MACE: The Untold Story
RL "Bob" Morgan, University of Washington and Internet2, MACE Chair
Internet2 Member Meeting, Chicago, Illinois, December 2006
Topics
- How we work
- Who is involved
- Where we've been to
- Why we do it
- What we're up to
- When we'll be done
MACE Origins
- April 1999, a motel in Ann Arbor ...
  - group considered work on "middleware" in Internet2
  - driven by concerns in advanced networking about the need for common application support (e.g. RFC 2768)
  - everyone said "I was told not to volunteer for anything"
  - core group of campus infrastructure architects hinted that maybe they could volunteer, a little, if everyone did
- September 1999, a hotel in Denver ...
  - "Early Harvest", NSF-supported, ~20 campus architects
  - clarified scope of work (vast), interest (intense but wary)
MACE conceived
- Middleware Architecture Committee for Education
- mace: a spiked club used for breaking armor
- mace: a staff borne as a symbol of authority
- mace: a spice, "a thin leathery tissue between the stone and the pulp" of the same plant that produces nutmeg
- Mace(tm): a liquid used for temporarily immobilizing
- MACE members are called: MACEdonians, MACEochists, MACEtodons
MACE structurally
- a committee to direct and support the activities of the Internet2 Middleware Initiative (I2MI), and other activities as it sees fit
- a self-organizing body (i.e., a club)
- work is supported by Internet2 in various ways and by the institutions who donate participants' time
- agenda formed by participant campus needs, in service of the broader community
- higher-ed centric, but not higher-ed only
- US-centric, but not US-only
MACE governance
- membership: university IT infrastructure architects who
  - have the background, expertise, and time
  - show interest in the work by participating
  - have the architectural and collaborative perspectives
- seek to cover a range of technical areas
- small enough so everyone knows everyone
- responsibility on members to keep reasonably active
- some members are liaisons to important communities, e.g. non-US (EU, Australia), non-HE-IT (grids)
MACE process
- attempt to be open and transparent in all activities, though not everything is documented ...
- agenda set by members, other Internet2 programs/initiatives, non-members, funding agencies; consensus process
- real work happens via working groups
- WG charter must describe work that is consistent with the initiative, has clear and achievable deliverables, has an identified chair and workers, a likely user community, and a MACE member liaison
- rarely interested in research, generally in deployments
Internet2 Middleware Initiative
- important element of the overall Internet2 program
- environment for making the MACE agenda successful
- working group support: mailing lists, conference calls, flywheels, web presence, technical support, branding/PR, intellectual property framework and legal support, lifecycle
- funding support from the NSF NMI program since 2001, via the NMI-EDIT consortium, and from Internet2 member support
- primarily for release time for campus architects/developers
I2MI technical strategy
- work products include: best practices docs, standards, schema, software, tutorial/guidance, services, architecture proposals, ...
- many opportunities, few truly new ideas
- assess feasibility of systems/services by keeping in touch with successful small-scale deployments in the community
- encourage development of practices/packages that can be adopted by the broad HE community
- influence projects/products/standards to conform
- work is done by the extended community, not MACE per se
Some special staff support
- ... without whom none of this would be possible
- Ann West: outreach coordinator for NMI-EDIT, organizer of CAMP conferences (shared with EDUCAUSE)
- Renee Frost: support of everything in making MACE effective
- Nate Klingenstein: documentation wizard, training taskmaster
- Steve Olshansky: the dictionary definition of "flywheel"
- and oh yes, Ken ...
Outreach
- EDUCAUSE
  - supports CAMP conferences, broad HE outreach
  - co-sponsors eduPerson and HEPKI work
  - identity management work in net@edu
- TERENA
  - home for middleware work in Europe
  - supports European liaisons to MACE
  - US MACE members participate in TERENA TFs
  - newly-formed ECAM group modeled on MACE, supporting European middleware collaboration
Industry standards
- OASIS SAML TC, Liberty Alliance
  - helped drive original SAML work in 2001 from Shibboleth requirements
  - helped promote SAML adoption in Liberty, and Liberty contributions to SAML 2.0
  - Scott Cantor is primary author of the SAML 2.0 spec
  - worked with Microsoft on compatibility ...
- other standards bodies: IETF, W3C
Testimonial: Eve Maler, Sun
"Sun is proud to support Internet2 and recognizes the importance of its innovations, such as Shibboleth, to Sun customers and partners. The external integration project run by FEIDE, the Norwegian education agency, shows one example of how Sun and its partners are able to use Shibboleth technologies to great benefit."
"I'd like to especially thank Internet2 representatives Scott Cantor and RL "Bob" Morgan for their efforts to support the important identity management standards work taking place at the OASIS Security Services (SAML) Technical Committee and the Liberty Alliance. The effort to converge the Shibboleth, Liberty ID-FF, and SAML V1.x streams into SAML V2.0 could not have been done without them."
- Eve Maler, Technology Director, Sun Microsystems
Testimonial: Kim Cameron, Microsoft
"Higher ed has always been among the essential innovators in distributed systems. This has been true both because of the research carried out in the university and the practice resulting from smart application of emerging technology."
