Presentation is loading. Please wait.

Presentation is loading. Please wait.

Identity Management Standards from OASIS Patrick Gannon President & CEO Patrick Gannon President & CEO Architecting Identity Management The Open Group,

Published byTerence Greer Modified over 9 years ago

Similar presentations

Presentation on theme: "Identity Management Standards from OASIS Patrick Gannon President & CEO Patrick Gannon President & CEO Architecting Identity Management The Open Group,"— Presentation transcript:

1 Identity Management Standards from OASIS Patrick Gannon President & CEO Patrick Gannon President & CEO Architecting Identity Management The Open Group, Boundaryless Information Flow San Francisco, 24 January 2005

2 n Future Shock – “De-perimiterization” n Why do standards matter? n What is a “standard”; how can you tell? n Key directions in Web Services Standards n What your company can do Open Standards for Identity Management

3 Businesses have to deal with “Future Shock” daily!

4 Orderly business systems suffer…

5 De-perimiterization

6 A smooth sailing business environment is transformed…

7 Into a fight for your business survival

8 It’s enough to make you want to…

9 Why then do standards matter?

10 Why do standards matter for e-business? n Businesses require expansion of the value chain into unlimited, de-perimiterized extranets n Support of multiple platforms is a business necessity n Must support multiple languages, taxonomies, semantics and business processes But… n Normalizing data, processes and users costs time and money

11 Why do standards matter? Risk Reduction for e-commerce Interoperable standards Diversity of business partners and technologies Unstable business and technical requirements Persistent technical base with stable versioning Evolving and converging standards New and emerging business requirements Need for long term support Reliable, fixed terms of availability

12 “Without standards, a technology cannot become ubiquitous, particularly when it is part of a larger network.” The Economist, 8 May 2003

13 What is a “standard” and how can you tell?

14 n Anything that a vendor publishes? Or on which a few vendors agree? l They may be “specifications” l Some call them “de facto” standards l But they are not necessarily open standards n Open standards are distinguishable: l Published, clear rules l Level playing field with public input l Transparent operations l Transparent output What is a Standard?

15 What’s an “Open Standard”? An open standard is: n publicly available in stable, persistent versions n developed and approved under a published process n open to input: public comments, public archives, no NDAs n subject to explicit, disclosed IPR terms Anything else is to some extent proprietary: n This is a policy distinction, not a pejorative n See the US, EU, WTO governmental & regulatory definitions of “standards”

16 Regulatory mandates for standards Increasingly, it matters to government buyers, users and regulators whether standards are “real” standards. l WTO Technical Barriers to Trade Agreement, Annex 3: n http://www.wto.org/english/docs_e/legal_e/final_e.htm. l National criteria, such as in the U.S. gov’t: n http://www.whitehouse.gov/omb/circulars/a119/a119.html. l These rules focus on desirable process attributes: public process, public archives, open to comment without NDA or non-compete restrictions, etc.

17 n OASIS is a member-led, international non-profit standards consortium concentrating on structured information and global e-business standards n Members of OASIS are l Vendors, users, academics and governments l Organizations, individuals and industry groups n Best known for e-business & security standards such as: UDDI SAML ebXML WS-Security WSRP WSRM SPML XACML UBL

18 n To be successful, a standard must be used n Adoption is most likely when the standard is l Freely accessible l Meets the needs of a large number of adopters l Flexible enough to change as needs change l Produces consistent results l Checkable for conformance, compatibility l Implemented and thus practically available n Sanction and Traction both matter Standards Adoption

19 Market Adoption Open Standardization Traction Sanction Proprietary JCVConsortiaSDO SGML ISO XML W3C SOAP v1.1 SOAP v1.2 W3C UDDI v2,3 UDDI.org WSDL v1.2 W3C ebXML(x4) OASIS WSDL v1.1 WS-Security BPEL4WS WS-BPEL OASIS WSS OASIS UDDI v2,3 OASIS ISO 15000

20 Formula for Sustainable Standards Market Adoption Open Standardization Traction Sanction Proprietary JCVConsortiaSDO SGML ISO XML W3C SOAP v1.1 SOAP v1.2 W3C UDDI v2,3 UDDI.org WSDL v1.2 W3C ebXML x4 OASIS WSDL v1.1 WS-S v1.0 BPEL4WS WS-BPEL OASIS WSS OASIS ebXML ISO 15000 UDDI v2,3 OASIS

21 Key Directions in Security Standards for Web Services

22 Common transport (HTTP, etc.) Common language (XML) Service Discovery Service Description Orchestration & Management Security & Access Messaging Data Content Web Services Security

