100 likes | 188 Views
Authentication Panel Session. Framework. Technological Political Practical Identity accounts Using standards (whenever possible) Need for implementations. UK Federation. “Section 6” (accountability) ePPN not reissued within 24 months ePTI not reissued within 24 months
E N D
Framework • Technological • Political • Practical • Identity accounts • Using standards (whenever possible) • Need for implementations
UK Federation • “Section 6” (accountability) • ePPN not reissued within 24 months • ePTI not reissued within 24 months • Is it easier to not reuse ePTI? • How to store the eXXX to prevent reuse • Advisory – only 35% guarantee section 6 • But these are typically institution IdPs • Cf. CP/CPS: Trust based on policy
UK Federation • Migration issues • SPs require personal information • Dual sign-on (once only)…? Email linking it? • With Shib-to-Athens gateway, SP doesn’t always recognise user (anonymised) • Confusingly called the Athens Shib gateway • IdP uid -> Athens PUID • With Athens-to-Shib gateway, SPs don’t always get the relevant attrs • ScopedAffiliation, ePTI, SAML2PersistentID
UK Federation • Users should be aware of attrs • release/block individually • How to ensure “due diligence” • Auditing process?
Technology in AUC • Always (almost) pass UUID, for logging • Along with magic bits for AUZ • Standards are good, but • Need licence to allow us to use it • And convince us it remains usable • “Free” implementations help, too • Open Source best – we can help (sometimes) • Preferably in languages we use
Technology • Different things are good but, • Need interop – and conversions • Technical, assurance, political, practical,… • It’s all very well until something goes wrong • Intruder alert • The people factor against us • Boss’ demo stops working • Your nation stops working…
AUC tokens • What are we authenticating • Who I am (e.g. person or host certs) • What I am (e.g. affiliation attrs, VOMS roles) • What I do (service certs) • Robots should say what they are, not what they do • Usability vs Security • Very occasionally, there is a win-win • SSO, hardware tokens over software
People • Make it usable • People sharing tokens • Try to make it legally binding… • And pray it doesn’t go to court, ever • Particularly not in another country • Insurance? Liability? • Prohibit difficult stuff (financial)?
Policies • Policies are good • Early implementers feedback req’d • IdPs and SPs shortcut via appropriate policies • UK (Shib) Federation rules of membership • IGTF for Grid CAs • Commit institutions to policies? • Update IdPs when policies change!?