Sponsored by the National Science Foundation Enabling Trusted Federation Marshall Brinn, GENI Program Office October 1, 2014.


1 Sponsored by the National Science Foundation Enabling Trusted Federation Marshall Brinn, GENI Program Office October 1, 2014

2 Introduction
Federations are a group of resource owners and resource consumers who agree to share resources under certain conditions.
There is an opportunity for a market here. But enabling such a market requires fundamental mutual trust between the parties along these dimensions:
– Authentication: certainty about the identity of whoever is requesting resources
– Authorization: establishment of rules on who may access which services and resources
– Accountability: ability to determine who took what actions (for forensics and debugging)
The act of federation entails:
– Sharing trust roots (e.g. CA certificates)
– Agreeing on policies
– Establishing, and trusting, the mechanisms that enforce those policies

3 Establishing a Federation
[Figure: two federating parties, A and B, each with its own Users, Resources, Authority and Trust Roots; a PEP (policy enforcement point) in front of each party's resources and authority services enforces the shared Policies.]
Our fundamental unit is a set of resources/aggregates, an authority (clearinghouse, CH), and a set of authorized users.
– An exchange of trust roots: "I accept credentials signed by your authority."
– A set of AuthN/AuthZ policies is agreed on by the members of each federating party.
– These policies are codified and enforced on every access to the resources or to the authority services.
– Users of both groups can now access the resources and services of either group, subject to the policy restrictions.

4 GENI Experiences
GENI is essentially a federation of federations:
– Federating among resources from the GPO, Emulab and PlanetLab, each with their own credentials, users and policies
– Plus a number of "pop-up" federations with the EU, Japan, Brazil and Korea
X.509 certificates have been the basis of identity.
SFA credentials are used for the fundamental authorization of resource actions.
– ABAC has been used as a common language for expressing more detailed authorization policy at federation services (Slice Authority, SA; Member Authority, MA) and at resource services (Aggregate Manager, AM)

5 GENI Experiences [2]
X.509 certificates are reliable and universal, but require some work to support renewal, expiration and CRLs.
SFA authorization is a fine standard, but limited in its expressivity (in GENI even more so).
ABAC has been a good prototype for first-order-logic (FOL) based policy statements and provers:
– Proof-based, externalized (and exchangeable)
– ABAC statements are signed by entities whose credentials are signed by a particular authority. The scope of "damage" any entity can do is thus limited to objects maintained by that authority.
– Not the most intuitive syntax, and limited in expressive power
We have successfully limited the actions taken by users at the federation level or the resource level based on properties that are:
– Static (e.g. the user's attributes, authority, role), or
– Dynamic (e.g. quotas and current allocations)
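As an added illustration of the trust-root exchange described on slide 3 and the static/dynamic ABAC checks on slide 5 (this is example code written for this transcript, not GENI or ABAC project software): a toy PEP that first discards credentials not signed by a federated trust root or signed outside the issuer's own scope, then proves role membership by forward chaining over RT0-style statements, and finally applies a quota against current allocations. The authority names GPO_CH, Emulab_CH and AM_X, the role names, the quota and the sample credentials are all assumptions constructed for the example; the X.509 signature check is simulated by trusting the signer's name.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Role = Tuple[str, str]  # (defining principal, role name), e.g. ("GPO_CH", "member")


@dataclass(frozen=True)
class Credential:
    """One RT0-style ABAC statement as it arrives at a PEP.

    head:   the role being granted, e.g. ("AM_X", "may_allocate")
    body:   either a principal ("Alice",) or another role ("GPO_CH", "member"),
            the latter meaning "everyone in GPO_CH.member is in the head role"
    issuer: who signed it. Real GENI credentials are X.509-signed; here the
            signature is assumed already verified and only the signer name is kept.
    """
    issuer: str
    head: Role
    body: Tuple[str, ...]


def accept_credentials(creds: Iterable[Credential], trust_roots: Set[str]) -> List[Credential]:
    """Trust-root filter. A credential survives only if (1) its signer is one of
    the federation's exchanged trust roots and (2) the signer is the principal
    that defines the role in the head. Rule (2) is the scoping property from the
    slide: an authority can only make statements about its own roles, so a
    misbehaving authority cannot grant membership in another authority's roles."""
    accepted = []
    for c in creds:
        if c.issuer not in trust_roots:   # unknown signer: not federated with us
            continue
        if c.issuer != c.head[0]:         # out of scope: not the role's owner
            continue
        accepted.append(c)
    return accepted


def resolve_roles(creds: List[Credential]) -> Dict[Role, Set[str]]:
    """Compute every role's membership by forward chaining to a fixpoint
    (a minimal prover for RT0 membership and role-delegation statements)."""
    members: Dict[Role, Set[str]] = {}
    for c in creds:
        members.setdefault(c.head, set())
        if len(c.body) == 2:
            members.setdefault((c.body[0], c.body[1]), set())
    changed = True
    while changed:
        changed = False
        for c in creds:
            before = len(members[c.head])
            if len(c.body) == 1:
                members[c.head].add(c.body[0])
            else:
                members[c.head] |= members[(c.body[0], c.body[1])]
            if len(members[c.head]) != before:
                changed = True
    return members


@dataclass(frozen=True)
class Request:
    user: str
    aggregate: str
    count: int  # number of nodes requested


def authorize(req: Request, creds: Iterable[Credential], trust_roots: Set[str],
              allocations: Dict[str, int], quota: int) -> Tuple[bool, str]:
    """PEP decision: a static check (role membership proven from trusted
    credentials) followed by a dynamic check (quota against current allocations)."""
    roles = resolve_roles(accept_credentials(creds, trust_roots))
    if req.user not in roles.get((req.aggregate, "may_allocate"), set()):
        return False, "no trusted credential chain proves %s.may_allocate for %s" % (req.aggregate, req.user)
    current = allocations.get(req.user, 0)
    if current + req.count > quota:
        return False, "quota exceeded: %d allocated + %d requested > %d" % (current, req.count, quota)
    return True, "authorized"


# Constructed sample federation: AM_X trusts GPO_CH members; GPO_CH federates
# with Emulab_CH by accepting its members; Alice is an Emulab user.
TRUST_ROOTS = {"GPO_CH", "Emulab_CH", "AM_X"}
CREDENTIALS = [
    Credential("AM_X", ("AM_X", "may_allocate"), ("GPO_CH", "member")),
    Credential("GPO_CH", ("GPO_CH", "member"), ("Emulab_CH", "member")),
    Credential("Emulab_CH", ("Emulab_CH", "member"), ("Alice",)),
    Credential("Evil_CH", ("GPO_CH", "member"), ("Mallory",)),    # rejected: unknown signer
    Credential("Emulab_CH", ("GPO_CH", "member"), ("Mallory",)),  # rejected: Emulab_CH cannot define GPO_CH.member
]
ALLOCATIONS = {"Alice": 3}  # constructed: Alice already holds 3 nodes
QUOTA = 5


if __name__ == "__main__":
    for req in (Request("Alice", "AM_X", 2), Request("Alice", "AM_X", 3), Request("Mallory", "AM_X", 1)):
        print(req, "->", authorize(req, CREDENTIALS, TRUST_ROOTS, ALLOCATIONS, QUOTA))
```

The two rejected credentials show the two failure modes a PEP must separate: a signer it has never exchanged trust roots with, and a federated signer overreaching into another authority's namespace. Only Alice's request that stays within the quota is authorized.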

6 Challenges
How can we best reflect these trust relationships and agreements in our software transactions?
What software attributes can help make it easier to establish human and inter-organizational trust?
How can we arrive at common mechanisms for:
– Exchanging identity
– Expressing policy
– Satisfying requirements for forensics and monitoring
How do we approach "loose" federation, in which:
– Federations and aggregates may have different policies that need to be reconciled
– Aggregates belong to a number of federations at once
These are among the topics I hope we discuss at this week's workshop.
Trust and federation are essentially human activities. Policies codify trust relationships that already exist between people and organizations. Policy cannot create that trust, but it can reinforce and sustain it.

