Draft-howlett-abfab-trust-router-ps ABFAB, IETF83 Josh Howlett & Margaret Wasserman.

Slides:

Advertisements

Similar presentations

Open Grid Forum 19 January 31, 2007 Chapel Hill, NC Stephen Langella Ohio State University Grid Authentication and Authorization with.

Advertisements

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI AAI in EGI Status and Evolution Peter Solagna Senior Operations Manager

ABFAB for Internet-of-Things Rhys Smith, Janet Sam Hartman & Margaret Wasserman, Painless Security.

NRL Security Architecture: A Web Services-Based Solution

Trust Router. Note Well Any submission to the IETF intended by the Contributor for publication as all or part of an IETF Internet-Draft or RFC and any.

Trust Router Overview IETF 86, Orlando, FL Trust Router Bar BOF Margaret Wasserman

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E IEPG March 2000 APNIC Certificate Authority Status Report.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI GGUS user authentication Tiziana Ferrari/EGI.eu Peter Solagna/EGI.eu

Key Negotiation Protocol & Trust Router draft-howlett-radsec-knp ABFAB, IETF March, Prague.

HIT Standards Committee: Digital Certificate Trust – Policy Question for HIT Policy Committee March 29, 2011.

Sponsored by the National Science Foundation GENI Clearinghouse Panel GEC 12 Nov. 2, 2011 INSERT PROJECT REVIEW DATE.

DESIGNING A PUBLIC KEY INFRASTRUCTURE

U.S. Environmental Protection Agency Central Data Exchange EPA E-Authentication Pilot NOLA Network Node Workshop February 28, 2005.

Dorian Grid Identity Management and Federation Dialogue Workshop II Edinburgh, Scotland February 9-10, 2006 Stephen Langella Department.

1 Trust Framework Portable Identity Schemes Trust Framework Portable Identity Schemes NIH iTrust Forum December 10, 2009 Chris Louden.

APNIC Trial of Certification of IP Addresses and ASes RIPE 52 Plenary George Michaelson Geoff Huston.

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

A S I A P A C I F I C N E T W O R K I N F O R M A T I O N C E N T R E 36th RIPE Meeting Budapest 2000 APNIC Certificate Authority Status Report.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

ABFAB Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

Multihop Federations & Trust Router draft-mrw-abfab-multihop-fed-02.txt draft-mrw-abfab-trust-router-01.txt Margaret Wasserman

Credential Provider Operational Practices Statement CAMP Shibboleth June 29, 2004 David Wasley.

FIM-ig Federated Identity Management Interest Group.

Draft-ietf-abfab-aaa-saml Josh Howlett, JANET IETF 82.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Functional Model Workstream 1: Functional Element Development.

NSTIC ID Ecosystem A Conceptual Model v03 Andrew Hughes October October IDESG Version 1.

A DESCRIPTION OF CONCEPTS AND PLANS MAY 14, 2014 A. HUGHES FOR TFTM The Identity Ecosystem DISCUSSION DRAFT 1.

Elements of Trust Framework for Cyber Identity & Access Services CYBER TRUST FRAMEWORK Service Agreement Trust Framework Provider Identity Providers Credential.

1 EAP and EAI Alignment: FiXs Pilot Project December 14, 2005 David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:

Proposal for device identification PAR. Scope Unique per-device identifiers (DevID) Method or methods for authenticating that device is bound to that.

Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.

Europe's work in progress: quality of mHealth Pēteris Zilgalvis, J.D., Head of Unit, Health and Well-Being, DG CONNECT Voka Health Community 29 September.

Serving society Stimulating innovation Supporting legislation Danny Vandenbroucke & Ann Crabbé KU Leuven (SADL) AAA-architecture for.

ShibGrid: Shibboleth access to the UK National Grid Service University of Oxford and STFC.

Multihop Federations draft-mrw-abfab-multihop-fed-01.txt Margaret Wasserman

In-Band Access Control Framework Group Name: WG4 SEC Source: Qualcomm Meeting Date: Agenda Item:

AAI WG EMI Christoph Witzig on behalf of EMI AAI WG.

Shibboleth at Columbia Update David Millman R&D July ’05

Draft-ietf-abfab-aaa-saml Josh Howlett IETF 90. Remaining issues (recap from IETF 89) SAML naming of AAA entities The focus of this presentation Alejandro.

INTRODUCTION: THE FIRST TRY InCommon eduGAIN Policy and Community Working Group.

Shibboleth What is it and what is it good for? Chad La Joie, Georgetown University.

“Trust me …” Policy and Practices in PKI David L. Wasley Fall 2006 PKI Workshop.

1 Federal Identity Management Initiatives Federal Identity Management Initatives David Temoshok Director, Identity Policy and Management GSA Office of.

Authentication and Authorisation for Research and Collaboration Peter Solagna Milano, AARC General meeting Current status and plans.

Higher Ed Bridge CA Extending Trust Across Higher Education - And Beyond David L. Wasley University of California.

