Identity Management Standards from OASIS - PowerPoint PPT Presentation

Loading...

PPT – Identity Management Standards from OASIS PowerPoint presentation | free to download - id: 1a4aa2-ZDc1Z



Loading


The Adobe Flash plugin is needed to view this content

Get the plugin now

View by Category
About This Presentation
Title:

Identity Management Standards from OASIS

Description:

The Open Group, Boundaryless Information Flow. San Francisco, 24 ... Anything else is to some extent proprietary: This is a policy distinction, not a pejorative ... – PowerPoint PPT presentation

Number of Views:25
Avg rating:3.0/5.0
Slides: 39
Provided by: patrick5
Category:

less

Write a Comment
User Comments (0)
Transcript and Presenter's Notes

Title: Identity Management Standards from OASIS


1
Identity Management Standards from OASIS
  • Patrick Gannon
  • President CEO

Architecting Identity Management The Open Group,
Boundaryless Information Flow San Francisco, 24
January 2005
2
Open Standards for Identity Management
  • Future Shock De-perimiterization
  • Why do standards matter?
  • What is a standard how can you tell?
  • Key directions in Web Services Standards
  • What your company can do

3
Businesses have to deal with Future Shock daily!
4
Orderly business systems suffer
5
De-perimiterization
6
A smooth sailing business environment is
transformed
7
Into a fight for your business survival
8
Its enough to make you want to
9
Why then do standards matter?
10
Why do standards matter for e-business?
  • Businesses require expansion of the value chain
    into unlimited, de-perimiterized extranets
  • Support of multiple platforms is a business
    necessity
  • Must support multiple languages, taxonomies,
    semantics and business processes
  • But
  • Normalizing data, processes and users costs time
    and money

11
Why do standards matter?Risk Reduction for
e-commerce
12
Without standards, a technology cannot become
ubiquitous, particularly when it is part of a
larger network. The Economist, 8 May 2003
13
What is a standard and how can you tell?
14
What is a Standard?
  • Anything that a vendor publishes? Or on which a
    few vendors agree?
  • They may be specifications
  • Some call them de facto standards
  • But they are not necessarily open standards
  • Open standards are distinguishable
  • Published, clear rules
  • Level playing field with public input
  • Transparent operations
  • Transparent output

15
Whats an Open Standard?
  • An open standard is
  • publicly available in stable, persistent versions
  • developed and approved under a published process
  • open to input public comments, public archives,
    no NDAs
  • subject to explicit, disclosed IPR terms
  • Anything else is to some extent proprietary
  • This is a policy distinction, not a pejorative
  • See the US, EU, WTO governmental regulatory
    definitions of standards

16
Regulatory mandates for standards
  • Increasingly, it matters to government buyers,
    users and regulators whether standards are real
    standards.
  • WTO Technical Barriers to Trade Agreement, Annex
    3
  • http//www.wto.org/english/docs_e/legal_e/final_e.
    htm.
  • National criteria, such as in the U.S. govt
  • http//www.whitehouse.gov/omb/circulars/a119/a119.
    html.
  • These rules focus on desirable process
    attributes public process, public archives,
    open to comment without NDA or non-compete
    restrictions, etc.

17
  • OASIS is a member-led, international non-profit
    standards consortium concentrating on structured
    information and global e-business standards
  • Members of OASIS are
  • Vendors, users, academics and governments
  • Organizations, individuals and industry groups
  • Best known for e-business security standards
    such as
  • UDDI
  • SAML
  • ebXML
  • WS-Security
  • WSRP
  • WSRM
  • SPML
  • XACML
  • UBL

18
Standards Adoption
  • To be successful, a standard must be used
  • Adoption is most likely when the standard is
  • Freely accessible
  • Meets the needs of a large number of adopters
  • Flexible enough to change as needs change
  • Produces consistent results
  • Checkable for conformance, compatibility
  • Implemented and thus practically available
  • Sanction and Traction both matter

19
Traction
XML W3C
SOAP v1.1
SOAP v1.2 W3C
Market Adoption
WSDL v1.1
WSDL v1.2 W3C
ISO 15000
ebXML(x4) OASIS
WS-Security
WSS OASIS
UDDI v2,3 OASIS
UDDI v2,3 UDDI.org
SGML ISO
BPEL4WS
WS-BPEL OASIS
Proprietary
JCV
Consortia
SDO
Sanction
Open Standardization
20
Formula for Sustainable Standards
Traction
XML W3C
ebXML ISO 15000
SOAP v1.1
SOAP v1.2 W3C
Market Adoption
ebXML x4 OASIS
WSDL v1.1
WSDL v1.2 W3C
WS-S v1.0
WSS OASIS
UDDI v2,3 OASIS
UDDI v2,3 UDDI.org
SGML ISO
BPEL4WS
WS-BPEL OASIS
Proprietary
JCV
Consortia
SDO
Sanction
Open Standardization
21
Key Directions in Security Standards for Web
Services
22
Web Services Security
23
CAM
ASAP, BTP, ebXML-BP, WSBPEL, WSCAF
WSDM, WSRF, WSN
DSML, RLTC, XACML, SPML
DSS, PKI, SAML, WSS, XCBF
Common language (XML)
Common transport (HTTP, etc.)
24
Web Services security
  • Most e-business implementations require a
    traceable, auditable, bookable level of assurance
    when data is exchanged
  • IT operations demand transactional level of
    reliable functionality, whether its an economic
    event (booking a sale) or a pure information
    exchange
  • Dealings between divisions often need security
    and reliability as much as deals between companies

