Why the Identity messy-system sucks, and how to fix it.
Josh Howlett, JANET(UK)
TNC 2008, Bruges.
TRANSCRIPT
Overview
I. Why Identity matters
II. Origins of the Identity messy-system
III. Fixing it
I. Why Identity matters
An improbable perspective on Identity, inspired by Douglas Adams' essay, the "Ages of Sand".
1st – "Understanding big things"
2nd – "Understanding little things"
3rd – "Computing these things"
4th – "Connecting these things"
5th – ?
II. Origins of the Identity messy-system
Why Protocol & Trust?
• Protocol – Saying things about an Identity requires a common language.
• Trust – Acting on what is said often requires trust in who said it and in what context.
• Consequently, it is often necessary to share a common understanding of protocol and trust.
II. Origins of the Identity messy-system
Protocols
(Slide: "Allopatric speciation in identity protocols", by analogy with allopatric speciation in birds. A cloud of identity protocols, laid out by protocol stack and by deployments:)
X.509, SAML, TLS, EAP, GSS-API, Kerberos, WS-Security, WS-Trust, WS-Federation, ID-WSF, ID-FF, OpenID, OAuth, RADIUS, Diameter, SASL, NTLM, LDAP, PGP, 802.1X, 802.11i, RADSec, VMPS, Infocard, IKE, DNSSec.
Failure of Identity protocol strata (by analogy with the failure of geological strata)
1. Burden: for both users and admins.
2. Disconnect: phishing, SPAM, IP & MAC address spoofing, DHCP abuse, root-kits, social engineering, …
DHCP abuse
• IEEE gave us 802.1X – an extensible, media-independent security framework for network admission.
• IETF gave us DHCP – no security – RFC 3118 (Authentication for DHCP Messages) exists … but is mostly useless.
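The "no security" point above is what RFC 3118 tried to patch: an Authentication option (code 90) whose "delayed authentication" mode carries an HMAC-MD5 over the DHCP message under a per-client shared secret, plus a replay-detection counter. The example below is added here and is not code from the talk or from any DHCP implementation; it builds a DHCPREQUEST in memory, signs it as a client would, and verifies it as a server would, including the two details that matter in practice: a relay agent may rewrite 'hops' and 'giaddr' without breaking the MAC (so those fields are zeroed before hashing), and a captured message replayed with the same counter is rejected. The key, MAC address, transaction ID and requested IP are constructed for the demonstration; the secret-ID-to-key table stands in for whatever out-of-band provisioning a site would have, which is exactly the burden that kept RFC 3118 from being deployed.

```python
"""RFC 3118 delayed authentication (HMAC-MD5) for a DHCPv4 message.

Added example, not from the talk or any DHCP implementation. All addresses,
identifiers and the shared secret below are constructed for the demonstration.
"""
import hashlib
import hmac
import struct

OPT_AUTH = 90              # DHCP Authentication option (RFC 3118)
OPT_MSG_TYPE = 53          # DHCP Message Type (3 = DHCPREQUEST)
OPT_REQ_IP = 50            # Requested IP Address
OPT_END = 255
PROTO_DELAYED = 1          # Protocol: delayed authentication
ALG_HMAC_MD5 = 1           # Algorithm: HMAC-MD5
RDM_COUNTER = 0            # Replay detection method: monotonically increasing counter
MAGIC_COOKIE = b"\x63\x82\x53\x63"
HDR_LEN = 236              # fixed BOOTP header; magic cookie follows at offset 236
AUTH_LEN = 1 + 1 + 1 + 8 + 4 + 16   # proto, alg, RDM, replay detection, secret ID, HMAC


def bootp_header(xid: int, chaddr: bytes, ciaddr: bytes, hops: int = 0,
                 giaddr: bytes = b"\0" * 4) -> bytes:
    """op=1 BOOTREQUEST, htype=1 Ethernet, hlen=6; sname and file left empty."""
    return struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                       1, 1, 6, hops, xid, 0, 0, ciaddr, b"\0" * 4, b"\0" * 4,
                       giaddr, chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)


def find_option(msg: bytes, code: int) -> int:
    """Offset of the option's code byte in the options area, or -1 if absent."""
    i = HDR_LEN + 4
    while i < len(msg) and msg[i] != OPT_END:
        if msg[i] == 0:                      # pad option has no length byte
            i += 1
            continue
        if msg[i] == code:
            return i
        i += 2 + msg[i + 1]
    return -1


def mac_input(msg: bytes) -> bytes:
    """RFC 3118: the MAC covers the whole message with 'hops', 'giaddr' and the
    HMAC field itself set to zero, because relay agents rewrite the first two."""
    buf = bytearray(msg)
    buf[3] = 0                               # hops
    buf[24:28] = b"\0" * 4                   # giaddr
    mac_off = find_option(msg, OPT_AUTH) + 2 + 3 + 8 + 4
    buf[mac_off:mac_off + 16] = b"\0" * 16
    return bytes(buf)


def sign_request(header: bytes, opts: bytes, secret_id: int, key: bytes, counter: int) -> bytes:
    """Client side: append an authentication option and fill in the HMAC-MD5."""
    auth = bytes([OPT_AUTH, AUTH_LEN, PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER])
    auth += struct.pack("!QI", counter, secret_id) + b"\0" * 16
    msg = header + MAGIC_COOKIE + opts + auth + bytes([OPT_END])
    mac = hmac.new(key, mac_input(msg), hashlib.md5).digest()
    pos = find_option(msg, OPT_AUTH) + 2 + 3 + 8 + 4
    return msg[:pos] + mac + msg[pos + 16:]


def verify_request(msg: bytes, secrets: dict, last_counter: int):
    """Server side. Returns (ok, reason, counter); reject before touching the key
    if the option is malformed or the counter does not advance."""
    pos = find_option(msg, OPT_AUTH)
    if pos < 0 or msg[pos + 1] != AUTH_LEN:
        return False, "no/short auth option", None
    if (msg[pos + 2], msg[pos + 3], msg[pos + 4]) != (PROTO_DELAYED, ALG_HMAC_MD5, RDM_COUNTER):
        return False, "unsupported proto/alg/RDM", None
    counter, secret_id = struct.unpack("!QI", msg[pos + 5:pos + 17])
    if counter <= last_counter:
        return False, "replay", counter
    key = secrets.get(secret_id)
    if key is None:
        return False, "unknown secret ID", counter
    expected = hmac.new(key, mac_input(msg), hashlib.md5).digest()
    if not hmac.compare_digest(expected, msg[pos + 17:pos + 33]):
        return False, "bad HMAC", counter
    return True, "ok", counter


def demo() -> dict:
    """Genuine, relayed, tampered and replayed copies of one signed DHCPREQUEST."""
    secrets = {0x0001: b"per-client-shared-secret"}          # constructed key table
    header = bootp_header(0x3903F326, b"\x52\x54\x00\x12\x34\x56", b"\0" * 4)
    opts = bytes([OPT_MSG_TYPE, 1, 3, OPT_REQ_IP, 4, 192, 168, 1, 42])
    msg = sign_request(header, opts, 0x0001, secrets[0x0001], counter=1000)
    results = {"genuine": verify_request(msg, secrets, 999)[:2]}
    relayed = bytearray(msg)                                 # relay agent on the path
    relayed[3] = 1
    relayed[24:28] = bytes([192, 168, 1, 1])
    results["relayed"] = verify_request(bytes(relayed), secrets, 999)[:2]
    tampered = bytearray(msg)                                # attacker rewrites option 50
    tampered[find_option(msg, OPT_REQ_IP) + 5] = 1
    results["tampered"] = verify_request(bytes(tampered), secrets, 999)[:2]
    results["replayed"] = verify_request(msg, secrets, 1000)[:2]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:9s} -> {outcome}")
```

HMAC-MD5 is what RFC 3118 specifies, not a recommendation; the point of the example is the message framing and the zeroed relay fields, which is where home-grown implementations usually go wrong. Note that the server still has to hold a secret for every client it will ever serve, which is the practical reason the talk calls the option "mostly useless" next to 802.1X.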
II. Origins of the Identity messy-system
Trust
(Slide illustrations: Human Resources offices at the University of Padua and the University of Pisa, and a Letter of Introduction passed between them.)
C17th – C20th trust: a Letter of Introduction (an 'authentication assertion') carried from one Human Resources office to another.
Geography imposes friction.
The network removes this friction: 40 million users, a few hops away; 1.3 billion users, a few more hops away.
"But what if I only trust these people?"
What is 'Trust'?
• 'Technical trust' – Message and/or end-point authentication and message integrity.
• 'Behavioural trust' – Real life is more complicated.
– 'Trust is the belief in the good character of one party, presumed to seek to fulfil policies, ethical codes, law and their previous promises' (Wikipedia).
'Trust metrics', classified by whether they are based on evidence and on experience:
• Experiential, evidential – e.g. ID card, email white-list, firewall ACL, IM buddies, public phone-book, attributes, …
• Experiential, non-evidential – e.g. belief in someone's good character, …
• Non-experiential, evidential – e.g. gossip, web of trust, TNC/NEA, PKI, …
• Non-experiential, non-evidential – e.g. prejudice, leap-of-faith, policy, contract, …
Trust fabrics
• Allow a community to share a common understanding of 'trust' within their community.
• Trust fabrics are assembled from 'trust metrics'.
• Significant diversity, owing to:
– Many types of metrics.
– Different aims and objectives.
• Even R&E trust fabrics built from the same software can be quite different.
'How do I love thee? Let me count the ways'
• Promiscuous federation (e.g. OpenID) – "I trust you because I trust everyone"
• Bilateral federation (e.g. 'conventional' federated identity) – "I trust you, and only you"
• Multilateral federation (MLF; e.g. R&E Shibboleth federations) – "I trust you because I trust him and he trusts you"
• Peering (e.g. content providers trusting different R&E MLFs) – "I trust you and you" (an org affiliated with two or more MLFs)
• Leveraged federation (e.g. the Schools sector within the UK federation) – A sub-group within an MLF sharing some additional common policy.
• Inter-federation (e.g. Kalmar Union, InCommon & NIH) – An MLF peering with one or more other MLF(s).
• Confederation (e.g. eduroam, eduGAIN) – An MLF consisting of multiple MLFs.
• "Federation soup"
Consequences of diversity
• The Good – Allows different communities to address their own requirements.
• The Bad – Increases redundancy and costs.
• The Ugly – Additional 'burden' & 'disconnect'.
III. Fixing it
Protocols
(Diagram: the Link, Network and Application layers each draw on the same trust metrics, e.g. a user directory or TNC/NEA.)
From Messy-system to Metasystem
• "The One Ring"
"One ring to rule them all, One ring to find them,
One ring to bring them all and in the darkness bind them,
In the land of Mordor where the shadows lie."
'Lord of the Rings', J.R.R. Tolkien.
– Microsoft-backed WS-Trust and WS-Federation
• Infocard
– Kerberos
• "the universal authentication platform for the world's computer networks" – Kerberos Consortium
The Identity Metasystem (1)
• "The Four Horsemen of the Apocalypse"
– Do nothing
– Inter-work – e.g. Concordia
• Only identity systems with a web focus
– Gateway – e.g. eduGAIN
• Pilot GN2 service connecting some European R&E identity federations.
– "SAML over Everything"
• Use 'legacy' protocols to carry SAML.
• SAML used for expressing AuthN / AuthZ, replacing/supplementing the semantics of the 'legacy' protocol.
• Focus of effort in R&E middleware development, with some successes:
– OASIS V2.0 Attribute Sharing Profile for X.509 Authentication-based Systems.
– RADIUS-SAML, Internet2.
– DAMe, GN2 JRA5.
– Kerberos-bound SAML, University of Muni.
The Identity Metasystem (2)
III. Fixing it
Trust
Establishing trust in currency: technical trust (milled edges on coins) versus behavioural trust ("an extremely unpleasant death").
Establishing trust in Identity: technical trust versus behavioural trust.
Improving technical and behavioural trust
• Technical
– Trust fabric diversity means many ways to establish technical trust.
– Desirable and perhaps possible to constrain the ways in which technical trust can be established.
– Dynamic metadata, Leif Johansson et al.
• Behavioural
– REFEDS
A little policy goes a long way…
Perhaps a little more policy could go even further…?
Identity economies
• Self-asserted ('user-centric') Identity = barter
– "I will swap my shiny stone for your pointy stick"
– Value of identity is proportional to trust attributed to the user.
• Federated Identity = money
– "I promise to pay the bearer on demand the sum of ten pounds (of gold)"
– Value of identity is proportional to trust attributed to the authority.
• Normalised Federated Identity = VISA
– "It works in most places, with some constraints. But I don't need to know anything about the local currency."
– Value of identity is proportional to trust attributed to the authority, less the value removed by the normalisation process.
Fixing it – Conclusions
• Protocol
– We need fewer and smarter protocols.
– The One Ring or The Four Horsemen?
• Trust
– We need fewer and smarter policies.
– Building the Identity economy:
• common mechanism for technical trust establishment?
• common policy framework(s) for trust fabrics?
Conclusions
• A robust Identity infrastructure is essential for realising advanced R&E applications.
• We have only just started.
• Identity impacts all parts of the network infrastructure.
• We need informed protocol & policy development.
• Come to the BoF @ 1800 in the Strauss room!
Thank you for your attention