Presentation is loading. Please wait.

Presentation is loading. Please wait.

R & Ethinking Trust Ken Klingenstein, custodian, InCommon and the CREN CAt.

Published byKerry Little Modified over 8 years ago

Similar presentations

Presentation on theme: "R & Ethinking Trust Ken Klingenstein, custodian, InCommon and the CREN CAt."— Presentation transcript:

1 R & Ethinking Trust Ken Klingenstein, custodian, InCommon and the CREN CAt

2 Trust me Richard Nixon A person who trusts no one can't be trusted. Jerome Blattner I don't really trust a sane person. Lyle Alzado Nobody believes the official spokesman... but everybody trusts an unidentified source. Ron Nesen We’re willing to trust everyone until we find the rat Kevin Morooney This time for sure Bullwinkle J Moose

3 Topics A Trust Continuum Inter-institutional Trust Tools Applications that may need inter-institutional trust Trust Fabrics

4 The Continuum of Trust Collaborative trust at one end… can I videoconference with you? you can look at my calendar You can join this computer science workgroup and edit this computing code Students in course Physics 201 @ Brown can access this on-line sensor Members of the UWash community can access this licensed resource Legal trust at the other end… Sign this document, and guarantee that what was signed was what I saw Encrypt this file and save it Identify yourself to this high security area

5 Dimensions of the Trust Continuum Collaborative trust handshake consequences of breaking trust more political (ostracism, shame, etc.) fluid (additions and deletions frequent) shorter term structures tend to clubs and federations privacy issues more user-based Legal trust contractual consequences of breaking trust more financial (liabilities, fines and penalties, indemnification, etc.) more static (legal process time frames) longer term (justify the overhead) tends to hierarchies and bridges privacy issues more laws and rules

6 The Trust Continuum, Applications and their Users Applications and their user community must decide where their requirements fit on the trust continuum Some apps can only be done at one end of the continuum, and that might suggest a particular technical approach. Many applications fit somewhere in the middle and the user communities (those that trust each other) need to select a approach that works for them.

7 Inter-institutional Trust Tools Shibboleth Liberty (open source version might come from PingID) Federated Passport Classic PKI

8 Applications that may need inter-institutional trust S/MIME Enterprise, federated P2P LMS Grids Instant Messaging Inter-library loan Inter-institutional calendaring E-grants WebDAV …….

9 Trust and Assertion Transports At one level (run-time) X.509 identity certs and their mutants X.509 attribute certs SAML S-expressions, etc…. At another level (static storage and management) Roles Attributes Personal factors Information sources…

10 Trust Fabrics Hierarchies may assert stronger or more formal trust requires bridges and policy mappings to connect hierarchies appear larger scale Federated administration internal – within the subsidiaries of large corporations private – between several corporations for specific business needs Public – open to qualified enterprises for general uses Virtual organizations Shared resources among a sparse, distributed set of users Grids, virtual communities, some P2P applications Want to leverage other trust structures above

11 Federated Trust Definition An interrealm approach – enterprises are realms, and they mutually join into federations to conduct business For the consumer marketplace, users subscribe to commercial service offerings to interact with business federations; enterprises that might offer consumer services include desktop OS’s (Microsoft), ISP’s (AOL), Telecoms (Nokia, telco’s), consumer product vendors (Ford, United Airlines) and banks (Chase) Such Identity Service Providers (ECP) need to exchange trust amongst themselves and with others User brokers with local domain on the release of information within the federation User trusts local domain, local domain trusts federated member, federated member trusts local domain, all trust federation management Trust is used to accept or reject assertions or requests for attributes

12 Models and Architectures (Run-time) Where one makes the decision to trust (believe, reject, believe with constraints) The interrealm acquisition of trust info a priori Coming with the assertions Trust enforcement points Closely related to Authzanity

13 Federations A group of organizations (universities, corporations, content providers, etc.) who agree to exchange attributes using common transport protocols. In doing so they also agree to abide by common sets of rules. The required rules and functions could include: A registry to process applications and administer operations A set of best practices on associated technical issues, typically involving security and attribute management A set of agreements or best practices on policies and business rules governing the exchange and use of attributes. The set of attributes that are regularly exchanged (syntax and semantics), including namespaces. A mechanism (WAYF) to identify a user’s security domains Ways to federate and unfederate identities

14 Federations and PKI At one level, federations are enterprise-oriented PKI Pure server-server PKI XML DSig and SSL are perhaps the most widely used PKI today… Local authentication may well be end-entity certs Name-space control is a critical issue Can issue custom virtual organization certs as needed At another level, federations have differences with classic PKI End user authentication a local decision Flat set of relationships; little hierarchy Focus as much on privacy as security Web Services only right now: no other apps, no encryption