25
Security function by function
  • Identity authentication
  • Encryption and protection against interception
  • Control of access and authority

26
Identity authentication
  • The latest e-business security standards
    implement the next generation of identity
    deployment
  • In the 1990s, PKI assumed a universal network of
    official certification authorities
  • Newer federated / distributed identity models
    permit identity certification to be decentralized
    and shared among service providers and existing
    registrars
  • SAML
  • WS-Security
  • XCBF

27
Identity authentication
  • SAML
  • (Security Assertion Markup Language )
  • A standard way to convey identity and
    authorization data
  • Winner of PC Magazines Technology Excellence
    Award in 2002 and Digital ID World 2003 award for
    innovation in 2003
  • SAML 1.0 approved as an OASIS Standard in Nov.
    2002 SAML 1.1 in Aug. 2003
  • SAML 2.0 approved as Committee Draft in Dec.
    2004 OASIS Standard in Q1 2005

28
Identity authentication
  • WS-Security
  • (Web Services Security)
  • The standard method for attaching security data
    to a web services message
  • Wide support in web services tool-making
  • Profiles (modules) completed for
  • Username-token/ password pairs
  • X.509 PKI
  • SAML
  • Rights expression languages
  • WS-Security 2004 1.0 suite approved as an OASIS
    Standard in April 2004

29
Identity authentication
  • XCBF
  • (eXtensible Common Biometric Format)
  • Method for conveying biometric identity data such
    as retina scans and fingerprints
  • Coordinated with other world efforts, including
    ITU-T standards and the ANSI X9.84 banking
    industry biometrics initiative
  • Expect to see more tools and devices commercially
    deployed soon
  • XCBF 1.1 approved as an OASIS Standard in August
    2003

30
Encryption and protection against interception
intrusion
  • A key problem with encrypted messages travelling
    over a shared or public network if you encrypt
    the wrong bits, it doesnt arrive, or the
    recipient cant process it
  • Shared and automated methods for managing
    security require a shared vocabulary about
    security weaknesses and risks
  • DSS
  • PKI TC
  • AVDL
  • WAS

31
Encryption and protection against interception
intrusion
  • DSS
  • (Digital Signature Services)
  • Develop methods for processing production and
    consumption of digital signatures
  • Project underway
  • PKI TC
  • (Public Key Infrastructure Technical Committee)
  • Promotion and research regarding industry use of
    PKI digital signatures and practical obstacles to
    deployment
  • Project underway

32
Encryption and protection against interception
intrusion
  • AVDL
  • (Application Vulnerability Description Lang.)
  • Uniform method for describing appl. security
    vulnerabilities
  • AVDL 1.0 approved as an OASIS Standard in May 2004
  • WAS
  • (Web Application Security)
  • Threat model and classification scheme for web
    security vulnerabilities
  • WAS 1.0 is under development
  • Network Magazine started a petition campaign to
    support wide deployment of AVDL and WAS
    http//www.networkmagazine.com/watchdog/avdl.jhtml

33
Control of access and authority
  • In transactional information exchanges, you often
    must apply
  • access lists,
  • directories of recipients,
  • levels of authority, and
  • access policies
  • So that you know who gets what, and who should
    get it
  • XACML
  • SPML

34
Control of access and authority
  • SPML
  • (Service Provisioning Markup Language)
  • Disseminates and leverages directories and access
    lists, such as employee authorizations
  • Demoed at Burton Catalyst 2003 in SF
  • SPML 1.0 approved as OASIS Standard Nov. 2003
  • XACML
  • (Digital Signature Services)
  • Method for conveying and applying data access
    policies controls
  • Demoed at XML2003 in Philadelphia
  • XACML approved as OASIS Standard
  • v1.0 in Feb. 2003
  • v2.0 in Sep. 2004
  • Role-based access profile issued May 2004

35
What should your company be doing?
36
Reducing Risk in new e-business technologies
  • Avoid reinventing the wheel
  • Stay current with emerging technologies
  • Influence industry direction
  • Ensure consideration of own needs
  • Realize impact of interoperability and network
    effects
  • Reduce development cost time
  • save development on new technologies
  • share cost/time with other participants

37
What can my company do?
  • Participate
  • Understand the ground rules
  • Contribute actively
  • Or
  • Be a good observer
  • In any case
  • Make your needs known
  • Use cases, functions, platforms, IPR,
    availability, tooling
  • Be pragmatic standardization is a voluntary
    process

38
Identity Management Standards from OASIS
  • Patrick Gannon
  • President CEO
  • OASIS

Patrick.Gannon_at_oasis-open.org
About PowerShow.com