Capstones: Internet Identity Begins to Bridge the Gaps · 2017-05-30
TRANSCRIPT
Capstones: Internet Identity Begins to Bridge the Gaps
Ken Klingenstein, Internet2
Topics
• What is Internet identity
• What are the successes
• Addressing the gaps
  – Stabilizing the software and standards – TIER
  – Expanding federation and starting interfederation
  – Bridging social and organizational identity
  – Developing a set of incident handling approaches
  – Solving the attribute release and consent challenges
• What a mature Internet identity world might look like
Internet identity
• Has evolved as a layer of the Internet over the last 20 years, providing users with the ability to authenticate and get access to resources around the world
• A mix of social, organizational and governmental identity providers, using PKI, SAML and OIDC protocols to carry payloads
  – Identity providers (IdP) and relying parties (RP)
  – Sovereign identity advocates persist
• A mix of assurance levels, from unknown to very high
• The payload of the assertions – attributes and claims (Boolean values) – are the most important component, for privacy, accessibility, access control, etc.
Kim Cameron’s Laws of Identity
Successes
• Federated identity as a paradigm
  – Dramatic growth within R&E and other sectors
  – Now the operational model in governments around the world
  – Has become, with variants, the Internet Identity layer
• Multifactor authentication
• Internationalization
  – Working with privacy and security differences
  – Working with cultural and societal differences
• Initial integration with social identities
Capstones – Addressing the Gaps
• Stabilizing the software and standards
• Growing federation and starting interfederation
• Bridging social and organizational identity
• Developing a set of incident handling approaches
• Solving the attribute release and consent challenges
Stabilizing the software and standards
• Key open source components of the software ensemble, such as Shibboleth and Jagger (the most common federation metadata manager), are inadequately supported
• TIER is an Internet2 effort in trust and identity to leverage previous work into a sustainable set of basic but sufficient components to run campus IAM
  – Includes Shibboleth, Grouper, Comanage, attribute release and consent, provisioning, etc.
  – Trust and Identity includes management of community standards such as eduPerson, Baseline Practices, etc.
• Organizations such as Kantara and IETF are being used to distill interoperability specs about federated metadata, the move to dynamic metadata, etc.
Growing federation and starting interfederation
• K-12 Steward Program
  – Allows members to register and manage local organizations in InCommon, serving K-12, local non-profits, etc.
  – A scaling extension of the trust model that must be managed very carefully
• Baseline Practices being adopted
  – So that you can count on your federated partners
  – Some ops thoughts (key rollover, software patches, etc.)
  – Some IdM thoughts (identifiers)
• eduGAIN - International interfederation
  – 40+ countries, 2500 IdPs and thousands of Relying Parties
  – Addressing current stresses
    • Metadata size – driving the need for dynamic metadata and metadata query
    • Semantic and syntactic differences – names, affiliations, etc.
    • GDPR and international privacy laws
Bridging Social and Organizational Identity
• Social2SAML and SAML2Social Gateways
  – Allows students, their parents, the public, citizen scientists, etc. access to organizational resources
• Raises lots of devils in the details
  – Identity proofing, authentication strength, etc.
  – Identifier discrepancies – in format and policy
• Building federations that include OpenID Connect
  – OpenID intended for bi-lateral relationships
  – Multi-lateral R&E SAML federations designing infrastructure to add richer trust, identifier mappings, etc.
Incident handling
• In a federated world, a critical need to exchange identity security information in a trustworthy fashion among partners.
  – Account take-over in the social world; password recovery impacts
  – Federated logout
  – Malfunctioning software, e.g. the ORCID incident
  – Account compromise at IdP
• Several efforts developing elements to improve incident handling
  – SIRTFI
    • CERN-initiated trustmark for security contacts, timely responses, etc.
  – The sec-event work within IETF
    • JSON token and a variety of transports to communicate identity events (password reset, account takeover, etc.)
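As an added example (not from the slides, nor code from Internet2 or the IETF), the sec-event idea above in stdlib Python: an IdP builds a Security Event Token in the RFC 8417 shape announcing a credential-change event, and a relying party verifies signature, type, audience and freshness before acting on it. The shared HMAC key and the RISC-style event-type URI are assumptions for illustration.

```python
import base64, hashlib, hmac, json, time, uuid

# Assumed shared HMAC key for the example; real SET transmitters would use
# asymmetric keys published to receivers (not something the slides specify).
SHARED_SECRET = b"constructed-example-secret"
# Event type identifier in the RISC style; treated here as an illustrative URI.
CRED_CHANGE = "https://schemas.openid.net/secevent/risc/event-type/account-credential-change-required"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def build_set(issuer, audience, subject_iss, subject_sub, event_type, secret, now=None):
    """Transmitter side: build a SET (RFC 8417 claims) signed as an HS256 JWT."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {
        "iss": issuer, "aud": audience, "iat": now, "toe": now, "jti": str(uuid.uuid4()),
        "events": {event_type: {"subject": {"subject_type": "iss-sub",
                                            "iss": subject_iss, "sub": subject_sub}}},
    }
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_set(token, expected_aud, secret, max_age=600, now=None):
    """Receiver side: check signature, typ, audience and freshness; return the events claim."""
    h64, p64, s64 = token.split(".")
    expected = hmac.new(secret, (h64 + "." + p64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    header = json.loads(_b64url_decode(h64))
    if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
        raise ValueError("not an HS256 security event token")
    payload = json.loads(_b64url_decode(p64))
    if payload.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    now = int(time.time()) if now is None else now
    if now - int(payload.get("iat", 0)) > max_age:
        raise ValueError("stale event")
    events = payload.get("events")
    if not isinstance(events, dict) or not events:
        raise ValueError("missing events claim")
    return events
```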
The ORCID incident
• Two IdPs (out of 2000) discovered to be misconfigured and potentially compromising trust by leaving a door open that could allow a user to claim another’s scholarly record.
• There was no known compromise, but the event exposed a set of gaps in process.
  – IdP federated integrity testing
  – Event notification from IdP
  – Responsibilities of federation operator, interfederation operator and campus IdP not understood.
  – Measured response mechanisms by relying parties
• An interesting, and overdue, opportunity to mature
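An added example, not from the slides: one concrete form of the "IdP federated integrity testing" gap above, and of the identifier discrepancies noted on the social/organizational slide, is a relying party checking that scoped identifiers such as eduPersonPrincipalName carry a scope the asserting IdP actually owns in federation metadata, so a misconfigured IdP cannot assert another institution's users. The federation registry and attribute values are constructed, and this is not a statement of the ORCID incident's root cause.

```python
import re
from dataclasses import dataclass

@dataclass
class IdPMetadata:
    entity_id: str
    scopes: set  # shibmd:Scope values registered for this IdP in federation metadata

# Constructed federation registry for the example; not real entities.
FEDERATION = {
    "https://idp.example.edu/idp": IdPMetadata("https://idp.example.edu/idp", {"example.edu"}),
    "https://sso.other.ac.uk/idp": IdPMetadata("https://sso.other.ac.uk/idp", {"other.ac.uk", "cs.other.ac.uk"}),
}
# Attributes whose value carries a scope after '@' (eduPerson schema)
SCOPED_ATTRS = {"eduPersonPrincipalName", "eduPersonScopedAffiliation"}
SCOPED_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+)$")

def check_scoped_attribute(issuer, name, value):
    """Return (ok, reason); reject scoped values whose scope the asserting IdP does not own."""
    if name not in SCOPED_ATTRS:
        return True, "unscoped attribute"
    m = SCOPED_RE.match(value)
    if not m:
        return False, "malformed scoped value"
    scope = m.group(1).lower()
    idp = FEDERATION.get(issuer)
    if idp is None:
        return False, "issuer not in federation metadata"
    if scope not in {s.lower() for s in idp.scopes}:
        return False, "scope " + scope + " not registered to " + issuer
    return True, "scope verified"

def filter_assertion(issuer, attributes):
    """Keep only values that pass the check; return (kept attributes, findings for the security log)."""
    kept, findings = {}, []
    for name, values in attributes.items():
        good = []
        for value in values:
            ok, reason = check_scoped_attribute(issuer, name, value)
            if ok:
                good.append(value)
            else:
                findings.append((name, value, reason))
        if good:
            kept[name] = good
    return kept, findings
```

A relying party that links an identity to a record (as ORCID does) should only do so on an identifier that survives this filter, and each finding is worth forwarding to the federation operator.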
Solving attribute release and consent challenges
• Attribute release has proven to be an unexpected challenge
  – (Over-)Protective data stewards
  – Lack of consent infrastructure
  – Primitive policy management tools
• Policies and practices vary widely
  – European policies inconsistent; GDPR changes everything
  – Trustmarks such as R&S have limited success
  – Social apps incent bad privacy
• Hub-and-spoke federations and homogeneous countries do better
Scalable Consent
• Components to create a scalable consent experience and infrastructure
  – An infrastructure that delivers the capabilities and the information to allow users and administrators to manage their attribute release from their identity provider at scale
  – A user interface that enables a user to make effective and informed decisions about attribute release
  – Tools for an enterprise to manage that user experience
• Catalyzed by an NSTIC grant from NIST, becoming part of the TIER suite
• Website
  – https://spaces.internet2.edu/display/ScalableConsent/Scalable+Consent+Home
CARMA
[Diagram: CARMA components – Next-gen UI; Enterprise Management Console; Attribute Source; Consent-informed Attribute Release Manager (CARMA); Attribute Release Policy Service For Institutions (ARPSI); Consent Event records; Consent Policy Service For Users (COPSU); IdP TOSP; User; Informed Content Manager]
Informed Content
• The fuel that drives effective and informed user consent decisions
• Limited, though extensible, sets of marks, assessments, policies, etc. that are part of the UX
  – Icons for IdP and SP
  – SP’s Required and Optional Attribute Needs
  – Display-names and display-values for attributes
  – Trustmark information
  – Explanatory application-specific dialogue boxes (e.g. why an attribute is needed)
  – Privacy and third-party use policy pointer
  – Additional information feeds
• Vetted, self-asserted, reputation systems, etc.
• Far-reaching insights - https://arxiv.org/abs/1608.05661
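An added example (not CARMA's own code) that ties together the Scalable Consent components, the CARMA diagram (ARPSI institutional policy, COPSU user choices, consent event records) and the SP's required versus optional attribute needs listed above: a release decision that applies institutional policy first, then the user's consent choices, releases nothing when a required attribute is withheld, and records a consent event for audit. Policy values, attribute names and the SP entity are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass
class SPNeeds:
    """Constructed view of an SP's RequestedAttribute list (isRequired vs optional)."""
    entity_id: str
    required: set
    optional: set

@dataclass
class Decision:
    released: dict
    blocked: bool
    consent_event: dict

# ARPSI-style institutional policy (constructed): '*' applies to every SP, plus per-SP allowances.
INSTITUTION_POLICY = {
    "*": {"eduPersonScopedAffiliation", "eduPersonTargetedID"},
    "https://sp.example.org": {"mail", "displayName", "eduPersonPrincipalName"},
}

def institution_allows(sp_id, attr):
    return attr in INSTITUTION_POLICY.get("*", set()) | INSTITUTION_POLICY.get(sp_id, set())

def decide_release(user_attrs, sp, user_consent, now=None):
    """Combine SP needs, institutional policy and the user's COPSU-style choices.

    user_consent maps attribute name -> True/False as chosen in the consent UI;
    anything not explicitly consented is withheld (data minimization)."""
    now = now or datetime.now(timezone.utc)
    candidate = (sp.required | sp.optional) & set(user_attrs)  # only what the SP declared
    released, denied = {}, []
    for attr in sorted(candidate):
        if not institution_allows(sp.entity_id, attr):
            denied.append((attr, "institution policy"))
        elif not user_consent.get(attr, False):
            denied.append((attr, "user withheld"))
        else:
            released[attr] = user_attrs[attr]
    missing_required = sorted(sp.required - set(released))
    blocked = bool(missing_required)  # SP cannot function: release nothing, let the UI explain
    event = {"sp": sp.entity_id, "time": now.isoformat(), "released": sorted(released),
             "denied": denied, "missing_required": missing_required,
             "outcome": "blocked" if blocked else "released"}
    return Decision({} if blocked else released, blocked, event)
```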
Getting the right user experience
• ”You are what you release”
• Blind clickthrough is not the goal; an informed and effective decision is.
  – Good first-time dwell experience; good further suppression or revocation options
• Original next-gen interface designed by CMU researchers in Usable Privacy
• Adapted and enhanced by Duke UI/UX group with iterative user testing
  – http://people.duke.edu/~mkm16/projects/consent/
• Some surprising results
  – Users understand what’s happening
  – In both US and European testing, users show some interest in controlling consent
CARMA opening up new capabilities
• Consistent, informed user experience across a variety of platforms and protocols
• Integration of institutional and individual attributes
  – Location
  – Emergency contact and medical information
  – Personal schedules
• Teaching students how to manage their privacy
  – Well-designed approaches appear to be well-received
  – By shaping their expectations, we help them shape a marketplace
• Providing new options for accessibility
  – Accessibility with Privacy
Where we’re headed
• Users have informed and effective tools for managing their identities and attribute release preferences
• Applications become attribute-aware and implement privacy strategies such as data minimization and targeted opaque identifiers
• Identity providers operate schema and business processes to support rich user attribute information, including citizen and accessibility needs, and adopt identity portability approaches for creating a marketplace
• Trustmarks provide users with valuable information in making content, and trustmark issuers use standard audit approaches for validating mark holders