Post on 27-Dec-2015
transcript
Accelerating Events in Internet Identity and Privacy
Dr. Ken Klingenstein,Senior Director, Middleware and Security, Internet2
Technologist, University of Colorado at Boulder
kjk@internet2.edu
Topics
• Internet identity update• Technology updates• Privacy and its implications
• Federations • US – InCommon and Soup
• Planning the future of InCommon• Government, Liberty Alliance• International
• Applications update• Collaboration apps• Open source kumbaya
• A plea for CNI community participation
kjk@internet2.edu
Internet identity
• Federated identity• Enterprise centric, exponentially growing, privacy
preserving, rich attribute mechanisms• Requires lawyers, infrastructure, etc
• User centric identity• P2P, rapidly growing, light-weight• Marketplace is fractured; products are getting heavier
to deal with privacy, attributes, etc.
• Unifying layers emerging – Cardspace, Higgins
kjk@internet2.edu
Federated identity
• Convergence around SAML 2.0 – even MS• Exponential growth in national and international R&E
sectors• Emerging verticals in the automobile industry, real-estate,
government, medical• Policy convergence for LOA, basic attributes (eduPerson),
but all else, including interfederation, remains to be developed
• Application use growing rapidly• Visibility is about to increase significantly through end-user
interactions
kjk@internet2.edu
User-centric identity
• Driven by social networking {Facebook, MySpace, etc} and {Google, AOL, MSN}, growing rapidly
• Relatively lightweight to implement for both application developers and identity providers
• Separates unique identifier/authentication and trust (reputation systems, etc.)
• Fractured by lack of standards, vying corporate interests, lack of relying parties, etc.
• OpenId, Facebook Connect, Google Connect, AOL
kjk@internet2.edu
Unifying the user experience
• Among various identity providers, including P2P, self-issued, federated
• Need to manage discovery, authentication, and attribute release
• Cardspace, Higgins, uApprove, etc.• Consistent metaphors, different technical
approaches• Starting to deploy
kjk@internet2.edu
Trust, Identity and the Internet
• ISOC initiative to introduce trust and identity-leveraged capabilities to many RFC’s and protocols
• Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities
• http://www.isoc.org/isoc/mission/initiative/trust.shtml• First target area is DKIM; subsequent targets include
SIP and firewall traversal
kjk@internet2.edu
Privacy
• A broad and complex term, like security, encompassing many different themes
• Privacy and personal data release• A function of national, EU, and local policy• International transactions common and
complex• Separates into “required for transaction” and
“needs consent”
kjk@internet2.edu
EU Privacy Laws
• Art 29 WG overarching but lots of confusion below
• IP address • EPTID – a non-correlating, opaque but
persistent identifier• For privacy and state – e.g. searches, web
blogs• Critical to federated privacy
kjk@internet2.edu
Some recommendationsIdentity Providers should • Construct pseudonymous identifier values in ways that conceal as far as possible the
identity of the user, for example by using one-way hash functions and providing different values to each service provider;
• Declare that they will not disclose the identity of the person to which a particular identifier value was assigned, other than when required by law to do so.
• In particular, reports of misuse or other problems should be investigated by the Identity Provider, who is anyway most likely to be able to hold the user to account, and not the Service Provider.
Service Providers should • Not collect personally identifying information from a user who was otherwise only
identified by a pseudonymous identifier; • Not seek to obtain information linking a pseudonymous identifier to a user from any
other source; in particular they should not aggregate information collected from different services;
• Provide evidence to Identity Providers to permit them to investigate and deal with any misuse or other problem in the use of the service.
kjk@internet2.edu
Federation Update
• R&E federations sprouting at national, state, regional, university system, library alliance, and elsewhere
• Federated identity extensive in business• Many bilateral outsourced relationships• Hub and spoke • Multilateral relationships growing in some
verticals
kjk@internet2.edu
Federation Killer Apps
• Content access – Elsevier, OCLC, JSTOR, iTunes• Government access – NIH ERA, CTSA, NSF and
research.gov• Access to collaboration tools – wikis, moodle,
foodle • Roaming network access• Outsourced services – National Student Clearing
House, student travel, plagarism, testing, travel accounting
• MS Dreamspark
kjk@internet2.edu
InCommon•Over 110 members and growing steadily
•More than two million “users”
•Most of the major research institutions
•New types of members• Non usual suspects – Lafayette, NITLE, Univ of Mary Washington, etc.• National Institute of Health, soon NSF and research.gov• Energy Labs, ESnet, TeraGrid• MS, Apple, soon Google• Student service providers
•Steering Committee chaired by Clair Goldsmith of Univ of Texas; Technical Committee chaired by Renee Shuey of Penn State
kjk@internet2.edu
InCommon Update
• Growth is quite strong; doubled in size for the fifth year straight…
• Potential size estimates (pre-interfederation) could grow > 5,000; revenue stream….
