
Authentication Panel Session


roy




Presentation Transcript


  1. Authentication Panel Session

  2. Framework
  • Technological
  • Political
  • Practical
  • Identity accounts
  • Using standards (whenever possible)
  • Need for implementations

  3. UK Federation
  • “Section 6” (accountability)
  • ePPN not reissued within 24 months
  • ePTI not reissued within 24 months
  • Is it easier not to reuse ePTI at all?
  • How to store the eXXX identifiers (ePPN, ePTI) to prevent reuse?
  • Advisory: only 35% guarantee Section 6
  • But these are typically institutional IdPs
  • Cf. CP/CPS: trust based on policy
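Slide 3 asks how to store ePPN/ePTI values so that a retired value is not reissued within 24 months. The following is an added Python example, not code from the presentation or from the UK Federation, of a hypothetical IdP-side registry that keeps only salted digests of live and retired identifiers and refuses reissue inside the quarantine window; the 730-day window, the salt and the sample identifiers are constructed.

```python
from datetime import datetime, timedelta
import hashlib

# Constructed quarantine: roughly the 24 months required by Section 6.
REISSUE_QUARANTINE = timedelta(days=730)


class IdentifierRegistry:
    """Hypothetical IdP-side store of eduPerson identifiers (ePPN, ePTI).

    Values are kept only as salted SHA-256 digests, so the registry is a
    reuse check rather than a lookup table of identifiers.
    """

    def __init__(self, salt: bytes):
        self._salt = salt
        self._live = {}      # digest -> subject currently holding the value
        self._retired = {}   # digest -> datetime the value was retired

    def _digest(self, kind: str, value: str) -> str:
        return hashlib.sha256(self._salt + kind.encode() + b"\0" + value.encode()).hexdigest()

    def issue(self, kind: str, value: str, subject: str, now: datetime) -> bool:
        """Assign value to subject unless it is live or still quarantined."""
        d = self._digest(kind, value)
        if d in self._live:
            return False
        retired_at = self._retired.get(d)
        if retired_at is not None and now - retired_at < REISSUE_QUARANTINE:
            return False
        self._retired.pop(d, None)
        self._live[d] = subject
        return True

    def retire(self, kind: str, value: str, now: datetime) -> bool:
        """Release a live value and start its quarantine clock."""
        d = self._digest(kind, value)
        if d not in self._live:
            return False
        del self._live[d]
        self._retired[d] = now
        return True


def demo():
    """Constructed scenario: reissue refused at 200 days, allowed after 731."""
    t0 = datetime(2007, 1, 1)
    reg = IdentifierRegistry(b"constructed-salt")
    first = reg.issue("ePPN", "jsmith@example.ac.uk", "subject-1", t0)
    collision = reg.issue("ePPN", "jsmith@example.ac.uk", "subject-2", t0)
    retired = reg.retire("ePPN", "jsmith@example.ac.uk", t0 + timedelta(days=400))
    too_soon = reg.issue("ePPN", "jsmith@example.ac.uk", "subject-2", t0 + timedelta(days=600))
    ok_later = reg.issue("ePPN", "jsmith@example.ac.uk", "subject-2", t0 + timedelta(days=1131))
    return first, collision, retired, too_soon, ok_later
```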

  4. UK Federation
  • Migration issues
  • SPs require personal information
  • Dual sign-on (once only)…? Email linking it?
  • With the Shib-to-Athens gateway, the SP doesn’t always recognise the user (anonymised)
  • Confusingly called the Athens Shib gateway
  • IdP uid -> Athens PUID
  • With the Athens-to-Shib gateway, SPs don’t always get the relevant attributes
  • ScopedAffiliation, ePTI, SAML2PersistentID

  5. UK Federation
  • Users should be aware of attributes
  • Release/block individually
  • How to ensure “due diligence”?
  • Auditing process?

  6. Technology in AUC (authentication)
  • Always (almost) pass a UUID, for logging
  • Along with magic bits for AUZ (authorisation)
  • Standards are good, but
  • Need a licence to allow us to use them
  • And convince us they remain usable
  • “Free” implementations help, too
  • Open source best: we can help (sometimes)
  • Preferably in languages we use

  7. Technology
  • Different things are good, but
  • Need interop, and conversions
  • Technical, assurance, political, practical, …
  • It’s all very well until something goes wrong
  • Intruder alert
  • The people factor against us
  • Boss’s demo stops working
  • Your nation stops working…

  8. AUC (authentication) tokens
  • What are we authenticating?
  • Who I am (e.g. person or host certs)
  • What I am (e.g. affiliation attributes, VOMS roles)
  • What I do (service certs)
  • Robots should say what they are, not what they do
  • Usability vs security
  • Very occasionally there is a win-win
  • SSO; hardware tokens over software

  9. People
  • Make it usable
  • People sharing tokens
  • Try to make it legally binding…
  • And pray it doesn’t go to court, ever
  • Particularly not in another country
  • Insurance? Liability?
  • Prohibit difficult stuff (financial)?

  10. Policies
  • Policies are good
  • Early implementers’ feedback required
  • IdPs and SPs shortcut via appropriate policies
  • UK (Shib) Federation rules of membership
  • IGTF for Grid CAs
  • Commit institutions to policies?
  • Update IdPs when policies change!?
