Growth. Interfederation: PKI is globally scalable. Unfortunately, it's not locally deployable...

Posted on 18-Jan-2018

Interfederation
• Connecting autonomous identity federations
• Critical for global scaling, accommodating local federations, integration across vertical sectors
• Has technical, financial and policy dimensions
• Several operational instances – Kalmar2 Union, eduGAIN, ad hocs (UC Trust, Texas)
• Use cases now numerous, across sectors, within sectors
• Short-term and long-term approaches
• If it's called the Internet, shouldn't we start talking about Interfederated identity?

Transcript of: Growth. Interfederation: PKI is globally scalable. Unfortunately, it's not locally deployable...

Growth

kjk@internet2.edu

Interfederation

• PKI is globally scalable
  • Unfortunately, it's not locally deployable…

• Federation is locally deployable
  • Can it scale globally?

• Inter-federation
  • Like BGP, only 1000 times harder

Interfederation

• Connecting autonomous identity federations
• Critical for global scaling, accommodating local federations, integration across vertical sectors
• Has technical, financial and policy dimensions
• Several operational instances – Kalmar2 Union, eduGAIN, ad hocs (UC Trust, Texas)
• Use cases now numerous, across sectors, within sectors
• Short-term and long-term approaches
• If it's called the Internet, shouldn't we start talking about Interfederated identity?

Interfederation: Short-term/long-term

• Long-term is starting to be worked, mostly technically, with some ad hoc policy

• Short-term has happened and should continue, but should be informed by, and inform, the long-term work

• Both short-term and long-term need to address the same buckets of issues

• Long-term has potentially disruptive service models

Buckets of interfed issues

Both short-term and long-term approaches must address:

• Exchange, and massage, of metadata
• Policy alignment
• Alignment of payloads (attributes)
• Operational issues – error handling, incident handling, legal and contractual, etc.

UK Access Federation Metadata processing

Future metadata flows in Interfederation

[Diagram: metadata flow nodes – Org, Registrar, Aggregator (three instances), Local trust oracle]

Multiple trust contexts in interfederation

[Diagram: trust-context nodes – Org, Registrar, Aggregator (three instances), Application auditor, Local trust oracle]

Trust and Metadata

• Trusting that the metadata was provided by an authorized entity
  • Secure deposit

• Trusting that the “organizationally vetted” metadata is correct
  • Self-certified

• Trusting that the “externally vetted” metadata is true
  • Certified apps
  • E.g. an app listed as R&S is in fact right

Emerging key software and protocols

• MDA – metadata aggregator

• PEER – metadata registry management software
  • There may be multiple PEER service instances

• MDX – the query protocol(s) to request metadata; returned via normal publishing protocols

• Improved discovery services – accountchooser, discojuice, embedded discovery services

• End-entity categories – an important new type of metadata, allowing for certified apps and IdPs

Meta-meta-data

• Metadata has its own metadata – e.g. who supplied it, when, terms of use, etc.

• Meta-meta-data may be contained in metadata stream, peeled off to help processing the other metadata, then reinserted as regular metadata into products

• No real discussions yet on normalizing meta-meta-data

• Likely little or no need for meta-meta-meta-data, thankfully…
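As an added example, not part of the slides: a small Python consumer that reads the MDRPI registration information (the "who supplied it, when" meta-meta-data described above) and the entity-category attribute out of a constructed SAML aggregate, then applies a local trust oracle to it. The registrar URIs and entity IDs are made up; the XML namespaces, the entity-category attribute name and the R&S category URI are the real ones, and the aggregate's XML signature is assumed to have been verified against the aggregator's key before this step.

```python
# Added example (not from the slides): MDRPI "meta-meta-data" as input to a local
# trust oracle.  Assumes the aggregate's XML signature was verified beforehand.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
RPI = "urn:oasis:names:tc:SAML:metadata:rpi"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
EC = "http://macedir.org/entity-category"
RS = "http://refeds.org/category/research-and-scholarship"

# Constructed sample aggregate: three entities from two hypothetical registrars.
AGGREGATE = f"""<EntitiesDescriptor xmlns="{MD}" xmlns:rpi="{RPI}" xmlns:saml="{SAML}"
  xmlns:mdattr="urn:oasis:names:tc:SAML:metadata:attribute">
 <EntityDescriptor entityID="https://sp.example.edu" validUntil="2099-01-01T00:00:00Z">
  <Extensions>
   <rpi:RegistrationInfo registrationAuthority="https://fed-a.example/" registrationInstant="2017-05-01T00:00:00Z"/>
   <mdattr:EntityAttributes><saml:Attribute Name="{EC}">
    <saml:AttributeValue>{RS}</saml:AttributeValue></saml:Attribute></mdattr:EntityAttributes>
  </Extensions>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://idp.example.org" validUntil="2099-01-01T00:00:00Z">
  <Extensions><rpi:RegistrationInfo registrationAuthority="https://fed-b.example/"/></Extensions>
 </EntityDescriptor>
 <EntityDescriptor entityID="https://old.example.net" validUntil="2015-01-01T00:00:00Z">
  <Extensions><rpi:RegistrationInfo registrationAuthority="https://fed-a.example/"/></Extensions>
 </EntityDescriptor>
</EntitiesDescriptor>"""


def local_trust_oracle(xml_text, trusted_registrars, now=None):
    """Accept an entity only if its RegistrationInfo names a trusted registrar and
    validUntil has not passed; an entity with no RegistrationInfo fails closed."""
    now = now or datetime.now(timezone.utc)
    accepted, rejected = {}, {}
    for ed in ET.fromstring(xml_text).iter(f"{{{MD}}}EntityDescriptor"):
        eid = ed.get("entityID")
        reg = ed.find(f"./{{{MD}}}Extensions/{{{RPI}}}RegistrationInfo")
        authority = reg.get("registrationAuthority") if reg is not None else None
        if authority not in trusted_registrars:
            rejected[eid] = f"registrar {authority!r} not trusted"
            continue
        until = ed.get("validUntil")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            rejected[eid] = "metadata expired"
            continue
        # The category is asserted by the registrar, not by the entity itself.
        cats = {v.text.strip() for v in ed.iterfind(
            f".//{{{SAML}}}Attribute[@Name='{EC}']/{{{SAML}}}AttributeValue")}
        accepted[eid] = {"registrar": authority, "rs": RS in cats}
    return accepted, rejected
```

Widening `trusted_registrars` is the "policy alignment" decision the deck talks about: the same aggregate yields a different accepted set for each local trust context.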

Policy Points in Interfederation

• How the federation manages verification of both the organizations and their (perhaps delegated) authorized submitters (the FOP)

• How does the federation manage verification of other richer end-entity attributes it asserts, such as classification of applications (e.g. R&S), recommended attribute release policies, etc.

• How the federation operates, in terms of signing metadata approaches, legal status, etc.

• Aligning the LOA at basic and higher levels for authentication

• Aligning the relationships between IdP and SP when they are not in the same federation
  • Direct contracts should govern where applicable
  • If the contractual flow is member to fed, and then across interfed to an SP in another…

Interfed policy areas

• Federation operations
  • Legal status and bona fides
  • Operational issues – signing key and metadata protection, incident handling, etc.

• Federation to member relationships
  • Contractual
  • Vetting of members and delegation of metadata

• Community standards
  • LOA
  • End-entities and vetting values
  • Attribute bundles

• IdP-SP direct relationships
  • What issues do they work directly? If they have a contract? If they don't?

Interfed policy areas – status/need

• Federation operations
  • Legal status and bona fides – normative format
  • Operational issues – REFEDS Ops or ?

• Federation to member relationships
  • Contractual – normative format + normalization
  • Vetting of members and delegation of metadata – normalization

• Community standards
  • LOA – basic ok; Silver and Bronze need normalization
  • End-entities and vetting values – good informal start; registry and best practices
  • Attribute bundles – good informal start; registry and best practices

• IdP-SP direct relationships – ????

• Privacy, consent, etc. handled somewhat by the above

Is there a financial dimension to interfed?

• Potential for some federations that charge to lose certain SPs
  • Seems like a small subset might, but with modest financial impacts

• Charging for registration? For publication of metadata? For use of metadata?

• Costs of operating the interfed coordination infrastructure – schema, registries, etc.

• We shall see, sigh…

Is interfederation getting harder?

• Or, as Ian says, do we just understand the problem better?

• In the old days, just exchange signing keys

• Now, do you understand my metadata? My attribute bundles? My application categories and how I assess apps? My policies?

• And do I understand yours?

• And with more use cases every day…