Identity Federation: Some Challenges and Thoughts OGF 19 Jan 30, 2007 Von Welch


GSI Credential Management, OGF 19 Federated Identity Session (1/30/07)

Topics
Identity Federation and Federated Identities
Motivations
Privacy
Incident Response

Identity Federation and Federated Identities
We are talking about two types of federation:
Federating identity systems
– Allowing users at A, B, C, etc. to access Sites X, Y, Z, etc.
Federating individual identities across systems
– Allowing a user to have an identity composed of attributes from L, M, N, VO, etc.

Motivation for Identity Federation
Identity Federation is a lot of work
– Ask anyone here…
Why are we doing it?
Yes, it’s cool. Copper plumbing is cool too, but not many have it.
At the end of the day, how will it pay the bills?

Motivations
User: the holy grail of security - convenience
Resource provider: outsourcing of user management (if we can work out incident response)
Virtual Organization: another win; federation lets the VO participate in identity management
Identity Provider: get to be really nice guys?

Privacy
Kim Cameron’s Laws of Identity
– Sounds good
Some resource providers want to keep users pseudonymous
– And we can help there
What about in other cases?
Plenty of other privacy leaks for SPs looking to circumvent it
Identity today on the Internet is really IP addresses

Privacy?
This is really least privilege
– And we haven’t had much success getting users interested there
Will users care enough to read a pop-up?
Really, I think anonymization services are needed
– E.g. web anonymizers
Trust Negotiation may have a role to play here

Who is going to represent the user?
“Humans are incapable of securely storing high-quality cryptographic keys, and they have unacceptable speed and accuracy when performing cryptographic operations. (They are also large, expensive to maintain, difficult to manage, and they pollute the environment. It is astonishing that these devices continue to be manufactured and deployed. But they are sufficiently pervasive that we must design our protocols around their limitations.)”
– Network Security: Private Communication in a Public World, Charlie Kaufman, Radia Perlman, and Mike Speciner (Prentice Hall, 2002)

User Representation?
Think we can agree users need help
– Policies, attribute wallet, all that state
Who will provide it?
Current Identity Providers?
– My university, ProtectNetwork, etc.
My bank?
– Seems like they are going to have to be an IdP anyway; maybe they can make money at it?
Local OS?
– CardSpace/KeyChain/Higgins/etc.
– Is there a difference between this and a network service any more?
What is the agreement going to be between the user and this party?

Incident Response
Everything is great until something goes wrong - Murphy’s 2nd Law
When we start moving to valuable resources, it seems clear that incident response is going to be a big issue in all of this

Incident Response
Theorem: Resource providers must have the ability to act locally, think globally
It must be possible for a resource provider to cut off any user locally, without having to involve anyone else
Then it must be possible for the process to proceed on the global stage
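The two design points above, pseudonymous users (Privacy slide) and a resource provider that can cut a user off locally before anything happens on the global stage, fit together in one small model. The following is an added example, not code from the talk or from any GSI/Shibboleth implementation. It assumes a toy assertion format: the IdP derives a per-SP pseudonym with an HMAC so two resource providers cannot correlate the same user, and authenticates the assertion with a second HMAC key shared with the SP (a real deployment would use a signed SAML assertion or X.509 credential with a validity window). The entity names, keys and user data are constructed for the example.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample keys (assumptions for this example, not real deployment values).
IDP_PAIRWISE_SECRET = b"idp-pairwise-secret-example"
IDP_ASSERTION_KEY = b"idp-assertion-key-shared-with-sps"


def pairwise_id(idp_secret: bytes, local_user: str, sp_entity: str) -> str:
    """Per-SP pseudonym: HMAC over (local user, SP). The IdP can map it back to
    the real user; two SPs see unrelated identifiers for the same person."""
    msg = local_user.encode() + b"\x00" + sp_entity.encode()
    return hmac.new(idp_secret, msg, hashlib.sha256).hexdigest()[:32]


def issue_assertion(idp_entity: str, idp_secret: bytes, assertion_key: bytes,
                    local_user: str, sp_entity: str, attributes: dict) -> dict:
    """IdP side: build an assertion for one SP carrying only the pseudonym and
    the released attributes, authenticated with the shared assertion key."""
    body = {
        "issuer": idp_entity,
        "audience": sp_entity,
        "subject": pairwise_id(idp_secret, local_user, sp_entity),
        "attributes": attributes,
    }
    payload = json.dumps(body, sort_keys=True)
    mac = hmac.new(assertion_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}


@dataclass
class ResourceProvider:
    entity: str
    trusted_idps: dict                      # issuer -> assertion key
    local_blocklist: set = field(default_factory=set)   # {(issuer, subject)}
    incident_log: list = field(default_factory=list)    # what the IdP later needs

    def verify(self, assertion: dict) -> Optional[dict]:
        """Check issuer trust, integrity and audience. Any failure -> None."""
        payload = assertion["payload"]
        try:
            body = json.loads(payload)
        except ValueError:
            return None
        key = self.trusted_idps.get(body.get("issuer"))
        if key is None:
            return None
        expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, assertion["mac"]):
            return None
        if body.get("audience") != self.entity:
            return None                      # assertion meant for another SP
        return body

    def authorize(self, assertion: dict) -> str:
        """Act locally: the SP's own blocklist is consulted before any grant, and
        a blocked principal is denied without contacting the IdP."""
        body = self.verify(assertion)
        if body is None:
            return "deny:invalid-assertion"
        principal = (body["issuer"], body["subject"])
        if principal in self.local_blocklist:
            return "deny:locally-blocked"
        return "allow"

    def block_locally(self, issuer: str, subject: str, reason: str) -> None:
        """Cut the user off now; record the pseudonym and issuer so the matter
        can proceed on the global stage (only the IdP can map subject -> person)."""
        self.local_blocklist.add((issuer, subject))
        self.incident_log.append({"issuer": issuer, "subject": subject, "reason": reason})


def demo() -> dict:
    """Run the two-SP scenario and return the observations a test can check."""
    idp = "https://idp.example.edu"                    # hypothetical IdP
    sp_x = ResourceProvider("https://x.example.org", {idp: IDP_ASSERTION_KEY})
    sp_y = ResourceProvider("https://y.example.org", {idp: IDP_ASSERTION_KEY})
    attrs = {"affiliation": "member"}
    a_x = issue_assertion(idp, IDP_PAIRWISE_SECRET, IDP_ASSERTION_KEY, "alice", sp_x.entity, attrs)
    a_y = issue_assertion(idp, IDP_PAIRWISE_SECRET, IDP_ASSERTION_KEY, "alice", sp_y.entity, attrs)
    subj_x = json.loads(a_x["payload"])["subject"]
    subj_y = json.loads(a_y["payload"])["subject"]
    before = sp_x.authorize(a_x)
    replayed_at_y = sp_y.authorize(a_x)                 # wrong audience
    tampered = {"payload": a_x["payload"].replace("member", "admin"), "mac": a_x["mac"]}
    sp_x.block_locally(idp, subj_x, "allocation exhausted by compromised account")
    return {
        "pseudonyms_differ": subj_x != subj_y,
        "before_block": before,
        "replayed_at_other_sp": replayed_at_y,
        "tampered": sp_x.authorize(tampered),
        "after_block_at_x": sp_x.authorize(a_x),
        "still_allowed_at_y": sp_y.authorize(a_y),
        "incidents_recorded": len(sp_x.incident_log),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point of the blocklist key being (issuer, pseudonym) rather than a real name is that the SP never learns who the person is, yet it can still stop the account immediately; the incident record it keeps is exactly what it will hand the IdP when the global process starts.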

Incident Response
What is the global process?
– What are the separation of duties/SLA intersections?
It seems the resource provider is typically the wronged party and bears liability
User may sometimes bear some liability
– E.g. my allocation got eaten!
Different from the physical-world case of credit cards, where the user is the wronged party and the credit provider bears ultimate liability

Incident Response
Liability implies the Resource Provider must drive Incident Response
Comparison to current practice with an ISP: the wronged party must get a court order to map an Internet identity (IP address) to a real-world identity
Our resource providers have SLAs with IdPs, which helps
But if this is going to work, IdPs must care about incidents

Incident Response
Theorem: If this is going to work, IdPs must eat their own dog food - i.e. they must be as dependent on the Identity System as the resource providers
Use of the Identity System internally tells you more about its reliability than any policy statement
Similar use to the resource provider and you’re probably in good shape
No policy will allow an IdP to effectively run a system whose external use is unfamiliar to the IdP

Thank you