Middleware, Ten Years In:
Vapority into Reality into Virtuality
Dr. Ken Klingenstein,
Senior Director, Middleware and Security, Internet2
Technologist, University of Colorado at Boulder
Topics
• Middleware, Ten Years In
  • From Vapor to Reality
  • Some of the successes
  • Some of the failures
• Middleware, Ten Years Forward
  • From Reality to Virtuality
  • Organizations
  • Resources
  • Communities
  • From Virtuality back to Reality
[email protected]
Before there was middleware
[Diagram: apps]
First Vapors
• When end-user PKI was months away…
• When the big application houses didn’t care about middleware
• We knew it was something about authentication and authorization
• We couldn’t agree about much – payloads or protocols or spelling
In the beginning
[Diagram: apps, Directories, Authentication]
Dealing with the apps
[Diagram: apps, Directories, Authentication]
Filling out the portfolio
[Diagram: Groups, Directories, Authentication, Privileges, Authorization]
Federation
[Diagram: several Directories and Authentication blocks]
COmanage
[Diagram: several Directories and Authentication blocks]
Vapors become Reality
• When end-user PKI was months away…
• When the big application houses care so much they have to own it
• Middleware as the new lock-in point
• Federation as identity infrastructure and attributes as the payloads
• IdM not a local industry anymore
Some of the successes
• Building a fundamental new layer of Internet infrastructure
• Engaging a broad and growing international group of expertise
• Crafting a larger world that works for R&E needs
• Proving that security and privacy can work together
More successes
• Focusing on the schema early on
• Coming together around SAML, and getting the rest of the world to come along…
• Working towards scaling (rough consensus and running code)
• Seeing parts of other worlds
Some of the failures
• The directory of directories…
• End-to-end end-user PKI
• Establishing resources to support the infrastructure
• Diagnostics
• The rest of the middleware stack
Middleware, Ten Years Forward
• Working on Attributes and Federation
  • Growing our federations
  • Interfederation and Soup
  • The Attribute Ecosystem
  • Learning the Tao of Attributes
• Building and Managing the Virtual
• Integration, Integration, Integration
Growing our Federations
• Deciding on the services
  • Core services – identity/attributes for access controls
  • Value added services – content aggregation, roaming, PKI and SSL services, collaboration platforms, Silver
• Finding the business models
• Finding the governance structures
• Making a marketplace
Interfederation and Soup
• Interfederation essential to scale
  • Across vertical sectors
  • Internationally
  • To the consumer marketplace
• Confederation and Overlays will also exist
• Soup
  • Institutional groups that cut across segments – geography, shared business purpose, etc.
  • Mix of special purpose and infrastructure federations tangled
Attribute ecosystem use cases…
• Obtaining student consent for information release
• FEMA needing first responders’ attributes and qualifications dynamically
• High-confidence attributes
• Access-ability use cases
• AAMC step-up authentication possibilities
• Public input processes
• Grid relying parties aggregating VO and campus
• The “IEEE” problem
• The “over legal age” and the difference in legal ages use cases
• Self-asserted attributes – friend, interests, preferences, etc.
Attribute Ecosystem Key Issues
• Attribute Aggregation
• Attribute Metadata
• Sources of authority and delegation
• Schema management, mapping, etc
• User interface
• Privacy and legal issues
Attribute aggregation
• Gathering attributes from multiple sources
  • From one IdP or several IdPs
  • From other sources of authority
  • From intermediaries such as portals
• Static and dynamic acquisition
• Many linking strategies
• Will require a variety of standardized mechanisms
  • Bulk feeds, user activated links, triggers
Attribute metadata
• Federated attributes need common meaning
• Representation of meaning
  • At a system level
  • At a user level
• LOA associated with the value assigned
  • “Code+data equals programs”
  • LOA itself faces “re-interpretations”
  • Separation of components of LOA
  • Use of “step-up” authentication
Sources of authority
• Who gets to assign semantics (and syntax) to an area?
• How can they delegate assignment of value?
• What needs to be retained for audit/diagnostics?
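The three slides above (attribute aggregation, attribute metadata, sources of authority) name the moving parts without showing them working together. The following Python is an added example, not code from the talk or from any Internet2 project. Every issuer name, subject value and LOA number is constructed, and the AUTHORITY table is an assumption about who may assert which attribute. It merges assertions from a campus IdP, a second source of authority, a portal intermediary and the user, rejects values from issuers that are not authoritative for that attribute, keeps an audit line per decision, resolves conflicting values by LOA, and tells the relying party when a step-up is needed rather than simply failing.

```python
"""Attribute aggregation with per-value metadata: source of authority and LOA.

Added example, not code from the talk or any Internet2 project. Every issuer
name, subject value and LOA number below is constructed; the AUTHORITY table is
an assumption about who may assert which attribute.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttributeValue:
    name: str       # schema-level attribute name (the "common meaning")
    value: str
    issuer: str     # source of authority that asserted this value
    loa: int        # level of assurance the issuer attaches to this value
    acquired: str   # "dynamic" (fetched at request time) or "static" (bulk feed)


# Who is allowed to assign a value to each attribute; list order breaks LOA ties.
AUTHORITY: Dict[str, List[str]] = {
    "eduPersonPrincipalName": ["idp.example.edu"],
    "eduPersonAffiliation": ["idp.example.edu", "portal.example.org"],
    "age_over_21": ["dmv.example.gov", "idp.example.edu"],
    "interests": ["self"],            # self-asserted attribute: the user is the authority
}

# Constructed sample: one subject as seen by four sources.
CAMPUS_IDP = [
    AttributeValue("eduPersonPrincipalName", "jdoe@example.edu", "idp.example.edu", 2, "dynamic"),
    AttributeValue("eduPersonAffiliation", "student", "idp.example.edu", 2, "dynamic"),
    AttributeValue("age_over_21", "true", "idp.example.edu", 1, "dynamic"),  # campus only heard it from the user
]
STATE_DMV = [
    AttributeValue("age_over_21", "false", "dmv.example.gov", 3, "dynamic"),
]
PORTAL_CACHE = [
    AttributeValue("eduPersonAffiliation", "staff", "portal.example.org", 1, "static"),  # stale bulk feed
]
SELF_ASSERTED = [
    AttributeValue("interests", "chess", "self", 0, "dynamic"),
    AttributeValue("eduPersonAffiliation", "faculty", "self", 0, "dynamic"),  # not the user's call
]

Merged = Dict[str, List[AttributeValue]]


def aggregate(*sources: List[AttributeValue]) -> Tuple[Merged, List[str]]:
    """Merge attribute sets from several sources, keeping every authoritative value
    plus one audit line per decision (the slide's audit/diagnostics record)."""
    merged: Merged = {}
    audit: List[str] = []
    for source in sources:
        for av in source:
            if av.issuer not in AUTHORITY.get(av.name, []):
                audit.append(f"reject {av.name}={av.value!r} from {av.issuer}: not a source of authority")
                continue
            merged.setdefault(av.name, []).append(av)
            audit.append(f"accept {av.name}={av.value!r} from {av.issuer} (LOA {av.loa}, {av.acquired})")
    return merged, audit


def resolve(merged: Merged, name: str) -> Optional[AttributeValue]:
    """Pick one value: highest LOA wins, ties go to the earlier-listed authority."""
    candidates = merged.get(name, [])
    if not candidates:
        return None
    order = AUTHORITY[name]
    return max(candidates, key=lambda av: (av.loa, -order.index(av.issuer)))


def decide(merged: Merged, name: str, required_loa: int) -> Tuple[str, Optional[str]]:
    """Relying-party view: 'ok', 'step-up' (value known, assurance too low) or 'missing'."""
    best = resolve(merged, name)
    if best is None:
        return "missing", None
    if best.loa < required_loa:
        return "step-up", best.value
    return "ok", best.value


if __name__ == "__main__":
    merged, audit = aggregate(CAMPUS_IDP, STATE_DMV, PORTAL_CACHE, SELF_ASSERTED)
    print("\n".join(audit))
    for attr, loa in (("age_over_21", 3), ("eduPersonAffiliation", 3), ("mail", 1)):
        print(attr, decide(merged, attr, loa))
```

The "step-up" outcome is the slide's step-up authentication in miniature: the relying party already holds a value, but its assurance is below what the transaction needs, so the right response is to ask for a stronger credential or a stronger authority rather than to deny outright. Keeping the whole candidate list, not just the winner, is what makes the audit trail useful when an LOA is later "re-interpreted".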
Schema management, mappings
• Registries for schema
• Role of national level schema
• How to avoid mappings
• How to handle mappings
User Interface
• “It’s the attributes, urn:mace:incommon:entitlement:clue:zero”, deprecated…
• Needs include translation of OID to English, informing the user of the consequences of a release decision, recording consent, and getting the defaults right so that this is seldom used
• Metaphors such as InfoCard are useful, but will need extensions and utilization
Privacy management
• Two approaches emerging
  • uApprove
    • http://www.switch.ch/aai/support/tools/uApprove.html
  • InfoCard/Higgins
• Who sets attribute release policies? Who overrides the settings? What logs are kept?
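The Schema management, User Interface and Privacy management slides above raise four practical needs: translating an OID into English, telling the user what releasing it means, recording consent, and logging who decided what. The Python below is an added example in the spirit of the uApprove slide; it is not uApprove, Higgins or InfoCard code. The service provider entity ID, the subject's values and the administrator policy are constructed; the four dictionary OIDs are the standard eduPerson/inetOrgPerson ones, and urn:oid:2.5.4.42 (givenName) is deliberately left out of the dictionary to show what happens to an attribute nobody has documented. The administrator sets the ceiling per service provider, the user consents within it, and every withheld or released attribute is logged.

```python
"""Attribute release with OID-to-English translation, user consent and logging.

Added example in the spirit of the uApprove slide; it is not uApprove, Higgins
or InfoCard code. The SP entity ID, subject values and admin policy are
constructed; the four dictionary OIDs are the standard eduPerson/inetOrgPerson
ones, and urn:oid:2.5.4.42 (givenName) is deliberately absent from the dictionary.
"""
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set, Tuple

# English text shown to the user instead of the bare OID.
ATTRIBUTE_DICTIONARY: Dict[str, Tuple[str, str]] = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ("eduPersonPrincipalName",
                                           "your campus login name; identifies you personally"),
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": ("eduPersonAffiliation",
                                           "your relationship to the campus (student, staff, ...)"),
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ("eduPersonEntitlement",
                                           "rights granted to you, such as access to licensed content"),
    "urn:oid:0.9.2342.19200300.100.1.3": ("mail",
                                           "your e-mail address; identifies you personally"),
}

# Administrator policy: the attributes each service provider may receive at all.
ADMIN_POLICY: Dict[str, Set[str]] = {
    "https://sp.example.org/shibboleth": {
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.1",
        "urn:oid:1.3.6.1.4.1.5923.1.1.1.7",
    },
}

# Constructed subject; the last entry is a real OID with no dictionary entry.
SUBJECT_ATTRIBUTES: Dict[str, str] = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "jdoe@example.edu",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.1": "student",
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": "urn:example:entitlement:library",
    "urn:oid:0.9.2342.19200300.100.1.3": "jdoe@example.edu",
    "urn:oid:2.5.4.42": "Jane",
}


class ReleasePolicy:
    """Admin sets the ceiling, the user consents within it, every decision is logged."""

    def __init__(self, admin_policy: Dict[str, Set[str]], dictionary: Dict[str, Tuple[str, str]]):
        self.admin_policy = admin_policy
        self.dictionary = dictionary
        self.consent: Dict[Tuple[str, str], Set[str]] = {}   # (user, sp) -> approved OIDs
        self.log: List[dict] = []

    def describe(self, oid: str) -> str:
        name, text = self.dictionary.get(oid, (oid, "undocumented attribute"))
        return f"{name}: {text}"

    def pending(self, user: str, sp: str, attributes: Dict[str, str]) -> Dict[str, str]:
        """Attributes the admin allows for this SP that the user has not yet approved,
        rendered in English so the consent screen explains the consequence of release."""
        allowed = self.admin_policy.get(sp, set())
        approved = self.consent.get((user, sp), set())
        return {oid: self.describe(oid) for oid in attributes if oid in allowed and oid not in approved}

    def record_consent(self, user: str, sp: str, oids: Iterable[str]) -> None:
        chosen = set(oids)
        self.consent.setdefault((user, sp), set()).update(chosen)
        self._log("consent", user, sp, sorted(chosen))

    def release(self, user: str, sp: str, attributes: Dict[str, str]) -> Dict[str, str]:
        """Return only the attributes that pass both admin policy and user consent."""
        allowed = self.admin_policy.get(sp, set())
        approved = self.consent.get((user, sp), set())
        released: Dict[str, str] = {}
        for oid, value in attributes.items():
            if oid not in self.dictionary:
                self._log("withheld-unknown", user, sp, oid)   # no agreed meaning, never released
            elif oid not in allowed:
                self._log("withheld-policy", user, sp, oid)
            elif oid not in approved:
                self._log("withheld-consent", user, sp, oid)
            else:
                released[oid] = value
        self._log("released", user, sp, sorted(released))
        return released

    def _log(self, event: str, user: str, sp: str, detail) -> None:
        self.log.append({"ts": datetime.now(timezone.utc).isoformat(),
                         "event": event, "user": user, "sp": sp, "detail": detail})


if __name__ == "__main__":
    sp = "https://sp.example.org/shibboleth"
    policy = ReleasePolicy(ADMIN_POLICY, ATTRIBUTE_DICTIONARY)
    for text in policy.pending("jdoe", sp, SUBJECT_ATTRIBUTES).values():
        print("ask user:", text)
    policy.record_consent("jdoe", sp, policy.pending("jdoe", sp, SUBJECT_ATTRIBUTES))
    print(policy.release("jdoe", sp, SUBJECT_ATTRIBUTES))
    for entry in policy.log:
        print(entry["event"], entry["detail"])
```

Two design points answer the slide's questions directly. The administrator policy is evaluated before consent, so a user cannot approve something the institution has not allowed for that service provider, and an attribute with no dictionary entry is withheld even if policy and consent both name it, because the user was never shown what it means. The log keeps the withheld events as well as the released ones, which is what an auditor needs to answer "who overrode the settings?".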
GSA Workshop: The Tao of Attributes
The Tao of Attributes
• Begin exploring the attribute issues
• Using federal use cases, including
  • Citizenship, voting residency
  • Access-abilities
  • First responder capabilities
  • PI-person
• Motivate the larger requirements, drive privacy policies
• Explore rich query languages, etc.
• All-star cast at the end of September at NIH
Virtuality
• Virtual Communities
• Virtual Machine Appliances
• Virtual Services
• Internet protocols with trust and identity
Virtual Communities
• A virtual enterprise that wants to play real well with real enterprises.
• Needs coordinated identity management for collaboration and domain tools
Virtual Machine Appliances
• Allows clueless groups and other VOs to handle collaborations
• Brilliant way to handle peak load requirements
• Vexing issues of application updates, coordination of configuration among apps, etc.
• Must fit fully in the attribute ecosystem and reshape themselves on need
Virtual Services
• Clouds as low-start-up, largely scalable cyber infrastructure
  • Cycles, storage, collaboration
  • Fits into the domestication paradigm
• Clouds as legally tangled, non-standard, confusing
  • Location and ownership of data
  • Ability to adapt to new protocols
  • Proprietary cloud internals
Integration, Integration and Integration
• Of types of Internet identity
• Of identity with protocols
• Domestication of applications
Internet identity
• Federated identity
  • Enterprise centric, exponentially growing, privacy preserving, rich attribute mechanisms
  • Requires lawyers, infrastructure, etc.
• User centric identity
  • P2P, rapidly growing, light-weight
  • Marketplace is fractured; products are getting heavier to deal with privacy, attributes, etc.
  • Unifying layers emerging – Cardspace, Higgins, OAuth
Integration
• Different forms of Internet identity will exist, serving different purposes, arising from different constituencies
• The trick is the intelligent integration of the technologies, at user and application level
• Cross-overs are happening
  • Shib and OpenID
  • SAML and high assurance PKI – holder of key
  • InfoCard/Higgins as an overarching user experience
  • Federation and portal integration
Integration of identity and protocols
• Trust, Identity and the Internet – ISOC initiative to introduce trust and identity-leveraged capabilities to many RFCs and protocols
• Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities
• http://www.isoc.org/isoc/mission/initiative/trust.shtml
• First target area is DKIM; subsequent targets include federated calendaring and sharing, firewall traversal
Domestication of Applications
• Identity, groups, roles, privileges
• What else to integrate?
• At what layers to specify the integration?
• How to integrate across the layered domestication specifications
• How much domestication is too much?
Virtuality back into Reality
• Our use cases continue to lead the corporate sector
• Our needs are more urgent than they are different
• Our students become the new consumers
• The shared vision is more powerful than the individuals who share it
We’ve Lost Some Along the Way…
We’ve Picked Up Some New Ones…
Final Thoughts
• Important, if somewhat invisible, work has been done
• There are significant opportunities ahead
• It’s been a ride