• MoU for federal agencies to join in the works• Silver profile approved• Major planning effort on the future of InCommon now
underway, including governance, community served, pricing and packaging principles, business models
kjk@internet2.edu
Grist for InCommon background
• Comparison to other national R&E federations
• Budget, basics
• Strength-weakness-opportunities-threats analysis
• Status of soup
• Growth and expense/revenue projections• Effect of interfederation and soup on projections
• Other business opportunities
kjk@internet2.edu
Principles to be established
• Community served• Business opportunities• Governance and representation• Pricing and packaging principles – membership models,
working with soup, etc.• Charge by cost or charge by value
• -------------• The relationship between InCommon and Internet2
kjk@internet2.edu
Federation Soup
• Within the US, federations happening in many ways – state, university system, library, regional, etc
• Triage among federations needs to cross several communities – higher ed, k-12, government agencies, MS, etc.
• Common issues include business models, legal models, LOA and attributes, user experience
• Initial gathering in Seattle in June • Web site is at
https://spaces.internet2.edu/display/FederationSoup/Home
kjk@internet2.edu
Government and EAuthentication
• NIH prime mover – large scale cancer trials, electronic grants management, genome database access
• GSA promoting community of interest federations and interfederation
• NSF, research.gov and the Department of Ed
kjk@internet2.edu
International federations
• More than 25 national federations;• Several countries at 100% coverage, including Norway,
Switzerland, Finland; communities served varies somewhat by country, but all are multi-application and include HE
• UK intends a single federation for HE and Further Education ~ tens of millions of users
• EU-wide identity effort now rolling out - IDABC and the Stork Project (www.eid-stork.eu)
• Key issues around EU Privacy and the EPTID
kjk@internet2.edu
REfeds meeting
• Utrecht Dec 4-5• All federations reporting tipping point phenomena• Key issues include building the business,
communities served, attribute development, interfederation, application integration, working with Liberty Alliance, international privacy, etc
• Integration with e-Science, CLARIN, etc.• http://www.terena.org/activities/tf-emc2/meetings/1
2/index.html
kjk@internet2.edu
Next Steps
• Learning the business of federation• Attributes redux• LOA• Application enablement• Buckets of metadata• EGov• Support of virtual organizations and collaborations• Outreach to other sectors• Interfederation
kjk@internet2.edu
Interfederation
• Happening in some quadrants• Kalmar Union among Nordic countries• US-UK Interfederation agreement
• Space but no time yet at Liberty Alliance for cross-sector and corporate engagement
• REfeds will continue as default interfed setting and discussion forum for R&E specific issues (VO’s, attributes, etc.)
kjk@internet2.edu
COmanage
• COmanage can provide authentication and authorization services (group membership, privilege management, etc) to apps
• Domesticated applications currently include wiki, listproc, Jira, Subversion, Al Fresco. Soon to add audioconferencing, IM and chat rooms, EC2, Fedora, web-based file share, etc.
• Can be launched as an image in the Amazon cloud.• Not “collaboration in a box”. More collaboration in a fully
permeable membrane. The “stand-alone” can be readily replumbed to be completely integrated into enterprise, federated or other attribute ecosystems as they develop
• Uses Shibboleth and Grouper and…
kjk@internet2.edu
Collaboration and Federated Identity
• Two powerful forces being leveraged• the rise of federated identity• the bloom in collaboration tools, most particularly in the Web 2.0
space but including file shares, email list procs, etc• Collaboration management platforms provide identity services to
“domesticated” applications that externalize their identity management dimensions to an general identity/group/privilege/etc repository (LDAP, MySQL, etc.)
• Results in user and collaboration centric identity, not tool-based identity
• COmanage is a collaboration management platform, supported in part by a NSF OCI grant, being developed by the Internet2 community, with Stanford as a lead institution
kjk@internet2.edu
Integration with Open Source Efforts
• Federated versions of Fedora and DSpace abound; domesticated versions to come
• Sakai, Moodle, etc also federated
• Kuali and Rice/KIM are under active discussion
• Asterisk, Openwiki, other collaboration tools
kjk@internet2.edu
Plea for CNI Community Participation
• User interface and design
• Privacy managers
• Helping users to manage the metadata of collaboration
kjk@internet2.edu
User interface
• Two levels – presentation and mental maps• Presentation – accommodating disabilities,
multilingual and multicultural requirements• Mental maps – helping navigate between
roles, privileges
• Early engagement with fluid
kjk@internet2.edu
Privacy managers
• Helping users to understand least privilege, minimal release, state and privacy
• Training vendors and content providers on what to ask for
kjk@internet2.edu
Helping users to manage the metadata of collaboration
• Roles, privileges and access management in virtual organizations
• Metadata across tools - tagging
• Metadata across content
• Archiving and provenance