Presentation is loading. Please wait.

Presentation is loading. Please wait.

Internet2 Middleware Initiatives: Early Harvest to Early Adopters and Beyond Renee Woodten Frost Project Manager, Middleware Early Adopters, Internet2.

Published byMervin Haynes Modified over 9 years ago

Similar presentations

Presentation on theme: "Internet2 Middleware Initiatives: Early Harvest to Early Adopters and Beyond Renee Woodten Frost Project Manager, Middleware Early Adopters, Internet2."— Presentation transcript:

1 Internet2 Middleware Initiatives: Early Harvest to Early Adopters and Beyond Renee Woodten Frost Project Manager, Middleware Early Adopters, Internet2 Project Liaison, University of Michigan May 15, 2000

2 Middleware Initiatives Topics Internet2 Overview Middleware Application requirements - Digital libraries, Grids, IMS, Portals Early Harvest best practices Early Adopters Mace (Middleware Architectural Committee for Education) Experiments: the Directory of Directories, Eduperson, and Shibboleth PKI Medical middleware International Efforts

3 Middleware Initiatives Internet2 Overview Mission: Develop and deploy advanced network applications and technologies, accelerating the creation of tomorrow’s Internet. Goals: Enable new generation of applications Re-create leading edge R&E network capability Transfer technology and experience to the global production Internet

4 Middleware Initiatives Core Middleware A layer of software between the network and the applications Authentication - how you prove or establish that you are that identity each time you connect Identification - the first characteristics of who you (person, machine, service, group) are Directories - where the rest of an identity’s characteristics are kept Authorization - what an identity is permitted to do Security - ie, PKI - emerging tools for security services

5 Middleware Initiatives Application Requirements Digital libraries need scalable, interoperable authentication and authorization. The Grid as the new paradigm for a computational resource, with Globus the middleware, including security, location and allocation of resources, scheduling, etc. built on top of campus infrastructures. Instructional Management Systems (IMS) need authentication and directories Next-generation portals want common authentication and storage

6 Middleware Initiatives Partnerships EDUCAUSE CREN Globus, Legion, etc. Campuses Professional associations - AACRAO, NACUA, etc.

7 Middleware Initiatives The Early Harvest experiences Identifiers for people, objects, groups Authentication for people, objects and groups Directories to store common information Authorization services Applications that use all of the above Complex design and implementation tradeoffs at technical and policy levels

8 Middleware Initiatives Early Harvest Outputs Identifier mapping Good practice documents on middleware web site, to guide campus IT organizations Informational RFC in June May form part of the basis for an assurance model for higher ed PKI

9 Middleware Initiatives Identifier Mapping Map campus identifiers against a canonical set of functional needs For each identifier, establish its key characteristics, including revocation, reassignment, privileges, and opacity Shine a light on some of the shadowy underpinnings of middleware

10 Middleware Initiatives Major campus identifiers UUID Student and/or emplid Person registry id Account login id Enterprise-lan id Netid Email address Library/deptl id Publicly visible id (and pseudossn) Pseudonymous id

11 Middleware Initiatives Identifier Characteristics Revocation - can the subject ever be given a different value for the identifier Reassignment - can the identifier ever be given to another subject Privileges - what accesses does the authenticated identifier have Opacity - is the real world subject easily deduced from the identifier - privacy and use issues

12 Middleware Initiatives Identifier relationships Person registry ID Email address Library ID Acct login Pseudo ID Student ID PubVis ID Enterprise-LAN ID Departmental IDs UUID Empl ID ISO card ID

13 Middleware Initiatives Authentication Options Password based Clear text LDAP Kerberos Certificate based Others - challenge-response, biometrics

14 Middleware Initiatives Typical Good Practices Have a UUID that is non-revocable, non-reassignable, opaque No clear text passwords Precrack new passwords using foreign dictionaries as well as US Confirm new passwords are different than old Require password change if possibly compromised Use shared secrets or positive photo-id to reset forgotten passwords

15 Middleware Initiatives Typical Interoperability Standards Use of dc (domain component) instead of X.500 for naming of directory suffixes, certificate subjects, etc. Use of certain object class Future standardization of certificate profiles

16 Middleware Initiatives Directories: Core of the Core Overall campus directory services model Enterprise directory design and implementation Departmental directories Security and directories