23 Common transport (HTTP, etc.) Common language (XML) Service Discovery Service Description Orchestration & Management Security & Access Messaging Data Content DSS, PKI, SAML, WSS, XCBF [DSML], RLTC, XACML, SPML WSDM, WSRF, WSN ASAP, BTP, ebXML- BP, WSBPEL, WSCAF CAM

24 Web Services security n Most e-business implementations require a traceable, auditable, bookable level of assurance when data is exchanged n IT operations demand “transactional” level of reliable functionality, whether it’s an economic event (booking a sale) or a pure information exchange n Dealings between divisions often need security and reliability as much as deals between companies

25 Security: function by function n Identity authentication n Encryption and protection against interception n Control of access and authority

26 Identity authentication The latest e-business security standards implement the next generation of identity deployment l In the 1990’s, PKI assumed a universal network of official certification authorities l Newer federated / distributed identity models permit identity certification to be decentralized and shared among service providers and existing registrars SAML WS-Security XCBF

27 Identity authentication n SAML (Security Assertion Markup Language ) l A standard way to convey identity and authorization data l Winner of PC Magazine’s Technology Excellence Award in 2002 and Digital ID World 2003 award for innovation in 2003 l SAML 1.0 approved as an OASIS Standard in Nov. 2002; SAML 1.1 in Aug. 2003 l SAML 2.0 approved as Committee Draft in Dec. 2004; OASIS Standard in Q1 2005

28 Identity authentication n WS-Security (Web Services Security) l The standard method for attaching security data to a web services message l Wide support in web services tool-making l Profiles (modules) completed for: l WS-Security 2004 1.0 suite approved as an OASIS Standard in April 2004 Username-token/ password pairs X.509 PKI SAML Rights expression languages

29 Identity authentication n XCBF (eXtensible Common Biometric Format) l Method for conveying biometric identity data such as retina scans and fingerprints l Coordinated with other world efforts, including ITU-T standards and the ANSI X9.84 banking industry biometrics initiative l Expect to see more tools and devices commercially deployed soon l XCBF 1.1 approved as an OASIS Standard in August 2003

30 Encryption and protection against interception & intrusion n A key problem with encrypted messages travelling over a shared or public network: if you encrypt the wrong bits, it doesn’t arrive, or the recipient can’t process it n Shared and automated methods for managing security require a shared vocabulary about security weaknesses and risks DSS PKI TC AVDL WAS

31 Encryption and protection against interception & intrusion n DSS (Digital Signature Services) l Develop methods for processing production and consumption of digital signatures l Project underway n PKI TC (Public Key Infrastructure Technical Committee) l Promotion and research regarding industry use of PKI digital signatures and practical obstacles to deployment l Project underway

32 Encryption and protection against interception & intrusion n AVDL (Application Vulnerability Description Lang.) l Uniform method for describing appl. security vulnerabilities l AVDL 1.0 approved as an OASIS Standard in May 2004 n WAS (Web Application Security) l Threat model and classification scheme for web security vulnerabilities l WAS 1.0 is under development l Network Magazine started a petition campaign to support wide deployment of AVDL and WAS: http://www.networkmagazine.com/watchdog/avdl.jhtml

33 Control of access and authority n In transactional information exchanges, you often must apply l access lists, l directories of recipients, l levels of authority, and l access policies n So that you know who gets what, and who should get it XACML SPML

34 Control of access and authority n XACML (Digital Signature Services) l Method for conveying and applying data access policies & controls l Demo’ed at XML2003 in Philadelphia l XACML approved as OASIS Standard n v1.0 in Feb. 2003 n v2.0 in Sep. 2004 l Role-based access profile issued May 2004 n SPML (Service Provisioning Markup Language) l Disseminates and leverages directories and access lists, such as employee authorizations l Demo’ed at Burton Catalyst 2003 in SF l SPML 1.0 approved as OASIS Standard – Nov. 2003

35 What should your company be doing?

36 Reducing Risk Reducing Risk in new e-business technologies n Avoid reinventing the wheel l Stay current with emerging technologies n Influence industry direction l Ensure consideration of own needs n Realize impact of interoperability and network effects n Reduce development cost & time l save development on new technologies l share cost/time with other participants

37 What can my company do? n Participate l Understand the ground rules l Contribute actively Or… n Be a good observer In any case… n Make your needs known l Use cases, functions, platforms, IPR, availability, tooling n Be pragmatic: standardization is a voluntary process

38 Identity Management Standards from OASIS Patrick Gannon President & CEO OASIS Patrick Gannon President & CEO OASIS Patrick.Gannon@ oasis-open.org

Download ppt "Identity Management Standards from OASIS Patrick Gannon President & CEO Patrick Gannon President & CEO Architecting Identity Management The Open Group,"

Similar presentations

B2B standards REGNET INTEGRATION EAI B2B EAI ? A2A ? IAI ? B2B ? Set of processes and technologies dealing with the structural integration of software.

