Transcript of The Last Six Months of Losers… Keith Hazelton, Wisconsin; Ken Klingenstein, Colorado and I2 MI; RL “Bob” Morgan, Washington

The Last Six Months of Losers…

Keith Hazelton, Wisconsin; Ken Klingenstein, Colorado and I2 MI; RL “Bob” Morgan, Washington


Base CAMP - February 5-7, 2003

Copyright Keith Hazelton, Kenneth J. Klingenstein, RL Bob Morgan 2003. This work is the intellectual property of the authors. Permission is granted for this material to be shared for non-commercial, educational purposes, provided that this copyright statement appears on the reproduced materials and notice is given that the copying is by permission of the author. To disseminate otherwise or to republish requires written permission from the author.


Agenda

• Keith – Directories (25 min)
• RL “Bob” – Security and a few other things (25 min)
• Ken – PKI, Feds, desktop video, DRM, HIPAA, Jabber, etc. (20 min)


26 Weeks of Securitude, or ... ETAHA*

RL “Bob” Morgan, University of Washington

Internet2/Educause Advanced CAMP, Boulder, Colorado, July 2003

* (even the acronyms have acronyms)


Topics

• Internet2 WGs:
  – Shibboleth and Federations
  – WebISO
• OASIS and related
  – SAML
  – XACML
  – WS-*
  – Liberty Alliance
• Open Source Application Foundation / Chandler
• Credential converter


Shibboleth 1.0

• Origin
  – Java-based Handle Service and Attribute Authority
  – flexible attribute resolver, attribute release policy expression
  – basic error-handling
• Target
  – binaries for Linux, Solaris; Apache module, separate SHAR process
  – sophisticated trust management for authn assertion validation
  – various options for distributed, replicated deployment
  – attribute definition, acceptance policies, mapping to env vars
• Other: attribute naming, entitlements, PKI use
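The origin/target attribute flow listed above, modelled as an added Python example (not Shibboleth's own code): an attribute release policy on the origin side, and on the target side an acceptance policy that drops values whose scope the asserting origin does not own before mapping the survivors to environment variables. Attribute names follow eduPerson; the target URL, origin scope, policy contents and environment-variable names are assumptions.

```python
# Added example, not Shibboleth code: a toy model of the 1.0 attribute flow.
# Origin: attribute authority + attribute release policy (ARP).
# Target: attribute acceptance policy (AAP) + mapping to env vars.
# Every name, URL and policy value below is constructed for illustration.

ORIGIN_SCOPE = "example.edu"  # assumed domain the origin may assert scopes for

# Constructed attributes held by the origin's attribute authority.
USER_ATTRS = {
    "eduPersonScopedAffiliation": ["member@example.edu", "staff@other.edu"],
    "eduPersonEntitlement": ["urn:mace:example.edu:entitlement:jstor"],
    "mail": ["alice@example.edu"],
}

# Constructed ARP: which attributes may be released to which target.
ARP = {
    "https://sp.jstor.example/shibboleth": {
        "eduPersonScopedAffiliation", "eduPersonEntitlement"},
}

# Constructed AAP: accepted attributes, whether the value's scope must match
# the asserting origin, and the env var the target exposes it as.
AAP = {
    "eduPersonScopedAffiliation": {"scoped": True, "env": "HTTP_SHIB_EP_AFFILIATION"},
    "eduPersonEntitlement": {"scoped": False, "env": "HTTP_SHIB_EP_ENTITLEMENT"},
}

def release(target, attrs=USER_ATTRS, arp=ARP):
    """Origin side: return only the attributes the ARP releases to target."""
    allowed = arp.get(target, set())
    return {k: list(v) for k, v in attrs.items() if k in allowed}

def accept(origin_scope, released, aap=AAP):
    """Target side: drop attributes not in the AAP and scoped values whose
    scope is not the asserting origin's, then map survivors to env vars."""
    env = {}
    for name, values in released.items():
        rule = aap.get(name)
        if rule is None:
            continue  # attribute not accepted from any origin
        if rule["scoped"]:
            values = [v for v in values if v.rpartition("@")[2] == origin_scope]
        if values:
            env[rule["env"]] = ";".join(values)
    return env

if __name__ == "__main__":
    print(accept(ORIGIN_SCOPE, release("https://sp.jstor.example/shibboleth")))
```

The scope check is the part worth noting: an origin asserting "staff@other.edu" has that value discarded by the target, even though the attribute itself is accepted.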


Shibboleth community

• Library systems people
  – CNI, DLF, campus libraries
• Information providers
  – JSTOR, OCLC, EBSCO, others
• Learning-management system vendors
  – Blackboard, WebCT
• Campus infra architects
• European NRENs
• Many random adopters ...


Shibboleth Federations

• InCommon – the “production” federation
  – US Higher-Ed institutions (probably) as origins
  – real authentication, real attributes, real membership agreement, real PKI
  – coming this fall
• InQueue – the “trial” federation
  – any “organization of interest” trying Shib and federation
  – running now with a dozen origins
• Other federations: Swiss HE, various states, ...


Shibboleth next steps

• “dot-release” by end of July
  – fixups and simplifications, better docs, Windows origin
• Attribute management
  – visibility for users, admins; GUI management for admins
• Federation support
  – federation data management tools, more consistent use
• Target
  – Java-based, better Windows, library support, policy mgt, vhosts
• Outreach to adopters to set directions


WebISO project

• Documents in process
  – models/capabilities; target models and integration methods
• New releases of WebISO-style products
  – Pubcookie, CAS (Yale), Cosign (UMich), A-Select (SURFnet), other
• Consideration of “Shibboleth integration”
  – plugging in a WebISO to Shib is easy
  – will all sites migrate to Shib target? to SAML?
  – does Shib meet (some, most) requirements for WebISO on its own?
  – extend Shib project to include weblogin component?


OASIS work

• SAML (security-services TC)
  – SAML 1.1 approved, fixups based on experience
  – SAML 2.0 activity initiated
    • contributions from Liberty Alliance: metadata, etc.
    • “credentials collector”, session management, alignment with XACML, etc.
• XACML: access-control policy language
  – 1.0 approved, work begun on 1.1
  – Sun provides open-source implementation in Java
• Web Services Security: protection of SOAP messages
  – close to 1.0 approval


Web Services Security Framework

• Microsoft, IBM, others defined “roadmap”
  – with large set of proposed specs, not all published yet
  – WS-Security: fundamental SOAP message protection
  – WS-Policy: statements about policy of WS entities
  – WS-SecureConversation: context establishment, message streams
  – WS-Trust: security token request/response
  – WS-Federation: login/logout, with browser profile, pseudonymity
  – other non-security WS-* specs: routing, transaction, etc.
• Standards story not clear
  – base spec worked on in OASIS TC, others?


Liberty Alliance

• 1.1 specs published
  – now recast as “Identity Federation Framework” (ID-FF)
  – implementations available, but Liberty-based federations?
  – major PR win with EU privacy blessing
  – most SAML extensions contributed to OASIS SAML TC
• Next steps: Web-Services-based framework
  – ID-WSF: attribute exchange, discovery, info-sharing/protection
  – ID-SIS: interface for personal services, calendar, presence, etc. (can you say “Hailstorm”?)
  – drafts available ...


OSAF

• Founded by Mitch Kapor to do cool open-source applications for end-users
• First is Chandler, personal information manager
  – email, calendar, etc.
  – based on peer-to-peer model, rich datastore
• Working with CSG universities, Mellon
  – extend model to consider enterprise (university) services
  – e.g. IMAP, CAP, SASL, Kerberos
  – campuses working on joint proposal for further work


Credential converter

• Requirements for flexible “credential conversion”
  – more types of authn/authz systems appearing
  – more systems appearing that require one or another
  – interest in 3-tier support, implying proxy/delegation
• Some diverse examples
  – UMich KX509: map Kerberos cred into X.509 cert
  – Shib Attribute Authority: esp. when doing “attribute derivation”
  – Microsoft TrustBridge “project”
• Can a generalized component be built?
  – we'll find out, with NMI support ...


Conclusion

• Some very sophisticated infrastructure standards are being produced
  – the good news is there are many to choose from ...
• But as always it's about deployments
  – understanding how infrastructure services are interdependent
  – understanding costs and benefits
  – understanding what practices are implied/supported by technologies


Others…

• Grids (and Cyberinfrastructure)
• PKI
  – CREN Cat ->…
  – HEBCA
  – Federations
• Desktop video
• DRM/VoD
• P2P


Grid Basics

• Complex software environments for the sharing of cycles, storage, remote instrumentation, etc.

• The more general the software, the more that is left to the reader…


Facts about Grids

• There are many distributed computing and resource sharing environments besides Grids.
• Much big science and medicine will be based on Grids
• Grids come in many flavors
• Global Grid Forum attempts to coordinate flavors
• Among the flavors, there is a predominant strain
  – Developed out of ISI, Argonne, etc. by Kesselman, Foster, et al.
  – Current instantiation is Globus Toolkit 2.0 (part of NMI)
  – Next generation is Open Grid Services Architecture (OGSA)


More facts about Grids

• Grids are stand-alones, tending not to recognize firewalls, enterprise services, usability requirements, privacy, politics of resource sharing, etc.
• Two distinct types of Grids are emerging
  – Intragrids – users on the outside access an internal grid that supplies cycles, storage, etc. transparently
  – Intergrids – a shared mesh of resources among autonomous enterprises


PKI

• Didn’t it die?
• There is no substitute for many services that PKI can provide
• It is not a universal panacea
• It will continue to evolve until we get it right


PKI in the last year

• FPKI efforts and the FBCA
• The HEBCA
• The demise of CREN
• Sean Smith and his interesting research…
  – faking security… macros and screen manipulation
  – faking privacy… unlocking the cert store and playing Go Fish


Relating PKI to the federated approach

• Well, at one level, PKI identities should anchor federated activities.
• At a more operational level, federated activities need to either
  – Peer with PKI activities (at a bridge?)
  – Interact with other federated activities


HE CA Planning

• A HE root – “Usher”, operated by I2, operated out of a member campus
• Signing institutional multipurpose certs, with strong institutional vetting
• Signing the InCommon CA
  – Which signs institutional Shib server certs, with strong institutional vetting
• Being worked in HEPKI-TAG for profile, policy
• Timeframe – ask Neal


Federations in the last year

• Communicator Hub ID is one of the pioneering Liberty Alliance-based services on the market, supporting vertical-industry B2B offerings such as SecuritiesHub. SecuritiesHub is sponsored by eight leading Wall Street investment firms, including Credit Suisse First Boston, Goldman Sachs, JPMorgan, Lehman Brothers, Merrill Lynch, Morgan Stanley, Salomon Smith Barney and UBS Warburg.
• Liberty Alliance (http://www.projectliberty.org/)
• Federal e-Authentication Initiative (http://www.cio.gov/eauthentication/)
• Shibboleth and InCommon (http://middleware.internet2.edu/shibboleth)


Federating organizations organization (FOO)

• To explore the issues in federations, and multiple federations, and subclubs, and…
• Includes GM, Johnson and Johnson, Bechtel, Liberty, Microsoft, Fed e-AuthN
• Discussions just started...
• Friends of foo as an email list to stay informed of the discussions


Other PKI work

• Maybe a recipe for campus use of institutional cert
• Credential converter and H.323…
• Citizen and Commerce CP/CPS (C4)
• Signed and/or encrypted email


DRM


Desktop video

• Resource discovery going well, see H.350
• Authentication …
  – H.323 – PKI without a clue for location, profile, etc.
  – SIP – moving towards federation
• VoIP
• Authorization?


P2P

• Enterprising, federated Jabber
• Enterprising, federated Lionshare (Penn State)