Federal Initiatives in IdM - PowerPoint PPT Presentation

Title: Federal Initiatives in IdM
Author: Peter Alterman
Created Date: 6/15/2005 8:10:04 PM
Slides: 16

Transcript

1
Federal Initiatives in IdM
  • Dr. Peter Alterman
  • Chair, Federal PKI Policy Authority

2
HSPD-12
  • Mandates all Federal Agencies issue ID
    credentials using FIPS-201 identity proofing
    procedures beginning 10/05
  • Mandates all Federal Agencies begin issuing
    SmartCards with medium assurance digital certs by
    10/06
  • Authorization remains a local prerogative

3
E-Authentication
  • Initiatives
  • Assessment Framework for Credentials evaluating
    the level of assurance (LOA) of identity of
    credential service providers
  • Membership in Liberty Alliance
  • Frequent meetings with Microsoft
  • Interfederation Interoperability Project with
    Cybertrust and Internet2/Shibboleth team

4
E-Authentication CAF
  • The Credential Assessment Framework consists of the
    following:
    • A structured methodology and procedures for
      evaluating the LOA of a CSP's credentials
    • An assessment team that goes out and evaluates
      CSPs
    • A process for conflict resolution
    • Posting CSPs and their credential LOAs to a trust
      list (unfortunate term) on the website

5
E-Authentication Interfed Interop
  • InCommon Higher Education Identity Federation
    • Using Shibboleth middleware technical protocols
    • Policy-light
  • E-Authentication US Identity Federation
    • Using a variety of technical protocols
    • Policy-intensive

6
What Are Electronic Identity Federations?
  • Associations of electronic identity credential
    providers and credential consumers (electronic
    service providers) who:
    • Agree to trust each other's credentials
    • Agree to hold credential providers authoritative
      for the validity of their credentials
    • Agree to use common communications protocols and
      procedures to enable interoperability
    • Agree to common business rules

7
Purpose of Electronic Identity Federations
  • To enable trusted electronic business
    transactions between end users and service
    providers where the service provider does not
    have to issue and manage identity credentials,
    including attributes.
  • It's all a matter of scaling...
  • No, it's also a matter of control

8
Characteristics of Identity Federations
  • Credential providers
  • Service providers
  • Standards and protocols for technical
    interoperability among credential providers,
    service providers, end users and infrastructure
    utilities
  • A governance mechanism to assert common business
    rules, ensure credentials can be used and trusted
    by all members of the federation and a central
    control point for entry and exit of members

9
Accomplishments to Date
  • Demonstration of proof of concept for technical
    interoperability of identity credentials and
    utilities: E-Authentication SAML 1.0 and
    Shibboleth 1.2
  • Production-level interoperability built into
    Shibboleth 1.3 (in beta)
  • Extensive groundwork done on identifying policy
    and procedure mapping/treaty requirements
  • Credential Assessment of 3 Universities, fourth
    scheduled

10
Work in Progress
  • Development of common SAML 2.0 schemes
  • Development of common USPerson profile and
    profile management infrastructure
  • Development of production-quality scheme
    translator
  • Ongoing work to enable cross-federation trust and
    interoperability
  • NSF FastLane to accept 3 universities'
    Shibboleth-based identity and attribute
    credentials on or before December 2005 (slippage)

11
Unresolved Issues
  • Mapping null attributes
  • Ensuring privacy of attribute information in a
    variety of instances
  • Portal integration
  • Scaling issues for listing credential providers
  • Issues of transitivity across federations
  • Multiple authoritative sources/conflicting
    authoritative sources
  • Vocabulary and data dictionary issues
  • Liability and indemnification issues

12
Federal PKI Architecture
  • Agency and other government PKIs are required to
    cross-certify with the Federal Bridge CA
  • As of 12/05, no new agency PKIs: agencies procure
    PKI services from vendors participating in the
    Shared Service Provider (SSP) program
  • Architecture issues TLS/SSL certs to credential
    service providers who have been assessed under the
    CAF, to provide mutual authentication
  • Federal Bridge CA serves as the point of insertion
    for external PKIs and other bridges.
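
The cross-certification and "point of insertion" model on this slide can be made concrete with a small model of certification path discovery through a bridge CA, including the policy mapping that lets a relying party in one agency reason about assurance levels it never defined itself. The Python below is an added example written for this page, not code from the Federal PKI, the presenter, or any project; the certificate store, subject names and policy identifiers (plain strings standing in for real policy OIDs) are constructed placeholders, and the policy processing is a deliberately simplified form of the RFC 5280 rules (no anyPolicy, no inhibit or require-explicit-policy constraints).

```python
"""Model of path discovery and policy mapping across a bridge CA (added example; constructed data)."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Only the fields path validation needs; not a real X.509 parser."""
    subject: str
    issuer: str
    policies: frozenset                          # certificatePolicies of this cert
    mappings: dict = field(default_factory=dict)  # policyMappings: issuer-domain policy -> subject-domain policy


# Constructed certificate store. Policy identifiers are placeholders, not real OIDs.
STORE = [
    Cert("Agency A Root", "Agency A Root", frozenset({"agencyA:medium"})),
    # Agency A cross-certifies the bridge and maps its own medium policy onto the bridge's.
    Cert("FBCA", "Agency A Root", frozenset({"agencyA:medium"}), {"agencyA:medium": "fbca:medium"}),
    # The bridge cross-certifies Agency A in the other direction, which creates a cycle in the graph.
    Cert("Agency A Root", "FBCA", frozenset({"fbca:medium"}), {"fbca:medium": "agencyA:medium"}),
    # The bridge cross-certifies Agency B at medium assurance.
    Cert("Agency B CA", "FBCA", frozenset({"fbca:medium"}), {"fbca:medium": "agencyB:medium"}),
    Cert("alice@agencyB", "Agency B CA", frozenset({"agencyB:medium"})),
    # An external PKI is inserted through the bridge, but only at basic assurance.
    Cert("External CA", "FBCA", frozenset({"fbca:basic"}), {"fbca:basic": "external:basic"}),
    Cert("bob@external", "External CA", frozenset({"external:basic"})),
]


def find_path(store, anchor_subject, target_subject):
    """Breadth-first path discovery from the trust anchor to the target, following issuer -> subject
    links. Returns the certs from the one issued by the anchor down to the target's own, or None.
    The visited set is what stops the bidirectional cross-certificates from looping."""
    queue = deque([(anchor_subject, [])])
    visited = {anchor_subject}
    while queue:
        current, path = queue.popleft()
        for cert in store:
            if cert.issuer != current or cert.subject in visited:
                continue
            new_path = path + [cert]
            if cert.subject == target_subject:
                return new_path
            visited.add(cert.subject)
            queue.append((cert.subject, new_path))
    return None


def process_policies(path, initial_policies):
    """Simplified policy processing: a policy survives a certificate only if it appears in that
    certificate's certificatePolicies, and policyMappings rename it into the subject's domain."""
    valid = set(initial_policies)
    for cert in path:
        valid = {cert.mappings.get(p, p) for p in valid if p in cert.policies}
    return valid


def validate(store, anchor_subject, target_subject, initial_policies):
    """Return (subjects on the discovered path, policies that survived). An empty policy set means
    the relying party must reject the credential even though a chain to it exists."""
    path = find_path(store, anchor_subject, target_subject)
    if path is None:
        return None, set()
    return [c.subject for c in path], process_policies(path, initial_policies)


if __name__ == "__main__":
    # The relying party in Agency A only knows its own policy name; mappings do the rest.
    for target in ("alice@agencyB", "bob@external"):
        subjects, policies = validate(STORE, "Agency A Root", target, {"agencyA:medium"})
        verdict = "ACCEPT" if policies else "REJECT"
        print(f"{target}: path={subjects} policies={sorted(policies)} -> {verdict}")
```

The point the model makes is that a chain through the bridge is necessary but not sufficient: bob@external is reachable from Agency A's anchor, yet the bridge only cross-certified the external PKI at basic assurance, so no policy survives and the credential is rejected at the medium level the relying party asked for. Real deployments add the constraint extensions omitted here and also check revocation, validity periods and name constraints.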

13
Simplified Diagram of Federal PKI
  [Diagram not reproduced in the transcript; components shown:]
  • Federal Bridge CA
  • Common Policy CA
  • Cross-certified gov PKIs
  • Shared Service Provider PKIs (Common Policy OID and root cert)
  • C4 CA
  • E-Gov CAs (3)
  • Cross-certified external PKIs
  • eAuth CSPs

14
LOA Mapping E-Auth to Fed PKI

15
Discussion
  • altermap_at_mail.nih.gov