B2B standards REGNET INTEGRATION EAI B2B EAI ? A2A ? IAI ? B2B ? Set of processes and technologies dealing with the structural integration of software.
OASIS and Web Services Standards: Patrick J. Gannon President and CEO www.oasis-open.org.

OASIS and Web Services Standards: Patrick J. Gannon President and CEO
Copyright OASIS, 2001 OASIS Recent Technical Developments John Borras Office of e-Envoy Cabinet Office UK Government June 2003.

Copyright OASIS, 2001 OASIS Recent Technical Developments John Borras Office of e-Envoy Cabinet Office UK Government June 2003.
UDDI v3.0 (Universal Description, Discovery and Integration)

UDDI v3.0 (Universal Description, Discovery and Integration)
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
WS-Security TC Christopher Kaler Kelvin Lawrence.

WS-Security TC Christopher Kaler Kelvin Lawrence.
UDDI Overview Web Services Registry SOA Enabler. What Is UDDI? Universal Description, Discovery, and Integration Protocols for web services registry Public.

UDDI Overview Web Services Registry SOA Enabler. What Is UDDI? Universal Description, Discovery, and Integration Protocols for web services registry Public.
Prescriptive Guidance for SOA Peter Roden Director of Technology Development OASIS.

Prescriptive Guidance for SOA Peter Roden Director of Technology Development OASIS.
A New Computing Paradigm. Overview of Web Services Over 66 percent of respondents to a 2001 InfoWorld magazine poll agreed that Web services are likely.

A New Computing Paradigm. Overview of Web Services Over 66 percent of respondents to a 2001 InfoWorld magazine poll agreed that "Web services are likely.
Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.

Creating a Secured and Trusted Information Sphere in Different Markets Giuseppe Contino.
B2B e-commerce standards for document exchange In350: week 13: Nov. 19,2001 Judith A. Molka-Danielsen.

B2B e-commerce standards for document exchange In350: week 13: Nov. 19,2001 Judith A. Molka-Danielsen.
XML’s Role as a Standard for Building Automation Patrick Gannon President & CEO Patrick Gannon President & CEO CABA XML Symposium Orlando, 9 February 2005.

XML’s Role as a Standard for Building Automation Patrick Gannon President & CEO Patrick Gannon President & CEO CABA XML Symposium Orlando, 9 February 2005.
© OASIS 2010 Managing the Maze of SmartGrid standards Jamie Clark, OASIS Dave Wollman, NIST Zahra Makoui, Pacific Gas & Electric Santa Clara, CA May 2010.

© OASIS 2010 Managing the Maze of SmartGrid standards Jamie Clark, OASIS Dave Wollman, NIST Zahra Makoui, Pacific Gas & Electric Santa Clara, CA May 2010.
Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.

Secure Systems Research Group - FAU Web Services Standards Presented by Keiko Hashizume.
OASIS and Web Services Karl Best OASIS Director of Technical Operations.

OASIS and Web Services Karl Best OASIS Director of Technical Operations.
Just a collection of WS diagrams… food for thought Dave Hollander.

Just a collection of WS diagrams… food for thought Dave Hollander.
Mapping OASIS Technical Work: Where’s Reliability? New Orleans, April 2004.

Mapping OASIS Technical Work: Where’s Reliability? New Orleans, April 2004.
The Postsecondary Electronic Standards Council (PESC), XML Forum, and Standards Setting in Higher Education Jim Farmer University of Delaware instructional.

The Postsecondary Electronic Standards Council (PESC), XML Forum, and Standards Setting in Higher Education Jim Farmer University of Delaware instructional.
Web Service Standards, Security & Management Chris Peiris www.ChrisPeiris.com.

Web Service Standards, Security & Management Chris Peiris
© OASIS 2004 Overview of OASIS Process and Technical Work ITU-T SG17 meeting Geneva, 11 March 2004 Karl Best, OASIS.

© OASIS 2004 Overview of OASIS Process and Technical Work ITU-T SG17 meeting Geneva, 11 March 2004 Karl Best, OASIS.

Similar presentations

Ads by Google