15 Types of federations Internal –within large corporations, among their subsidiaries Private (bilateral and small multilateral) – between trading partners, supply chains, etc. Public – InCommon, e-Authentication Key questions for Magic How are the GridPMA, DOEGRID, etc related to federations? Are they federations themselves? If not, what federations would be needed to support Grid instantiations? How much of the infrastructure for science need to interact with the infrastructure for management? E.g. e-Grants,

16 Public and Private Federations Public federations need to think more about: rules of engagement to participate in the federation and how it operates persistence of trust migration of installed base process for standardizing attributes that are exchanged privacy international issues

17 Our Goals A single infrastructure to support collaborative and legal trust perhaps multiple transports for trust multiple levels of security nurture rather than mandate Integrate PKI and SAML Strengthen the role of the enterprise Build a public sector marketplace for identity and attributes

18 Federating organizations organization (FOO) To explore the issues in federations, and multiple federations, and subclubs, and… Includes GM, Securities Industry, Johnson and Johnson, Microsoft, Fed e-AuthN, etc. Monthly discussions with minutes... Friends of foo as an email list to stay informed of the discussions

19 Overall Trust Fabric

20 Possible next steps A one-hour session at fall CSG on trust fabrics – discussion of requirements and approaches A workshop at winter CSG on secure collaboration – signed email, secure IM, middleware-enabled videoconferencing, etc…

Download ppt "R & Ethinking Trust Ken Klingenstein, custodian, InCommon and the CREN CAt."

Similar presentations

The Basics of Federated Identity. Overview of Federated Identity and Grids Workshop Session 1 - for all Basics and GridShib Session 2 – more for developers.

The Basics of Federated Identity. Overview of Federated Identity and Grids Workshop Session 1 - for all Basics and GridShib Session 2 – more for developers.
1 Use Cases Application provisioning (version control) Workload management/load-balancing (server consolidation) Data Federation/sharing E-utilities (provisioning.

1 Use Cases Application provisioning (version control) Workload management/load-balancing (server consolidation) Data Federation/sharing E-utilities (provisioning.
GT 4 Security Goals & Plans Sam Meder

GT 4 Security Goals & Plans Sam Meder
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
| Copyright© 2010 Microsoft Corporation Quick Start into Activating and Selling Office 365.

| Copyright© 2010 Microsoft Corporation Quick Start into Activating and Selling Office 365.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Welcome to CAMP! Ken Klingenstein, Director, Internet2 Middleware Initiative.

Welcome to CAMP! Ken Klingenstein, Director, Internet2 Middleware Initiative.
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.

Information Resources and Communications University of California, Office of the President UCTrust David Walker Office of the President University of California.
Trust Fabrics: Old Whine in New Battles Ken Klingenstein Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado, Boulder.

Trust Fabrics: Old Whine in New Battles Ken Klingenstein Director, Internet2 Middleware Initiative Chief Technologist, University of Colorado, Boulder.
Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.
Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.
Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,

Attributes, Anonymity, and Access: Shibboleth and Globus Integration to Facilitate Grid Collaboration 4th Annual PKI R&D Workshop Tom Barton, Kate Keahey,
Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.

Military Technical Academy Bucharest, 2006 SECURITY FOR GRID INFRASTRUCTURES - Grid Trust Model - ADINA RIPOSAN Department of Applied Informatics.
1 eAuthentication in Higher Education Tim Bornholtz Session #47.

1 eAuthentication in Higher Education Tim Bornholtz Session #47.
Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.

Welcome Acknowledgments and thanks Security Acronymny: then and now What’s working What’s proving hard.
David L. Wasley Office of the President University of California Maybe it’s not PKI … Musings on the business case for PKI EDUCAUSEEDUCAUSE PKI Summit.

David L. Wasley Office of the President University of California Maybe it’s not PKI … Musings on the business case for PKI EDUCAUSEEDUCAUSE PKI Summit.
Shibboleth Update a.k.a. “shibble-ware”

Shibboleth Update a.k.a. “shibble-ware”
The E-Authentication Initiative An Overview Peter Alterman, Ph.D. Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority The E-Authentication.

The E-Authentication Initiative An Overview Peter Alterman, Ph.D. Assistant CIO for e-Authentication, NIH and Chair, Federal PKI Policy Authority The E-Authentication.
Shibboleth and InCommon: Making Secure Collaboration a Reality Scott Cantor Internet2/MACE and The.

Shibboleth and InCommon: Making Secure Collaboration a Reality Scott Cantor Internet2/MACE and The.

Similar presentations

Ads by Google