Internet2 Middleware and the NSF Middleware Initiative: Meeting Milestones

Ken Klingenstein, Director, Internet2 Middleware Initiative; Co-PI, NSF Middleware Initiative

May 8, 2002

Topics

Internet2 Middleware Overview

Internet2 Middleware Activities

NSF Middleware Initiative

Grid Center and Release 1

EDIT Work and Release 1

Testbeds and Outreach

Year 2 Goals

Integration

A Map of Middleware Land

Core Middleware Scope

Identity and Identifiers – namespaces, identifier crosswalks, real world levels of assurance, etc.

Authentication – campus technologies and policies, interrealm interoperability via PKI, Kerberos, etc.

Directories – enterprise directory services architectures and tools, standard objectclasses, interrealm and registry services

Authorization – permissions and access controls, delegation, privacy management, etc.

Integration Activities – common management tools, use of virtual, federated and hierarchical organizations

Making it happen

Much as at the network layer, plumb a ubiquitous common, persistent and robust core middleware infrastructure for the R&E community

• Foster effective and consistent campus implementations
• Motivate institutional funding and deployment strategies
• Solve the real world policy issues
• Integrate key applications to leverage the infrastructure
• Nurture open-source solutions
• Address scaling issues for the user and enterprise

In support of inter-institutional and interrealm collaborations, provide tools and services (e.g. registries, bridge PKI components, root directories) as required

Internet2 Middleware: Key Concepts

Use federated administration as the lever; have the security domain broker most services (authentication, authorization, resource discovery, etc.)

Provide security while not degrading privacy.

Foster interrealm trust fabrics for both legal and collaborative needs

Leverage campus expertise and build rough consensus

Influence the marketplace; develop where necessary

Internet2 Middleware: Areas of Activity

General Middleware: Roadmaps and Business Plans

Directories: directory services architectures, objectclasses, tools and techniques, affiliated directories

Shibboleth: interrealm exchange of attributes

PKI

Video on demand and digital rights management

Federated videoconferencing

Medical middleware: scenarios, objectclasses, privacy and security

PKI Activities

HEPKI-TAG (http://www.educause.edu/hepki/)

CP/CPS draft, S/MIME work

HEPKI-PAG

HEBCA, CP

First Annual Research Conference (http://www.cs.dartmouth.edu/~pki02/)

A Higher Ed Sector CA and CREN’s role

Access to Digital Materials

Several ways to use digital materials –

personal use – typically purchased by individuals on a subscription or per-use basis.

professional use – typically acquired (for fee or legal agreement) by an organization or university on a bulk basis, with access redistributed freely to members of the organization.

public use – as a citizen, entitled to an information commons, and other basic information rights, such as Fair Use and Freedom of Information

Digital rights technologies

The different uses of on-line materials have different requirements; they will likely require different technologies.

Requirements vary about the needs and controls for privacy, the economic recovery model, the needs and controls for security, etc.

Who is developing the digital rights technologies for professional and public use?

Vidmid

Supported by NSF, Internet2, and ViDe

Vidmid – the combined work

Vidmid-vc – led by Egon Verhoren (SURFnet), with conspicuous players Tyler Johnson (UNC), Samir Chatterjee (Claremont), Doug Sicker (Colorado) and Art Vandenburg (Georgia State)

Vidmid-VoD – led by Mairead Martin (UT-Knoxville) with conspicuous players Grace Trauner (Rutgers) and Jim DeRoest (Washington)

Parked work: Metadata, security cameras, hybrid forms

Key vendor participation

http://middleware.internet2.edu/video

NSF Middleware Initiative

GRID Consortium and Release 1

EDIT Consortium and Release 1

Testbeds and Outreach

Year 2 Goals

Integration

EDIT Consortium

Enterprise and Desktop Integration Technologies Consortium (EDIT)

• Internet2 – primary on grant and research
• EDUCAUSE – primary on outreach
• Southeastern Universities Research Association (SURA) – testbed

NMI-EDIT Plan

• Foster the development of campus enterprise middleware to leverage both the academic and administrative missions.

• Coordinate a common substrate across higher ed middleware implementations that would permit inter-institutional efforts such as Grids, digital libraries, and collaboratories to scale and leverage

• In some instances, build collaboration tools for particularly important inter-institutional and government interactions, such as web services, PKI and video.

• Ensure that distinctive higher ed requirements, from privacy and academic freedom to multi-realm portals, are served in the marketplace.

Sample NMI-EDIT Process (Directories)

MACE-DIR prioritizes needed materials

Subgroups established:
• revision of basic documents (LDAP Recipe)
• new best practices in groups and metadirectories
• standards development for eduPerson 1.5 and eduOrg 1.0

Subgroups work in enhanced IETF approach, with scenarios, requirements, architectures and recommended standards stages.

WG Deliverables announced; input and conference call feedback processes start for RPR status; work groups reconvene as needed

Seems to take around 4-6 months, depending on product

6-8 people seem to drive, 15-50 schools participate

NMI-EDIT Development Stages

Works in Progress
• Under development by working group; to shape directions
• Labeled as Draft

Experimental
• Reviewed within the working group; for review within the EDIT Community
• Labeled as EXP

Released for Public Review
• For broad review, including international and vendor communities
• Labeled as RPR

Final
• Labeled as FIN

NMI-EDIT Participants

Higher Ed – 15-20 leadership institutions, with 50 more campuses members of working groups; readership around 2000 institutions.

