Observations
• The phases of Internet-scale invention and the role of market-makers
• Skill sets for the new world order and nurturing its seed corn in common
• http://www.thebricktestament.com/judges/42000_ephraimites_killed/jg12_05-06.html
• Next Year at CAMP
The things we didn’t get to this year at CAMP
• Archery
• Braiding lanyards
• Head lice
For next year’s camp
• The new newbies
• The Enterprise Frontiers
  • Framing the new world order for stakeholders
  • Bronze and Silver, Signing, roles, auditors
• The User Experience
  • Discovery
  • uApprove, privacy managers and informed consent
  • Collaboration management
• New Technologies and their Implications
  • Access control and domestication
  • Interfederation, Non-web applications
  • The Attribute Ecosystem
The new newbies
• It’s still early in the federation roll-out
  • From early adopters to early majority
• It’s still early in the application adoption phase
• We’ll see more outsourcing of identity operations, more variety of software used, etc.
• Adjacent verticals – K-12, medical centers, financials
Talking the Enterprise Walk
• Framing discussions with stakeholders
• Bronze and Silver
• Certificates and Signing
• Roles
• Auditors
Framing the discussions with stakeholders
• A common model and vocabulary
• A handle on risk assessment
• A handle on attributes and access control
• The art of shaping the technology to fit the policy
A Common Vocabulary
• Identity and identifiers
• “Credentials”
• Acts of authentication
• Acts of identity proofing
• Services
• Sources of authority
  • Provides definitive attribute values to identities
  • May have a delegated authority
A Handle on Risk Assessment
• NIST guidelines on risk assessment
  • Somewhat dated, somewhat abstract, somewhat not relevant
• App owners tend to overestimate risk; users tend to underestimate it
• Weak-link applications can expose data, if not credentials
Attributes and access control
• Getting stakeholders to think of themselves in specific roles
  • As sources of authority
  • As vetters of identity
• The emergence of roles for scaling
• The limits of gestalt semantics and the “value” of regulation
The art of “teching” a policy
• Policy is soft; code is hard
• Forcing the policy discussions
  • Where to store attributes
    • At the SoA or at the IdP or at the RP
  • Where to authorize
    • At the IdP (compute an entitlement)
    • At the RP (pass attributes)
  • Who should issue credentials versus issue attributes
  • Identity linking/crosswalking – strategies and exposures
InCommon Bronze and Silver
• Revisions as time goes by
  • Particularly in privacy
• Gold
  • The apps?
  • The technical options
    • Certs
    • SMS as a second factor
    • Others
Certificate Services
• National, flexible arrangement with Comodo, a commercial CA present in all web browsers
• Unlimited SSL and personal certs for a flat fee, based on the size of the institution or system; typically saves a campus 30-50%
• Limited to .edu-affiliated institutions; requires InCommon membership
• The personal certs are the prize in the Cracker Jack box
  • SSL certs save significant money and allow campus security to be improved
  • Personal certs introduce powerful capabilities for signed docs/email and two-factor authentication
Signing
• A long-term Holy Grail
• Signing email and docs; not encryption, because of the key escrow issues it raises
• A lot easier than it was: better clients, rooted certs, federation to leverage, revocation processes
• Still really hard: enterprise deployment issues, LOA, including attributes and roles
New InCommon Initiative in Signing
• Several phases
  • Enterprise deployment issues – clients, mobility, desktop, discovery, LOA
  • Innovation – inter-institutional, signing roles and attributes
  • Business leveraging – working with the verticals: registrars, financial offices, legal, etc.
• Campus-driven with I2 flywheels and collab support services; watch incommon-participants for info
• International and other verticals coordination
Roles
• The key ingredient to scaling, to inter-realm work, to audit and compliance
• Roles are mostly roll-ups of permission sets
  • With qualifiers, prerequisites, etc.
• Roles are mostly group information but…
• Regulation or federation can help define roles
Auditors
• How much auditing – Kantara and reality
  • http://kantarainitiative.org/
• Institutional leverage to get engagement
• Finding the righteous auditors and training the rest
• Visibility of audit results
Talking User Experience
• Discovery
• Privacy Managers
• Collaboration Management
Discovery
• The process of directing an unauthenticated user back to an organization to be authenticated (happens at new browser launch, not at new window, etc.); already-authenticated users are taken directly to the resource
• A non-scalable aspect, especially as the number of federations and IdPs grows exponentially
• An issue to be addressed by an SP
• Today done by the federation WAYF; users can set cookies to default to their IdP, good for up to a year
• The future is much better – see https://spaces.internet2.edu/display/SHIB2/DSRoadmap
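The SP-side decision described above (already authenticated: go to the resource; otherwise honor a remembered IdP, else fall back to the WAYF) is shown in this added example, which is not from the slides or from any Shibboleth or InCommon code. It assumes the remembered-IdP cookie follows the SAML 2.0 IdP Discovery Profile common-domain cookie format (space-separated base64-encoded entityIDs, most recent last, URL-decoding already done) and that the SP only honors IdPs present in its metadata; the IdP entityIDs and the `KNOWN_IDPS` set are constructed for the example.

```python
"""SP-side IdP discovery with a remembered-IdP cookie (added example)."""
import base64
import binascii

# Constructed sample: the IdPs this SP has metadata for. A discovery cookie
# must never redirect to an IdP the SP does not already trust.
KNOWN_IDPS = {
    "https://idp.uni-a.example/idp",
    "https://idp.uni-b.example/idp",
}


def encode_cdc(entity_ids):
    """Encode entityIDs as a common-domain-cookie value: base64, space separated."""
    return " ".join(base64.b64encode(e.encode("utf-8")).decode("ascii")
                    for e in entity_ids)


def decode_cdc(cookie_value):
    """Decode a cookie value into entityIDs, silently dropping malformed tokens."""
    ids = []
    for tok in (cookie_value or "").split():
        try:
            ids.append(base64.b64decode(tok, validate=True).decode("utf-8"))
        except (binascii.Error, ValueError, UnicodeDecodeError):
            continue  # garbage in the cookie is ignored, not trusted
    return ids


def remember_idp(cookie_value, entity_id, keep=5):
    """Return an updated cookie value with entity_id as the most recent IdP."""
    ids = [e for e in decode_cdc(cookie_value) if e != entity_id]
    ids.append(entity_id)
    return encode_cdc(ids[-keep:])  # bound the cookie to the last few IdPs


def discover(session_authenticated, cookie_value, known_idps=KNOWN_IDPS):
    """Decide where an incoming request goes.

    Returns ("resource", None), ("redirect", entityID) or ("wayf", None).
    """
    if session_authenticated:
        return ("resource", None)  # already authenticated: no discovery needed
    # Most recently used IdP is last in the cookie; take the newest known one.
    for eid in reversed(decode_cdc(cookie_value)):
        if eid in known_idps:
            return ("redirect", eid)
    return ("wayf", None)  # nothing usable remembered: ask the federation WAYF


if __name__ == "__main__":
    c = remember_idp("", "https://idp.uni-a.example/idp")
    print(discover(False, c))   # redirect to uni-a
    print(discover(True, c))    # straight to the resource
    print(discover(False, encode_cdc(["https://unknown.example/idp"])))  # wayf
```

The check against `known_idps` is the defensive point: a remembered IdP is user-controlled browser state, so the SP treats it as a hint and only follows it when the entityID is one it already has metadata for.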
Privacy managers
• Translating geek to English
• Translating English into other languages
• Bundles of commonly used attributes
  • The collab package (eppn + display name)
  • The privacy package (epTId + nickname)
  • ??
The Emergence of Collaboration Management
• IdM is a critical dimension of collaboration, crossing many applications and user communities
• Virtual organizations represent critical communities of researchers sharing domain resources and applications as well as general collaboration tools
• Providing a unified identity management platform for collaboration is essential in a multi-domain, multi-tool world
• Lots of activities in domesticating applications to work in a federated world, moving from tool-based identity to collaboration-centric identity
Collaboration Platforms
• Integrated set of collaboration apps (wikis, listprocs, CVS, file share, calendaring, etc.)
• Integration of at least identity and access control via group memberships
• Extends consistent identity and access controls to domain apps
• Repackages successful enterprise technologies for a collaborative/project/VO setting
  • Federated identity, group management, directories, and security token services (aka credential convertors)
• Allows integration of VO and enterprise IdM
Examples of Collaborative Platforms
• COmanage
  • http://middleware.internet2.edu/co/
• http://www.surfnet.nl/Documents/indi-2009-07-020%20(Report%20Collaboration%20Infrastructure).pdf
• Commercial offerings – Sharepoint, Adobe Connect, Google Sites, Google Wave, Google Apps
  • Can be integrated with enterprise IdM
  • Don’t integrate with domain apps
COmanage Elements
[Diagram: COmanage elements – data store, applications]
Flows of attributes – 1
[Diagram: enterprise → project COmanage data store → relying party; second enterprise feeding the same data store]
Talking New Technologies
• Interfederation
• Thinking beyond the web
• The Attribute Ecosystem and the Tao of Attributes
Interfederation
• Connecting autonomous federations
• Critical for global scaling, accommodating state and local federations, integration across vertical sectors
• Has technical, financial and policy dimensions
• Elegant technical solution (MDX) being developed in the eduGAIN project of GÉANT
• Policy activities in Kalmar2 Union, Kantara, TERENA
MDX – metadata exchange protocol
• Institutions and organizations will pick a registrar to give their metadata to
• Institutions and organizations will pick an aggregator (or several) to get their partners’ metadata from
• Aggregators exchange metadata with each other and with registrars
• If this sounds like DNS registration and routing, it is, one layer up
• In the land of data, metadata is king; imagine many new kinds of metadata
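The registrar/aggregator division of labour above is shown in this added example, which is not from the slides, from eduGAIN or from any MDX implementation. It simulates two registrars publishing SAML EntitiesDescriptor documents, an aggregator pulling from a registrar and from a peer aggregator, and per-entity lookup by entityID or by the `{sha1}`-hashed identifier form used by MDX/MDQ queries. The entityIDs, registrar names and metadata documents are constructed; the validity and conflict rules (expired `validUntil` is dropped, the first registrar to claim an entityID keeps it) are this example's assumptions, and real aggregates are additionally signed, which is not modelled here.

```python
"""Toy MDX-style metadata registrar/aggregator chain (added example)."""
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
ET.register_namespace("md", MD_NS)
ED_TAG = f"{{{MD_NS}}}EntityDescriptor"

# Constructed sample metadata published by two registrars. Registrar A's SP
# record has already expired; registrar B tries to re-register A's IdP.
REGISTRAR_A = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="registrar-a.example">
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.uni-a.example/shibboleth" validUntil="2000-01-01T00:00:00Z">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

REGISTRAR_B = f"""<md:EntitiesDescriptor xmlns:md="{MD_NS}" Name="registrar-b.example">
  <md:EntityDescriptor entityID="https://idp.uni-b.example/idp" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.uni-a.example/idp" validUntil="2099-01-01T00:00:00Z">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""

NOW = datetime(2011, 1, 1, tzinfo=timezone.utc)  # constructed "current time"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sha1_id(entity_id):
    """MDQ-style hashed identifier: '{sha1}' + hex SHA-1 of the entityID."""
    return "{sha1}" + hashlib.sha1(entity_id.encode("utf-8")).hexdigest()


class Aggregator:
    def __init__(self, name):
        self.name = name
        self.entities = {}  # entityID -> (registrar name, EntityDescriptor element)

    def _accept(self, eid, registrar, element, now):
        valid_until = element.get("validUntil")
        if valid_until and parse_ts(valid_until) < now:
            return False  # expired records are dropped, never served
        if eid in self.entities and self.entities[eid][0] != registrar:
            return False  # conflict: another registrar already owns this entityID
        self.entities[eid] = (registrar, element)
        return True

    def pull_from_registrar(self, document, registrar, now=NOW):
        """Ingest a registrar's EntitiesDescriptor document."""
        root = ET.fromstring(document)
        return sum(self._accept(ed.get("entityID"), registrar, ed, now)
                   for ed in root.iter(ED_TAG))

    def pull_from_peer(self, peer, now=NOW):
        """Exchange with another aggregator, keeping the registrar of record."""
        return sum(self._accept(eid, reg, ed, now)
                   for eid, (reg, ed) in peer.entities.items())

    def lookup(self, identifier):
        """Resolve a plain entityID or a '{sha1}...' identifier to (registrar, element)."""
        if identifier.startswith("{sha1}"):
            for eid, rec in self.entities.items():
                if sha1_id(eid) == identifier:
                    return rec
            return None
        return self.entities.get(identifier)

    def aggregate_xml(self):
        """Build the combined EntitiesDescriptor this aggregator serves."""
        root = ET.Element(f"{{{MD_NS}}}EntitiesDescriptor", Name=self.name)
        for _, ed in self.entities.values():
            root.append(ed)
        return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    agg_a = Aggregator("agg-a.example")
    agg_b = Aggregator("agg-b.example")
    agg_a.pull_from_registrar(REGISTRAR_A, "registrar-a.example")
    agg_b.pull_from_registrar(REGISTRAR_B, "registrar-b.example")
    agg_a.pull_from_peer(agg_b)
    print(sorted(agg_a.entities))  # uni-a IdP (from A) and uni-b IdP (via peer)
    print(agg_a.lookup(sha1_id("https://idp.uni-b.example/idp"))[0])
```

The analogy to DNS holds in the code: a registrar is authoritative for what it registered, aggregators cache and forward, and a conflicting claim from elsewhere does not displace the record of the registrar that holds the name.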
Thinking beyond the web
• All those mobile devices
• All those infrastructure elements – routers, firewalls
• Lots of apps want to leverage federated identity
• Several approaches at work
  • Using OAuth to pass a token from web to app
  • Project Moonshot effort in Europe to extend basic IETF protocols (GSS-API, EAP, etc.) to provide a broad set of app opportunities
The Attribute Ecosystem
• Authentication is very important, but identity is just one of many attributes
• And attributes provide scalable access control, privacy, customization, linked identities, federated roles and more
• We now have our first transport mechanisms to move attributes around – SAML and federations
• There will be many sources of attributes, many consumers of attributes, query languages and other transport mechanisms
• Together, this attribute ecosystem is the “access control” layer of the Internet
Attribute use cases are rapidly emerging
• Disaster “first responders” – attributes and qualifications dynamically
• Accessibility use cases
• Public input processes – anonymous but qualified respondents
• Grid relying parties aggregating VO and campus attributes
• The “IEEE” problem
• The “over legal age” use case and the difference in legal ages across jurisdictions
• Self-asserted attributes – friends, interests, preferences, etc.
The Tao of Attributes workshop 属性之道
• Purpose of the workshop was to start to explore the federal use case requirements for attributes, aggregation, sources of authority, delegation, query languages, etc.
• Participants were the best and brightest – the folks who invented LDAP, SAML, OpenID, etc.
• Webcast at http://videocast.nih.gov/PastEvents.asp
• Tweeted at TAOA
• http://middleware.internet2.edu/tao-of-attributes/
Back to Ann
• With much thanks to her, and to the Internet2 and InCommon staff who helped
• And much thanks to the program committee
• And great thanks to you, with your great problems and your willingness to talk about them