Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago

TF-EMC E-Authentication Problem: design an authentication service supporting access to applications at dozens of huge US Federal agencies by US citizens and others Solution: use federated identities –Many identity providers (IdPs) –Common federating technologies –Trust built through risk assessment, conformance testing, & audit processes

TF-EMC Federating with E-Auth Two adopted authentication schemes –SAML 1.0 artifact profile –Bridged PKI ◦through FBCA – Federal Bridge Certificate Authority E-Authentication Interoperability Lab does conformance testing Shibboleth v1.2 is conformant federating product, and only privacy preserving one –Growing list of commercial SAML implementations are now also certified

TF-EMC E-Auth LoAs NIST defined 4 levels of authentication assurance to be used by US Feds –LoA 1 - rudimentary –LoA 2 - basic –LoA 3 - medium –LoA 4 – high –risk assessment tool to know what LoA you need All available for PKI authentication Only LoA 1 and 2 available for SAML authentication

TF-EMC So who are or will be the Identity Providers (IdPs)? US Federal agencies or their authentication service contractors (using PKI bridged with the FBCA) Large public IdPs like AOL, MSN, … –AOL in process at LoA 1 (LoA 2 might be value-add) Universities –University of Washington, Cornell, Penn State in process Banks –Fidelity Bank already, several others underway

TF-EMC E-Auth IdP wannabees CAF – Credential Assessment Framework –Auditing standards for identity proofing and IdMS operations of an IdP –PIN, password, & PKI profiles –You must be CAFed to be an E-Auth IdP University CAF experiences –Early reports are that the GAO auditors doing the CAF audit are reasonable and accepting of identity proofing and IdMS operations at Universities –But will they be certified for LoA 2?

TF-EMC Early E-Auth applications Grant submission –NSF, NIH Agricultural permits 30 US Federal agencies are required to each put up at least one application by end of 2005 –Maybe just the Department of the Interior blog, we’ll see

TF-EMC Inter-federation issues: NSF’s FastLane as example How will National Science Foundation’s FastLane application (online grant proposal submission) trust a SAML authentication assertion from University of Washington? Will FastLane need any attributes about the proposal submitter in addition to their IdP’s LoA? –Currently hold an appropriate role at the submitting institution? –How to agree on schema, semantics, and bindings?

TF-EMC E-Auth Federation Present model: eGovernance Certification Authority (eGCA) defines a single SAML federation –Two CAs issue AA certs to IdPs following CAF assessment. One for LoA 1, the other for LoA 2 –Another CA issues certs to Applications (SP’s) Shortcomings –Potential scaling issue –Attribute assertions aren’t used yet – at present it’s only about LoA for authentication Muse about an inter-federation future …

TF-EMC Bridged PKI to support inter- federations? (ala Gettes)

TF-EMC Extending federation model to digitally signed documents Proposed Phase 5 of PKI Interoperability Project –Demonstrate academic transcript delivery between InCommon members –Demonstrate InCommon member filing a report to a Federal Agency Issues to be examined & resolved –Digital signatures in federation and inter-federation contexts –Attributes about the document attached to the document

TF-EMC Federated document preparation 1.Document routed intra-campus with local workflow, referencing local roles, using digital signatures local to campus PKI 2.Strip all local stuff 3.Sign doc using key verifiable by federation (“enterprise signature”) 4.Attach XML attribute blob (roles, digital rights & IP, archival status, whatever) to doc signed with enterprise signature 5.Sign combination to ensure integrity using enterprise signature

TF-EMC Federated PKI for signed documents Signing certs (“enterprise signature”) issued not to servers, not to end users, but to federation member organizations Standardized roles (to be determined) expressed as attributes attached to the federation document. –Registrar –Purchasing Officer –… ?? Desirability of inserting 3 rd party “testamonial” artifact?? –Example: “American Council on Education attests that this signature belongs to the Registrar of an accredited university in good standing”

TF-EMC HEBCA, USHER, FBCA, and InCommon in trust perspective USHER

TF-EMC US higher ed PKI and InCommon update USHER (US Higher Ed Root) –Internet2’s replacement for CREN CA, operated by Dartmouth –Starts up in May 2005 –Policy Authority is InCommon Steering Committee –Cert revocation service is … still jelling –Will cross certify with HEBCA (Higher Ed Bridge CA) InCommon CA –Operated by Internet2, for now –Same identity proofing framework as USHER (enhanced CREN) –Same one-time & continuing fee as USHER –Will either be signed by USHER or itself cross certify with HEBCA

TF-EMC US higher ed PKI and InCommon update HEBCA –Operated by Dartmouth –Production status June 2005?? InCommon –Open for business –12 members so far, including Elsevier & OCLC Scott Rea’s October 2004 DigitalIDWorld slides slides/1028_1000_E2.pdf

TF-EMC Discussion Are there potential use cases to motivate cross certification of some European CAs with HEBCA? Which CAs? TACAR+EUGridPMA contrast with bridge CA approach. Would a bridge provide better or worse support for expanding authentication to EU grids? Nothing TACAR-like in US. Should there be? Should TACAR go there?