Middleware, Ten Years In: Vapority into Reality into Virtuality
Dr. Ken Klingenstein, Senior Director, Middleware and Security, Internet2
Technologist, University of Colorado at Boulder
Topics
• Middleware, Ten Years In
• From Vapor to Reality
• Some of the successes
• Some of the failures
• Middleware, Ten Years Forward
• From Reality to Virtuality
• Organizations
• Resources
• Communities
• From Virtuality back to Reality
First Vapors
• When end-user PKI was months away…
• When the big application houses didn’t care about middleware
• We knew it was something about authentication and authorization
• We couldn’t agree about much – payloads or protocols or spelling
Filling out the portfolio
Directories
Authentication
Groups
Privileges
Authorization
Federation
(slide diagram: the portfolio stack of Authentication, Directories and Federation)
COmanage
(slide diagram: the same stack of Authentication, Directories and Federation, with COmanage added)
Vapors become Reality
• When end-user PKI was months away…
• When the big application houses care so much they have to own it
• Middleware as the new lock-in point
• Federation as identity infrastructure and attributes as the payloads
• IdM not a local industry anymore
Some of the successes
• Building a fundamental new layer of Internet infrastructure
• Engaging a broad and growing international group of expertise
• Crafting a larger world that works for the R&E needs
• Proving that security and privacy can work together
More successes
• Focusing on the schema early on
• Coming together around SAML, and getting the rest of the world to come along…
• Working towards scaling (rough consensus and running code)
• Seeing parts of other worlds
Some of the failures
• The directory of directories…
• End-to-end end-user PKI
• Establishing resources to support the infrastructure
• Diagnostics
• The rest of the middleware stack
Middleware, Ten Years Forward
• Working on Attributes and Federation
• Growing our federations
• Interfederation and Soup
• The Attribute Ecosystem
• Learning the Tao of Attributes
• Building and Managing the Virtual
• Integration, Integration, Integration
Growing our Federations
• Deciding on the services
• Core services – identity/attributes for access controls
• Value added services – content aggregation, roaming, PKI and SSL services, collaboration platforms, Silver (the InCommon Silver assurance profile)
• Finding the business models
• Finding the governance structures
• Making a marketplace
Interfederation and Soup
• Interfederation essential to scale
• Across vertical sectors
• Internationally
• To the consumer marketplace
• Confederation and Overlays will also exist
• Soup
• Institutional groups that cut across segments – geography, shared business purpose, etc.
• Mix of special purpose and infrastructure federations, tangled together
Attribute ecosystem use cases…
Obtaining student consent for information release
FEMA needing first responders attributes and qualifications dynamically
High-confidence attributes
Access-ability use cases
AAMC step-up authentication possibilities
Public input processes
Grid relying parties aggregating VO and campus
The “IEEE” problem
The “over legal age” and the difference in legal ages use cases
Self-asserted attributes – friend, interests, preferences, etc
Attribute Ecosystem Key Issues
• Attribute Aggregation
• Attribute Metadata
• Sources of authority and delegation
• Schema management, mapping, etc.
• User interface
• Privacy and legal issues
Attribute aggregation
• Gathering attributes from multiple sources
• From one IdP or several IdPs
• From other sources of authority
• From intermediaries such as portals
• Static and dynamic acquisition
• Many linking strategies
• Will require a variety of standardized mechanisms – bulk feeds, user activated links, triggers
Attribute metadata
• Federated attributes need common meaning
• Representation of meaning
• At a system level
• At a user level
• LOA associated with the value assigned
• “Code+data equals programs”
• LOA itself faces “re-interpretations”
• Separation of components of LOA
• Use of “step-up” authentication
Sources of authority
• Who gets to assign semantics (and syntax) to an area?
• How can they delegate assignment of value?
• What needs to be retained for audit and diagnostics?
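The three slides above (attribute aggregation, attribute metadata with value-level LOA and step-up, and sources of authority with delegation and audit) describe one mechanism, and it is easier to reason about in code. The following is an added example, not code from this presentation or from any Internet2 project: an aggregator that accepts an attribute value only when its source is registered as authoritative for that attribute, or has been delegated that right by an authority, and records every accept and reject for audit; and a relying-party decision that keeps the LOA of an attribute value separate from the LOA of the authentication event, so that a weak login behind adequately assured attributes yields "step-up" rather than "deny". The entity IDs, the "voMember" attribute, the 1..4 LOA scale and the policy thresholds are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class AttributeValue:
    name: str                           # attribute name, e.g. "eduPersonAffiliation"
    value: str
    source: str                         # entityID of the source of authority asserting it
    loa: int                            # assurance of this value (assumed 1..4 scale)
    delegated_by: Optional[str] = None  # authority that delegated the assignment, if any


class AuthorityRegistry:
    """Which sources may assign values for each attribute, and whom they have delegated to."""

    def __init__(self) -> None:
        self.authorities: Dict[str, Set[str]] = {}
        self.delegations: Dict[Tuple[str, str], Set[str]] = {}  # (attr, delegator) -> delegates

    def register(self, attr: str, source: str) -> None:
        self.authorities.setdefault(attr, set()).add(source)

    def delegate(self, attr: str, delegator: str, delegate: str) -> None:
        # Only a registered authority for an attribute can delegate its assignment.
        if delegator not in self.authorities.get(attr, set()):
            raise ValueError(f"{delegator} is not authoritative for {attr}")
        self.delegations.setdefault((attr, delegator), set()).add(delegate)

    def is_authoritative(self, v: AttributeValue) -> bool:
        if v.delegated_by is None:
            return v.source in self.authorities.get(v.name, set())
        return v.source in self.delegations.get((v.name, v.delegated_by), set())


@dataclass
class Aggregate:
    subject: str
    values: List[AttributeValue] = field(default_factory=list)
    audit: List[dict] = field(default_factory=list)


def aggregate(subject: str, registry: AuthorityRegistry, *feeds) -> Aggregate:
    """Merge values from several feeds (home IdP, VO registry, portal), keep only those whose
    source is authoritative for that attribute, and record every accept/reject for audit."""
    agg = Aggregate(subject)
    for feed_name, values in feeds:
        for v in values:
            ok = registry.is_authoritative(v)
            agg.audit.append({"feed": feed_name, "attr": v.name, "value": v.value,
                              "source": v.source, "loa": v.loa, "accepted": ok})
            if ok:
                agg.values.append(v)
    return agg


@dataclass
class Policy:
    required: Dict[str, Tuple[str, int]]  # attr -> (required value, minimum LOA of that value)
    min_authn_loa: int                    # minimum LOA of the authentication event itself


def decide(agg: Aggregate, policy: Policy, authn_loa: int) -> Tuple[str, str]:
    """Return ('permit' | 'step-up' | 'deny', reason). Value LOA and authentication LOA are
    judged separately: a weak login behind adequate attributes is a step-up case, while a
    missing or under-assured attribute is a deny, since re-authenticating cannot fix it."""
    for attr, (want, min_loa) in policy.required.items():
        best = max((v.loa for v in agg.values if v.name == attr and v.value == want), default=None)
        if best is None:
            return "deny", f"{attr}={want} not asserted by an authoritative source"
        if best < min_loa:
            return "deny", f"{attr}={want} asserted at LOA {best}, policy needs {min_loa}"
    if authn_loa < policy.min_authn_loa:
        return "step-up", f"authentication at LOA {authn_loa}, policy needs {policy.min_authn_loa}"
    return "permit", "required attributes present at sufficient LOA"


# Constructed entity IDs and feeds for the worked scenario (assumptions, not real services).
CAMPUS = "https://idp.campus.example/idp"
VO_REGISTRY = "https://registry.vo.example"
VO_PORTAL = "https://portal.vo.example"
ROGUE = "https://portal.elsewhere.example"


def sample_aggregate() -> Aggregate:
    reg = AuthorityRegistry()
    reg.register("eduPersonPrincipalName", CAMPUS)
    reg.register("eduPersonAffiliation", CAMPUS)
    reg.register("voMember", VO_REGISTRY)
    reg.delegate("voMember", VO_REGISTRY, VO_PORTAL)  # registry lets the VO portal assign membership
    idp_feed = ("campus IdP", [
        AttributeValue("eduPersonPrincipalName", "kk@campus.example", CAMPUS, loa=3),
        AttributeValue("eduPersonAffiliation", "faculty", CAMPUS, loa=3)])
    portal_feed = ("VO portal", [
        AttributeValue("voMember", "climate-vo", VO_PORTAL, loa=2, delegated_by=VO_REGISTRY)])
    rogue_feed = ("unknown portal", [  # claims a high LOA but holds no authority: rejected
        AttributeValue("voMember", "climate-vo", ROGUE, loa=4)])
    return aggregate("kk@campus.example", reg, idp_feed, portal_feed, rogue_feed)


POLICY = Policy({"eduPersonAffiliation": ("faculty", 2), "voMember": ("climate-vo", 2)}, min_authn_loa=2)
STRICT_POLICY = Policy({"voMember": ("climate-vo", 3)}, min_authn_loa=2)
```

The point of the audit list is the slide's diagnostics question: the rejected value from the unknown portal is kept in the trail with its claimed LOA, so a relying party can later explain why a user was denied without having to trust the rejected assertion.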
Schema management, mappings
• Registries for schema
• Role of national level schema
• How to avoid mappings
• How to handle mappings
User Interface
• “It’s the attributes, urn:mace:incommon:entitlement:clue:zero”, deprecated…
• Needs include translation of OIDs to English, informing the user of the consequences of a release decision, recording consent, and getting the defaults right so that this interface is seldom used
• Metaphors such as Infocard are useful, but will need extensions and utilization
Privacy management
• Two approaches emerging
• uApprove
• http://www.switch.ch/aai/support/tools/uApprove.html
• InfoCard/Higgins
• Who sets attribute release policies? Who overrides the settings? What logs are kept?
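The Schema management, User Interface and Privacy management slides above describe one IdP-side flow: a release policy decides what may go to a service provider, the consent screen shows it in plain language, and the decision is recorded. The following is an added example, not uApprove's or Shibboleth's code: a default-deny release policy per service provider, a small schema registry that translates urn:oid attribute names into readable names and descriptions for the consent prompt, consent stored against a hash of the exact released values so the user is re-prompted only when the released set changes, and an audit log that records attribute names and the hash rather than the values. The OIDs are the standard ones for these eduPerson and LDAP attributes; the policy contents, the service-provider entity IDs, the user record and the re-prompt rule are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Standard SAML attribute names (urn:oid form) for common eduPerson/LDAP attributes, mapped
# to a short name and a plain-language description for the consent screen.
SCHEMA: Dict[str, Tuple[str, str]] = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ("eduPersonPrincipalName", "your login identifier at your home organization"),
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ("eduPersonScopedAffiliation", "your relationship to your home organization"),
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.7": ("eduPersonEntitlement", "specific rights your organization says you hold"),
    "urn:oid:0.9.2342.19200300.100.1.3": ("mail", "your e-mail address"),
    "urn:oid:2.16.840.1.113730.3.1.241": ("displayName", "your name as shown to others"),
}


def describe(oid: str) -> Tuple[str, str]:
    """Translate an attribute OID to (name, description); unregistered OIDs are shown as-is."""
    return SCHEMA.get(oid, (oid, "an attribute with no registered description"))


@dataclass
class ReleasePolicy:
    """Default-deny release policy: per-SP allow lists plus attributes released to every SP."""
    default: List[str] = field(default_factory=list)
    per_sp: Dict[str, List[str]] = field(default_factory=dict)

    def allowed_for(self, sp: str) -> set:
        return set(self.default) | set(self.per_sp.get(sp, []))


def fingerprint(attrs: Dict[str, List[str]]) -> str:
    """Stable hash of the exact attribute set and values; consent is bound to this."""
    canon = json.dumps({k: sorted(v) for k, v in sorted(attrs.items())}, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


@dataclass
class ConsentService:
    policy: ReleasePolicy
    consents: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (user, sp) -> fingerprint
    audit: List[dict] = field(default_factory=list)

    def release(self, user: str, user_attrs: Dict[str, List[str]], sp: str,
                ask_user: Callable[[str, list], bool]):
        # 1. Policy filter first: the user is never asked about attributes policy would not release.
        allowed = self.policy.allowed_for(sp)
        candidate = {oid: vals for oid, vals in user_attrs.items() if oid in allowed}
        fp = fingerprint(candidate)
        # 2. Prior consent for exactly this set and these values: release without prompting.
        if self.consents.get((user, sp)) == fp:
            return self._log(user, sp, candidate, fp, "released", prompted=False)
        # 3. Otherwise prompt with OIDs translated and values shown, and record the answer.
        prompt = [(describe(oid)[0], describe(oid)[1], vals) for oid, vals in candidate.items()]
        if ask_user(sp, prompt):
            self.consents[(user, sp)] = fp
            return self._log(user, sp, candidate, fp, "released", prompted=True)
        return self._log(user, sp, {}, fp, "withheld", prompted=True)

    def _log(self, user, sp, released, fp, decision, prompted):
        # Log attribute names and the fingerprint, not values: the log answers "what was released
        # to whom" without becoming a second copy of the user's personal data.
        self.audit.append({"user": user, "sp": sp, "decision": decision, "prompted": prompted,
                           "attributes": sorted(describe(o)[0] for o in released), "fingerprint": fp})
        return released, decision


# Constructed policy and user record for the worked scenario (assumptions, not real services).
POLICY = ReleasePolicy(
    default=["urn:oid:1.3.6.1.4.1.5923.1.1.1.9"],  # scoped affiliation goes to every federation SP
    per_sp={"https://sp.library.example": ["urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
                                            "urn:oid:0.9.2342.19200300.100.1.3"]},
)
USER_ATTRS = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": ["kk@campus.example"],
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.9": ["staff@campus.example"],
    "urn:oid:0.9.2342.19200300.100.1.3": ["kk@campus.example"],
    "urn:oid:2.16.840.1.113730.3.1.241": ["Ken K."],  # never released: no allow list names it
}


def demo(approve: bool = True):
    """Two visits to the library SP, then one to an SP with no specific policy; returns
    the service (for its audit log) and the list of prompts the user actually saw."""
    svc = ConsentService(POLICY)
    prompts = []

    def ask(sp, prompt):
        prompts.append((sp, [name for name, _, _ in prompt]))
        return approve

    svc.release("kk", USER_ATTRS, "https://sp.library.example", ask)  # first visit: prompted
    svc.release("kk", USER_ATTRS, "https://sp.library.example", ask)  # same set: silent if approved
    svc.release("kk", USER_ATTRS, "https://sp.unknown.example", ask)  # default attributes only
    return svc, prompts
```

Binding consent to the fingerprint answers the "who overrides the settings" question in a narrow way: an administrator who widens the library SP's allow list does not silently widen the user's consent, because the next visit produces a new fingerprint and the user is prompted again.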
GSA Workshop: The Tao of Attributes (属性之道)
• Begin exploring the attribute issues
• Using federal use cases, including
• Citizenship, voting residency
• Access-abilities
• First responder capabilities
• PI-person
• Motivate the larger requirements, drive privacy policies
• Explore rich query languages, etc.
• All-star cast at the end of September at NIH
Virtuality
• Virtual Communities
• Virtual Machine Appliances
• Virtual Services
• Internet protocols with trust and identity
Virtual Communities
• A virtual enterprise that wants to play real well with real enterprises.
• Needs coordinated identity management for collaboration and domain tools
Virtual Machine Appliances
• Allows clueless groups and other VOs to handle collaborations
• Brilliant way to handle peak load requirements
• Vexing issues of application updates, coordination of configuration among apps, etc.
• Must fit fully in the attribute ecosystem and reshape themselves on need
Virtual Services
• Clouds as low-start-up, largely scalable cyber infrastructure
• Cycles, storage, collaboration
• Fits into the domestication paradigm
• Clouds as legally tangled, non-standard, confusing
• Location and ownership of data
• Ability to adapt to new protocols
• Proprietary cloud internals
Integration, Integration and Integration
• Of types of Internet identity
• Of identity with protocols
• Domestication of applications
Internet identity
• Federated identity
• Enterprise centric, exponentially growing, privacy preserving, rich attribute mechanisms
• Requires lawyers, infrastructure, etc.
• User centric identity
• P2P, rapidly growing, light-weight
• Marketplace is fractured; products are getting heavier to deal with privacy, attributes, etc.
• Unifying layers emerging – Cardspace, Higgins, OAuth
Integration
• Different forms of Internet identity will exist, serving different purposes, arising from different constituencies
• The trick is the intelligent integration of the technologies, at user and application level
• Cross-overs are happening
• Shib and OpenID
• SAML and high assurance PKI – holder of key
• Infocard/Higgins as an overarching user experience
• Federation and portal integration
Integration of identity and protocols
• Trust, Identity and the Internet - ISOC initiative to introduce trust and identity-leveraged capabilities to many RFC’s and protocols
• Acknowledges the assumptions of the original protocols about the fine nature of our friends on the Internet and the subsequent realities
• http://www.isoc.org/isoc/mission/initiative/trust.shtml
• First target area is DKIM; subsequent targets include federated calendaring and sharing, firewall traversal
Domestication of Applications
• Identity, groups, roles, privileges
• What else to integrate?
• At what layers to specify the integration?
• How to integrate across the layered domestication specifications
• How much domestication is too much?
Virtuality back into Reality
• Our use cases continue to lead the corporate sector
• Our needs are more urgent than they are different
• Our students become the new consumers
• The shared vision is more powerful than the individuals who share it
Final Thoughts
• Important, if somewhat invisible, work has been done
• There are significant opportunities ahead
• It's been a ride