Update on federations, PKI, and federated PKI for US feds and higher eds Tom Barton University of Chicago.


1 Update on federations, PKI, and federated PKI for US feds and higher eds
Tom Barton, University of Chicago

2 TF-EMC2 2005-02 E-Authentication
Problem: design an authentication service supporting access to applications at dozens of huge US Federal agencies by US citizens and others
Solution: use federated identities
– Many identity providers (IdPs)
– Common federating technologies
– Trust built through risk assessment, conformance testing, & audit processes

3 Federating with E-Auth
Two adopted authentication schemes
– SAML 1.0 artifact profile
– Bridged PKI
  ◦ through FBCA – Federal Bridge Certificate Authority
E-Authentication Interoperability Lab does conformance testing
Shibboleth v1.2 is a conformant federating product, and the only privacy-preserving one
– A growing list of commercial SAML implementations are now also certified

4 E-Auth LoAs
NIST defined 4 levels of authentication assurance to be used by US Feds
– LoA 1 - rudimentary
– LoA 2 - basic
– LoA 3 - medium
– LoA 4 - high
– Risk assessment tool to know what LoA you need
All available for PKI authentication
Only LoA 1 and 2 available for SAML authentication

5 So who are or will be the Identity Providers (IdPs)?
US Federal agencies or their authentication service contractors (using PKI bridged with the FBCA)
Large public IdPs like AOL, MSN, …
– AOL in process at LoA 1 (LoA 2 might be value-add)
Universities
– University of Washington, Cornell, Penn State in process
Banks
– Fidelity Bank already, several others underway

6 E-Auth IdP wannabees
CAF – Credential Assessment Framework
– Auditing standards for identity proofing and IdMS operations of an IdP
– PIN, password, & PKI profiles
– You must be CAFed to be an E-Auth IdP
University CAF experiences
– Early reports are that the GAO auditors doing the CAF audit are reasonable and accepting of identity proofing and IdMS operations at Universities
– But will they be certified for LoA 2?

7 Early E-Auth applications
Grant submission
– NSF, NIH
Agricultural permits
30 US Federal agencies are required to each put up at least one application by end of 2005
– Maybe just the Department of the Interior blog, we’ll see

8 Inter-federation issues: NSF’s FastLane as example
How will National Science Foundation’s FastLane application (online grant proposal submission) trust a SAML authentication assertion from University of Washington?
Will FastLane need any attributes about the proposal submitter in addition to their IdP’s LoA?
– Currently hold an appropriate role at the submitting institution?
– How to agree on schema, semantics, and bindings?

9 E-Auth Federation
Present model: eGovernance Certification Authority (eGCA) defines a single SAML federation
– Two CAs issue AA certs to IdPs following CAF assessment. One for LoA 1, the other for LoA 2
– Another CA issues certs to Applications (SPs)
Shortcomings
– Potential scaling issue
– Attribute assertions aren’t used yet – at present it’s only about LoA for authentication
Muse about an inter-federation future …

10 Bridged PKI to support inter-federations? (à la Gettes)

11 Extending federation model to digitally signed documents
Proposed Phase 5 of PKI Interoperability Project
– Demonstrate academic transcript delivery between InCommon members
– Demonstrate InCommon member filing a report to a Federal Agency
Issues to be examined & resolved
– Digital signatures in federation and inter-federation contexts
– Attributes about the document attached to the document

12 Federated document preparation
1. Document routed intra-campus with local workflow, referencing local roles, using digital signatures local to campus PKI
2. Strip all local stuff
3. Sign doc using key verifiable by federation (“enterprise signature”)
4. Attach XML attribute blob (roles, digital rights & IP, archival status, whatever) to doc signed with enterprise signature
5. Sign combination to ensure integrity using enterprise signature

13 Federated PKI for signed documents
Signing certs (“enterprise signature”) issued not to servers, not to end users, but to federation member organizations
Standardized roles (to be determined) expressed as attributes attached to the federation document.
– Registrar
– Purchasing Officer
– … ??
Desirability of inserting 3rd party “testimonial” artifact??
– Example: “American Council on Education attests that this signature belongs to the Registrar of an accredited university in good standing”
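An added illustration of steps 3-5 on slide 12 and the organization-level signing certs on slide 13 (example code, not from the slides or from any of the projects named): the member organization's key signs the stripped document, an attribute blob naming the role is attached, and the combination is signed so a relying party can detect a blob swapped in from another document. Ed25519 stands in for whatever certificate-based signature the federation would actually use; the length-prefixed combination format and the XML blob contents are assumptions, and the sample document is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// FederatedDoc holds the result of steps 3-5: stripped doc, attribute blob, and two enterprise signatures.
type FederatedDoc struct {
	Doc         []byte // step 2 output: campus-local workflow artifacts already stripped
	DocSig      []byte // step 3: enterprise signature over Doc
	Attrs       []byte // step 4: attribute blob (roles, rights, archival status)
	CombinedSig []byte // step 5: enterprise signature binding Doc, DocSig and Attrs
}

// combined builds the step-5 message; length prefixes keep the part boundaries signed (assumed format).
func combined(parts ...[]byte) []byte {
	var out []byte
	for _, p := range parts {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(p)))
		out = append(append(out, n[:]...), p...)
	}
	return out
}

// Prepare performs steps 3-5 with the member organization's enterprise signing key.
func Prepare(priv ed25519.PrivateKey, doc, attrs []byte) *FederatedDoc {
	fd := &FederatedDoc{Doc: doc, Attrs: attrs}
	fd.DocSig = ed25519.Sign(priv, doc)
	fd.CombinedSig = ed25519.Sign(priv, combined(doc, fd.DocSig, attrs))
	return fd
}

// Verify is the relying party's check using the organization's federation-published key;
// an attribute blob lifted from another of the organization's documents fails the second test.
func Verify(pub ed25519.PublicKey, fd *FederatedDoc) bool {
	return ed25519.Verify(pub, fd.Doc, fd.DocSig) &&
		ed25519.Verify(pub, combined(fd.Doc, fd.DocSig, fd.Attrs), fd.CombinedSig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the enterprise cert's key pair
	doc := []byte("TRANSCRIPT: student 12345, BA conferred 2004")   // constructed sample
	attrs := []byte(`<attributes><role>Registrar</role></attributes>`) // constructed sample
	fmt.Println("verifies:", Verify(pub, Prepare(priv, doc, attrs)))
}
```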

14 HEBCA, USHER, FBCA, and InCommon in trust perspective
(diagram not captured in the transcript; only the label “USHER” survives)

15 US higher ed PKI and InCommon update
USHER (US Higher Ed Root)
– Internet2’s replacement for CREN CA, operated by Dartmouth
– Starts up in May 2005
– Policy Authority is InCommon Steering Committee
– Cert revocation service is … still jelling
– Will cross certify with HEBCA (Higher Ed Bridge CA)
InCommon CA
– Operated by Internet2, for now
– Same identity proofing framework as USHER (enhanced CREN)
– Same one-time & continuing fee as USHER
– Will either be signed by USHER or itself cross certify with HEBCA

16 US higher ed PKI and InCommon update
HEBCA
– Operated by Dartmouth
– Production status June 2005??
InCommon
– Open for business
– 12 members so far, including Elsevier & OCLC
Scott Rea’s October 2004 DigitalIDWorld slides: http://conference.digitalidworld.com/2004/attendees/slides/1028_1000_E2.pdf

17 Discussion
Are there potential use cases to motivate cross certification of some European CAs with HEBCA? Which CAs?
TACAR+EUGridPMA contrast with bridge CA approach. Would a bridge provide better or worse support for expanding authentication to EU grids?
Nothing TACAR-like in US. Should there be? Should TACAR go there?