17 Middleware Initiatives Enterprise directory issues Schema, referrals and redundancy Naming Attributes Replication and synchronization Groups

18 Middleware Initiatives Early Adopters: The Campus Testbed Phase A variety of roles and missions Commitment to move implementation forward Provided some training and facilitated support Develop national models of deployment alternatives Address policy standards

19 Middleware Initiatives Early Adopter Participants Dartmouth Univ of Hawaii Johns Hopkins Univ Univ of Maryland, BC Univ of Memphis Univ of Michigan Michigan Tech Univ Univ of Pittsburgh Univ of Southern California Tufts Univ Univ of Tennessee, Memphis

20 Middleware Initiatives Primary Goals To facilitate the campus deployments of core middleware technologies To identify reasonable approaches - both technical and policy - and design issues and factors that influence institutional selection of a particular approach To enrich the technical contents of Early Harvest To inform larger community (NSF, Education, NIH, etc) of requirements for deployment and interoperability

21 Middleware Initiatives Secondary Goals Explore medical middleware issues Generic - how is this expressed in the core deployment Specific - what medical data structures need integration into campus environment Outreach to encourage other institutions Research into options for authorization services Evaluate new tools and technologies

22 Middleware Initiatives Basic Approaches Technology sharing and workshops Policy sharing champions data owners professional associations - EDUCAUSE, CUMREC, CNI, NACUA, NACUBO, AACRAO, ALA External experts Vendor interactions

23 Middleware Initiatives MACE (Middleware Architecture Committee for Education) Purpose - to provide advice, create experiments, foster standards, etc. on key technical issues for core middleware within higher ed Membership - Bob Morgan (UW) Chair, Steven Carmody (Brown), Michael Gettes (Georgetown), Keith Hazelton (Wisconsin), Paul Hill (MIT), Mark Mara (Cornell), Mark Poepping (CMU) Current working Groups DIR - eduperson, the Uber-directory experiment PKI - campus operational issues, trust models, fPKI involvement Shibboleth - inter-institutional resource sharing

24 Middleware Initiatives A Directory of Directories An experiment, now encompassing 10 schools, to build a combined directory search service to show the power of coordination to show the existing barriers to cooperation –standard object classes -standard display formats -standard meta-data to investigate load and scaling issues - on the clients and the servers to suggest the service to follow

25 Middleware Initiatives Edu-person An objectclass for higher education Contains suggested attributes for instructional, research and administrative inter-institutional use Presumes campuses to add local person objectclass. A joint effort of EDUCAUSE and I2

26 Middleware Initiatives Edu-person 0.9a Parent objectclass=inetorgperson Intends to integrate with Grid, IMS, and other upper-middleware Includes: primary affiliation (fac/stu/staff) enrolledcurrentterm (binary true/false) withdrawnpreviousterm (binary) schoolcollegename, (multivalued case ignore strings)

27 Middleware Initiatives Shibboleth Inter-institutional web authentication and perhaps authorization Use local credentials for remote services; enable user@ logins; fosters best practices; encourage transition from simple ht controls to LDAP-based Uses records in DNS and several forms of authentication; authorization via directories IBM to analyze, several schools to participate in pilot

28 Middleware Initiatives Authorization How an individual’s attributes are carried from an individual or a central store to an application Move from a per-application basis to an infrastructural service Options include Kerberos tickets LDAP calls RPC’s long-term certificates attribute certificates

29 Middleware Initiatives PKI Public Key Certificates are a remarkably simple and powerful tool for signing documents, authentication, encrypting email, building secure channels across the Internet, non-repudiation, conveying authorizations, and more Infrastructure to support this is little understood mobility, user interface, internal formats, trust chains, revocation, policy expression

30 Middleware Initiatives Uses for Certificates Authentication and pseudo-authentication Signing docs Encrypting docs and mail Non-repudiation Secure channels across a network Authorization and attributes and more...

