise) was a European-led but worldwide initiative to pilot the use of X.500 technology to build a distributed directory service, as a follow-on from “THe Obviously Required Nameserver” project – Thorn. Paradise was the largest distributed deployment of X.500, by 1996 extending to nearly 800 servers, representing 5250 organisations (according to the last published statistics I could find). The project was criticised for being too focused on one implementation (the open source Quipu), but was open to other X.500 DSAs, notably from Siemens and Inria.

The project was a research project, to establish if distributed directories (based on X.500) could be made to work – which it successfully achieved. However, despite this success, the project never really gained momentum outside of the academic community. Why?

X.500 used a full OSI stack and, despite running over TCP/IP (using RFC 1006), was too heavyweight for the Internet (I first wrote about this in 1993, “You cannot promote OSI applications over OSI Networks”). To overcome this, as part of the research undertaking, LDAP was developed as a lightweight access protocol. While it overcame the issues Paradise had, it was also the beginning of the end for Paradise.

As well as implementing LDAP as a protocol, Tim Howes implemented a standalone LDAP server, an approach used in many LDAP products we see today. This rapidly led to a model where a distributed directory service was not needed, as LDAP clients connected directly to the appropriate server. To find the LDAP servers, the clients made use of DNS, which had become a hugely successful distributed directory in its own right (when Paradise started, DNS was in its infancy).

The one feature the standalone LDAP model has not been able to replicate has been distributed search across servers – Paradise did this well – but with the advent of Google, this too became redundant.

So, was all the effort worth it? Yes – without it LDAP would not exist in the form it does today (I will let the reader determine if this is good or bad).

Finally, why “Paradise” – “Piloting a Research Directory in an OSI Environment” – of course!

See Also

Paradise Project


Author Bio – Colin Robbins

Colin Robbins is Nexor’s Managing Security Consultant. He is a Fellow of the IISP, and a NCSC certified Security and Information Risk Adviser (Lead CCP) and Security Auditor (Senior CCP). He has specific technical experience in Secure Information Exchange & Identity Systems and is credited as the co-inventor of LDAP. He also has a strong interest in security governance, being a qualified ISO 27001 auditor.