Corporate - (IBM, Microsoft, SUN, Intel, Liberty Alliance, DST, MitreTek, Radvision, Polycom, EBSCO, Elsevier, OCLC, Metamerge, Baltimore, etc.)

Government – NSF, NIST, NIH, Federal CIO Council, etc

International – Terena, JISC, REDIRIS, AARnet, etc.

A Few Year One Milestones

Sept 1, 2001 – Grant awarded

Oct 2001 – eduPerson 1.0 finalized; outreach begins with multiple full day workshops

Jan 2002 – HEBCA tested; first CAMP held

Feb 2002 – PKI Lite CP/CPS; e-Gov and Management and Leadership Best Practice Awards

April 2002 – Shibboleth alpha ships; testbeds selected; NIST/NIH PKI workshop

May 2002 – NMI release, with eduPerson 1.5, pubcookie, KX.509, groups and metadirectories, video white papers

June 2002 – affiliated directories to begin; basic CAMP; testbed kickoff

July 2002 – Shibboleth beta to ship; advanced CAMP

Specific Deliverables Release 1

Software
• KX.509 and KCA
• Certificate Profile Maker
• Pubcookie

Object Classes
• eduPerson 1.0
• eduPerson 1.5
• eduOrg 1.0
• commObject 1.0

Service
• Certificate Profile Registry

Specific Deliverables Release 1

Conventions and Practices
• Practices in Directory Groups 1.0
• LDAP Recipe 2.0
• Metadirectory Practices for the Enterprise Directory in Higher Education 1.0

White Papers
• Shibboleth Architecture v4

Policies
• Campus Certificate Policy for use at the Higher Education Bridge Certificate Authority (HEBCA)
• Lightweight Campus Certificate Policy and Practice Statement (PKI-Lite)
• Sample Campus Account Management Policy

Specific Deliverables Release 1

Works in Progress: White Papers
• Role of Directories in Video-on-Demand
• Resource Discovery for Videoconferencing
• commObject: Directory Services Architecture for Video and Voice Conferencing over IP

NMI Participation

CONTRIBUTORS

DEVELOPERS
- Develop NMI-related or derived components
- Support NMI components

SUPPORTERS
- Repackage NMI components and distribute under own label

USERS
- Campuses
- GriPhyN, NEES, etc.

Targeted User Communities

Other Interested Implementers
- Campuses
- Industry
- Government

NMI Testbed Participants
- Determined by Call For Participation

NMI Outreach: Participation Opportunities

Networking and Education

Held four workshops

Reached 117 U.S. schools
• Participants include CIOs, management, and technical IT staff
• Additional participants from international, research, and vendor communities
• Not just the usual suspects
– Denison University
– Clark Atlanta University
– Oglala Lakota College

Networking and Education: Next Steps

Campus Architectural and Middleware Planning
– June and July
– CIOs and technical staff
– Introductory/advanced workshops held twice per year

Tutorials
– Annual and regional EDUCAUSE/Internet2 meetings
– Others upon request and as schedules permit

Email lists
– EDUCAUSE and Internet2 email lists

NMI Integration Testbed: Overview

Focus on the integration of released middleware components with real life use and conditions

Elements: Sites, Manager, Workshop

Integration is the point - could think of it as…
• Where “EDIT” meets “GRIDS”
• Where enterprise needs meet research needs
• Where NMI components meet reality

NMI Outreach: Participation Opportunities

• NSF-middleware.org (NMI site)
• www.nmi-edit.org (EDIT site)
• www.grids-center.org (GRIDs Center site)

Year Two Work Areas

Authorization, Authorization, Authorization

Shibboleth and PKI

Integration with the Grid

HEBCA

Affiliated directories

Federated digital rights management

Video

Registry Services

Research medical middleware

Some Year 2 Deliverables

Options and Architectures for the N-Tier Problem – white paper August 2002

Federated DRM workshop – August 2002

Affiliated directories – white paper Aug 2002; pilots end of 2002

Registry services – as needed; first one in Sept 2002

Shibboleth 1.0 – code released in NMI 1.5

eduOrg 1.0 - final, end 2002

2nd PKI Research Conference – April 2003

Issue: International

Our technologies are international, but our standards, best practices, etc. are largely US-centric, by authority and in order to facilitate convergence.

Grids and other networked science activities are international

International trust structures are undefined, in particular the role of governments as trust intermediaries

Issue: Integration

We understand, somewhat, the technical issues involved in integration.

how can we get technical consensus

how can we meet in the future versus retrofit the existing

who will plug the gaps

We do not understand the policy issues:

who will fund and support the integration

how will institutional policies affect the management decisions for networked resources

how do governments participate

Integration Issues

What needs integration?
• Core middleware components
• Plumbing the campus core for Grids
• New NMI components into the existing base

What are the desired outcomes of integration
• To the user
– Relatively single-sign on/limited credentials
– Enterprise directory data supplied to Grids and other apps
• Behind the scenes
– Integrated accounting, security, management

Integration Issues

What are the barriers to integration
• Embedded bases
• Different priorities
• Gaps

Coexistence, then integration

Coexistence
• Converting campus Kerberos tickets to temporary X.509 certs
• Classification of NMI deliverables
• Testbeds for multiple agendas
• Identifier cross-walks

Integration
• Web services
• Metadirectories
• Identifier reduction
• Accounting and resource control

The pieces fit together…

Campus infrastructure
• Name space and identifiers
• Directories
• Enterprise authentication and authorization

Inter-realm infrastructure
• edu object classes
• Exchange of attributes

Inter-realm Upperware
• Grids
• Digital libraries
• Video