31 Middleware Initiatives Certificate Profiles Per field description of certificate contents - both standard and extension fields, including criticality flags Syntax of values permitted per field Semantics specified Spreadsheet format by R. Moskowitz, XML and ANS alternatives for machine use Centralized repository for higher ed being set up

32 Middleware Initiatives Certificate Policies Legal responsibilities and liabilities (indemnification issues) Operations of Certificate Management systems Best practices for core middleware Assurance levels - varies according to I/A processes and other operational factors

33 Middleware Initiatives Certificate Practice Statements Operational aspects that allow lawyers to decide who to trust must cover I/A, Cert Management, underlying operations

34 Middleware Initiatives PKI Activities DLF: UCOP, Columbia, soon Minnesota FPKI (http://csrc.nist.gov/pki/twg/welcome.html) PKI for NGI, Globus net@edu within EDUCAUSE CREN CA In-sources - MIT, Michigan Out-sources - Pittsburgh, Texas PKIforum W2K

35 Middleware Initiatives Next Steps PKI Labs long-term research agenda, includes path math, open standards and reference implementations ATT catalyst funding with other investments expected a national advisory board RFP next month Net@edu Fed-ed meetings workshops

36 Middleware Initiatives Next Steps HEPKI - Technical Activities Group universities actively working on technical issues topics include kerberos-PKI integration, public domain CA, profiles will sponsor regular conference calls, email archives HEPKI - Policy Activities Group universities actively deploying PKI topics include certificate policies, RFP sharing, interactions with state governments will sponsor regular conference calls, email archives

37 Middleware Initiatives Medical Middleware The intersection of higher ed and health care services Worst case requirements in I/A HIPAA - new privacy and security requirements Must integrate with higher level objects - CORBA Med Work will consist of problem structuring, technologies, and policy/process issues

38 Middleware Initiatives International Aspects Identifier agreements International trust models Shared expertise Workshop this summer in Europe

39 Middleware Initiatives Where to watch www.internet2.edu/middleware net@edu www.cren.org fPKI work www.Globus.org

Download ppt "Internet2 Middleware Initiatives: Early Harvest to Early Adopters and Beyond Renee Woodten Frost Project Manager, Middleware Early Adopters, Internet2."

Similar presentations

04 June 2002, TERENA, Limerick MACE: Directories at Work Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Chair, MACE-Dir Working Group.

04 June 2002, TERENA, Limerick MACE: Directories at Work Keith Hazelton, Senior IT Architect, Univ. of Wisconsin-Madison Chair, MACE-Dir Working Group.
The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.

The Internet2 NET+ Services Program Jerry Grochow Interim Vice President CSG January, 2012.
Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.

Federated Digital Rights Management Mairéad Martin The University of Tennessee TERENA General Assembly Meeting Prague, CZ October 24, 2002.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl

HEPKI-TAG Activities January 2002 CSG Meeting Jim Jokl
Lecture 23 Internet Authentication Applications

Lecture 23 Internet Authentication Applications
PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.

PKI in US Higher Education TAGPMA Meeting, March 2006 Rio De Janeiro, Brazil.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.

PKI: News from the Front and views from the Back Ken Klingenstein, Project Director, Internet2 Middleware Initiative Chief Technologist, University of.
Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.

Dartmouth PKI Deployment Robert Brentrup PKI Summit July 14, 2004.
CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library

CNI Fall 1998 Access Management Requirements and Approaches Joan Gargano California Digital Library
PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.

PKI Update. Topics Background: Why/Why Not, The Four Planes of PKI, Activities in Other Communities Technical activities update S/MIME Pilot prospects.
Understanding Active Directory

Understanding Active Directory
May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.

May 22, 2002 Joint Operations Group Discussion Overview Describe the UC Davis Security Architecture Describe Authentication Efforts at UC Davis Current.
Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.

Copyright JNT Association 20051OptionalCopyright JNT Association 2007 Overview of the UK Access Management Federation Josh Howlett.
Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –

Identity and Access Management IAM A Preview. 2 Goal To design and implement an identity and access management (IAM) middleware infrastructure that –
CAMP - June 4-6, 2003 1 Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin 2003. This work is the intellectual property of the authors.

CAMP - June 4-6, Copyright Statement Copyright Robert J. Brentrup and Mark J. Franklin This work is the intellectual property of the authors.
9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.

9/20/2000www.cren.net1 Root Key Cutting and Ceremony at MIT 11/17/99.
InCommon Policy Conference April 2005. 2 Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.

InCommon Policy Conference April Uses  In order to encourage and facilitate legal music programs, a number of universities have contracted with.
Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Welcome to CAMP Identity Management Integration Workshop Ann West NMI-EDIT EDUCAUSE/Internet2.

Similar presentations

Ads by Google