R & Ethinking Trust Ken Klingenstein, custodian, InCommon and the CREN CAt.

Trust me
  "Trust me." Richard Nixon
  "A person who trusts no one can't be trusted." Jerome Blattner
  "I don't really trust a sane person." Lyle Alzado
  "Nobody believes the official spokesman... but everybody trusts an unidentified source." Ron Nessen
  "We're willing to trust everyone until we find the rat." Kevin Morooney
  "This time for sure." Bullwinkle J. Moose

Topics
  A Trust Continuum
  Inter-institutional Trust Tools
  Applications that may need inter-institutional trust
  Trust Fabrics

The Continuum of Trust
  Collaborative trust at one end...
    Can I videoconference with you?
    You can look at my calendar
    You can join this computer science workgroup and edit this computing code
    Students in course Physics Brown can access this on-line sensor
    Members of the UWash community can access this licensed resource
  Legal trust at the other end...
    Sign this document, and guarantee that what was signed was what I saw
    Encrypt this file and save it
    Identify yourself to this high security area

Dimensions of the Trust Continuum

  Dimension                        Collaborative trust                          Legal trust
  Basis                            handshake                                    contractual
  Consequences of breaking trust   more political (ostracism, shame, etc.)      more financial (liabilities, fines and penalties, indemnification, etc.)
  Dynamics                         fluid (additions and deletions frequent)     more static (legal process time frames)
  Term                             shorter term                                 longer term (justify the overhead)
  Structures                       tend to clubs and federations                tend to hierarchies and bridges
  Privacy issues                   more user-based                              more laws and rules

The Trust Continuum, Applications and their Users
  Applications and their user community must decide where their requirements fit on the trust continuum.
  Some apps can only be done at one end of the continuum, and that might suggest a particular technical approach.
  Many applications fit somewhere in the middle, and the user communities (those that trust each other) need to select an approach that works for them.

Inter-institutional Trust Tools
  Shibboleth
  Liberty (open source version might come from PingID)
  Federated Passport
  Classic PKI

Applications that may need inter-institutional trust
  S/MIME
  Enterprise, federated P2P
  LMS
  Grids
  Instant Messaging
  Inter-library loan
  Inter-institutional calendaring
  E-grants
  WebDAV
  ...

Trust and Assertion Transports
  At one level (run-time)
    X.509 identity certs and their mutants
    X.509 attribute certs
    SAML
    S-expressions, etc.
  At another level (static storage and management)
    Roles
    Attributes
    Personal factors
    Information sources...

Trust Fabrics
  Hierarchies
    may assert stronger or more formal trust
    require bridges and policy mappings to connect hierarchies
    appear larger scale
  Federated administration
    internal – within the subsidiaries of large corporations
    private – between several corporations for specific business needs
    public – open to qualified enterprises for general uses
  Virtual organizations
    shared resources among a sparse, distributed set of users
    Grids, virtual communities, some P2P applications
    want to leverage the other trust structures above

Federated Trust Definition
  An interrealm approach – enterprises are realms, and they mutually join into federations to conduct business
  For the consumer marketplace, users subscribe to commercial service offerings to interact with business federations; enterprises that might offer consumer services include desktop OS's (Microsoft), ISP's (AOL), telecoms (Nokia, telco's), consumer product vendors (Ford, United Airlines) and banks (Chase)
  Such Identity Service Providers (ECP) need to exchange trust amongst themselves and with others
  User brokers with local domain on the release of information within the federation
  User trusts local domain, local domain trusts federated member, federated member trusts local domain, all trust federation management
  Trust is used to accept or reject assertions or requests for attributes

Models and Architectures (Run-time)
  Where one makes the decision to trust (believe, reject, believe with constraints)
  The interrealm acquisition of trust info
    a priori
    coming with the assertions
  Trust enforcement points
  Closely related to Authzanity

Federations
  A group of organizations (universities, corporations, content providers, etc.) who agree to exchange attributes using common transport protocols. In doing so they also agree to abide by common sets of rules.
  The required rules and functions could include:
    A registry to process applications and administer operations
    A set of best practices on associated technical issues, typically involving security and attribute management
    A set of agreements or best practices on policies and business rules governing the exchange and use of attributes
    The set of attributes that are regularly exchanged (syntax and semantics), including namespaces
    A mechanism (WAYF) to identify a user's security domain
    Ways to federate and unfederate identities
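The trust chain on the Federated Trust Definition slide (user trusts local domain, members and domains trust federation management, trust decides whether assertions are accepted) and the registry, WAYF and attribute-set items on the Federations slide, as an added example that is not part of the original presentation: a toy federation in Python where the operator signs the member registry, WAYF maps a security domain to its IdP, the home domain releases only attributes the federation defines and the user permits, and the SP accepts an assertion only from a registered member under that member's registered key. HMAC with shared keys stands in for the XML DSig and certificate signatures a real federation would use; every entity name, key and attribute value is constructed.

```python
import hashlib, hmac, json

def sign(key: bytes, payload: dict) -> str:
    """HMAC over canonical JSON stands in for the XML DSig a real federation uses."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

# Constructed federation: operator key plus two member IdPs, each with the security
# domain it vouches for and the key the registry binds to it (all values made up).
OPERATOR_KEY = b"constructed-federation-operator-key"
IDP_KEYS = {"idp.example.edu": b"constructed-idp-a-key", "idp.other.edu": b"constructed-idp-b-key"}
REGISTRY = {
    "members": {e: {"domains": [e.split(".", 1)[1]], "key": k.hex()} for e, k in IDP_KEYS.items()},
    "attributes": ["eduPersonAffiliation", "eduPersonPrincipalName"],  # federation-wide set
}
SIGNED_REGISTRY = {"body": REGISTRY, "sig": sign(OPERATOR_KEY, REGISTRY)}

def load_registry(signed):
    """All parties trust federation management: a registry it did not sign is rejected."""
    if not hmac.compare_digest(sign(OPERATOR_KEY, signed["body"]), signed["sig"]):
        raise ValueError("registry not signed by the federation operator")
    return signed["body"]

def wayf(registry, user_domain):
    """WAYF: map the user's security domain to the member IdP that authenticates them."""
    return next((e for e, r in registry["members"].items() if user_domain in r["domains"]), None)

def issue_assertion(registry, idp, user_attrs, request, release_policy):
    """Local domain: the user brokers release, so only federation-defined attributes the
    user's policy allows for this SP are asserted; the IdP then signs the assertion."""
    allowed = set(registry["attributes"]) & set(release_policy.get(request["sp"], []))
    attrs = {a: v for a, v in user_attrs.items() if a in allowed and a in request["attributes"]}
    assertion = {"issuer": idp, "audience": request["sp"], "attributes": attrs}
    return assertion, sign(IDP_KEYS[idp], assertion)

def accept_assertion(registry, sp, assertion, sig):
    """SP: accept only if addressed to us, the issuer is a registered member, and the
    signature verifies under the key the registry binds to that issuer."""
    member = registry["members"].get(assertion.get("issuer"))
    if member is None or assertion.get("audience") != sp:
        return False
    return hmac.compare_digest(sign(bytes.fromhex(member["key"]), assertion), sig)

def demo():
    reg = load_registry(SIGNED_REGISTRY)  # one round trip: WAYF, release, SP acceptance
    idp = wayf(reg, "example.edu")
    user = {"eduPersonAffiliation": "student", "eduPersonPrincipalName": "jdoe@example.edu", "homePhone": "555-0100"}
    request = {"sp": "sp.library.org", "attributes": ["eduPersonAffiliation", "homePhone"]}
    policy = {"sp.library.org": ["eduPersonAffiliation", "eduPersonPrincipalName"]}
    assertion, sig = issue_assertion(reg, idp, user, request, policy)
    return assertion, sig, accept_assertion(reg, "sp.library.org", assertion, sig)
```

In the round trip, homePhone is requested but never released because it is not a federation attribute, and the released assertion is rejected if it is re-targeted to another SP, altered after signing, or issued by an entity the registry does not list.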

Federations and PKI
  At one level, federations are enterprise-oriented PKI
    Pure server-server PKI
    XML DSig and SSL are perhaps the most widely used PKI today...
    Local authentication may well be end-entity certs
    Name-space control is a critical issue
    Can issue custom virtual organization certs as needed
  At another level, federations differ from classic PKI
    End user authentication a local decision
    Flat set of relationships; little hierarchy
    Focus as much on privacy as security
    Web services only right now: no other apps, no encryption

Types of federations
  Internal – within large corporations, among their subsidiaries
  Private (bilateral and small multilateral) – between trading partners, supply chains, etc.
  Public – InCommon, e-Authentication
  Key questions for Magic
    How are the GridPMA, DOEGRID, etc. related to federations? Are they federations themselves?
    If not, what federations would be needed to support Grid instantiations?
    How much of the infrastructure for science needs to interact with the infrastructure for management? E.g. e-Grants,

Public and Private Federations
  Public federations need to think more about:
    rules of engagement to participate in the federation and how it operates
    persistence of trust
    migration of installed base
    process for standardizing attributes that are exchanged
    privacy
    international issues

Our Goals
  A single infrastructure to support collaborative and legal trust
    perhaps multiple transports for trust
    multiple levels of security
    nurture rather than mandate
  Integrate PKI and SAML
  Strengthen the role of the enterprise
  Build a public sector marketplace for identity and attributes

Federating Organizations Organization (FOO)
  To explore the issues in federations, and multiple federations, and subclubs, and...
  Includes GM, Securities Industry, Johnson and Johnson, Microsoft, Fed e-AuthN, etc.
  Monthly discussions with minutes...
  Friends of FOO as a list to stay informed of the discussions

Overall Trust Fabric

Possible next steps
  A one-hour session at fall CSG on trust fabrics – discussion of requirements and approaches
  A workshop at winter CSG on secure collaboration – signed , secure IM, middleware-enabled videoconferencing, etc.