Fed-Ed Dec 08: Updates on Federations - PowerPoint PPT Presentation

PowerPoint PPT presentation. Last modified by: Colleen Keller. Slides: 26. Provided by: netEduca.
Transcript and Presenter's Notes

1
Fed-Ed Dec 08: Updates on Federations
  • Dr. Ken Klingenstein,
  • Senior Director, Middleware and Security,
    Internet2
  • Technologist, University of Colorado at Boulder


2
Topics
  • Internet identity update
    • Technology updates
    • ISOC, IETF Identity, Trust and the Internet
    • Privacy and its implications for federation
  • Federations
    • US
    • InCommon and Soup
    • Planning the future of InCommon
    • Liberty Alliance, International
  • Applications update
    • Collaboration apps
    • Open source kumbaya

3
Internet identity
  • Federated identity
    • Enterprise centric, exponentially growing,
      privacy preserving, rich attribute mechanisms
    • Requires lawyers, infrastructure, etc.
  • User centric identity
    • P2P, rapidly growing, light-weight
    • Marketplace is fractured; products are getting
      heavier to deal with privacy, attributes, etc.
    • Unifying layers emerging: Cardspace, Higgins

4
Federated identity
  • Convergence around SAML 2.0, even MS
  • Exponential growth in national and international
    R&E sectors
  • Emerging verticals in the automobile industry,
    real-estate, government, medical
  • Policy convergence for LOA, basic attributes
    (eduPerson), but all else, including
    interfederation, remains to be developed
  • Application use growing steadily
  • Visibility is about to increase significantly
    through end-user interactions with identity
    selectors and privacy managers

5
User-centric identity
  • Driven by social networking (Facebook, MySpace,
    etc.) and Google, AOL, MSN; growing rapidly
  • Relatively lightweight to implement for both
    application developers and identity providers
  • Separates unique identifier and trust (reputation
    systems, etc.)
  • Fractured by lack of standards, vying corporate
    interests, lack of relying parties, etc.
  • OpenID, Facebook Connect, Google Connect, AOL

6
Unifying the user experience
  • Among various identity providers, including P2P,
    self-issued, federated
  • Need to manage discovery, authentication, and
    attribute release
  • Cardspace, Higgins, uApprove, etc.
  • Consistent metaphors, somewhat different
    technical approaches
  • Starting to deploy
  • Integrating enterprise and social identity

7
Trust, Identity and the Internet
  • ISOC initiative to introduce trust and
    identity-leveraged capabilities to many RFCs and
    protocols
  • Acknowledges the assumptions of the original
    protocols about the fine nature of our friends on
    the Internet, and the subsequent realities
  • http://www.isoc.org/isoc/mission/initiative/trust.shtml
  • First target area is DKIM; subsequent targets
    include SIP and firewall traversal

8
Privacy
  • A broad and complex term, like security,
    encompassing many different themes
  • An important privacy issue: personal data
    release
    • What is personal data?
    • Release is a function of national, EU, and local
      policy
    • International transactions common and complex
    • Roughly separates into "required for transaction"
      and "needs consent"

9
EU Privacy Laws
  • Art 29 WG overarching, but lots of confusion below
    • IP address
  • EPTID: a non-correlating, opaque but persistent
    identifier
    • For privacy and state, e.g. searches, web blogs
    • Critical to federated privacy

10
Some UK EU recommendations
  • Identity Providers should:
    • Construct pseudonymous identifier values in ways
      that conceal as far as possible the identity of
      the user, for example by using one-way hash
      functions and providing different values to each
      service provider
    • Declare that they will not disclose the identity
      of the person to which a particular identifier
      value was assigned, other than when required by
      law to do so.
    • In particular, reports of misuse or other
      problems should be investigated by the Identity
      Provider, who is anyway most likely to be able to
      hold the user to account, and not the Service
      Provider.
  • Service Providers should:
    • Not collect personally identifying information
      from a user who was otherwise only identified by
      a pseudonymous identifier
    • Not seek to obtain information linking a
      pseudonymous identifier to a user from any other
      source; in particular, they should not aggregate
      information collected from different services
    • Provide evidence to Identity Providers to permit
      them to investigate and deal with any misuse or
      other problem in the use of the service.
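The identifier construction that slides 9 and 10 describe, an opaque, persistent, non-correlating per-SP value (the EPTID) produced with a one-way function, as an added Python illustration that is not part of the deck and not any federation's own code. It uses a keyed hash (HMAC-SHA256) rather than a bare hash, so that a Service Provider cannot recompute the mapping from a list of usernames, and puts the SP entity ID into the input so that each SP receives a different value. The IdP entity ID, the SP entity IDs, the account keys and the secret are all constructed for the example; the scoped `IdP!SP!value` string follows the eduPersonTargetedID convention. The `naive_id` function shows the construction the recommendation warns against, so the two can be compared on the same records.

```python
"""Pairwise pseudonymous identifiers for federated login (added example)."""
import base64
import hashlib
import hmac

# Constructed values for this example. A real IdP generates its own secret
# (e.g. 32 random bytes), protects it like a signing key, never shares it
# with any Service Provider, and stores each issued value so the identifier
# survives a later secret rotation.
IDP_ENTITY_ID = "https://idp.example.edu/idp/shibboleth"
IDP_SECRET = bytes.fromhex(
    "9f1c6a0e4b2d7c8853e1f0a6b4d2c9e7113355779900aabbccddeeff00112233"
)


def pairwise_id(internal_uid: str, sp_entity_id: str,
                idp_entity_id: str = IDP_ENTITY_ID,
                secret: bytes = IDP_SECRET) -> str:
    """Opaque, persistent, per-SP identifier for one user.

    A keyed one-way function (HMAC-SHA256) over (IdP, SP, internal user key).
    The SP entity ID in the input makes the value differ at every SP, so two
    SPs cannot join their records on it; the secret key means nobody outside
    the IdP can recompute the mapping from a username list. The internal key
    must be one the IdP never reassigns (a numeric account key, not a login
    name), or a 'persistent' value would silently move to a new person.
    """
    parts = (idp_entity_id, sp_entity_id, internal_uid)
    msg = b"\x00".join(p.encode("utf-8") for p in parts)
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    # base64url without padding: 32 bytes become 43 printable characters
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def eptid_value(internal_uid: str, sp_entity_id: str) -> str:
    """Scoped form in which eduPersonTargetedID carries such a value:
    '<IdP entityID>!<SP entityID>!<opaque value>'."""
    value = pairwise_id(internal_uid, sp_entity_id)
    return f"{IDP_ENTITY_ID}!{sp_entity_id}!{value}"


def naive_id(internal_uid: str) -> str:
    """The construction the recommendation argues against: an unkeyed hash
    of the user key alone. It is identical at every SP (so records can be
    joined across services) and anyone holding a username list can
    recompute it."""
    return hashlib.sha256(internal_uid.encode("utf-8")).hexdigest()


def linkable(ids_at_sp_a, ids_at_sp_b):
    """Identifier values present in both SPs' records: exactly what an
    aggregating SP could join on. Empty when identifiers are pairwise."""
    return set(ids_at_sp_a) & set(ids_at_sp_b)


def demo():
    """Compare the two constructions for two users visiting two SPs.
    Returns (linkable count with naive ids, linkable count with pairwise ids)."""
    users = ["100001", "100002"]  # constructed stable internal account keys
    sp_a = "https://journals.example.com/shibboleth"
    sp_b = "https://wiki.example.org/shibboleth"
    naive_a = [naive_id(u) for u in users]
    naive_b = [naive_id(u) for u in users]
    pair_a = [pairwise_id(u, sp_a) for u in users]
    pair_b = [pairwise_id(u, sp_b) for u in users]
    return len(linkable(naive_a, naive_b)), len(linkable(pair_a, pair_b))


if __name__ == "__main__":
    sp = "https://journals.example.com/shibboleth"
    print("user 100001 at SP A:", eptid_value("100001", sp))
    print("user 100001 at SP B:",
          eptid_value("100001", "https://wiki.example.org/shibboleth"))
    print("naive vs pairwise linkable records:", demo())
```

Running the block prints two unrelated scoped values for the same user at the two SPs, and `demo()` returns `(2, 0)`: with the unkeyed hash both users' records can be joined across the SPs, with the pairwise value none can. This is the technical half of the slide's advice; the policy half (the IdP, not the SP, investigates misuse) is what makes the one-way mapping acceptable, since only the IdP can turn a reported value back into a person.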

11
Federation Update
  • R&E federations sprouting at national, state,
    regional, university system, library alliance,
    and elsewhere
  • Federated identity growing in business
    • Many bilateral outsourced relationships
    • Hub and spoke
    • Multilateral relationships growing in some
      verticals

12
R&E Federation Killer Apps
  • Content access: Elsevier, OCLC, JSTOR, iTunes
  • Government access: NIH ERA, CTSA, soon NSF and
    research.gov
  • Access to collaboration tools: wikis, moodle,
    foodle
  • Roaming network access
  • Outsourced services: National Student Clearing
    House, student travel, plagiarism, testing, travel
    accounting
  • MS Dreamspark

13
InCommon
  • Over 118 members and growing steadily
  • More than two million users
  • Most of the major research institutions
  • New types of members
    • Non usual suspects: Lafayette, NITLE, Univ of
      Mary Washington, etc.
    • National Institute of Health, soon NSF and
      research.gov
    • Energy Labs, ESnet, TeraGrid
    • MS, Apple, Elsevier, etc.
    • Student service providers
  • Steering Committee chaired by Clair Goldsmith of
    Univ of Texas; Technical Committee chaired by
    Renee Shuey of Penn State

14
InCommon Update
  • Growth is quite strong: doubled in size for the
    fifth year straight
  • Potential size estimates (pre-interfederation)
    could grow > 5,000 enterprises; revenue stream.
  • Overarching MoU for federal agencies to join may
    happen
  • Silver profile approved
  • Major planning effort on the future of InCommon
    now underway, including governance, community
    served, pricing and packaging principles,
    business models

15
Grist for InCommon direction setting
  • Comparison to other national R&E federations
  • Budget, basics
  • Strength-weakness-opportunities-threats analysis
  • Status of soup
  • Growth and expense/revenue projections
  • Effect of interfederation and soup on projections
  • Other business opportunities

16
Principles to be established by process
  • Community served
  • Business opportunities
  • Governance and representation
  • Pricing and packaging principles: membership
    models, working with soup, etc.
    • Charge by cost or charge by value
  • -------------
  • The relationship between InCommon and Internet2

17
Federation Soup
  • Within the US, federations happening in many ways:
    state, university system, library, regional,
    etc.
  • Until we do interfederation, and probably
    afterwards, federations will form among
    enterprises that need to collaborate, regardless
    of their sector
  • Common issues include business models, legal
    models, LOA and attributes, sustainability of
    soup
  • Overlapping memberships and policy differences
    create lots of complexity in user experience,
    membership models, business models, etc.
  • One workshop in, so far
  • https://spaces.internet2.edu/display/FederationSoup/Home

18
Liberty Alliance
  • A locus for federation discussions
    • eGov
    • IAAF
    • New Interfed SIG soon to start
      • Dealing with policy aspects of Interfed
      • Reaching out across sectors
  • Trying to walk the walk as well: multifederated
    wiki for discussions

19
International federations
  • More than 25 national federations
  • Several countries at 100% coverage, including
    Norway, Switzerland, Finland; communities served
    vary somewhat by country, but all are
    multi-application and include HE
  • UK intends a single federation for HE and Further
    Education: tens of millions of users
  • EU-wide identity effort now rolling out: IDABC
    and the Stork Project (www.eid-stork.eu)
  • Key issues around EU Privacy and the EPTID
  • Some interfederation: Kalmar Union and US-UK

20
REfeds meeting
  • Utrecht, Dec 4-5
  • All federations reporting tipping point phenomena
  • Key issues include building the business,
    communities served, attribute development,
    interfederation, application integration, working
    with Liberty Alliance, international privacy, etc.
  • Integration with e-Science, CLARIN, etc.
  • http://www.terena.org/activities/tf-emc2/meetings/12/index.html

21
Next Steps for the R&E federation community
  • Learning the business of federation - REfeds
  • Attributes redux - ?
  • LOA - Liberty IAAF
  • Application enablement - MACE, TF-EMC2, etc.
  • Short-term metadata aggregation - ?
  • Long-term dynamic metadata development - EMC2
  • EGov - Liberty eGov SIG
  • Support of virtual organizations and
    collaborations - REfeds
  • Outreach to emerging R&E feds - REfeds
  • Outreach to other sectors - Liberty

22
More next steps
  • Federated operator practices standards - Liberty
    (but where?)
  • Common member-federated operator agreement -
    IETF/ISOC
  • Common member operational practices statement -
    IETF/ISOC
  • Interfederation - Liberty Interfed SIG
  • Technical common standards - EMC2
  • Attribute mapping, attributes into English,
    standard approaches to InfoCard, uApprove, etc.

23
Collaboration and Federated Identity
  • Two powerful forces being leveraged:
    • the rise of federated identity
    • the bloom in collaboration tools, most
      particularly in the Web 2.0 space but including
      file shares, email list procs, etc.
  • Collaboration management platforms provide
    identity services to domesticated applications
    that externalize their identity management
    dimensions to a general identity/group/privilege/
    etc. repository (LDAP, MySQL, etc.)
  • Results in user- and collaboration-centric
    identity, not tool-based identity
  • COmanage is a collaboration management platform,
    supported in part by an NSF OCI grant, being
    developed by the Internet2 community, with
    Stanford as a lead institution

24
COmanage
  • COmanage can provide authentication and
    authorization services (group membership,
    privilege management, etc) to apps
  • Domesticated applications currently include wiki,
    listproc, Jira, Subversion, Alfresco. Soon to
    add audioconferencing, IM and chat rooms, EC2,
    Fedora, web-based file share, etc.
  • Can be launched as an image in the Amazon cloud.
  • Not collaboration in a box. More collaboration
    in a fully permeable membrane. The stand-alone
    can be readily replumbed to be completely
    integrated into enterprise, federated or other
    attribute ecosystems as they develop
  • Uses Shibboleth and Grouper and

25
Integration with Open Source Efforts
  • Federated versions of Fedora and DSpace abound;
    domesticated versions to come
  • Sakai, Moodle, etc. also federated
  • Kuali and Rice/KIM are under active discussion
  • Asterisk, Openwiki, other collaboration tools