By Doc Searls
for WEBsmith
April 24, 1996

Craig Burton Interview, Part 1
Craig Burton Interview, Part 2

Eric Hahn's fingerprints are all over the Internet. It started years ago, when he worked at Bolt, Beranek & Newman (BBN), where the Arpanet was being reshaped into the Internet we know today. Later, after working as VP and general manager of Convergent Technologies' server division, he became VP of engineering at cc:Mail, which succeeded in large measure because he helped make it the first (and still only) cross-platform e-mail software. He became general manager at Lotus after that company ate cc:Mail, and served as general manager there while working on message-interchange standards. He left Lotus to found Collabra Software, which gave new dimensions to e-mail and collaborative software. When Netscape purchased Collabra, he became Netscape's senior vice president of enterprise technologies, where he now sits in the driver's seat of what may be the biggest standard-setting vehicle since the formation of the Web itself. (1)

That vehicle is LDAP. Network guru Craig Burton calls LDAP a "bulldozer" that will open the Web to real directory services, and make it impossible for anybody to monopolize the way those services are rendered.

The Lightweight Directory Access Protocol (pronounced "L-Dapp") was the work of Tim Howes and a team at the University of Michigan, where LDAP directories currently take 5 million hits per day. Three people from that team, including Howes, are now working for Netscape, which has licensed LDAP and lined up 40 or more other companies to make LDAP the way to deliver directory services on the Internet. "ldap://" will soon become a familiar sight on browser windows everywhere, and the Web will have something it desperately needs: a way to organize things that change and multiply. Like you, for instance, with your bulging portfolio of e-mail addresses, phone numbers and other identities, which in the absence of directory services are about as sane as Sybil. In fact, the absence of a sane and singular directory service is one reason why computing and communicating, for all their "power," are still highly labor-intensive.

After all, what's "powerful" about having to look stuff up all the time? What's so great about an "information highway" that connects everything in the world but gives you no idea where to find most of it? How many times has a search engine led you to "404 Not Found"? Wouldn't it be nice if something could tell your computer where that link went? That something is a directory. Thanks to Netscape and LDAP, we can finally put directories on the Web.

I talked with Eric Hahn on April 22, the day Netscape announced the LDAP deal (along with several new Netscape products that will take advantage of it). (2) He had the enthusiastic sound one hears from developers who can feel real traction in the marketplace, and yet know they've just started to move in first gear.

DS: Craig Burton describes directory as a way to manage change. If a directory knows stuff about us, it is in a position to manage change.

EH: That's true. This is a very important point. To use a programmer's term, it de-references you from your directory entry. Anything about you can change, from your phone number to your e-mail to whatever, without penalty. Think of all those times you have to send out mailings telling people just one of your addresses has changed in some way. This whole problem is easily managed by directory. People just look you up and there you are. You stay the same, and the other stuff changes. Ultimately, you should be locatable on an up-to-the-minute basis, if you're willing to allow it.

DS: Was LDAP purchased from the University of Michigan?

EH: The University of Michigan is the source for a reference implementation of the LDAP code, and there is no charge for that. Netscape licensed the code, as many other parties before us have done. What is different maybe than other parties is that we are entering into a fairly intimate relationship with the University of Michigan, including the relocation of three of their top people who have been working on LDAP, so they can continue working on LDAP at Netscape. So, while there was not a purchase of software, there is a very rich relationship between the two organizations that does have some financial components. The point is, we're working to make sure the relationship with the university is first-rate, and we have every reason to believe that it is.

DS: I would like to explore Craig's view that the standardization of LDAP allows the Web to do a lot of things that could not be done before. In the absence of a directory standard, a lot of network intelligence could not take place because the directories on which that intelligence would rely did not exist.

EH: We view directory technology as enabling technology, as plumbing, as foundation. There are obviously application components of that, primarily exhibited in our case in the changes we are making to Navigator to accommodate directories; but the real story about directory is what it enables, the usage scenarios which I would agree with Craig were cumbersome at best and impossible at worst with basic HTML and HTTP before.

DS: And because there were so many independent and incompatible name spaces that were exterior to the Web.

EH: Yes. No programmatic interfaces, no interchange formats... There is a whole litany of reasons why we would agree that it is vitally important that an industry standard like LDAP come into play, because without it, many applications suffered, particularly those in corporate settings -- for intranets -- which is where Netscape's primary business is.

DS: Run down for me some sample applications or scenarios, and put them in the context that makes sense for Websmiths -- guys who will be doing the frame-up construction for Web sites that include directory services. Specifically, what kind of work will they be doing that they were not doing before?

EH: Technically speaking, the directory technology that we will be shipping, and that I assume others will ship, and that LDAP exposes, is a very robust attribute value database. Which means you can put almost anything you want in a directory. The most common things we expect are names and addresses and email addresses. But there's nothing to say you can't put in printers and addresses and URLs and GIF images. In other words, it's a fairly robust technology, and it's very extensible.

One of the very exciting early applications beyond SMTP addresses, and related to another product announcement today, is our X.509 keys. Certificates. So you can instantly enable things like secure email in a site without burdening users to manually swap keys. So you can imagine a webmaster at a corporate site setting up an LDAP directory, downloading it from the HR database, with people's email addresses and names, assigning them keys, and instantly enabling secure email within the site.

You can also imagine people using LDAP to write applications, such as workflow, where in order to route a document or an email address you have to look up a person's department and find their supervisor. All this is possible with LDAP technology.

You can also use it as a broker to connect parties who don't know each other by name. So for example you can have a field in your LDAP directory that remembers your interests or your hobbies or the job classifications, and then query the directory for everybody with similar interests.

So the generality of the directory approach is very exciting and enables a lot of new applications.

Technically the directory is also important to people who set these up because it replicates, and it is distributed. So another interesting opportunity is how LDAP, and specifically the Netscape Directory Server, will permit sites to create large distributed webs of directory information. This is particularly important either for large multinationals or noncorporate entities such as user groups, where the membership might be distributed over the whole globe.

There are lots of very exciting technical opportunities and challenges that replication brings to the picture. So I would say the generic nature of the database and support for replication are the two most technically compelling aspects of LDAP and the server we are announcing.

Now we are announcing three things here: the directory server, a 2.0 release of our mail server, and a 1.0 release of our X.509 Certificate Server. Those three taken together, let alone the previously announced SuiteSpot products, make a very interesting suite that rivals the best of applications that could have been constructed with BackOffice or Lotus Notes.
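Eric Hahn's broker scenario above ("query the directory for everybody with similar interests") comes down to an LDAP search filter. The block below is an added example, not code from the interview or from Netscape Directory Server: it builds that filter with the escaping RFC 4515 requires for values that come from users, and shows what the naive string concatenation does with a hostile value. The attribute name `interest` is an assumption for illustration.

```python
"""LDAP search filters for the "find people with similar interests" query.

Added example; not code from this interview or from Netscape's products.
The attribute name 'interest' is an assumption for illustration.
Escaping follows RFC 4515 (the string form of LDAP search filters).
"""
import re
from typing import Sequence

# RFC 4515: these characters may not appear raw inside an assertion value
# and must be written as a backslash followed by two hex digits.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Matches the start of one attribute assertion such as "(interest=" or "(uid=".
_ASSERTION = re.compile(r"\([A-Za-z][A-Za-z0-9.;-]*=")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it can only match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def interest_filter(interests: Sequence[str]) -> str:
    """Build (|(interest=a)(interest=b)...) from escaped values.

    A single interest yields a bare (interest=a); several are OR'd together.
    """
    if not interests:
        raise ValueError("at least one interest is required")
    clauses = "".join(f"(interest={escape_filter_value(i)})" for i in interests)
    return clauses if len(interests) == 1 else f"(|{clauses})"


def unsafe_interest_filter(interests: Sequence[str]) -> str:
    """The naive concatenation, kept only to show the injection."""
    return "(|" + "".join(f"(interest={i})" for i in interests) + ")"


def assertion_count(filt: str) -> int:
    """Number of attribute assertions in a filter string.

    One interest should produce exactly one assertion; a higher count
    means the input rewrote the query rather than being matched by it.
    """
    return len(_ASSERTION.findall(filt))


if __name__ == "__main__":
    hostile = "*)(uid=*"  # constructed hostile input
    print(interest_filter(["chess", "go"]))
    print(unsafe_interest_filter([hostile]), assertion_count(unsafe_interest_filter([hostile])))
    print(interest_filter([hostile]), assertion_count(interest_filter([hostile])))
```

With the hostile value the unescaped filter becomes `(|(interest=*)(uid=*))`, which matches every entry that has a uid; the escaped form `(interest=\2a\29\28uid=\2a)` matches only an entry whose interest literally is that string.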

DS: Will LDAP open an addressing scheme in the same way HTTP does, so addresses will read 'ldap://, etc.'?

EH: There is a standard URL syntax for framing LDAP queries, and I think it is 'ldap://', then other terms that document the search filter for qualifying a search.

In the second half of this year we will release an LDAP-compliant client module for Navigator. If you are familiar with the 2.0 address book, that UI gets completely redone and made LDAP compliant, which means you can point your address book browser at any LDAP server, whether it is inside your company or out on the net. So browsing LDAP directories from a user perspective will commonly be done using the address book function of Navigator.
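The URL syntax Hahn refers to became RFC 1959 and is now specified in RFC 4516 as `ldap://host:port/dn?attributes?scope?filter?extensions`. The block below is an added example, not code from the interview or from Navigator's address book: it splits such a URL into its parts, applies the RFC's defaults, refuses critical extensions it does not understand, and lets a client restrict which servers a link may point it at, since an address book that follows any `ldap://` link "out on the net" is otherwise steerable by whoever wrote the page. The host names and DNs are constructed sample values.

```python
"""Parsing LDAP URLs of the form ldap://host:port/dn?attrs?scope?filter?exts

Added example; not code from this interview or from Navigator's address
book. The host names and DNs used here are constructed sample values.
The syntax follows RFC 4516, the current form of the LDAP URL format.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence
from urllib.parse import unquote, urlsplit

_SCOPES = {"base", "one", "sub"}
_KNOWN_EXTENSIONS = {"bindname"}  # the one extension RFC 4516 itself defines


@dataclass
class LdapUrl:
    host: str
    port: int
    base_dn: str
    attributes: List[str] = field(default_factory=list)
    scope: str = "base"
    filter: str = "(objectClass=*)"
    extensions: List[str] = field(default_factory=list)
    secure: bool = False  # True for ldaps://


def parse_ldap_url(url: str, allowed_hosts: Optional[Sequence[str]] = None) -> LdapUrl:
    """Split an LDAP URL into its parts, applying the RFC's defaults.

    allowed_hosts, when given, lists the servers this client will talk to;
    a link pointing anywhere else is refused rather than followed.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    secure = parts.scheme == "ldaps"
    host = (parts.hostname or "").lower()
    if allowed_hosts is not None and host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host not permitted: {host!r}")
    port = parts.port or (636 if secure else 389)
    base_dn = unquote(parts.path.lstrip("/"))

    # Everything after the first '?' is attrs?scope?filter?extensions;
    # each field may be empty, in which case the RFC default applies.
    fields = parts.query.split("?", 3)
    fields += [""] * (4 - len(fields))
    raw_attrs, raw_scope, raw_filter, raw_exts = fields

    attributes = [unquote(a) for a in raw_attrs.split(",") if a]
    scope = unquote(raw_scope).lower() or "base"
    if scope not in _SCOPES:
        raise ValueError(f"bad scope: {scope!r}")
    filt = unquote(raw_filter) or "(objectClass=*)"

    extensions = [unquote(e) for e in raw_exts.split(",") if e]
    for ext in extensions:
        name = ext.lstrip("!").split("=", 1)[0].lower()
        if ext.startswith("!") and name not in _KNOWN_EXTENSIONS:
            # A leading '!' marks an extension as critical: a client that
            # does not understand it must reject the URL, not ignore it.
            raise ValueError(f"unknown critical extension: {ext!r}")

    return LdapUrl(host, port, base_dn, attributes, scope, filt, extensions, secure)


if __name__ == "__main__":
    print(parse_ldap_url(
        "ldap://ldap.example.com/ou=people,dc=example,dc=com?cn,mail?sub?(uid=dsearls)"))
```

The filter field is percent-decoded but otherwise passed through untouched; once it reaches the server it is interpreted as an RFC 4515 filter, so a client that builds URLs from user input still has to escape the values it puts there.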

DS: I can also imagine Java and other applet libraries out there as well, serving as directory-based resources.

EH: Yes on two counts. First, you could imagine a directory being used to hold Java applications, so there could be a directory of Java apps searchable by various components, and then the directory objects, which would be the Java apps, could be retrieved. Perhaps more interesting is the other case, where Netscape will eventually expose all the services we are announcing today as Java classes, so you will be able to access the directory by writing Java code, rather than by writing native LDAP code.

On your page, for example, you could have code that, when the user visited, looked up their entry in your directory and modified the page based on attributes set in their directory entry or in a similar user's directory entry.

DS: How long will it be before we start seeing some of the obvious and visible LDAP compliant directories out on the Web, and the Navigator that will see them?

EH: The answer to the first question is: very soon. Months. We're privy to a bunch that are far along. A good place to look would be among the names in the announcement today. (See the Netscape Directory Server Press Release.) There are some obvious ones who need to get there quickly. The challenge isn't lost on them. With regard to Navigator, we're saying later this year, and we are definitely on track for that. Look for Q3.

DS: Can we expect Microsoft to show up in this space, much as they did with Java? Their absence from the announcement is conspicuous.

EH: The best answer comes from them. All I can say is that historically their directory strategy has been tough to divine. The Cairo directory that was much ballyhooed two years ago has been decommitted. The Exchange directory is a proprietary format. So maybe they will make that LDAP support to Exchange. But again it will probably be a layered veneer added to a proprietary product. Most of Netscape's products are obviously native at the core, and that is a big competitive advantage for us. But Microsoft needs to answer that question.

DS: It seems to me that by legitimizing what had been just another protocol you have opened the playing field for everybody. Not flattening the playing field as much as changing the game into one where everybody competes on virtues that do not exclude others. In other words, you end the proprietary game.

EH: The idea is to compete by offering the best products at attractive prices, rather than by locking customers into proprietary protocol, which is the way historically things have worked in the client-server world.

DS: What does this imply in terms of new businesses that didn't exist before, in much the same way that HTTP implied new businesses when it was introduced?

EH: The concept of identity doesn't exactly exist on the Web today, aside perhaps from someone's mailbox, which is the closest thing we have. We are about to give corporations and Internet users the opportunity to establish and evangelize identity and location on the Internet. Because it is searchable and extensible, the identity of people, objects and other resources can now be located, searched and managed in a sane way. I think that's really a sea change for the Internet. Because the Internet has been, other than aggregated indexes like Yahoo and Infoseek and Lycos and those guys, without a notion of aggregation and location. We are about to do that primarily for people, with directory services. So insofar as you believe the Internet is a wonderful enabler of communication, coordination and collaboration -- to use Lotus's lingo -- this is a critical component. It is hard to imagine the Internet fulfilling those dreams without something like this. So anybody building communicative organization, whether they are physical or virtual ones, will find this an enabling technology. The Internet will become much more attractive for building those kinds of things in a viable way. Before this the Internet community was kind of silent on how to do that.

DS: Well, the Internet community members took for granted that a lot of work needed to be done in a space where directory will now take care of business. We thought it was okay to do that work, and it really wasn't. Right now I am burdened with knowing a lot of stuff -- such as what gyrations I need to go through to get a file from here to there -- that some software ought to be burdened with.

EH: There is no reason your Navigator shouldn't bear some of that burden.

This whole notion of you as a person, as an entity, as an identity, can be captured very robustly. How many times have you stumbled over trying to pronounce somebody's name? Why can't your software pronounce that in the person's own voice? These are questions that directory kinds of technologies over time will handle easily. Why can't you replicate your entire Novell or Netscape organization directory, so far as it is public, around in your laptop as you're travelling around, and keep it in synch by robust directory services. Now, this kind of thing is enabled by Lotus Notes, but then the whole world needs to run Notes, and that's probably not going to happen.

I should add that the other two announcements today -- Mail 2.0, which is an IMAP4 release, and Certificate Server 1.0, which is an in-house CA -- are also enablers in their own right. IMAP4 is primarily for mobile or low bandwidth-connected mail users or people doing advanced folder management... I could go on.

The directory story behind these two products' stories is interesting. With the certificate product, when a certificate is issued it will automatically populate and manage the certificate entry for the corresponding directory entry. So, if you sign up for a public key it will be recorded in your directory entry automatically. This is the directory-centric view of the Certificate Server. The mail server also knows how to query the directory server for doing mail hub routing. So if you had 100 or 1000 people at WEBsmith, you could all be, but the mail server could automatically query the directory server to reroute so that you are really

DS: Will we see a reduction in the number of name spaces in the world?

EH: In practice it will in the same way SMTP has done so, and HTTP has unified proprietary document spaces and maybe come at the expense of other file names a bit. LDAP does come with a syntax it likes to traffic in. And I think that syntax will be preferred. But remember directories by their nature have the opportunity to expand the amount of name space. For example, if somebody had a particularly obscure email address, I could find it by their friendly name -- their given name and surname -- in an LDAP directory. But that's a roundabout way of looking at it. In practice, I think you'll see a lot of LDAP conforming representations of names and queries. And what pops out will be what people look for. So if you're looking for an email address, you'll get an SMTP address. If you're looking for a home page, you'll get an HTTP pointer or URL. So in practice you'll see some collapsing of the name space on the Net.

Now there are efforts like XFN, which, at a higher level than LDAP, try to standardize on a mechanism for implementing arbitrary families of what they call federated name spaces. So there is still work to be done. Sun and others are pioneering on kind of metadirectories like XFN, which are not directories at all but representations of arbitrarily diverse directories in one umbrella. We're not tackling that problem yet, because it's still a bit rarefied. One thing at a time.

But there are exciting things we are working on, such as LDAP metadirectories.

LDAP is in a sense a metadirectory, in that it can contain other LDAP entries. There is a lot of work going on at the University of Michigan and here at Netscape on how to do directory forwarding efficiently, so I can search for you across the whole planet without pinging on every server. Very exciting, but still LDAP-centric in its name space.

DS: So we're talking about a smaller forest of name spaces, but with bigger trees.

EH: Yes, that's right. I don't think you'll see a whole lot of internet traffic in native StreetTalk or NDS names. Those guys in their announcement today will move their syntax to be more in line with LDAP, so their users don't need to do one kind of lookup inside the LAN and another on the internet.


(1) A more extensive biography of Eric Hahn can be found at the Collabra site.

(2) Netscape is not playing this as a Big Deal. They put three product press releases on the company Web site, plus some product briefs. I do hear the company has a white paper on the subject, but I haven't seen it yet. The Wall Street Journal mentioned the announcement in their coverage of Netscape's stock movement (it went up about two points on the announcement day, and about ten points in the days that followed, probably due mostly to strong earnings reports). The computer trade weeklies barely noticed it.

By their nature, press releases have an opaque and legalistic quality that makes for hard reading. You're always looking for stuff between the lines. Netscape's releases are no exception. What Craig calls "ground zero for the biggest explosion of new site construction activity since the Web was created," a Netscape release calls "simplifying global user management in heterogeneous environments." But the company does have some useful background material. Here are links to the three releases on the Netscape site, plus a convincingly flattering report by Forrester Research:

For some good nuts and bolts, here are links to the product briefs:
