A very brief history of Identity in Higher Education
a short stroll down memory lane
Michael R Gettes
CMU, MIT, Internet2, Duke, Georgetown, Princeton, BostonU
firstname.lastname@example.org
Common Solutions Group
May, 2014
In the beginning…
Essentially no security on the Internet
1980’s, 1990’s various HE Univs pursue central ID stores. Andrew, Athena, others?
1991 – BITNET-III, a project to use home Univ creds to access remote modem pools and central bill the Univ – FAIL!
And then…
1994/6 – slapd emerges from uMich
– Many Universities initiate LDAP services
– 1998 OpenLDAP project started
Most of uMich slapd team moves to Netscape
First common mechanism exposing IDs emerges from various Universities in late 1990s
Public Key + LDAP – cost effective “I” in PKI
PKI first seen as 18 months away… (ha ha !)
Many SSO …
Various SSO efforts:
– MIT Kerberos
– Yale CAS
– Michigan CoSign
– Washington PubCookie
– Many WebAuth – Duke, Stanford, ???
WebISO – Initial Sign-On (cuz, SSO deemed not wise) – families of apps for Sign-On.
CMU named their SSO WebISO using pubcookie (oops!).
September 1999 Directories, Identifiers, AuthN (DIA) “Early Harvest”
– various University geeks, herded by Ken Klingenstein, met in Denver to start discussions around Identity Mgmt and Access problems. No volunteers for work except RL “Bob” Morgan.
During dinner… first ideas of inter-org AuthN/AuthZ on the web discussed. Seeds for what would later become Shibboleth planted.
Glueworkers: RL “Bob” Morgan, Mark Poepping, Michael Gettes, Bob Brentrup, Alan Crosswell, David Wasley, Paul Hill, Frank Grewe, Keith Hazelton, Steve Kellogg, Daniel Arrasjid, Bill Doster, Mark Bruhn, Steve Worona.
Planning group: Morgan, Gettes, Carmody, Poepping, KJK
And then…
1998/9: MACE formed – first projects: DoDHE, eduPerson, Shibboleth proposal (generated from uWash Internet2 meeting).
First minutes: May 22, 2000 – interesting read.
MACE guides I2MI – and the work begins!
– HEPKI collaboration with i2-PKILabs, VidMid (H.323), eduPerson, Shibboleth, GRID collab starts, JA-SIG collab, LDAP Recipe, URN/OID Registry, evangelism!!!
Fed/Ed PKI meetings – HEBCA – Bridged PKI
U.S. Federal Viewpoint (2002-04)
HSPD-12 (Homeland Security Presidential Directive 12): President Bush, August 2004: mandatory gov-wide secure IDs for all employees + contractors.
Yielded NIST FIPS 201 – PIV – using PKI, LDAP/X.500 and friends.
Fed E-Auth initiative by NIST spawns SP 800-63, guidance to implement OMB M-04-04, in support of HSPD-12 pending.
– This is where LoA 1-4 come from – guidance and technical controls.
– InCommon Bronze/Silver != Fed 1-4 but comparable
NSF Middleware (NMI-EDIT) 2002 - 2006
– Supposed to be collab between I2MI and GRID. GRID got the $$$. We produced software that worked.
Produced tons of stuff. Regular software package releases of many components. Documentation + experiences.
TIER Version 1?
– Can’t say enough good stuff about NMI-EDIT
We have much
InCommon 2004 – InCommon is born.
IBM tried to patent Shib/SAML. We have email with our IP.
SAML largely developed by RLBob and Scott Cantor (editor).
10 Years later… InCommon is critical infrastructure to many Universities. CMU relies on InCommon for local federation.
A huge success story! Born from “US”. Core group but many made it work well.
What worked/works…
Shibboleth, simpleSAMLphp, SAML 2.0 by vendors
– social2SAML gateways emerging
LDAP (eduPerson, LDAP-Recipe)
Grouper – still no vendor product like it.
Middleware Research – See KJK work
CAMPs (Always sold out). Global reach.
Global Collaborations – critical to success!
NMI-EDIT – made so much happen!
InCommon! InCommon! InCommon!
– Certificates service fashioned after Euro deal on certs
– ~600 participants (>400 HE), >7.5M users, 10 years!
Not so much…
Signet – a Priv Mgmt System… didn’t take off.
DoDHE – Directory of Directories – “Wait, our public data will be THAT public? NO!”
USHER – Root CA for HE (and HEBCA) – Couldn’t get it in the browsers! No $$$$
Voice/Video + AuthN/Z – still proprietary.
EDDY – Distributed Diagnostics. Good ideas, but InCommon Bronze, Silver, Gold Assurance Levels.
PKI is STILL only 18 months away!
It wouldn’t be possible without these People…
In no particular order: Keith Hazelton (Wisconsin), Steve Carmody (Brown), Mark Poepping (CMU), Michael Gettes (various/All), Ann West (MTU/Internet2), David Wasley (UCOP/retired), Tom Barton (Memphis/Chicago), Renee Shuey (PSU), Scott Cantor (The Ohio State), Jim Jokl (uVa), Scotty Logan (Stanford/missing), Frank Grewe (Minn), Paul Hill (MIT/ind), Von Welch (IU/ind), & Ken Klingenstein (Internet2)
Various liaisons from around the world and …
RL “Bob” Morgan (Stanford/Wash) We still miss him very much !!
And we move on…
Shibboleth Consortium formed (funding?)
REFEDs – locus for R+E Federation Operators
CommIT project – change how students apply to college nationally
Scalable Privacy Grant (KJK will discuss)
IAM Test-bed emerging
MFA – Multi-Factor Authentication everywhere
Provisioning and integration – practices for all
Still, so much to do…
– Trusted Identity in Education and Research (TIER)