26 Weeks of Securitude, or ... ETAHA*
RL “Bob” Morgan, University of Washington
Internet2/Educause Advanced CAMP
Boulder, Colorado, July 2003
* (even the acronyms have acronyms)
Topics
Internet2 WGs:
• Shibboleth and Federations
• WebISO
OASIS and related:
• SAML
• XACML
• WS-*
• Liberty Alliance
Open Source Application Foundation / Chandler
Credential converter
Shibboleth 1.0
Origin
• Java-based Handle Service and Attribute Authority
• flexible attribute resolver, attribute release policy expression
• basic error-handling
Target
• binaries for Linux, Solaris; Apache module, separate SHAR process
• sophisticated trust management for authn assertion validation
• various options for distributed, replicated deployment
• attribute definition, acceptance policies, mapping to env vars
Other: attribute naming, entitlements, PKI use
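The two policy points on this slide, the origin's attribute release policy and the target's attribute acceptance policy, are easiest to see as a pair of filters on the same attribute set. The following added illustration (not Shibboleth's own code; the provider IDs, directory record, policies and environment-variable names are all constructed for the example) models that path: the Attribute Authority releases only what the ARP allows for the requesting target, the SHAR checks the assertion's issuer, audience and validity window, then drops any attribute the AAP does not list, any scoped value whose scope the issuing origin is not trusted for, and any value outside an allowed-value list, before exporting the survivors as environment variables. The assertion format is a deliberately simplified, unsigned stand-in for the signed SAML that Shibboleth actually exchanges.

```python
"""
Added illustration of the Shibboleth 1.x attribute path (not Shibboleth's
own code).  The origin's Attribute Authority filters a user's directory
record through an attribute release policy (ARP) for the requesting
target; the target filters the result again through an attribute
acceptance policy (AAP) before exporting it to the application as
environment variables.  All names, policies and data are constructed.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# --- origin side (Handle Service / Attribute Authority) -----------------
ORIGIN_ID = "urn:mace:inqueue:example.edu"          # hypothetical providerId

DIRECTORY = {                                        # constructed record
    "bob": {
        "eduPersonScopedAffiliation": ["member@example.edu", "staff@example.edu"],
        "eduPersonPrincipalName": ["bob@example.edu"],
        "mail": ["bob@example.edu"],
    },
}

# ARP: attributes releasable to every target ("*") plus per-target additions.
ARP = {
    "*": {"eduPersonScopedAffiliation"},
    "https://jstor.example.org/shibboleth": {"eduPersonPrincipalName"},
}

def release_attributes(user, target):
    """Apply the ARP: only attributes listed for this target leave the origin."""
    allowed = ARP.get("*", set()) | ARP.get(target, set())
    return {name: vals for name, vals in DIRECTORY[user].items() if name in allowed}

def build_assertion(user, target, now, lifetime=timedelta(minutes=5)):
    """Serialize released attributes as a simplified, unsigned assertion.
    Real Shibboleth signs the SAML and uses proper namespaces; omitted here."""
    root = ET.Element("Assertion", Issuer=ORIGIN_ID, Audience=target,
                      NotBefore=now.isoformat(),
                      NotOnOrAfter=(now + lifetime).isoformat())
    for name, vals in release_attributes(user, target).items():
        attr = ET.SubElement(root, "Attribute", Name=name)
        for v in vals:
            ET.SubElement(attr, "Value").text = v
    return ET.tostring(root, encoding="unicode")

# --- target side (SHAR / Apache module) ---------------------------------
TARGET_ID = "https://jstor.example.org/shibboleth"   # hypothetical providerId

# Which scopes each trusted origin may assert; any other scope is dropped.
TRUSTED_SCOPES = {ORIGIN_ID: {"example.edu"}}

# AAP: accepted attributes, whether values carry a scope, an optional
# allowed-value list, and the environment variable each exports to.
AAP = {
    "eduPersonScopedAffiliation": {"scoped": True, "env": "SHIB_EP_AFFILIATION",
                                   "values": {"member", "staff", "faculty", "student"}},
    "eduPersonPrincipalName": {"scoped": True, "env": "REMOTE_USER"},
}

def accept_attributes(assertion_xml, now, audience=TARGET_ID):
    """Validate the assertion, apply the AAP, and return the env-var mapping."""
    root = ET.fromstring(assertion_xml)
    issuer = root.get("Issuer")
    if issuer not in TRUSTED_SCOPES:
        raise ValueError("assertion from unknown origin")
    if root.get("Audience") != audience:
        raise ValueError("assertion not intended for this target")
    if not (datetime.fromisoformat(root.get("NotBefore")) <= now
            < datetime.fromisoformat(root.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")

    env = {}
    for attr in root.findall("Attribute"):
        rule = AAP.get(attr.get("Name"))
        if rule is None:
            continue                                 # not in the AAP: dropped
        kept = []
        for val in (v.text or "" for v in attr.findall("Value")):
            if rule.get("scoped"):
                local, sep, scope = val.rpartition("@")
                if not sep or scope not in TRUSTED_SCOPES[issuer]:
                    continue                         # origin not authoritative for scope
            else:
                local = val
            if "values" in rule and local not in rule["values"]:
                continue                             # value outside the allowed list
            kept.append(val)
        if kept:
            env[rule["env"]] = ";".join(kept)        # multi-valued: ';'-joined
    return env

if __name__ == "__main__":
    now = datetime(2003, 7, 1, 12, 0, tzinfo=timezone.utc)
    print(accept_attributes(build_assertion("bob", TARGET_ID, now), now))
```

The point of running both filters is that neither side has to trust the other's policy: the origin never learns whether the target will accept `mail`, and the target never relies on the origin to refrain from asserting a scope it does not own. The scope check is the one a practitioner most often gets wrong; an origin trusted only for `example.edu` that asserts `faculty@otheruniv.edu` is silently stripped rather than granted access.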
Shibboleth community
Library systems people
• CNI, DLF, campus libraries
Information providers
• JSTOR, OCLC, EBSCO, others
Learning-management system vendors
• Blackboard, WebCT
Campus infra architects
European NRENs
Many random adopters ...
Shibboleth marketing ramps up
Attributes
Shibboleth Federations
InCommon
• the “production” federation
• US Higher-Ed institutions (probably) as origins
• real authentication, real attributes, real membership agreement, real PKI
• coming this fall
InQueue
• the “trial” federation
• any “organization of interest” trying Shib and federation
• running now with a dozen origins
Other federations: Swiss HE, various states, ...
Shibboleth next steps
“dot-release” by end of July
• fixups and simplifications, better docs, Windows origin
Attribute management
• visibility for users, admins; GUI management for admins
Federation support
• federation data management tools, more consistent use
Target
• Java-based, better Windows, library support, policy mgt, vhosts
Outreach to adopters to set directions
WebISO project
Documents in process
• models/capabilities; target models and integration methods
New releases of WebISO-style products
• Pubcookie, CAS (Yale), Cosign (UMich), A-Select (SURFnet), other
Consideration of “Shibboleth integration”
• plugging a WebISO into Shib is easy
• will all sites migrate to Shib target? to SAML?
• does Shib meet (some, most) requirements for WebISO on its own?
• extend Shib project to include weblogin component?
OASIS work
SAML (security-services TC)
• SAML 1.1 approved, fixups based on experience
• SAML 2.0 activity initiated
• contributions from Liberty Alliance: metadata, etc
• “credentials collector”, session management, alignment with XACML, etc
XACML: access-control policy language
• 1.0 approved, work begun on 1.1
• Sun provides open-source implementation in Java
Web Services Security: protection of SOAP messages
• close to 1.0 approval
Web Services Security Framework
Microsoft, IBM, others defined “roadmap”
• with large set of proposed specs, not all published yet
• WS-Security: fundamental SOAP message protection
• WS-Policy: statements about policy of WS entities
• WS-SecureConversation: context establishment, message streams
• WS-Trust: security token request/response
• WS-Federation: login/logout, with browser profile, pseudonymity
• other non-security WS-* specs: routing, transaction, etc
Standards story not clear
• base spec worked on in OASIS TC; others?
Liberty Alliance
1.1 specs published
• now recast as “Identity Federation Framework” (ID-FF)
• implementations available, but Liberty-based federations?
• major PR win with EU privacy blessing
• most SAML extensions contributed to OASIS SAML TC
Next steps: Web-Services-based framework
• ID-WSF: attribute exchange, discovery, info-sharing/protection
• ID-SIS: interface for personal services, calendar, presence, etc (can you say “Hailstorm”?)
• drafts available ...
OSAF
Founded by Mitch Kapor to do cool open-source applications for end-users
First is Chandler, personal information manager
• email, calendar, etc
• based on peer-to-peer model, rich datastore
Working with CSG universities, Mellon
• extend model to consider enterprise (university) services
• e.g. IMAP, CAP, SASL, Kerberos
• campuses working on joint proposal for further work
Credential converter
Requirements for flexible “credential conversion”
• more types of authn/authz systems appearing
• more systems appearing that require one or another
• interest in 3-tier support, implying proxy/delegation
Some diverse examples
• UMich KX509: map Kerberos cred into X.509 cert
• Shib Attribute Authority: esp. when doing “attribute derivation”
• Microsoft TrustBridge “project”
Can a generalized component be built?
• we'll find out, with NMI support ...
Conclusion
Some very sophisticated infrastructure standards are being produced
• the good news is there are many to choose from ...
But as always it's about deployments
• understanding how infrastructure services are interdependent
• understanding costs and benefits
• understanding what practices are implied/supported by technologies