Slides - TERENA Networking Conference 2008


Why the Identity messy-system sucks, and how to fix it.
Josh Howlett, JANET(UK)
TNC 2008, Bruges.
Overview
I. Why Identity matters
II. Origins of the Identity messy-system
III. Fixing it
I. Why Identity matters
An improbable perspective on Identity, inspired by Douglas Adams’ essay, the “Ages of Sand”.
1st – “Understanding big things”
2nd – “Understanding little things”
3rd – “Computing these things”
4th – “Connecting these things”
5th ?
II. Origins of the Identity messy-system
Why Protocol & Trust?
• Protocol
– Saying things about an Identity requires a common language.
• Trust
– Acting on what is said often requires trust in who said it and in what context.
• Consequently, it is often necessary to share a common understanding of protocol and trust.
II. Origins of the Identity messy-system
Protocols
Allopatric speciation in birds
Allopatric speciation in identity protocols
[Figure: the identity protocol stack, listing WS-Federation, OAuth, ID-WSF, SAML, ID-FF, OpenID, PGP, SASL, Infocard, LDAP, TLS, X509, NTLM, Kerberos, WS-Security, WS-Trust, DNSSec, VMPS, Diameter, RADSec, IKE, 802.11i, EAP, GSS-API, RADIUS and 802.1X.]
Deployments
Failure of geological strata
Failure of Identity protocol strata
1. Burden: for both users and admins.
2. Disconnect: phishing, SPAM, IP & MAC address spoofing, DHCP abuse, rootkits, social engineering, …
DHCP abuse
• IEEE gave us 802.1X
– Extensible media-independent security framework for network admission.
• IETF gave us DHCP
– No security
– RFC 3118 … but mostly useless.
II. Origins of the Identity messy-system
Trust
C17th – C20th trust
[Figure: a Letter of Introduction (an ‘Authentication assertion’) exchanged between the Human Resources offices of the University of Padua and the University of Pisa.]
Geography imposes friction
The network removes this friction
40 million users, a few hops away
1.3 billion users, a few more hops away
“But what if I only trust these people?”
What is ‘Trust’?
• ‘Technical trust’
– Message and/or end-point authentication and message integrity.
• ‘Behavioural trust’
– Real life is more complicated.
– ‘Trust is the belief in the good character of one party, presumed to seek to fulfil policies, ethical codes, law and their previous promises’ (Wikipedia)
‘Trust metrics’
                          Evidential                           Non-evidential
                          (Based on evidence)                  (Not based on evidence)
Experiential              eg. ID card, email white-list,       eg. belief in someone’s
(Based on experience)     firewall ACL, IM buddies,            good character, …
                          public phonebook, attributes …
Non-experiential          eg. gossip, web of trust,            eg. prejudice, leap-of-faith,
(Not based on experience) TNC/NEA, PKI …                       policy, contract, …
Trust fabrics
• Allow a community to share a common understanding of ‘trust’ within their community.
• Trust fabrics are assembled from ‘trust metrics’.
• Significant diversity, owing to:
– Many types of metrics.
– Different aims and objectives.
• Even R&E trust fabrics built from the same software can be quite different.
‘How do I love thee? Let me count the ways’
• Promiscuous federation (eg. OpenID)
– “I trust you because I trust everyone”
• Bilateral federation (eg. ‘conventional’ federated identity)
– “I trust you, and only you”
• Multilateral federation (eg. R&E Shibboleth federations)
– “I trust you because I trust him and he trusts you”
• Peering (eg. content providers trusting different R&E MLFs)
– “I trust you and you” (an org affiliated with two or more other MLFs)
• Leveraged federation (eg. Schools sector within UK federation)
– A sub-group within an MLF sharing some additional common policy.
• Inter-federation (eg. Kalmar Union, InCommon & NIH)
– An MLF peering with one or more other MLF(s)
• Confederation (eg. eduroam, eduGAIN)
– An MLF consisting of multiple MLFs.
• “Federation soup”
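The federation types listed above differ in where the relying party's trust comes from: a direct agreement, shared membership of a multilateral federation (MLF), a peering between MLFs, a confederation of MLFs, or a sub-group policy inside one MLF. The following is an added example, not part of the slides, that models those relationships as explicit sets and reports the grounds on which one organisation may trust another; every organisation, federation and policy name in it is a constructed placeholder, not a real federation.

```python
# Added example (not from the TNC 2008 slides): a small model of the federation
# types the talk enumerates, so the trust decision each one implies can be run.
# All organisation, federation and policy names are constructed placeholders.
from dataclasses import dataclass, field


@dataclass
class TrustFabric:
    """Relationships from which a relying party (rp) derives trust in an IdP."""
    promiscuous: set = field(default_factory=set)       # RPs that trust everyone
    bilateral: set = field(default_factory=set)         # {frozenset({rp, idp}), ...}
    mlf_members: dict = field(default_factory=dict)     # MLF name -> set of member orgs
    subgroups: dict = field(default_factory=dict)       # (MLF, policy) -> set of member orgs
    interfed: set = field(default_factory=set)          # {frozenset({mlf_a, mlf_b}), ...}
    confederations: dict = field(default_factory=dict)  # name -> set of MLF names

    def federations_of(self, org):
        """All MLFs an org belongs to; an org in two MLFs is the talk's 'peering' case."""
        return {f for f, members in self.mlf_members.items() if org in members}

    def trust_basis(self, rp, idp, policy=None):
        """Return the list of grounds on which rp may trust idp (empty = no trust).

        With `policy` set, only a leveraged-federation sub-group that carries that
        policy counts: the additional policy narrows trust rather than widening it.
        """
        if rp == idp:
            return ["self"]
        grounds = []
        if policy is not None:
            for (mlf, name), members in sorted(self.subgroups.items()):
                if name == policy and {rp, idp} <= members:
                    grounds.append(f"leveraged federation: {name} within {mlf}")
            return grounds
        if rp in self.promiscuous:
            grounds.append("promiscuous: rp trusts everyone")
        if frozenset({rp, idp}) in self.bilateral:
            grounds.append("bilateral agreement")
        rp_feds, idp_feds = self.federations_of(rp), self.federations_of(idp)
        for f in sorted(rp_feds & idp_feds):
            grounds.append(f"multilateral: both members of {f}")
        for a in sorted(rp_feds):
            for b in sorted(idp_feds):
                if a == b:
                    continue
                if frozenset({a, b}) in self.interfed:
                    grounds.append(f"inter-federation: {a} peers with {b}")
                for c, mlfs in sorted(self.confederations.items()):
                    if {a, b} <= mlfs:
                        grounds.append(f"confederation: {a} and {b} both in {c}")
        return grounds


def sample_fabric():
    """Constructed fabric; names are placeholders and imply nothing about real federations."""
    return TrustFabric(
        promiscuous={"blog-rp"},
        bilateral={frozenset({"publisher-sp", "uni-a"})},
        mlf_members={
            "fed-north": {"uni-a", "uni-b", "school-1", "publisher-sp"},
            "fed-south": {"uni-c", "uni-d", "publisher-sp"},  # SP joined two MLFs
            "fed-west": {"uni-e"},
        },
        subgroups={("fed-north", "schools-policy"): {"uni-a", "school-1"}},
        interfed={frozenset({"fed-north", "fed-west"})},
        confederations={"confed-eu": {"fed-north", "fed-south"}},
    )


if __name__ == "__main__":
    fabric = sample_fabric()
    for rp, idp, policy in [("publisher-sp", "uni-a", None), ("uni-b", "uni-e", None),
                            ("uni-b", "uni-c", None), ("uni-e", "uni-c", None),
                            ("blog-rp", "uni-c", None),
                            ("uni-a", "school-1", "schools-policy"),
                            ("uni-b", "school-1", "schools-policy")]:
        print(f"{rp} -> {idp} ({policy or 'no extra policy'}): "
              f"{fabric.trust_basis(rp, idp, policy) or 'NO TRUST'}")
```

Two behaviours are worth noticing: an organisation that joined two MLFs (publisher-sp) reaches IdPs in both, which is why the talk files peering under “I trust you and you”; and asking for the schools policy excludes uni-b even though it shares an MLF with school-1, which is what makes a leveraged federation a sub-group rather than a wider fabric.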
Consequences of diversity
• The Good
– Allows different communities to address their own requirements.
• The Bad
– Increases redundancy and costs.
• The Ugly
– Additional ‘burden’ & ‘disconnect’
III. Fixing it
Protocols
From Messy-system to Metasystem
[Figure: the metasystem drawn as Application, Network and Link layers, annotated with a user directory (e.g.) and trust metrics (e.g. TNC/NEA).]
The Identity Metasystem (1)
• “The One Ring”
– “One ring to rule them all,
  One ring to find them,
  One ring to bring them all
  and in the darkness bind them,
  In the land of Mordor
  where the shadows lie.”
  ‘Lord of the Rings’, J.R.R. Tolkien.
• Microsoft-backed WS-Trust and WS-Federation
– Infocard
• Kerberos
– “the universal authentication platform for the world’s computer networks” – Kerberos Consortium
The Identity Metasystem (2)
• “The Four Horsemen of the Apocalypse”
– Do nothing
– Inter-work – eg. Concordia
  • Only identity systems with a web focus
– Gateway – eg. EduGAIN
  • Pilot GN2 service connecting some European R&E identity federations.
– “SAML over Everything”
“SAML over Everything”
• Use ‘legacy’ protocols to carry SAML.
• SAML used for expressing AuthN / AuthZ, replacing/supplementing semantics of the ‘legacy’ protocol.
• Focus of effort in R&E middleware development, with some successes:
– OASIS V2.0 Attribute Sharing Profile for X.509 Authentication-based systems.
– RADIUS-SAML, Internet2.
– DAMe, GN2 JRA5.
– Kerberos-bound SAML, University of Muni.
III. Fixing it
Trust
Establishing trust in currency
• Technical trust: Milled edges on coins
• Behavioural trust: An extremely unpleasant death
Establishing trust in Identity
• Technical trust
• Behavioural trust
Improving technical and behavioural trust
• Technical
– Trust fabric diversity → many ways to establish technical trust.
– Desirable and perhaps possible to constrain the ways in which technical trust can be established.
– Dynamic metadata, Leif Johansson et al.
• Behavioural
– REFEDS
A little policy goes a long way…
Perhaps a little more policy could go even further…?
Identity economies
• Self-asserted (‘user-centric’) Identity = barter
– “I will swap my shiny stone for your pointy stick”
– Value of identity is proportional to trust attributed to the user.
• Federated Identity = money
– “I promise to pay the bearer on demand the sum of ten pounds (of gold)”
– Value of identity is proportional to trust attributed to the authority.
• Normalised Federated Identity = VISA
– “It works in most places, with some constraints. But I don’t need to know anything about the local currency.”
– Value of identity is proportional to trust attributed to authority, less the value removed due to normalisation process.
Fixing it - Conclusions
• Protocol
– We need fewer and smarter protocols.
– The One Ring or The Four Horsemen?
• Trust
– We need fewer and smarter policies.
– Building the Identity economy
• common mechanism for technical trust establishment?
• common policy framework(s) for trust fabrics?
Conclusions
• A robust Identity infrastructure is essential for realising advanced R&E applications.
• We have only just started.
• Identity impacts all parts of the network infrastructure.
• We need informed protocol & policy development.
• Come to the BoF @ 1800 in the Strauss room!
Thank you for your attention