Security and Privacy Renee Woodten Frost Program Manager, Middleware Initiatives, Internet2 I2 Middleware Liaison, University of Michigan Telemedicine.

Security and Privacy
Renee Woodten Frost
Program Manager, Middleware Initiatives, Internet2
I2 Middleware Liaison, University of Michigan
Telemedicine Symposium, Ann Arbor, August 24, 2001

Telemedicine Symposium, August 24, 2001

Topics
- Security: based in middleware technology
- Medical middleware
- Core middleware: the basic technologies; issues, good practices, current activities
  - Identifiers
  - Authentication
  - Directories
  - Authorization
  - PKI
  - Shibboleth
- Video

Middleware Initiatives Acknowledgements
- Middleware Architecture Committee for Education (MACE) and the working groups
- Early Harvest: NSF catalytic grant and meeting
- Early Adopters: testbed campuses
- Higher Education partners: campuses, GRIDs, EDUCAUSE, CREN, AACRAO, NACUA, etc.
- Corporate partners: IBM, ATT, SUN, et al.
- Government partners, including NSF and the fPKI TWG
- International interactions

Remedial IT Architecture
- The proliferation of customizable applications requires a centralization of "customizations"
- The increase in power and complexity of the network requires access to user profiles
- Electronic personal security services are now an impediment to the next-generation computing grids
- Inter-institutional applications require interoperable deployments of institutional directories and authentication

What is Middleware?
- Specialized networked services that are shared by applications and users
- A set of core software components that permit scaling of applications and networks
- Tools that take the complexity out of application integration
- A second layer of the IT infrastructure, sitting above the network
- A land where technology meets policy
- The intersection of what network designers and application developers each do not want to do

Specifically...
- Digital libraries need scalable, interoperable authentication and authorization.
- The Grid is a new paradigm for a computational resource; Globus provides middleware, including security, location and allocation of resources, and scheduling. This relies on campus-based services and inter-institutional standards.
- Instructional Management Systems need authentication and directories.
- Next-generation portals want common authentication and storage.
- Academic collaboration requires restricted sharing of materials between institutions.
- What Internet1 did with communication, Internet2 may do with collaboration.

Medical Middleware
- Unique requirements: HIPAA, disparate relationships, extended community, etc.
- Unique demands: 7x24 operation, visibility
- PKI seen as a key tool
- MACEMed, representatives from academic medical centers, formed to explore the issues

The complex challenges of academic medical middleware
- Intra-realm issues: multiple vendors, proprietary systems, evolving regulations
- Enterprise issues: security, directories, authorization; balance of institutional and medical enterprises
- Inter-realm issues: standards, gateways, common operational processes and policies, performance
- Multiple communities of interest: institutional, medical center, affiliated hospitals, state and federal regulatory and certification organizations, insurance companies, medical researchers, etc.

The applications view of medical upperware (diagram)
Scenario: the VA Clinical System (client) asks the DoD Clinical System (server) for lab data on this soldier, for this time frame. The request passes through a chain of services:
- Who's asking? What role? What is the need to know? Resource Access Decision (RAD)
- Who is this person? Who knows this person? Person Identification Service (PIDS)
- Where is lab info on this person? Health Information Locator Service (HILS)
- Convert to the server's terms: Terminology Query Service (TQS), outbound
- Request the observation: Clinical Observation Access Service (COAS)

The Grid
- A model for a distributed computing environment, addressing diverse computational resources, distributed databases, network bandwidth, object brokering, security, etc.
- Globus is the software that implements most of these components; Legion is another such software environment
- Needs to integrate with campus infrastructure
- Gridforum: umbrella activity of agencies and academics
- Look for grids to occur locally and nationally, in physics, earthquake engineering, etc.

A Map of Middleware (diagram)

Core Middleware
- Identity: unique markers of who you (person, machine, service, group) are
- Authentication: how you prove or establish that you are that identity
- Directories: where an identity's basic characteristics are kept
- Authorization: what an identity is permitted to do
- PKI, etc.: emerging tools for security services

Major Campus Identifiers
- UUID
- Student and/or employee ID (emplid)
- Person registry ID
- Account login ID
- Enterprise LAN ID
- Student ID card
- Net ID
- Email address
- Library/departmental ID
- Publicly visible ID (and pseudo-SSN)
- Pseudonymous ID

General Identifier Characteristics
- Uniqueness (within a given context)
- Dumb vs. intelligent (i.e. whether subfields have meaning)
- Readability (machine vs. human vs. device)
- Affordance (centrally versus locally provided)
- Resolver approach (how the identifier is mapped to its associated object)
- Metadata (associated with both the assignment and the resolution of an identifier)
- Persistence (permanence of the relationship between identifier and specific object)
- Granularity (degree to which an identifier denotes a collection or a component)
- Format (check digits)
- Versions (can the defining characteristics of an identifier change over time)
- Capacity (size limitations imposed on the domain or object range)
- Extensibility (the capability to intelligently extend one identifier to be the basis for another identifier)

Important Characteristics
- Semantics and syntax: what it names and how it names it
- Domain: who issues it, and over what space the identifier is unique
- Revocation: can the subject ever be given a different value for the identifier
- Reassignment: can the identifier ever be given to another subject
- Opacity: is the real-world subject easily deduced from the identifier (privacy and use issues)

Identifier Mapping Process
- Map campus identifiers against a canonical set of functional needs
- For each identifier, establish its key characteristics, including revocation, reassignment, privileges, and opacity
- A key first step towards the loftier middleware goals

Authentication Options
- Password-based: clear text, LDAP, Kerberos (Microsoft or K5 flavors)
- Certificate-based
- Others: challenge-response, biometrics
- Inter-realm is now the interesting frontier

Authentication Issues
- User-side management: crack, change, compromise
- Central-side password management: change management, OS security
- First password assignment: secure delivery
- Policies: restrictions or requirements on use

Authentication Good Practices
- Precrack new passwords, using foreign dictionaries as well as US ones
- Confirm new passwords are different from old ones
- Require a password change if possibly compromised
- Use shared secrets or positive photo ID to reset forgotten passwords:
  - US Mail a one-time password (time-bomb)
  - In person with a photo ID (some require two)
  - For remote faculty or staff, an authorized departmental representative in person, coupled with a faxed photo ID
- Initial identification/authentication will emerge as a critical component of PKI
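The password practices above (precracking against several dictionaries, rejecting reuse of an old password, and the mailed time-bomb one-time password) as working code. This is an added example, not code from the presentation or from Internet2; the word lists are tiny constructed stand-ins for real cracking dictionaries, the 12-character minimum is an assumed local policy, and the reset-token format (user, expiry, nonce, HMAC) is one reasonable design, not the one any campus used.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-ins for the US and foreign cracking dictionaries the slide
# refers to; a real deployment loads full word lists (crack, John the Ripper, ...).
DICTIONARIES: Dict[str, Set[str]] = {
    "us": {"password", "welcome", "letmein", "wolverine", "michigan"},
    "foreign": {"passwort", "contrasena", "motdepasse", "geheim"},
}
PBKDF2_ROUNDS = 100_000
MIN_LENGTH = 12   # assumed local policy, not from the slide


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the (salt, digest) pair is what the central side keeps."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def password_matches(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _variants(word: str) -> Set[str]:
    """Forms a cracker gets for free: lowercase, trailing digits/punctuation
    stripped, and simple leetspeak undone (0->o, 1->l, 3->e, 4->a, $->s, @->a)."""
    low = word.lower()
    stripped = low.rstrip("0123456789!@#$%")
    leet = str.maketrans("0134$@", "oleasa")
    return {low, stripped, low.translate(leet), stripped.translate(leet)}


def precrack(candidate: str, dictionaries: Dict[str, Set[str]] = DICTIONARIES) -> List[str]:
    """Names of the dictionaries that would crack the candidate (empty list if none)."""
    forms = _variants(candidate)
    return [name for name, words in dictionaries.items() if forms & words]


def check_new_password(candidate: str, old_hashes: List[Tuple[bytes, bytes]],
                       dictionaries: Dict[str, Set[str]] = DICTIONARIES) -> List[str]:
    """Apply the slide's rules to a proposed password; returns the reasons it fails."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    hits = precrack(candidate, dictionaries)
    if hits:
        problems.append("found in dictionary: " + ", ".join(hits))
    if any(password_matches(candidate, salt, digest) for salt, digest in old_hashes):
        problems.append("same as a previous password")
    return problems


def issue_reset_token(user: str, secret: bytes, now: int, ttl_seconds: int = 72 * 3600) -> str:
    """The mailed 'time-bomb' one-time password: user, expiry and a random nonce,
    bound together by an HMAC so nothing in it can be altered without the server key."""
    body = f"{user}|{int(now) + ttl_seconds}|{secrets.token_hex(8)}"
    mac = hmac.new(secret, body.encode(), "sha256").hexdigest()
    return f"{body}|{mac}"


class ResetTokenStore:
    """Redeems reset tokens once: a valid token yields the user, anything else None."""

    def __init__(self, secret: bytes) -> None:
        self.secret = secret
        self.used: Set[str] = set()

    def redeem(self, token: str, now: int) -> Optional[str]:
        try:
            user, expires, nonce, mac = token.split("|")
        except ValueError:
            return None                                   # malformed
        body = f"{user}|{expires}|{nonce}"
        expected = hmac.new(self.secret, body.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(mac, expected):
            return None                                   # forged or altered
        if now > int(expires):
            return None                                   # time bomb went off
        if token in self.used:
            return None                                   # replay of a used token
        self.used.add(token)
        return user
```

The reuse check has to be done against stored hashes of the old passwords, never the old passwords themselves, which is why `check_new_password` takes (salt, digest) pairs; the cost is one PBKDF2 run per old password, so keep the history short.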

User ID/Password Authentication Is Risky
- Too, too many user ID/password pairs to remember
- Too easy to share passwords
- User's perception of the password's importance
- Passwords used online can easily be captured
- Separate user ID/password pairs used to determine authorization rights
- Too many individuals other than the user can alter a user's password

Digital IDs (Certificates) Authentication
- The private key (and the password that protects it) is known only to the "owner"
- The private key is never transmitted on the network
- Digital ID verified by a third party
- Digital ID globally recognized
- Multiple mechanisms for detecting a revoked digital ID
- Can be a strong, two-factor authentication process

Directories
- To store certificates
- To store Certificate Revocation Lists (CRLs)
- To store private keys, for the time being
- To store attributes
- Implement with border directories, or Access Control Lists (ACLs) within the enterprise directory, or proprietary directories

Directory Issues
- Applications
- Overall architecture: chaining and referrals, redundancy and load balancing, replication, synchronization, directory discovery
- The schema and the DIT (directory tree): attributes, organizational units (ou), naming, object classes, groups
- Attributes and indexing
- Management: clients, delegation of access control, data feeds

A Campus Directory Architecture (diagram)
Components shown: source systems, registries, metadirectory, enterprise directory, database, departmental directories, OS directories (MS, Novell, etc.), border directory

Directory Management Good Practices
- No trolling permitted; more search than read
- LDAP client access versus web access
- Give deep thought to who can update
- Give deep thought to when to update
- LDIF likely to be replaced by XML as the exchange format
- Delegation of control: scalability
- "See also", referrals, replication, synchronization in practice
- Replication should not be done tree-based but should be filtered by rules and attributes

Current Activities in Directories
- LDAP Recipe
- eduPerson
- MACE-DIR working group
- Directory of Directories for Higher Education
- Metadirectories

LDAP Recipe
How to build and operate a directory in higher education:
- 1 tsp. DIT planning
- 1 tbsp. schema design
- 3 oz. configuration
- 1000 lbs. of data
Good details, such as tradeoffs/recommendations on indexing, how and when to replicate, etc.

eduPerson
- A directory object class intended to support inter-institutional applications
- Fills gaps in traditional directory schema
- For existing attributes, states good practices where known
- Specifies several new attributes and controlled vocabulary to use as values
- Provides suggestions on how to assign values, but leaves it to the institution to choose
- Version 1.0 standard; v1.5 under discussion

Issues about Upper Class Attributes
- eduPerson inherits attributes from person, inetOrgPerson
- Some of those attributes need conventions about controlled vocabulary (e.g. telephones)
- Some of those attributes need ambiguity resolved via a consistent interpretation (e.g. address)
- Some of the attributes need standards around indexing and search (e.g. compound surnames)
- Many of those attributes need access control and privacy decisions (e.g. JPEG photo, address, etc.)

New eduPerson Attributes
- eduPersonAffiliation
- eduPersonPrimaryAffiliation
- eduPersonOrgDN
- eduPersonOrgUnitDN
- eduPersonPrincipalName
- eduPersonNickname

eduPersonAffiliation
- Multi-valued list of relationships an individual has with the institution
- Controlled vocabulary includes: faculty, staff, student, alum, member, affiliate, employee
- Applications that use it: Shibboleth, digital libraries, Directory of Directories for Higher Ed

eduPersonPrincipalName
- EPPN may look like an email address, but it is used by different systems
- One must be able to authenticate against the EPPN
- Used in inter-realm authentication such as Shibboleth
- In some situations, it can be used for access control lists; if so used, a site should make sure what the reassignment policy is
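The eduPerson points above (controlled vocabulary for eduPersonAffiliation, an institution-chosen rule for eduPersonPrimaryAffiliation, and an EPPN that is scoped to the home institution but is an identifier rather than a mailbox) as an entry builder, together with a per-target attribute release filter of the kind Shibboleth's "authenticate locally, act globally" model relies on. This is an added example, not code from the presentation or from the eduPerson or Shibboleth projects: the precedence order for the primary affiliation, the example.edu names, and the release policy table are all assumptions made for illustration.

```python
from typing import Dict, List, Tuple

# Controlled vocabulary for eduPersonAffiliation as listed on the slide.
AFFILIATION_VOCAB = ("faculty", "staff", "student", "alum", "member", "affiliate", "employee")
# Precedence used to derive eduPersonPrimaryAffiliation when several affiliations
# apply. This ordering is an assumed local choice; the spec leaves it to the institution.
PRIMARY_PRECEDENCE = ("faculty", "staff", "employee", "student", "alum", "affiliate", "member")


def parse_eppn(eppn: str, home_scope: str) -> Tuple[str, str]:
    """Split user@scope and require the scope to be the institution's own security domain."""
    if eppn.count("@") != 1:
        raise ValueError(f"EPPN must have the form user@scope: {eppn!r}")
    user, scope = eppn.split("@")
    if not user or scope.lower() != home_scope.lower():
        raise ValueError(f"EPPN scope {scope!r} is not the home scope {home_scope!r}")
    return user, scope.lower()


def build_eduperson_entry(uid: str, cn: str, sn: str, mail: str, affiliations: List[str],
                          eppn: str, home_scope: str, org_dn: str, people_base: str) -> Dict[str, object]:
    """Validate the inputs and return the attributes of one eduPerson directory entry."""
    if not affiliations:
        raise ValueError("at least one affiliation is required")
    unknown = sorted(set(affiliations) - set(AFFILIATION_VOCAB))
    if unknown:
        raise ValueError(f"affiliation values outside the controlled vocabulary: {unknown}")
    parse_eppn(eppn, home_scope)
    primary = next(a for a in PRIMARY_PRECEDENCE if a in affiliations)
    return {
        "dn": f"uid={uid},{people_base}",   # uid is assumed free of DN special characters
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson", "eduPerson"],
        "uid": [uid], "cn": [cn], "sn": [sn], "mail": [mail],
        "eduPersonAffiliation": sorted(set(affiliations)),
        "eduPersonPrimaryAffiliation": [primary],
        "eduPersonPrincipalName": [eppn],   # an identifier, kept separate from mail
        "eduPersonOrgDN": [org_dn],
    }


def to_ldif(entry: Dict[str, object]) -> str:
    """Serialize the entry as LDIF, one attribute value per line."""
    lines = [f"dn: {entry['dn']}"]
    for attr, values in entry.items():
        if attr != "dn":
            lines.extend(f"{attr}: {value}" for value in values)
    return "\n".join(lines) + "\n"


# Hypothetical per-target release policy: the origin decides which attributes a
# target site learns, so an unknown target sees only a role, never who the person is.
RELEASE_POLICY: Dict[str, List[str]] = {
    "*": ["eduPersonAffiliation"],
    "library.example.edu": ["eduPersonAffiliation", "eduPersonPrincipalName"],
}


def release_attributes(entry: Dict[str, object], target: str,
                       policy: Dict[str, List[str]] = RELEASE_POLICY) -> Dict[str, object]:
    """Return only the attributes the policy releases to this target."""
    allowed = policy.get(target, policy["*"])
    return {attr: entry[attr] for attr in allowed if attr in entry}
```

Releasing eduPersonPrincipalName to a target that keeps ACLs on it is exactly the case the slide warns about: before doing so, know whether your EPPNs are ever reassigned to a different person.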

MeduPerson
- Is there a need for a MeduPerson?
- New initiative to define a Medical Person specification for use with AAMC's faculty roster system application
- Ultimate goal of leveraging registry and directory efforts

Key Issues for MACE-Dir
- Revisions to eduPerson 1.0
- Internationalization of eduPerson; extension to GridPerson, MeduPerson
- Affiliated directories
- Groups within directories
- Groups between institutions

A Directory of Directories (DoDHE)
- An experiment to build a combined directory search service
- To show the power of coordination
- Will highlight the inconsistencies between institutions
- Technical investigation of load and scaling issues, centralized and decentralized approaches
- Human-interface issues: searching large name spaces with limits by substring, location, affiliation, etc.
- Sun donated a server and an iPlanet license (6,000,000 DNs)
- Michael Gettes of Georgetown is project lead

Metadirectories
- The product is now Metamerge
- Higher Education contact for the USA: Keith Hazelton, University of Wisconsin - Madison
- This product is available free of charge to Higher Ed in the USA
- Source code will be in escrow

Public Key Infrastructure (PKI)
Software, protocols, and legal agreements necessary to effectively use certificates:
- Certificate Authority
- Registration Authorities
- PKI management tools
- Directories to store certs, public keys, maybe private keys
- Database and key-management software
- Applications, certificate-enabled
- Trust models (hierarchy and bridges)
- Policies

Current State of PKI
- Why PKI?
- The Four Stages of PKI
- Other sectors
  - Federal activities: fBCA, NIH Pilot, ACES, other
  - Healthcare: HIPAA
  - State governments: E-Sign, Draft CP
  - Corporate deployments
  - European activities
- The industry
- Higher Ed: PAG, TAG, PKI Labs

Why PKI?
- Single infrastructure to provide all security services
- Established technology standards, though little operational experience
- Elegant technical underpinnings
- Serves dozens of purposes: authentication, authorization, object encryption, digital signatures, communications channel encryption
- Low cost in mass numbers

Why Not PKI?
- High legal barriers
- Lack of mobility support
- Challenging user interfaces, especially with regard to privacy and scaling
- Persistent technical incompatibilities
- Overall complexity

D. Wasley's PKI Puzzle (diagram)

The Four Planes of PKI
- On the road to general-purpose inter-realm PKI
- The planes represent different levels of simplification from the dream of a full inter-realm, intercommunity, multipurpose PKI
- Simplifications in policies, technologies, applications, scope
- Each plane provides experience and value

The Four Planes are
- Full inter-realm PKI (Boeing 777): multipurpose, spanning broad and multiple communities, bridges to unite hierarchies, unfathomed directory issues
- Simple inter-realm PKI (regional jets): multipurpose within a community, operating under standard policies and structured hierarchical directory services
- PKI-light (corporate jets): containing all the key components of a PKI, but many in simplified form; may be for a limited set of applications; can be extended within selected communities
- PKI-ultralight (ultralights): easiest to construct and a useful conveyance; ignores parts of PKI and not for use external to the institution; learn how to fly, but not a plane...

Examples of Areas of Simplification
- Spectrum of assurance levels
- Signature algorithms permitted
- Range of applications enabled
- Revocation requirements and approaches
- Subject naming requirements
- Treatment of mobility
- ...

PKI-Light example
- CP: Wasley et al., Draft HE Certificate Policy reduced to basic/rudimentary
- CRL: ?
- Applications: signed email
- Mobility: password enabled
- Signing: md5RSA (the 2001 choice; MD5-based signatures are no longer acceptable)
- Thumbprint: sha1
- Naming: dc
- Directory services needed: inetOrgPerson

PKI-Ultralight
- CP: none
- CRL: limited lifetime
- Applications: VPN, internal web authentication
- Mobility: not specified
- Signing: not specified
- Thumbprint: sha1
- Naming: not specified
- Directory services needed: none

Federal Activities
- fBCA
- NIH Pilot
- fPKI TWG
- others
- Internet2/NIH/NIST research conference...

Healthcare
- HIPAA: privacy specs issued
- HIPAA: security specs not yet done
- Two-year compliance phase-ins
- Little progress in community trust agreements
- Non-PKI HIPAA compliance options

Corporate deployments
- Success stories within many individual corporations for VPN, authentication
- No current community
- ABA guidelines
- Others...

State Governments
- UCITA
- NECCC Draft State Certificate Policy

Other countries
- EuroPKI
- Extensive work in the Netherlands
- Inter-governmental discussions?

The Industry
What's the problem with PKI then? It all boils down to one thing: complexity.

The Industry
- Baltimore Technologies in peril
- PKIforum slows down
- OASIS-SAML work gains buzz
- RSA buys Securant

The Industry
- Browsers that don't take community roots
- Communications tools that want certificates we don't want to give them
- Path math that sometimes doesn't compute
- Technology that doesn't interoperate...

Higher Education
- HEBCA
- HEPKI-TAG
- HEPKI-PAG
- PKI Labs
- Shibboleth
- Campus successes

Bridgework
Federal
- Federal production Bridge
- Intended to blend several existing agency PKIs (DoD, Energy) and new agency efforts (NIH, Energy, GAO)
- Needs a killer app
- Wants to peer with other bridges, e.g. HEBCA
Higher Ed
- In principle, to be operated by EDUCAUSE
- May be one-off software at first, and out-sourced as feasible
- Has a draft policy modeled after FBCA
- Needs software
- Needs CAs to bridge among: commercial, CREN, Globus, etc.

HEPKI
HEPKI - Technical Activities Group (TAG)
- Universities actively working technical issues
- Topics include Kerberos-PKI integration, public domain CA, profiles
- Will sponsor regular conference calls, archives
HEPKI - Policy Activities Group (PAG)
- Universities actively deploying PKI
- Topics include certificate policies, RFP sharing, interactions with state governments
- Will sponsor regular conference calls, archives

HEPKI-TAG
- Chaired by Jim Jokl, Virginia
- Certificate profiles: survey of existing uses, development of a standard presentation, identity cert standard recommendation
- Mobility options: SACRED scenarios
- Public domain software alternatives
- Protection of the institutional private key
- Discussions of CA software

HEPKI-PAG
- David Wasley, prime mover
- Draft certificate policy for a campus
- HEBCA certificate policy
- FERPA
- State legislatures
- Gartner Decision Driver software

Internet2 PKI Labs
- At Dartmouth and the University of Wisconsin, in computer science departments and IT organizations
- Doing the deep research, two to five years out
- Policy languages, path construction, attribute certificates, etc.
- National Advisory Board of leading academic and corporate PKI experts provides direction
- Catalyzed by startup funding from ATT
- Research conference with NIST this fall

Of Security, Privacy, and Trust
- Is it security or is it liability? Liability has other remedies, including disclaimers, contractual sharing of responsibilities, indemnification, etc.
- Is it privacy or is it discretion? How much can privacy be protected? When do we want our privacy given up?
- Is it trust or is it contractual? Our notions of trust are soft, contradictory, volatile, intuitive, and critical to how we act in the world.

Inter-organizational trust model components
- Certificate Policy: uses of particular certs, assurance levels for I/A, audit and archival requirements
- Certificate Practices Statement: the nitty-gritty operational issues
- CA-CA trust, hierarchies vs. bridges:
  - A philosophy and an implementation issue
  - The concerns are transitivity and delegation
  - Hierarchies assert a common trust model
  - Bridges pairwise agree on trust models and policy mappings

Certificate policies (CP) address
- Legal responsibilities and liabilities (indemnification issues)
- Obligations of issuing, user, and relying parties
- Operations of certificate management systems
- Assurance levels: vary according to I/A processes and other operational factors
- The goal is to limit the number of different policies; differences require bridges

Major Parts of a CP
- The community to whom the policy is applicable (campuses and members of the campus)
- Roles, responsibilities and liabilities for CAs, RAs, end-entities, relying parties
- Operational and technical requirements on the CA
- Identification and authentication requirements for each level of certificate
- Certificate profile

Certificate practice statements (CPS)
- Site-specific details of operational compliance with a Certificate Policy
- A single practice statement can support several policies (CHIME)
- A Policy Management Authority (PMA) determines if a CPS is adequate for a given CP
- The goal is to have a CPS that you can live with and be audited against

Trust chains
- Verifying sender-receiver assurance by finding a common trusted entity
- Must traverse perhaps branching paths to establish trust paths
- Must then use CRLs etc. to validate assurance
- If policies are in certificate payloads, then validation can be quite complex
- Constraints make things even harder
- Bridges make things even harder

Trust chains
- Path construction: to determine a path from the issuing CA to a trusted CA; heuristics to handle the branching that occurs at bridges
- Path validation: uses the path to determine if trust is appropriate; should address revocation, key usage, basic constraints, policy mappings, etc.

Trust chains
- When and where to construct and validate: off-line, on a server, at the discretion of the application; depth of chain
- Some revocations are better than others: major (disaffiliation, key compromise, etc.) and minor (name change, attribute change)
- Sometimes the CRL can't be found or hasn't been updated
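The three trust-chain slides above, and the hierarchies-versus-bridges point made earlier, as a worked model: path construction that copes with the branching and loops bridges create, followed by path validation covering basic constraints, key usage, revocation against a CRL that must exist and be fresh, and policy processing with the pairwise policy mappings bridges rely on. This is an added example and not code from the presentation, from HEBCA or from any PKI product; the CA names, policy names, serial numbers and CRL dates are constructed for illustration, signature verification is assumed to be done elsewhere (the model works on the certificate graph only), and the policy handling is a deliberately simplified form of the X.509 rules.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass
class Cert:
    subject: str
    issuer: str
    serial: int
    is_ca: bool = False
    path_len: Optional[int] = None                      # basicConstraints pathLenConstraint
    key_usage: FrozenSet[str] = frozenset()
    policies: FrozenSet[str] = frozenset()              # certificatePolicies, in the issuer's domain
    policy_mappings: Tuple[Tuple[str, str], ...] = ()   # (issuerDomainPolicy, subjectDomainPolicy)


@dataclass
class CRL:
    issuer: str
    next_update: int            # epoch seconds; past this the CRL is stale and not usable
    revoked: FrozenSet[int]


def build_paths(leaf: Cert, certs: List[Cert], anchors: Set[str], max_depth: int = 8) -> List[List[Cert]]:
    """Path construction from the leaf toward a trust anchor. Bridges cross-certify in
    both directions, so several certs share a subject and loops exist; a per-path
    visited set and a depth bound keep the search finite. Shortest paths come first."""
    found: List[List[Cert]] = []

    def walk(chain: List[Cert], visited: Set[str]) -> None:
        top = chain[-1]
        if top.issuer in anchors:
            found.append(list(reversed(chain)))         # anchor-issued cert first, leaf last
            return
        if len(chain) >= max_depth:
            return
        for c in certs:
            if c.subject == top.issuer and c.is_ca and c.subject != c.issuer and c.subject not in visited:
                walk(chain + [c], visited | {c.subject})

    walk([leaf], {leaf.subject})
    return sorted(found, key=len)


def validate_path(path: List[Cert], crls: Dict[str, CRL], now: int, initial_policies: Set[str]) -> Tuple[bool, str]:
    """Path validation: basic constraints, key usage, fresh-CRL revocation check and
    policy processing with mappings. Signature verification is assumed done elsewhere."""
    acceptable = set(initial_policies)                  # policies in the current issuer's domain
    for i, cert in enumerate(path):
        if i < len(path) - 1:                           # every cert but the leaf must be a CA
            if not cert.is_ca:
                return False, f"{cert.subject}: not a CA certificate"
            if "keyCertSign" not in cert.key_usage:
                return False, f"{cert.subject}: keyUsage lacks keyCertSign"
            cas_below = len(path) - 2 - i               # CA certs that follow this one
            if cert.path_len is not None and cas_below > cert.path_len:
                return False, f"{cert.subject}: pathLenConstraint {cert.path_len} exceeded"
        crl = crls.get(cert.issuer)
        if crl is None:
            return False, f"{cert.subject}: no CRL available from {cert.issuer}"
        if now > crl.next_update:
            return False, f"{cert.subject}: CRL from {cert.issuer} is stale"
        if cert.serial in crl.revoked:
            return False, f"{cert.subject}: revoked by {cert.issuer}"
        matched = acceptable & set(cert.policies)
        if not matched:
            return False, f"{cert.subject}: no acceptable policy (wanted {sorted(acceptable)})"
        mapped_from = {src for src, _ in cert.policy_mappings if src in matched}
        mapped_to = {dst for src, dst in cert.policy_mappings if src in matched}
        acceptable = (matched - mapped_from) | mapped_to    # now expressed in the subject's domain
    return True, "ok"


def find_valid_path(leaf, certs, anchors, crls, now, initial_policies):
    """Try candidate paths shortest-first; return the first valid one plus the reasons
    earlier candidates were rejected (None and all reasons if none validates)."""
    rejected: List[str] = []
    for path in build_paths(leaf, certs, anchors):
        ok, why = validate_path(path, crls, now, initial_policies)
        if ok:
            return path, rejected
        rejected.append(why)
    return None, rejected


CA_USAGE = frozenset({"keyCertSign", "cRLSign"})


def demo_certs() -> Tuple[List[Cert], Cert, Dict[str, CRL]]:
    """Constructed, hypothetical PKI (names and policies are illustrative): a relying party
    at Campus A trusts only its own root; a HEBCA-style bridge cross-certifies Campus A,
    Campus B and a federal bridge (FBCA); Campus B runs a subordinate Medical CA."""
    def cross(subject, issuer, serial, policy, mapped_to):
        return Cert(subject, issuer, serial, True, None, CA_USAGE, frozenset({policy}), ((policy, mapped_to),))
    certs = [
        cross("HEBCA", "Campus A Root", 101, "campusA-medium", "hebca-medium"),
        cross("Campus A Root", "HEBCA", 102, "hebca-medium", "campusA-medium"),
        cross("Campus B Root", "HEBCA", 103, "hebca-medium", "campusB-medium"),
        cross("HEBCA", "Campus B Root", 104, "campusB-medium", "hebca-medium"),
        cross("FBCA", "Campus A Root", 105, "campusA-medium", "fbca-medium"),
        cross("HEBCA", "FBCA", 106, "fbca-basic", "hebca-basic"),    # basic only: no medium-assurance route via FBCA
        cross("FBCA", "HEBCA", 107, "hebca-medium", "fbca-medium"),
        Cert("Campus B Medical CA", "Campus B Root", 201, True, 0, CA_USAGE, frozenset({"campusB-medium", "campusB-basic"})),
    ]
    leaf = Cert("Dr. Smith", "Campus B Medical CA", 3001, False, None, frozenset({"digitalSignature"}), frozenset({"campusB-medium"}))
    crls = {name: CRL(name, 2_000_000, frozenset())
            for name in ("Campus A Root", "HEBCA", "FBCA", "Campus B Root", "Campus B Medical CA")}
    return certs, leaf, crls
```

Two paths exist from Dr. Smith to Campus A's root in this graph: directly through HEBCA, and the longer way round through FBCA; the second one fails policy processing because the FBCA-to-HEBCA cross-certificate only carries the basic-assurance policy, which is the sort of "path math" that stops computing once mappings and bridges are involved. A missing or stale CRL for any issuer on the path rejects the path outright rather than silently treating the certificate as good.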

Mobility options
- Smart cards
- USB dongles
- Passwords to download from a store or directory
- Proprietary roaming schemes abound: Netscape, VeriSign, etc.
- SACRED within IETF recently formed for standards
- Difficulty in integration of certificates from multiple stores (hard drive, directory, hardware token, etc.)

Moving along
- CA software
- Medical requirements for certificates
- Simple path construction and validation
- A draft certificate policy for campuses, finally

Where to follow activities in other communities
- PKIX
- Federal PKI work
- State governments
- Medical community (Tunitas, CHIME, HIPAA, Healthkey)
- Automobile community (ANX)
- Overseas: Euro government qualifying certs, EuroPKI for Higher Ed

Where to watch for HE

Shibboleth
"A word which was made the criterion by which to distinguish the Ephraimites from the Gileadites. The Ephraimites, not being able to pronounce sh, called the word sibboleth. See Judges xii. Hence, the criterion, test, or watchword of a party; a party cry or pet phrase."
- Webster's Revised Unabridged Dictionary (1913)

Shibboleth
- An initiative to analyze & develop mechanisms (architectures, frameworks, protocols & implementations) for inter-institutional web access control
- "Authenticate locally, act globally"
- Facilitated by MACE (a committee of leading higher-ed IT architects) & I2
- Designed by key campus and IBM/Tivoli IT architects, with other corporate involvement
- Coding an open source reference implementation based on Apache
- Oriented towards privacy; complements corporate standards efforts

Isn't This What PKI Does?
- PKI does this and a whole lot more; as a consequence, PKI does very little right now
- End-to-end PKI fits the Shibboleth model, but other forms of authentication do as well
- Uses a lightweight certificate approach for inter-institutional communications: uses the parts of PKI that work today (server-side certificates) and avoids the parts of PKI that don't work today (e.g. client certificates)
- Allows campuses to use other forms of authentication locally
- May actually have benefits over direct end-user-to-target-site interactions...

Relationship - Shibboleth to Portals
[Diagram: components labelled PDP, AuthN, Dir, Portal, Portal Apps, Web Res, Web Login, Web Resource and Shibboleth; the image itself is not reproduced here]

Related Work
- Previous DLF work
- OASIS Technical Committee (vendor activity, kicked off 1/2001)
- UK: Athens and Sparta projects
- Spain: RedIRIS project

Assumptions
- Use federated administration as the model
- Leverage vendor and standards activity wherever possible
- Disturb as little of the existing campus infrastructure as possible
- Work with common, minimal authorization systems (e.g. htaccess)
- Encourage good campus behaviors
- Learn through doing
- Create a marketplace and reference implementations
- Avoid being another dead guppy
- Build protections for personal privacy in at the core

Development Process
- Scenarios leading to requirements
- Establish model architectures for common services and scenario-specific services
- Develop service and protocol requirements
- Identify service options, begin protocol development
- Produce open implementations of missing service components; provide external services as needed

Stage 1 - Addressing Three Scenarios
- Member of campus community accessing a licensed resource
  - Anonymity required
- Member of a course accessing a remotely controlled resource
  - Anonymity required
- Member of a workgroup accessing controlled resources
  - Controlled by unique identifiers (e.g. name)
Taken individually, each of these situations can be solved in a variety of straightforward ways. Taken together, they present the challenge of meeting the user's reasonable expectations for protection of their personal privacy.

Model
- Local authentication
- Local entity willing to create and sign an entitlement
  - set of assertions about the user (attribute/value pairs)
  - user has control over disclosure
  - attributes may be personally identifiable (e.g. name) or translucent (e.g. "active member of community", "Associated with Course XYZ")
- Target responsible for authorization
  - rules engine matches contents of entitlements against the rule set associated with the target object
- Cross-domain trust
  - previously created between origin and target
  - perhaps there is a contract (information providers...)

Shibboleth Architecture Concepts #1 (managing trust)
[Diagram: a browser, an origin site with an attribute server, a target site with a target web server and Shib htaccess plugin, and a Club Shib server (holds certs and contracts); the image itself is not reproduced here]

OASIS/SAML Effort
- SAML is a standards effort functioning under the multi-corporate OASIS XML business group.
- SAML is slowly grappling with many of the issues in inter-realm exchanges of information about authentication and authorization, but with a B2B perspective.
- SAML appears capable of standardizing some pieces:
  - an XML format for "assertions" of both names/identities and entitlements/privileges/attributes
  - a request/response protocol for obtaining assertions
  - transport bindings for this protocol to HTTP, S/MIME, RMI, etc.
- SAML and Shibboleth are interacting in development and should interoperate

Personal Privacy
- Personal information is released to site X based on:
  - contract provisions
  - the current request from the target
  - user control!
- Getting the defaults right on privacy will be very important and very hard. (Or, 15 pop-up questions before getting to a web page may not be well received...)

Campus and Resource Requirements
To participate in Shibboleth, a site must have:
- Campus-wide authentication service
- Campus-wide identifier space (EPPN)
- Implementation of the eduPerson objectclass
- Ability to generate attributes (e.g. "active member of the community")
- Apache web server
- The ability to reach agreements with other campuses and information providers
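The three scenarios, the model, the privacy slide and the requirements list above describe one flow, sketched here in Python as an added example (not code from the Shibboleth project or its Apache module). An origin site derives entitlements from a directory entry, releases only what the contract allows, the target currently asks for, and the user has consented to; a target-site rules engine then matches the released attributes against per-resource rules in the spirit of an htaccess "require" line. The directory entries, contracts, attribute names and resource rules are all constructed; the attribute names borrow from eduPerson (eduPersonPrincipalName, eduPersonAffiliation) but the translucent entitlement names are this example's own.

```python
"""Toy model of the Shibboleth flow in this deck: an origin-site attribute
authority releases a filtered entitlement set, and a target-site rules engine
matches it against per-resource rules.

Added example, not Shibboleth project code. Directory entries, contracts,
entitlement names and resource rules are constructed here.
"""

# --- Origin site ------------------------------------------------------------

# Constructed directory entries (what the campus directory knows about a user)
DIRECTORY = {
    "rwf": {
        "cn": "R. Example",                                  # personally identifiable
        "eduPersonPrincipalName": "rwf@campus-a.example",    # the campus-wide EPPN
        "eduPersonAffiliation": {"staff", "member"},
        "courses": {"TELEMED-101"},
    },
    "guest1": {
        "cn": "Guest User",
        "eduPersonPrincipalName": "guest1@campus-a.example",
        "eduPersonAffiliation": {"affiliate"},
        "courses": set(),
    },
}

ACTIVE_AFFILIATIONS = {"member", "student", "staff", "faculty", "employee"}
IDENTIFYING = {"eduPersonPrincipalName", "cn"}     # attributes that name the user

def build_entitlements(entry):
    """Derive the signed assertion set (attribute/value pairs) from a directory
    entry. Translucent attributes state a property of the user, not who they are."""
    ents = {}
    if entry["eduPersonAffiliation"] & ACTIVE_AFFILIATIONS:
        ents["active-member-of-community"] = "true"            # translucent
    for course in sorted(entry["courses"]):
        ents[f"associated-with-course:{course}"] = "true"      # translucent
    ents["eduPersonPrincipalName"] = entry["eduPersonPrincipalName"]
    ents["cn"] = entry["cn"]
    return ents

# Contract provisions: the most each target may ever receive (constructed)
CONTRACTS = {
    "publisher.example": {"active-member-of-community"},
    "remote-course.example": {"associated-with-course:TELEMED-101"},
    "workgroup.example": {"eduPersonPrincipalName", "cn"},
}

def release(ents, target, requested, user_consent):
    """Attribute release policy: an attribute leaves the origin only if the
    contract allows it, the target asked for it in this request, and, for an
    identifying attribute, the user has consented to this target. Identifying
    data therefore defaults to 'withheld'."""
    allowed = CONTRACTS.get(target, set())
    return {
        name: ents[name]
        for name in requested
        if name in ents and name in allowed
        and (name not in IDENTIFYING or target in user_consent)
    }

# --- Target site ------------------------------------------------------------

# Per-resource rules (constructed): a list of alternatives, each a list of
# (attribute, required value) pairs that must all match, like htaccess requires.
RESOURCES = {
    ("publisher.example", "/journals/"): [[("active-member-of-community", "true")]],
    ("remote-course.example", "/labs/"): [[("associated-with-course:TELEMED-101", "true")]],
    ("workgroup.example", "/wiki/"): [[("eduPersonPrincipalName", "rwf@campus-a.example")]],
}

def requested_attributes(target, path):
    """The target's current request names only the attributes its rules use."""
    return {attr for rule in RESOURCES[(target, path)] for attr, _ in rule}

def authorize(target, path, released):
    """Rules engine: grant if any alternative is fully satisfied by what arrived."""
    return any(all(released.get(a) == v for a, v in rule)
               for rule in RESOURCES[(target, path)])

def access(uid, target, path, user_consent=frozenset()):
    """Whole flow for one request; returns (granted, names of released attributes)."""
    ents = build_entitlements(DIRECTORY[uid])
    released = release(ents, target, requested_attributes(target, path), user_consent)
    return authorize(target, path, released), sorted(released)

if __name__ == "__main__":
    print(access("rwf", "publisher.example", "/journals/"))
    print(access("rwf", "workgroup.example", "/wiki/"))
    print(access("rwf", "workgroup.example", "/wiki/", {"workgroup.example"}))
```

The licensed-resource and course scenarios succeed while the publisher learns nothing but a translucent "active member" flag; the workgroup scenario fails until the user consents to that one target, and even then the target receives only the identifier its rule mentions, not the name.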

Issues
- Personal privacy (reasonable expectation, laws)
- Relation to local web login (single sign-on)
- Portals
- Use of the Shibboleth framework by services beyond the web
- Grid resources and users

Project Status/Next Steps
- Requirements and Scenarios document finished
- Internet2 intends to have an Apache web module developed
- Internet2 intends to develop supporting materials (documentation, installation, etc.) and web tools (for htaccess construction, filter and access control, remote resource attribute discovery)
- Technical design completed: architecture and specifications
- Coding to begin soon
- Pilot site start-up: August 2001

VidMid - video working group
- Recently formed international working group
- Looking at a variety of tools: vic/vat, H.323, MPEG-2, HDTV
- Point-to-point and MCU options
- H.323 desktop video within reach at the physical layer
- Lacks identifiers and authentication; ePPN and a Shibboleth-type flow could address this within the framework of SIP

Activities
- MACE: RL "Bob" Morgan (Washington)
- Early Harvest / Early Adopters: Renee Frost (Michigan)
- LDAP Recipe: Michael Gettes (Georgetown)
- eduPerson: Keith Hazelton (Wisconsin)
- Directory of Directories: Michael Gettes (Georgetown)
- Metadirectories: Keith Hazelton (Wisconsin)
- Shibboleth: Steven Carmody (Brown)
- PKI Labs: Dartmouth and Wisconsin
- HEPKI-TAG and -PAG: Jim Jokl (Virginia) and Ken Klingenstein (Colorado)
- HEBCA: Mark Luker (EDUCAUSE)
- VidMid: international leadership
- Opportunities: the Grid, K-12

More information
- Early Harvest / Early Adopters
- MACE: middleware.internet2.edu
- LDAP Recipe: recipe/
- eduPerson
- Directory of Directories: middleware.internet2.edu/dodhe
- Shibboleth: middleware.internet2.edu/shibboleth
- HEPKI-TAG
- HEPKI-PAG
- Medical Middleware: web site to follow
- Opportunities: video, the Grid, K-12