
MACE: The Untold Story

RL “Bob” Morgan, University of Washington and Internet2, MACE Chair

Internet2 Member Meeting, Chicago, Illinois, December 2006

Topics

How we work
Who is involved
Where we've been to
Why we do it
What we're up to
When we'll be done

MACE Origins

April 1999, a motel in Ann Arbor ...
  group considered work on “middleware” in Internet2
  driven by concerns in advanced networking about need for common application support (e.g. RFC 2768)
  everyone said “I was told not to volunteer for anything”
  core group of campus infrastructure architects hinted that maybe they could volunteer, a little, if everyone did
September 1999, a hotel in Denver ...
  “Early Harvest”, NSF-supported, ~20 campus architects
  clarified scope of work (vast), interest (intense but wary)

MACE conceived

Middleware Architecture Committee for Education
  mace: a spiked club used for breaking armor
  mace: a staff borne as a symbol of authority
  mace: a spice, “a thin leathery tissue between the stone and the pulp” of the same plant that produces nutmeg
  Mace(tm): a liquid used for temporarily immobilizing
MACE members are called:
  MACEdonians
  MACEochists
  MACEtodons

... and it's a convenience store

MACE structurally

a committee
  to direct and support the activities of the Internet2 Middleware Initiative (I2MI)
  and other activities as it sees fit
a self-organizing body (i.e., a club)
  work is supported by Internet2 in various ways, and by the institutions who donate participants' time
  agenda formed by participant campus needs, in service of the broader community
  higher-ed centric, but not higher-ed only
  US-centric, but not US-only

MACE governance

membership
  university IT infrastructure architects who
    have the background, expertise, and time
    show interest in the work by participating
    have the architectural and collaborative perspectives
  seek to cover a range of technical areas
  small enough so everyone knows everyone
  responsibility on members to keep reasonably active
  some members are liaisons to important communities
    e.g. non-US (EU, Australia), non-HE-IT (grids)

MACE process

attempt to be open and transparent in all activities
  though not everything is documented ...
agenda set by members, other Internet2 programs/initiatives, non-members, funding agencies; consensus process
real work happens via working groups
  WG charter must describe work that is consistent with initiative, has clear and achievable deliverables, has identified chair and workers, likely user community, MACE member liaison
rarely interested in research, generally in deployments

Internet2 Middleware Initiative

Important element of overall Internet2 program
  environment for making MACE agenda successful
working group support:
  mailing lists, conference calls, flywheels, web presence, technical support, branding/PR, intellectual property framework and legal support, lifecycle
funding
  support from NSF NMI program since 2001, via NMI-EDIT consortium
  and from Internet2 member support
  primarily for release time for campus architects/developers

I2MI technical strategy

Work products include:
  best practices docs, standards, schema, software, tutorial/guidance, services, architecture proposals, ...
Many opportunities, few truly new ideas
  assess feasibility of systems/services by keeping in touch with successful small-scale deployments in the community
  encourage development of practices/packages that can be adopted by the broad HE community
  influence projects/products/standards to conform
  work is done by extended community, not MACE per se

Some special staff support

... without whom none of this would be possible
  Ann West: outreach coordinator for NMI-EDIT, organizer of CAMP conferences (shared with EDUCAUSE)
  Renee Frost: support of everything in making MACE effective
  Nate Klingenstein: documentation wizard, training taskmaster
  Steve Olshansky: the dictionary definition of “flywheel”
  and oh yes, Ken ...

a resemblance has been noted ...

Outreach

EDUCAUSE
  support CAMP conferences, broad HE outreach
  co-sponsor eduPerson and HEPKI work
  identity management work in net@edu
TERENA
  home for middleware work in Europe
  supports European liaisons to MACE
  US MACE members participate in TERENA TFs
  newly-formed ECAM group modeled on MACE
    supporting European middleware collaboration

Industry standards

OASIS SAML TC, Liberty Alliance
  helped drive original SAML work in 2001 from Shibboleth requirements
  helped promote SAML adoption in Liberty, Liberty contributions to SAML 2.0
  Scott Cantor is primary author of SAML 2.0 spec
  worked with Microsoft on compatibility ...
other standards bodies
  IETF, W3C

Testimonial: Eve Maler, Sun

“Sun is proud to support Internet2 and recognizes the importance of its innovations, such as Shibboleth, to Sun customers and partners. The external integration project run by FEIDE, the Norwegian education agency, shows one example of how Sun and its partners are able to use Shibboleth technologies to great benefit.

“I'd like to especially thank Internet2 representatives Scott Cantor and RL "Bob" Morgan for their efforts to support the important identity management standards work taking place at the OASIS Security Services (SAML) Technical Committee and the Liberty Alliance. The effort to converge the Shibboleth, Liberty ID-FF, and SAML V1.x streams into SAML V2.0 could not have been done without them.”

- Eve Maler, Technology Director, Sun Microsystems

Testimonial: Kim Cameron, Microsoft

“Higher ed has always been among the essential innovators in distributed systems. This has been true both because of the research carried out in the university and the practice resulting from smart application of emerging technology.

