David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
Slide 2: The Context
- Institutional business is increasingly complex
  - Requires e-automation
- Independent systems must interoperate
  - Requires standards and “trust”
- Human resources are increasingly scarce
  - Requires efficiency and distributed responsibility
- Some day much of our world may work this way
  - E-commerce and the information economy
Slide 3: We take a lot for granted today
- Email used for business transactions(!)
  - No “validation on send” for email
- Electronic documents used for contracts
  - What proves they haven’t been changed?
  - Which copy was accepted by both parties?
- Even the network is run with loose “trust”
  - Domain name system
  - Routing protocols
    - IPSEC will fix this!
Slide 4: Middleware
- A set of cooperating infrastructure services that provide support for a variety of applications
- Some components include:
  - DNS, time, message queuing and forwarding
  - Authentication
  - Directories
  - Portals
  - Business workflow and policy services
  - Electronic notary and archive services
Slide 5: Credentials are the cornerstone
- Management of access begins with sure knowledge of the entity requesting it
- A digital credential binds a token to a known entity
  - Who issues such credentials?
- Required trustworthiness depends on the application
- Credentials alone are not enough
  - What does it mean to ask “Who is it?”
  - The answer depends on context
Slide 6: Directories are the glue
- Directories will store most of what we need to know about credential holders
  - Attributes, e.g. characteristics, roles, affiliations …
  - As critical as the credential itself
  - Must be reliably populated and maintained
- Some information is only meaningful locally
- Some must be understood more broadly
- Directories will also help locate resources
Slide 7: Distributed Systems are the Blocks
- We’re not going to (re)build monolithic systems
- Systems need to exchange information reliably
  - Business XML …
  - … validated with digital signatures
  - … encrypted when necessary
- Systems need identity too
  - E.g. “server certs”
  - Portal as proxy for the User…
Slide 8: Portals provide views
- Personalization is the basic idea
- Could be based on roles and affiliations
  - Can support scalable & timely access management
- Must render information from various systems
  - Data exchange standards, etc.
- Must ‘speak for the User’ in accessing systems
  - Requires a digital credential to identify itself
Slide 9: Digital signatures and data security
- “Signature” binds an entity’s identifying mark to specific information
  - Paper does this in the physical world
  - Asymmetric encryption does it in the e-world
- PKI provides the basic elements
  - An encryption key known only to the signer
  - A decryption key tied to the same entity
- By reversing the use of the keys we get data security
Slide 10: Automated Workflow
- Ties together systems, Users, and business rules
- Should be based on roles and responsibilities
- Could streamline transaction-oriented systems
- For example, procurement:
  - Originator digitally signs the request and forwards it to the automated workflow service
  - Budget authority adds fund information, countersigns, and forwards it
  - Purchasing agent reviews it and feeds it into accounting & asset management systems and the e-commerce agent
  - E-commerce partner submits the invoice with an e-signature
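The signing and countersigning chain of slides 9 and 10, written out as an added Go example; it is not part of the deck and not code from the University of California or Internet2. It assumes an in-memory map standing in for the directory of slide 6 (name to public key), RSA with PKCS#1 v1.5 signatures and OAEP encryption (the slides name no algorithms), and constructed party names, purchase order text and fund code.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Endorsement is one signature layer: who signed, what they added (e.g. fund
// information) and their signature over everything that came before it.
type Endorsement struct {
	Signer    string
	Note      string
	Signature []byte
}

// Request is the procurement document that moves through the workflow.
type Request struct {
	Body         string
	Endorsements []Endorsement
}

// signedContent is what a signer commits to: body, all earlier endorsements (so
// a countersignature also covers prior signatures) and the signer's addition.
// The copy makes an empty prior list encode as [] on both sign and verify side.
func signedContent(r *Request, upto int, signer, note string) []byte {
	prior := append([]Endorsement{}, r.Endorsements[:upto]...)
	b, _ := json.Marshal(struct { // cannot fail for these plain field types
		Body, Signer, Note string
		Prior              []Endorsement
	}{r.Body, signer, note, prior})
	return b
}

// Endorse adds a note and an RSA PKCS#1 v1.5 signature over the SHA-256 digest
// of the signed content, using the private key "known only to the signer".
func Endorse(r *Request, signer string, key *rsa.PrivateKey, note string) error {
	sum := sha256.Sum256(signedContent(r, len(r.Endorsements), signer, note))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, sum[:])
	if err != nil {
		return err
	}
	r.Endorsements = append(r.Endorsements, Endorsement{signer, note, sig})
	return nil
}

// VerifyChain checks every endorsement against the public key the directory
// holds for that signer (the key "tied to the same entity"). Any change to the
// body, a note or a signature makes verification fail.
func VerifyChain(r *Request, directory map[string]*rsa.PublicKey) error {
	for i, e := range r.Endorsements {
		pub, ok := directory[e.Signer]
		if !ok {
			return fmt.Errorf("endorsement %d: signer %q not in directory", i, e.Signer)
		}
		sum := sha256.Sum256(signedContent(r, i, e.Signer, e.Note))
		if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, sum[:], e.Signature); err != nil {
			return fmt.Errorf("endorsement %d by %s: %w", i, e.Signer, err)
		}
	}
	return nil
}

// Seal and Open use the key pair the other way round, the slide's "data
// security": anyone can encrypt to a public key, only its holder can decrypt.
func Seal(to *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, msg, nil)
}

func Open(me *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, me, ct, nil)
}

// RunProcurement plays the slide's procurement chain on constructed sample data
// (assumed party names, order text and fund code). Private keys are returned
// only so a caller can exercise Open; in practice each party keeps its own.
func RunProcurement() (*Request, map[string]*rsa.PublicKey, map[string]*rsa.PrivateKey, error) {
	keys := map[string]*rsa.PrivateKey{}
	directory := map[string]*rsa.PublicKey{}
	for _, name := range []string{"originator", "budget-authority", "purchasing-agent"} {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, nil, nil, err
		}
		keys[name], directory[name] = k, &k.PublicKey
	}
	req := &Request{Body: "PO-0001: 10 laptops (constructed sample)"}
	steps := []struct{ who, note string }{
		{"originator", "request"},
		{"budget-authority", "fund 4411-22 (constructed)"},
		{"purchasing-agent", "approved"},
	}
	for _, s := range steps {
		if err := Endorse(req, s.who, keys[s.who], s.note); err != nil {
			return nil, nil, nil, err
		}
	}
	return req, directory, keys, nil
}
```

Each signer commits to the body plus every earlier endorsement, so the budget authority's countersignature also covers the originator's signature and the purchasing agent's covers both; altering the fund information after the fact invalidates two layers, not one. The same key pairs serve Seal and Open, which is the reversal the slide describes: the invoice can be encrypted to the purchasing agent's directory-published public key and only that agent's private key opens it.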
Slide 11: Some current activities
- CREN Higher Ed root CA
- Educause Higher Ed Bridge
- Middleware Activities for Education (MACE)
  - Sponsored by Internet2
  - HEPKI
    - Technical planning for PKI
    - Certificate Policy and Practices definition
  - Shibboleth
- PKI WG under Net@EDU
Slide 12: Shibboleth
- Leverage current campus authentication systems to enable access to external resources
- Complementary to PKI
  - Will foster development of needed infrastructure
    - Directories !!
    - Attribute Authority server
      - Manages attribute release policy
    - Standard language for attribute assertions
- Intended to interest content publishers (at least)
Slide 13: Further info
- http://middleware.internet2.edu
- email@example.com
- Join the working groups!