Directories, PKI, - CREN | Corporation for Research and
Directories and PKI
Basic Components of Middleware
David L. Wasley
Information Resources & Communications
Office of the President
University of California
The Context
Institutional business is increasingly complex
  Requires e-automation
Human resources are increasingly scarce
  Requires efficiency and distributed responsibility
Independent systems must interoperate
  Requires standards and “trust”
Some day much of our world may work this way
  E-commerce and the information economy
We take a lot for granted today
Email used for business transactions(!)
  No “validation on send” for email
Electronic documents used for contracts
  What proves they haven’t been changed?
  Which copy was accepted by both parties?
Even the network is run with loose “trust”
  Domain name system
  Routing protocols
  IPSEC will fix this!
Middleware
A set of cooperating infrastructure services that provide support to a variety of applications
Some components include:
  DNS, time, message queuing and forwarding
  Authentication
  Directories
  Portals
  Business workflow and policy services
  Electronic notary and archive services
Credentials are the cornerstone
Management of access begins with sure knowledge of the entity requesting it
A digital credential binds a token to a known entity
Who issues such credentials?
Required trustworthiness depends on application
Credentials alone are not enough
  What does it mean to ask “Who is it?”
  The answer depends on context
Directories are the glue
Directories will store most of what we need to know about credential holders
  Attributes, e.g. characteristics, roles, affiliations …
  As critical as the credential itself
  Must be reliably populated and maintained
Some information is only meaningful locally
Some must be understood more broadly
Directories will also help locate resources
Distributed Systems are the Blocks
We’re not going to (re)build monolithic systems
Systems need to exchange information reliably
  Business XML …
  … validated with digital signatures
  … encrypted when necessary
Systems need identity too
  E.g. “server certs”
  Portal as proxy for the User…
Portals provide views
Personalization is the basic idea
  Could be based on roles and affiliations
  Can support scalable & timely access management
Must render information from various systems
  Data exchange standards, etc.
Must ‘speak for the User’ in accessing systems
  Requires a digital credential to identify itself
Digital signatures and data security
“Signature” binds an entity’s identifying mark to specific information
  Paper does this in the physical world
  Asymmetric encryption does it in the e-world
PKI provides the basic elements
  An encryption key known only to the signer
  A decryption key tied to the same entity
By reversing the use of the keys we get data security
Automated Workflow
Ties together systems, Users, and business rules
Should be based on roles and responsibilities
Could streamline transaction oriented systems
For example, procurement:
  Originator digitally signs request, fwds to AW svc
  Budget authority adds fund info, countersigns, fwds
  Purchasing agent reviews and feeds into accounting & asset management systems and e-commerce agent
  E-commerce partner submits invoice w/e-signature
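An added example, not code from the talk or from any CREN or Internet2 project: the procurement chain above built on the signature idea from the previous slide, where each party signs the request together with everything signed before it, so a countersignature vouches for exactly what was approved and any later edit to the request breaks the chain. It assumes Ed25519 signatures (in place of the slide's encryption/decryption key pair), a length-prefixed transcript layout and the step texts, all of which are this example's own choices.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Step is one workflow action: the text a party adds (request, fund info, ...)
// and that party's signature. The layout is this example's own, not a CREN format.
type Step struct {
	Text string
	Sig  []byte
}

// transcript hashes what step i vouches for: the text of steps 0..i and the
// signatures of steps 0..i-1, so each countersignature covers prior approvals.
func transcript(steps []Step, i int) []byte {
	h := sha256.New()
	for j, s := range steps[:i+1] {
		fmt.Fprintf(h, "%d:%s", len(s.Text), s.Text) // length-prefixed text
		if j < i {
			h.Write(s.Sig)
		}
	}
	return h.Sum(nil)
}

// Sign appends a step and signs its transcript with the key only this party holds.
func Sign(key ed25519.PrivateKey, steps []Step, text string) []Step {
	steps = append(steps, Step{Text: text})
	steps[len(steps)-1].Sig = ed25519.Sign(key, transcript(steps, len(steps)-1))
	return steps
}

// VerifyChain checks step i against the public key expected for role i; editing
// any earlier text or signature invalidates that step and every later one.
func VerifyChain(pubs []ed25519.PublicKey, steps []Step) bool {
	if len(pubs) != len(steps) {
		return false
	}
	for i, pub := range pubs {
		if !ed25519.Verify(pub, transcript(steps, i), steps[i].Sig) {
			return false
		}
	}
	return true
}
```

The verifier must know which public key belongs to which role, which is exactly the credential-plus-directory lookup the earlier slides describe.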
Some current activities
CREN Higher Ed root CA
Educause Higher Ed Bridge
Middleware Activities for Education (MACE)
  Sponsored by Internet2
HEPKI
  Technical planning for PKI
  Certificate Policy and Practices definition
Shibboleth
PKI WG under Net@EDU
Shibboleth
Leverage current campus authentication systems to enable access to external resources
Complementary to PKI
Will foster development of needed infrastructure
  Directories !!
  Attribute Authority server
    Manages attribute release policy
  Standard language for attribute assertions
Intended to interest content publishers (at least)
Further info
http://middleware.internet2.edu
[email protected]
Join the working groups!