New Developments in Authentication and Access Management - PowerPoint PPT Presentation

Description:

Authentication problems and progress. Authorisation problems ... JISC is actively working with Internet2-MACE in the US and TERENA in Europe. 24 June 2002 ... – PowerPoint PPT presentation

Slides: 19
Provided by: Alexis50
Transcript and Presenter's Notes


1
New Developments in Authentication and Access
Management
  • Alan Robiette
  • JISC Development Group
  • JISC-NSF-DLI2 Meeting, 2002

2
Outline
  • Overview and terminology
  • Authentication problems and progress
  • Authorisation problems and progress
  • Summary and conclusions

3
The High-Level Problem
  • We need national-scale services for
  • Authentication (linking people to electronic IDs)
  • Authorisation (linking IDs to privileges)
  • Profiling (linking IDs to personal preferences)
  • Accounting (in the sense of tracking and
    recording usage, whether or not for actual
    billing)
  • All in an interoperable framework which can be
    realistically implemented by our institutions
  • Not to mention all our third-party suppliers

4
Authentication
  • On a local scale, largely a solved problem
  • Various solutions exist, some with single sign-on
    (Internet2 promoting WebISO for web resources)
  • Digital certificates are on the increase
  • Not least because Grid environments require them
  • Public-key technology will itself evolve
  • XML-based schemes are likely to emerge
  • E.g. XKMS, Web Services Security

5
Authentication Issues on a National Scale
  • Naming and name-space management
  • How is uniqueness assured nationally?
  • What happens in the case of multiple
    affiliations?
  • Location of the authentication process
  • Universally agreed that this is best carried out
    at and by the institution itself
  • Should real IDs be generally visible to off
    campus providers?
  • Trade-offs between privacy, convenience and
    accountability

6
Authorisation Issues
  • Determining an individual's privileges
  • What attributes (roles) is it useful to consider?
  • Which are generic and which application-specific?
  • How many could be defined sector-wide?
  • Location of the access control decision
  • At the resource itself (greatest provider
    control)?
  • At the institution (i.e. devolution of trust)?
  • At some intermediate point (e.g. as in the
    present case in the UK, at the Athens server)?

7
Where Should Control Be Applied?
  • Logically at the resource itself
  • The resource owner should determine who gets
    access and who does not but this may require
    more user information to be disclosed
  • For electronic information, this is often
    delegated (e.g. on the basis of a contract)
  • A better model for a bibliographic database than
    for a supercomputer? Or even a telescope?
  • Where third party services are involved, are
    there legal issues to consider?

8
Where is the Complexity Felt?
  • Do we best achieve interoperability by having the
    same software interface at
  • All service providers' servers?
  • All campuses?
  • All users' local environments (wherever they
    are)?
  • More than one of these?
  • And where the complexity ends up, so do most of
    the costs

9
Other Concerns
  • The single sign-on question
  • How important is seamlessness?
  • The portal problem
  • To address this properly is quite hard
  • Standards and interoperability
  • There aren't many, especially for authorisation
  • The international scene
  • A system for JISC services is all very well, but
    what about integrating resources from the wider
    world?

10
Current UK Developments
  • EduServ's development plan for Athens
  • Single sign-on introduced Spring 2002
  • Distributed authentication will be trialled this
    summer
  • JISC call for projects issued Summer 2002
  • With the objective of exploring a range of
    emerging technologies
  • JISC is actively working with Internet2-MACE in
    the US and TERENA in Europe

11
Authentication Goals
  • To investigate practical and management issues in
    embedding X.509 certificate regimes in
    institutions of varying kinds
  • With some particular technology options to be
    explicitly specified for piloting
  • To investigate mixed economy approaches in
    which X.509 certificates are used alongside (say)
    Athens IDs and passwords

12
Authorisation Goals
  • To explore a range of authorisation schemes and
    assess their applicability in both Grid and
    Information Environment scenarios
  • To include trialling of (at least)
  • Globus CAS (Globus Project)
  • Akenti (Lawrence Berkeley Lab)
  • PAPI (Spanish academic and research network)
  • NB Evaluation of Shibboleth (Internet2) already
    planned

13
Developments Elsewhere (1)
  • Shibboleth (Internet2)
  • Devolves authentication and attribute assertion
    to campuses
  • Resource owner requests attributes from campus
    and makes decisions based on the response
  • Model allows both campus and user control over
    attribute release (strong emphasis on privacy)
  • Open source reference implementation due to be
    released Autumn 2002
  • Publishers getting involved in trial programme
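The devolved-trust model on this slide, and the question on slides 6 and 7 of where the access-control decision lives, can be made concrete with a small model. This is an added example, not code from the presentation, from Internet2 or from the Shibboleth project: the campus handles, attribute names, resource names and policies are constructed, and the campus answers with an opaque handle so the resource owner never sees a real ID.

```python
from typing import Dict, Set

# Constructed campus data, keyed by an opaque handle rather than a real ID,
# so the resource provider never has to learn who the user is.
CAMPUS_USERS: Dict[str, Dict[str, str]] = {
    "handle-7f3a": {"affiliation": "student", "department": "physics",
                    "real_name": "Sample Student"},
    "handle-2c91": {"affiliation": "staff", "department": "library",
                    "real_name": "Sample Librarian"},
}
# Campus release policy: attributes that may leave the institution, per
# resource provider.  real_name is deliberately never releasable.
CAMPUS_POLICY: Dict[str, Set[str]] = {
    "bib-db.example": {"affiliation"},
    "hpc.example": {"affiliation", "department"},
}
# User consent layered on the campus policy: attributes this user permits.
# A handle with no entry accepts whatever the campus policy allows.
USER_CONSENT: Dict[str, Set[str]] = {
    "handle-2c91": {"affiliation"},   # the librarian withholds department
}

def release_attributes(handle: str, resource: str,
                       requested: Set[str]) -> Dict[str, str]:
    """Campus attribute authority: answer a resource provider's request.

    An attribute is released only if the campus policy allows it for this
    resource, the user has not withheld it, and the campus actually holds it.
    """
    allowed = CAMPUS_POLICY.get(resource, set())
    consent = USER_CONSENT.get(handle, allowed)
    attrs = CAMPUS_USERS.get(handle, {})
    return {name: attrs[name] for name in requested
            if name in allowed and name in consent and name in attrs}

def resource_decision(released: Dict[str, str],
                      rule: Dict[str, Set[str]]) -> bool:
    """Resource owner's decision, based only on what the campus released.

    rule maps attribute name -> acceptable values.  Every attribute in the
    rule must be present with an acceptable value; an attribute the campus
    or user withheld is simply missing, and a missing attribute means deny.
    """
    return all(released.get(name) in values for name, values in rule.items())

def access(handle: str, resource: str, rule: Dict[str, Set[str]]) -> bool:
    """End to end: request exactly the attributes the rule needs, then decide."""
    released = release_attributes(handle, resource, set(rule))
    return resource_decision(released, rule)
```

The resource owner keeps the decision (slide 7), while the institution keeps control of what is disclosed (slide 5), and a withheld attribute fails closed rather than defaulting to access.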

14
Developments Elsewhere (2)
  • PAPI (Spanish national network)
  • Distributed architecture: authentication and
    authorisation both carried out at campus (i.e.
    campuses have to be trusted by resource owners)
  • Multi-tier architecture: easy to interface to
    existing publishers' services
  • Open source and in use in a number of
    sites/consortia in Spain, including some
    publisher involvement

15
PAPI Architecture
[Figure: Basic PAPI architecture with PoA only]

16
Is a Common View Emerging?
  • What is clearly needed is a single, widely
    accepted vendor-independent scheme
  • At first sight the different projects (PAPI,
    Shibboleth, AthensNG) look very distinct
  • However they share many components and a common
    architecture appears feasible
  • PAPI plans to investigate adding support for
    Shibboleth resource providers
  • Proprietary nature of Athens remains problematic

17
And What About the Grid?
  • Currently the Grid community's problems appear
    more complex
  • Grid middleware relies heavily on X.509 identity
    certificates, which are far from universal
    otherwise
  • Even in the longer term, it may not be possible
    to standardise on one single Grid authorisation
    solution
  • But there may be analogies with other relatively
    complex problems, e.g. medical middleware

18
Conclusions
  • Authorisation in particular remains a tough
    problem
  • But some of the emerging solutions look
    promising, for quite large sets of commonly
    encountered applications
  • And the extent of international cooperation in
    this area is also encouraging!