“Internet2 middleware, via projects like Shibboleth, has concretely helped move the industry forward, and set an example in confronting hard problems with real deployments. Since the early days of Shibboleth, I've worked to make sure that Microsoft's emerging identity systems meshed with it in a practical way, because I believed in and respected your goals. I want to support, work with you and learn from you as contributors to the metasystem that will enable an identity-aware cyber world.

“I hope this helps explain how much Microsoft values its relationship with I2 middleware, and how much I personally have enjoyed and benefited from collaboration with the members of your community.”

- Kim Cameron, Chief Identity Architect, Microsoft

Outreach: CAMP Workshops

15 CAMP workshops 2002-2006
  31 other shorter workshops
  2770 total attendees from 610 organizations, 93 non-US, HE, research, corporate
CAMP topics
  Base: directories, authentication, PKI, medical apps, federation, distributed authorization
  Advanced: 3-tier architectures, authorization architectures, virtual organization support, workflow models

CAMP attendees by state

Outreach: NMI releases

NMI program has semi-yearly releases
  joint work with Grids Center
  software, standards, other documents
  very useful discipline in completing/publicizing project work
  venue for contributions from extended middleware community, i.e. not just MACE/I2MI projects

Outreach: extended communities

International: UK (JISC), China, Japan, Scandinavia, Australia, ...
US Federal government: E-Authentication, NSF, NIH, DHS, etc etc
US state governments and K-12: Wisconsin, Washington, Virginia, California, etc
Publishing/content industry: Association of American Publishers, American Mathematics and Chemical Societies, OCLC
  almost all major academic publishers (Elsevier, Thomson, JSTOR, EBSCO, Proquest, OVID, etc)

Reflections on why we do it

Key Concepts: Identity, Institution, Reputation
Identity: not just identifiers
  spam says: Protect your identity! Project your identity!
  who cares about identifiers? only IdM geeks
  identity is “sameness over time”, sameness for some individual or societal purpose
  so identity is “stories” or relationships, potentially everything about you
  repeatability and aggregation are essential
  not only people have identities ...

Institutions

Institution (defined): a significant practice, relationship, or organization in a society or culture; an established organization or corporation (as a bank or university) especially of a public character
Institutions exist to create and maintain trust in activities in their area of business
  via acting predictably, absorbing risk, doing reliable work
business of higher education institutions is creation and dissemination of knowledge, via practice of intellectual collaboration

Reputation

reputation (defined): overall quality or character as seen or judged by people in general; a place in public esteem or regard: good name
institutions support reputation of their members
  if I were just plain Bob speaking, would you believe me?
activities of members create reputation of institution
  that is, institutional activities, those activities conducted in institutional role and setting
reputation is the reflection of identity in the community

Institutional reputation management

In an online world
  reputation is under threat from online fraud, poor controls, uncontrolled access, data tampering, etc
  reputation is maintained by starting with our existing institutional nature, and extending and protecting it with digital techniques: identity and access management, cryptography, system management, trust federations
effective, consistent identity management is fundamental to maintaining the social role of our institutions
  ... and that's why we do it

Some directions: schema/directory

MACE has had success
  defining/promoting schema and directory practices, extending LDAP practices into SAML space
now a brave new world
  many schema definers: national/academic communities, technologies (e.g. CardSpace), applications
  many attribute representation protocols, architectures, data flows
so: focus on information models, processes for attribute definition and adoption, flows to support business relationships and privacy, mappings

Directions: authentication/identity

“Internet identity” movement
  Microsoft CardSpace/metasystem, OpenID, XRI, etc
  personal identities not tied to particular institutions, adaptable to many technologies
Useful spectrum of authentication practices
  institutions/apps must support a range of methods, appropriate to risk/cost of services
  standardized assessment of assurance levels
  increased use of 2-factor/PKI as appropriate
federation becoming pervasive
  advanced multi-party architectures more standardized

Directions: authorization

Signet/Grouper released, being adopted
  critical project phase to assemble adopter community to take packages in useful directions, create sustainable project with many contributors
  application integration is key: e.g. Sakai, Kuali
  many vendor products in the space, need to keep models in alignment
  applications to Grid/VO environments emerging, support of these scenarios is central in upcoming S/G work
  support of diverse UIs, protocol access
XACML ready for prime time?

Directions: Workflow

Emerging enterprise infrastructure service
  administrative uses for approval/work routing
  academic/research uses for composition of processing from multiple services
  strong interaction with authorization management
  depends on good enterprise role definition
  some outstanding deployment examples, new vendor and open-source products
planning assessment activity to understand nature of potential work in this area

Directions: SOA/ESB

Service-Oriented Architecture
  industry hype victim, but kernels of truth
  infrastructure architecture perspective has always been about modular services, directories
  whether SOAP is the one protocol to end all others is questionable, but it is here to stay for many purposes
Enterprise Service Bus
  a new name for message/event queue, pub/sub
  key technology for integrating middleware services with many apps
  discovery work still to be done ...

Reputation?

The End