"Internet2 middleware, via projects like Shibboleth, has concretely helped move the industry forward, and set an example in confronting hard problems with real deployments. Since the early days of Shibboleth, I've worked to make sure that Microsoft's emerging identity systems meshed with it in a practical way, because I believed in and respected your goals. I want to support, work with you and learn from you as contributors to the metasystem that will enable an identity-aware cyber world."
"I hope this helps explain how much Microsoft values its relationship with I2 middleware, and how much I personally have enjoyed and benefited from collaboration with the members of your community."
- Kim Cameron, Chief Identity Architect, Microsoft
Outreach: CAMP Workshops
- 15 CAMP workshops 2002-2006
- 31 other shorter workshops
- 2770 total attendees from 610 organizations, 93 non-US; HE, research, corporate
- CAMP topics
  - Base: directories, authentication, PKI, medical apps, federation, distributed authorization
  - Advanced: 3-tier architectures, authorization architectures, virtual organization support, workflow models
Outreach: NMI releases
- NMI program has semi-yearly releases
- joint work with Grids Center
- software, standards, other documents
- very useful discipline in completing/publicizing project work
- venue for contributions from the extended middleware community, i.e. not just MACE/I2MI projects
Outreach: extended communities
- International: UK (JISC), China, Japan, Scandinavia, Australia, ...
- US Federal government: E-Authentication, NSF, NIH, DHS, etc etc
- US state governments and K-12: Wisconsin, Washington, Virginia, California, etc
- Publishing/content industry: Association of American Publishers, American Mathematics and Chemical Societies, OCLC, almost all major academic publishers (Elsevier, Thomson, JSTOR, EBSCO, Proquest, OVID, etc)
Reflections on why we do it
- Key Concepts: Identity, Institution, Reputation
- Identity: not just identifiers
  - spam says: Protect your identity! Project your identity!
  - who cares about identifiers? only IdM geeks
  - identity is "sameness over time", sameness for some individual or societal purpose
  - so identity is "stories" or relationships, potentially everything about you
  - repeatability and aggregation are essential
  - not only people have identities ...
Institutions
- Institution (defined): a significant practice, relationship, or organization in a society or culture; an established organization or corporation (as a bank or university) especially of a public character
- Institutions exist to create and maintain trust in activities in their area of business, via acting predictably, absorbing risk, doing reliable work
- business of higher education institutions is creation and dissemination of knowledge, via the practice of intellectual collaboration
Reputation
- reputation (defined): overall quality or character as seen or judged by people in general; a place in public esteem or regard: good name
- institutions support the reputation of their members: if I were just plain Bob speaking, would you believe me?
- activities of members create the reputation of the institution; that is, institutional activities, those activities conducted in an institutional role and setting
- reputation is the reflection of identity in the community
Institutional reputation management
- In an online world reputation is under threat from online fraud, poor controls, uncontrolled access, data tampering, etc
- reputation is maintained by starting with our existing institutional nature, and extending and protecting it with digital techniques: identity and access management, cryptography, system management, trust federations
- effective, consistent identity management is fundamental to maintaining the social role of our institutions
- ... and that's why we do it
Some directions: schema/directory
- MACE has had success defining/promoting schema and directory practices, extending LDAP practices into the SAML space
- now a brave new world
  - many schema definers: national/academic communities, technologies (e.g. CardSpace), applications
  - many attribute representation protocols, architectures, data flows
- so: focus on information models, processes for attribute definition and adoption, flows to support business relationships and privacy, mappings
Directions: authentication/identity
- "Internet identity" movement
  - Microsoft CardSpace/metasystem, OpenID, XRI, etc
  - personal identities not tied to particular institutions, adaptable to many technologies
- Useful spectrum of authentication practices
  - institutions/apps must support a range of methods, appropriate to the risk/cost of services
  - standardized assessment of assurance levels
  - increased use of 2-factor/PKI as appropriate
- federation becoming pervasive
  - advanced multi-party architectures more standardized
Directions: authorization
- Signet/Grouper released, being adopted
- critical project phase: assemble an adopter community to take the packages in useful directions, create a sustainable project with many contributors
- application integration is key: e.g. Sakai, Kuali
- many vendor products in the space, need to keep models in alignment
- applications to Grid/VO environments emerging; support of these scenarios is central in upcoming S/G work
- support of diverse UIs, protocol access
- XACML ready for prime time?
Directions: Workflow
- Emerging enterprise infrastructure service
  - administrative uses for approval/work routing
  - academic/research uses for composition of processing from multiple services
- strong interaction with authorization management
- depends on good enterprise role definition
- some outstanding deployment examples, new vendor and open-source products
- planning assessment activity to understand the nature of potential work in this area
Directions: SOA/ESB
- Service-Oriented Architecture
  - industry hype victim, but kernels of truth
  - infrastructure architecture perspective has always been about modular services, directories
  - whether SOAP is the one protocol to end all others is questionable, but it is here to stay for many purposes
- Enterprise Service Bus
  - a new name for message/event queue, pub/sub
  - key technology for integrating middleware services with many apps
- discovery work still to be done ...