Base CAMP - Educause

The Last Six Months of Losers…
Keith Hazelton, Wisconsin
Ken Klingenstein, Colorado and I2 MI
RL “Bob” Morgan, Washington
Copyright Keith Hazelton, Kenneth J. Klingenstein,
RL Bob Morgan 2003. This work is the intellectual
property of the authors. Permission is granted for this
material to be shared for non-commercial,
educational purposes, provided that this copyright
statement appears on the reproduced materials and
notice is given that the copying is by permission of
the author. To disseminate otherwise or to republish
requires written permission from the author.
Base CAMP - February 5-7, 2003
Agenda
• Keith – Directories (25 min)
• RL “Bob” – Security and a few other things (25 min)
• Ken – PKI, Feds, desktop video, DRM, HIPAA, Jabber, etc. (20 min)
26 Weeks of Securitude, or ...
ETAHA*
RL “Bob” Morgan, University of Washington
Internet2/Educause Advanced CAMP
Boulder, Colorado
July 2003
* (even the acronyms have acronyms)
Topics
●Internet2 WGs:
–Shibboleth and Federations
–WebISO
●OASIS and related
–SAML
–XACML
–WS-*
–Liberty Alliance
●Open Source Application Foundation / Chandler
●Credential converter
Shibboleth 1.0
● Origin
–Java-based Handle Service and Attribute Authority
–flexible attribute resolver, attribute release policy expression
–basic error-handling
● Target
–binaries for Linux, Solaris; Apache module, separate SHAR process
–sophisticated trust management for authn assertion validation
–various options for distributed, replicated deployment
–attribute definition, acceptance policies, mapping to env vars
● Other: Attribute naming, entitlements, PKI use
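The origin's attribute release policy and the target's attribute acceptance policy are the two places where this design enforces least privilege, so here is an added worked example of both. It is illustrative Python written for this page, not Shibboleth's own code or its XML configuration: the attribute names follow the urn:mace:dir:attribute-def naming Shibboleth 1.x attributes used, while the origin and target identifiers, the dictionary shape of each policy, the user data and the request-variable names (`Shib-EP-Affiliation`, `Shib-EP-PrincipalName`) are assumptions made for the example. The security point is on the target side: an attribute is accepted only from an origin the policy names for it, and a scoped value such as `member@example.edu` only if the asserting origin is trusted for that scope.

```python
"""Toy model of a Shibboleth-style attribute release policy (origin side) and
attribute acceptance policy (target side).  Illustrative code added for this
page, not Shibboleth's own code or configuration format.  The attribute names
follow the eduPerson URN naming; origin/target identifiers, policy shapes,
user data and request-variable names are constructed for the example."""

from typing import Dict, List, Tuple

EPSA = "urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
EPPN = "urn:mace:dir:attribute-def:eduPersonPrincipalName"
MAIL = "urn:mace:dir:attribute-def:mail"

# Scoped attributes carry value@scope; the scope names the domain the value is
# about, so the target must check it against the origin that asserted it.
SCOPED = {EPSA, EPPN}

# ---- Origin: attribute release policy (ARP) --------------------------------
# target id -> attribute -> values that may be released ("*" = any value).
# Anything not listed is withheld (default deny).
ARP = {
    "https://journals.example.org/shibboleth": {
        EPSA: {"member@example.edu", "student@example.edu"},
    },
    "https://lms.example.edu/shibboleth": {EPPN: {"*"}, EPSA: {"*"}},
}


def release_attributes(user_attrs: Dict[str, List[str]], target: str,
                       arp: Dict = ARP) -> Dict[str, List[str]]:
    """Return only the attribute values the ARP lets this target see."""
    policy = arp.get(target, {})
    released: Dict[str, List[str]] = {}
    for name, values in user_attrs.items():
        allowed = policy.get(name, set())
        keep = [v for v in values if "*" in allowed or v in allowed]
        if keep:
            released[name] = keep
    return released


# ---- Target: attribute acceptance policy (AAP) -----------------------------
# attribute -> origin id -> scopes that origin is trusted to speak for.
AAP = {
    EPSA: {"urn:mace:inqueue:example.edu": {"example.edu"}},
    EPPN: {"urn:mace:inqueue:example.edu": {"example.edu"}},
    # MAIL is deliberately absent: no origin is trusted to assert it here.
}

# Accepted attributes are exposed to the application as request variables.
VARIABLE_MAP = {EPSA: "Shib-EP-Affiliation", EPPN: "Shib-EP-PrincipalName"}


def accept_attributes(asserted: Dict[str, List[str]], origin: str,
                      aap: Dict = AAP) -> Tuple[Dict[str, List[str]], List[str]]:
    """Filter an origin's assertion through the AAP.

    Returns (accepted attributes, one reason per rejected item).  An attribute
    is kept only if the AAP names this origin for it, and a scoped value only
    if its scope is one this origin may speak for, so an origin cannot claim
    an affiliation at some other institution."""
    accepted: Dict[str, List[str]] = {}
    rejected: List[str] = []
    for name, values in asserted.items():
        scopes = aap.get(name, {}).get(origin)
        if scopes is None:
            rejected.append(f"{name}: origin {origin} may not assert it")
            continue
        keep = []
        for value in values:
            if name in SCOPED:
                if "@" not in value:
                    rejected.append(f"{name}: unscoped value {value!r}")
                    continue
                scope = value.rsplit("@", 1)[1].lower()
                if scope not in scopes:
                    rejected.append(f"{name}: scope {scope!r} not allowed for {origin}")
                    continue
            keep.append(value)
        if keep:
            accepted[name] = keep
    return accepted, rejected


def to_request_variables(accepted: Dict[str, List[str]]) -> Dict[str, str]:
    """Map accepted attributes onto the variables an application reads."""
    return {VARIABLE_MAP[n]: ";".join(v) for n, v in accepted.items() if n in VARIABLE_MAP}


# Constructed sample user at the origin.
USER = {EPSA: ["member@example.edu", "staff@example.edu"],
        EPPN: ["alice@example.edu"], MAIL: ["alice@example.edu"]}

if __name__ == "__main__":
    print("released:", release_attributes(USER, "https://journals.example.org/shibboleth"))
    claimed = {EPSA: ["member@example.edu", "member@other.edu"], MAIL: USER[MAIL]}
    accepted, why = accept_attributes(claimed, "urn:mace:inqueue:example.edu")
    print("accepted:", to_request_variables(accepted))
    for reason in why:
        print("rejected:", reason)
```

Run it to see the journal target receive only the affiliation values listed in its ARP (the `staff` value and the `mail` attribute never leave the origin), and the target reject `member@other.edu` and the unlisted `mail` attribute even though they arrive in an otherwise valid assertion. Trust management establishes who the origin is; the acceptance policy bounds what that origin is allowed to say.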
Shibboleth community
●Library systems people
–CNI, DLF, campus libraries
●Information providers
–JSTOR, OCLC, EBSCO, others
●Learning-management system vendors
–Blackboard, WebCT
●Campus infra architects
●European NRENs
●Many random adopters ...
Shibboleth Federations
● InCommon
–the “production” federation
–US Higher-Ed Institutions (probably) as origins
• real authentication, real attributes, real membership agreement, real PKI
–coming this fall
● InQueue
–the “trial” federation
–Any “organization of interest” trying Shib and federation
–running now with a dozen origins
● Other federations: Swiss HE, various states, ...
Shibboleth next steps
● “dot-release” by end of July
–fixups and simplifications, better docs, Windows origin
● Attribute management
–visibility for users, admins, GUI management for admins
● Federation support
–federation data management tools, more consistent use
● Target
–Java-based, better Windows, library support, policy mgt, vhosts
● Outreach to adopters to set directions
WebISO project
● Documents in process
–models/capabilities; target models and integration methods
● New releases of webiso-style products
–Pubcookie, CAS (Yale), Cosign (UMich), A-Select (Surfnet), other
● Consideration of “Shibboleth integration”
–plugging in a WebISO to Shib is easy
–will all sites migrate to Shib target? to SAML?
–does Shib meet (some, most) requirements for WebISO on its own?
–extend Shib project to include weblogin component?
OASIS work
●SAML (security-services TC)
–SAML 1.1 approved, fixups based on experience
–SAML 2.0 activity initiated
• contributions from Liberty Alliance: metadata, etc
• “credentials collector”, session management, alignment with XACML, etc
●XACML: access-control policy language
–1.0 approved, work begun on 1.1
–Sun provides open-source implementation in Java
●Web Services Security: protection of SOAP msgs
–close to 1.0 approval
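XACML's contribution is less its XML syntax than the decision model behind it: a policy has a target, each rule has a target, an effect and an optional condition, and a rule-combining algorithm turns the individual rule results into one of Permit, Deny, NotApplicable or Indeterminate. The following is an added toy evaluator of that model, written for this page in Python; it is not the XACML schema and not Sun's Java implementation, and the course/gradebook policy, attribute names and requests are constructed for the example. It follows the deny-overrides rule-combining algorithm as XACML 1.0 describes it, in which an Indeterminate produced by a Deny-effect rule counts as a Deny.

```python
"""Toy evaluator for the core XACML 1.0 policy model: a policy with a target
and rules, each rule with a target, an effect and an optional condition,
combined by a rule-combining algorithm into Permit, Deny, NotApplicable or
Indeterminate.  Added for this page as an illustration; not the XACML XML
schema or Sun's Java implementation.  Attribute names, policy and requests
are constructed for the example."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

PERMIT, DENY, NOT_APPLICABLE, INDETERMINATE = "Permit", "Deny", "NotApplicable", "Indeterminate"
Request = Dict[str, Dict[str, str]]   # {"subject": {...}, "resource": {...}, "action": {...}}

@dataclass
class Target:
    """Attribute equalities that must all hold; an empty target matches everything."""
    match: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def applies(self, req: Request) -> bool:
        return all(req.get(cat, {}).get(attr) == val
                   for cat, attrs in self.match.items() for attr, val in attrs.items())

@dataclass
class Rule:
    rule_id: str
    effect: str                                    # PERMIT or DENY
    target: Target = field(default_factory=Target)
    condition: Optional[Callable[[Request], bool]] = None

    def evaluate(self, req: Request) -> str:
        if not self.target.applies(req):
            return NOT_APPLICABLE
        if self.condition is None:
            return self.effect
        try:
            return self.effect if self.condition(req) else NOT_APPLICABLE
        except (KeyError, TypeError, ValueError):
            return INDETERMINATE   # attribute missing or malformed: no guessing

def deny_overrides(rules: List[Rule], req: Request) -> str:
    """XACML 1.0 deny-overrides: any Deny wins, and an Indeterminate from a
    Deny-effect rule is a potential Deny and also yields Deny."""
    potential_deny = some_permit = some_error = False
    for rule in rules:
        decision = rule.evaluate(req)
        if decision == DENY:
            return DENY
        if decision == PERMIT:
            some_permit = True
        elif decision == INDETERMINATE:
            some_error = True
            potential_deny = potential_deny or rule.effect == DENY
    if potential_deny:
        return DENY
    if some_permit:
        return PERMIT
    return INDETERMINATE if some_error else NOT_APPLICABLE

@dataclass
class Policy:
    policy_id: str
    target: Target
    rules: List[Rule]
    combine: Callable[[List[Rule], Request], str] = deny_overrides

    def evaluate(self, req: Request) -> str:
        if not self.target.applies(req):
            return NOT_APPLICABLE            # this policy is not about the request
        return self.combine(self.rules, req)

def pep_allows(decision: str) -> bool:
    """A PEP fails closed: only an explicit Permit grants access."""
    return decision == PERMIT

# Constructed example: who may do what to a course gradebook.
GRADEBOOK_POLICY = Policy(
    "gradebook-access", Target({"resource": {"type": "gradebook"}}), [
        Rule("no-delete", DENY, Target({"action": {"id": "delete"}})),
        Rule("instructor-own-course", PERMIT, Target({"subject": {"role": "instructor"}}),
             condition=lambda r: r["subject"]["course"] == r["resource"]["course"]),
        Rule("student-reads-own", PERMIT,
             Target({"subject": {"role": "student"}, "action": {"id": "read"}}),
             condition=lambda r: r["subject"]["eppn"] == r["resource"]["owner"]),
    ])

def decide(subject: Dict[str, str], resource: Dict[str, str], action: str,
           policy: Policy = GRADEBOOK_POLICY) -> str:
    return policy.evaluate({"subject": subject, "resource": resource, "action": {"id": action}})

if __name__ == "__main__":
    gb = {"type": "gradebook", "course": "CS101", "owner": "carol@example.edu"}
    for subj, act in [({"role": "instructor", "course": "CS101"}, "read"),
                      ({"role": "instructor", "course": "CS101"}, "delete"),
                      ({"role": "instructor"}, "read"),
                      ({"role": "student", "eppn": "carol@example.edu"}, "read")]:
        d = decide(subj, gb, act)
        print(f"{act:6} by {subj}: {d} -> allowed={pep_allows(d)}")
```

The third request is the one worth studying: an instructor whose `course` attribute is missing gets Indeterminate rather than Permit, and `pep_allows()` treats anything other than an explicit Permit as a refusal. A PEP that mapped "not Deny" to access would turn an attribute lookup failure into a grant.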
Web Services Security Framework
● Microsoft, IBM, others defined “roadmap”
–with large set of proposed specs, not all published yet
–WS-Security: fundamental SOAP message protection
–WS-Policy: statements about policy of WS entities
–WS-SecureConversation: context establishment, msg streams
–WS-Trust: security token request/response
–WS-Federation: login/logout, with browser profile, pseudonymity
–other non-security WS-* specs: routing, transaction, etc
● Standards story not clear
–base spec worked on in OASIS TC, others?
Liberty Alliance
●1.1 specs published
–now recast as “Identity Federation Framework” (ID-FF)
–implementations available, but Liberty-based federations?
–major PR win with EU privacy blessing
–most SAML extensions contributed to OASIS SAML TC
●Next steps: Web-Services-based framework
–ID-WSF: attribute exchange, discovery, info-sharing/protection
–ID-SIS: interface for personal services, calendar, presence, etc
(can you say “Hailstorm”?)
–drafts available ...
OSAF
●Founded by Mitch Kapor to do cool opensource applications for end-users
●First is Chandler, personal information manager
–email, calendar, etc
–based on peer-to-peer model, rich datastore
●Working with CSG universities, Mellon
–extend model to consider enterprise (university) services
–eg IMAP, CAP, SASL, Kerberos
–campuses working on joint proposal for further work
Credential converter
● Requirements for flexible “credential conversion”
–more types of authn/authz systems appearing
–more systems appearing that require one or another
–interest in 3-tier support, implying proxy/delegation
● Some diverse examples
–UMich KX509: map Kerberos cred into X.509 cert
–Shib Attribute Authority: esp when doing “attribute derivation”
–Microsoft TrustBridge “project”
● Can a generalized component be built?
–we'll find out, with NMI support ...
Conclusion
●Some very sophisticated infrastructure standards are being produced
–the good news is there are many to choose from ...
●But as always it's about deployments
–understanding how infrastructure services are interdependent
–understanding costs and benefits
–understanding what practices are implied/supported by technologies
Others…
• Grids (and Cyberinfrastructure)
• PKI
– CREN Cat ->…
– HEBCA
– Federations
• Desktop video
• DRM/VoD
• P2P
Grid Basics
• Complex software environments for the sharing of cycles, storage, remote instrumentation, etc.
• The more general the software, the more that is left to the reader…
Facts about Grids
• There are many distributed computing and resource sharing environments besides Grids.
• Much big science and medicine will be based on Grids
• Grids come in many flavors
• Global Grid Forum attempts to coordinate flavors
• Among the flavors, there is a predominant strain
– Developed out of ISI, Argonne, etc. by Kesselman, Foster, et al.
– Current instantiation is Globus Toolkit 2.0 (part of NMI)
– Next generation is Open Grid Services Architecture (OGSA)
More facts about Grids
• Grids are stand-alones, tending not to recognize firewalls, enterprise services, usability requirements, privacy, politics of resource sharing, etc.
• Two distinct types of Grids are emerging
– Intragrids – users on the outside access an internal grid that supplies cycles, storage, etc transparently
– Intergrids – a shared mesh of resources among autonomous enterprises
PKI
• Didn’t it die?
• There is no substitute for many services that PKI can provide
• It is not a universal panacea
• It will continue to evolve until we get it right
PKI in the last year
•FPKI efforts and the FBCA
•The HEBCA
•The demise of CREN
•Sean Smith and his interesting research…
–faking security…macros and screen manipulation
–faking privacy…unlocking the cert store and playing Go Fish
Relating PKI to the federated approach
• Well, at one level, PKI identities should anchor federated activities.
• At a more operational level, federated activities need to either
– Peer with PKI activities (at a bridge?)
– Interact with other federated activities
HE CA Planning
• A HE root – “Usher”, operated by I2, operated out of a member campus
• Signing institutional multipurpose certs, with strong institutional vetting
• Signing the InCommon CA
– Which signs institutional Shib server certs, with strong institutional vetting
• Being worked in HEPKI-TAG for profile, policy
• Timeframe – ask Neal
Federations in the last year
•Communicator Hub ID is one of the pioneering Liberty Alliance-based services on the market, supporting vertical-industry B2B offerings such as SecuritiesHub. SecuritiesHub is sponsored by eight leading Wall Street investment firms, including Credit Suisse First Boston, Goldman Sachs, JPMorgan, Lehman Brothers, Merrill Lynch, Morgan Stanley, Salomon Smith Barney and UBS Warburg.
•Liberty Alliance (http://www.projectliberty.org/)
•Federal e-Authentication Initiative (http://www.cio.gov/eauthentication/)
•Shibboleth and InCommon (http://middleware.internet2.edu/shibboleth)
Federating organizations organization (FOO)
•To explore the issues in federations, and multiple federations, and subclubs, and…
•Includes GM, Johnson and Johnson, Bechtel, Liberty, Microsoft, Fed e-AuthN
•Discussions just started...
•Friends of foo as an email list to stay informed of the discussions
Other PKI work
• Maybe a recipe for campus use of institutional cert
• Credential converter and H.323…
• Citizen and Commerce CP/CPS (C4)
• Signed and/or encrypted email
DRM
Desktop video
• Resource discovery going well, see H.350
• Authentication …
– H.323 – PKI without a clue for location, profile, etc
– SIP – moving towards federation
• VoIP
• Authorization?
P2P
• Enterprising, federated Jabber
• Enterprising, federated Lionshare (Penn State)