Using Public Key Cryptography Key management and public key infrastructures.

JRA1.4 Models for implementing Attribute Providers and Token Translation Services Andrea Biancini.

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 1 © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.

Transforming Government Federal e-Authentication Initiative David Temoshok Director, Identity Policy and Management GSA Office of Governmentwide Policy.

Interfederation RL “Bob” Morgan University of Washington and Internet2 Internet2 Member Meeting Chicago, Illinois December 2006.

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Evolution of AAI for e- infrastructures Peter Solagna Senior Operations Manager.

IETF 78 Maastricht 27 July 2010 Josh Howlett, JANET(UK)

Federated Identity Fundamentals Ann Harding, SWITCH Cambridge July 2014.

Trust Router Overview IETF 86, Orlando, FL Routing Area Meeting Margaret Wasserman

Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.

A Study of Certification Authority Integration Model in a PKI Trust Federation on Distributed Infrastructures for Academic Research Eisaku SAKANE, Takeshi.

Project Moonshot Daniel Kouřil EGI Technical Forum

EGI-InSPIRE RI EGI-InSPIRE EGI-InSPIRE RI Enabling SSO capabilities in the EGI Cloud services Peter Solagna – EGI.eu.

CLASSe PROJECT: IMPROVING SSO IN THE CLOUD Alejandro Pérez Rafael Marín Gabriel López

Federate Locally, Federate Globally RL “Bob” Morgan University of Washington and Internet2 European Advanced CAMP Málaga, Spain October 2006 RL “Bob” Morgan.

WLCG Update Hannah Short, CERN Computer Security.

Law Enforcement Information Sharing Program (LEISP) Federated Identity Management Pilot February 27, 2006.

Federation Systems, ADFS, & Shibboleth 2.0

EDUCAUSE Fed/Higher ED PKI Coordination Meeting

UK Access Management Federation

Community AAI with Check-In

Appropriate Access InCommon Identity Assurance Profiles

WS Standards – WS-* Specifications

Presentation transcript:

draft-howlett-abfab-trust-router-ps ABFAB, IETF83 Josh Howlett & Margaret Wasserman

Background ABFAB uses AAA infrastructure to connect RPs and IdPs AAA technologies currently use shared secret or certificate based mechanisms to establish trust We believe that these mechanisms impose barriers to the deployment and use of ABFAB We are proposing a complementary trust establishment mechanism Other documents describe the proposed mechanism; this document describes the motivations

Barriers that concern us Cost – The costs associated with a trust infrastructure should be bourn predominantly by those that benefit from it – This encourages adoption by actors that have less to gain – Shared secrets and certificates impose non-trivial costs on actors; e.g. Purchase certificates from a commercial CA Set up a special purpose CA Configuration churn where there are many partners Credentials should be selected for their intrinsic advantages in particular usage scenarios, and not for the convenience of the trust infrastructure – Credentialing is expensive and so should be minimised

Barriers that concern us Scaling – A trust infrastructure should be able to scale up, down and sideways – Scale up: An actor should bear the costs of connection to a trust infrastructure. Other actors that might also happen to be part of the same infrastructure should not. – Scale down: Communities come in all shapes and sizes. What works for the US Federal Government may not be practical for much smaller communities. – Scale sideways: Communities often become more inclusive or exclusive over time.

Terminology Partner – An organization that participates in an ABFAB federation as an IdP, an RP or both. Community – A group of IdPs and RPs that are associated with each other for a specific purpose. Community of Interest (CoI) – A community that is formed to share a set of resources and services. Community of Registration (CoR) – A community that provides registration and authentication services for its members.

Roles CoRs are responsible for asserting authentication of partners that it has registered (i.e., identified and credentialed) CoIs are responsible for asserting a partner’s membership a community Partners apply for membership to one or more CoIs, and register with those CoRs necessary to meet the requirements of the CoIs.  Explicit separation of ‘technical trust’ (CoR) and ‘behavioral trust’ (CoI)

“Dave’s Shoes” CoI Application Shoe Trade Association CoR Registration (e.g., LoA 1) CoR Registration (e.g., LoA 2) RP Retailer RP DoD CoI Approved DoD Suppliers Application Business interaction

Some goals Establishing a CoI should be sufficiently trivial that anyone can operate one (or out-source at negligible cost) – This is not generally true of public key based infrastructures Registration is non-trivial, and so it will always be expensive. So, a registration should be useful for interactions in many contexts – Public key based infrastructures bind policy (community) information to the public key. It can be difficult to persuade issuers to include policy identifiers that are not relevant to them The credential technology used within a trust infrastructure should be selected on the basis of business need, and not because the trust infrastructure requires it for interoperability – If the properties of your credential and my credential satisfy the abstract security requirements required by our use case, we should be able to use them to establish trust even if they are different technologies There are examples where trust infrastructures have been combined to achieve a separation of CoR (e.g., a vanilla PKI) and CoI (e.g., a SAML attribute authority or LDAP directory), but it would be cleaner if a single trust infrastructure supported both functions