MACE: The Untold Story
RL “Bob” Morgan
University of Washington and Internet2
MACE Chair
Internet2 Member Meeting, Chicago, Illinois, December 2006
Topics
How we work
Who is involved
Where we've been
Why we do it
What we're up to
When we'll be done
MACE Origins
April 1999, a motel in Ann Arbor ...
group considered work on “middleware” in Internet2
driven by concerns in advanced networking about the need for common application support (e.g. RFC 2768)
everyone said “I was told not to volunteer for anything”
core group of campus infrastructure architects hinted that maybe they could volunteer, a little, if everyone did
September 1999, a hotel in Denver ...
“Early Harvest”, NSF-supported, ~20 campus architects
clarified scope of work (vast), interest (intense but wary)
MACE conceived
Middleware Architecture Committee for Education
mace: a spiked club used for breaking armor
mace: a staff borne as a symbol of authority
mace: a spice, “a thin leathery tissue between the stone and the pulp” of the same plant that produces nutmeg
Mace(tm): a liquid used for temporarily immobilizing
MACE members are called:
MACEdonians
MACEochists
MACEtodons
... and it's a convenience store
MACE structurally
a committee
to direct and support the activities of the Internet2 Middleware Initiative (I2MI)
and other activities as it sees fit
a self-organizing body (i.e., a club)
work is supported by Internet2 in various ways
and by the institutions who donate participants' time
agenda formed by participant campus needs, in service of the broader community
higher-ed centric, but not higher-ed only
US-centric, but not US-only
MACE governance
membership
university IT infrastructure architects who
have the background, expertise, and time
show interest in the work by participating
have the architectural and collaborative perspectives
seek to cover a range of technical areas
small enough so everyone knows everyone
responsibility on members to keep reasonably active
some members are liaisons to important communities
e.g. non-US (EU, Australia), non-HE-IT (grids)
MACE process
attempt to be open and transparent in all activities
though not everything is documented ...
agenda set by members, other Internet2 programs/initiatives, non-members, funding agencies; consensus process
real work happens via working groups
WG charter must describe work that is consistent with the initiative, has clear and achievable deliverables, has an identified chair and workers, a likely user community, and a MACE member liaison
rarely interested in research, generally in deployments
Internet2 Middleware Initiative
Important element of overall Internet2 program
environment for making MACE agenda successful
working group support:
mailing lists, conference calls, flywheels, web presence, technical support, branding/PR, intellectual property framework and legal support, lifecycle
funding
support from NSF NMI program since 2001, via NMI-EDIT consortium
and from Internet2 member support
primarily for release time for campus architects/developers
I2MI technical strategy
Work products include:
best practices docs, standards, schema, software, tutorial/guidance, services, architecture proposals, ...
Many opportunities, few truly new ideas
assess feasibility of systems/services by keeping in touch with successful small-scale deployments in the community
encourage development of practices/packages that can be adopted by the broad HE community
influence projects/products/standards to conform
work is done by extended community, not MACE per se
Some special staff support
... without whom none of this would be possible
Ann West: outreach coordinator for NMI-EDIT, organizer of CAMP conferences (shared with EDUCAUSE)
Renee Frost: support of everything in making MACE effective
Nate Klingenstein: documentation wizard, training taskmaster
Steve Olshansky: the dictionary definition of “flywheel”
and oh yes, Ken ...
a resemblance has been noted ...
Outreach
EDUCAUSE
support CAMP conferences, broad HE outreach
co-sponsor eduPerson and HEPKI work
identity management work in net@edu
TERENA
home for middleware work in Europe
supports European liaisons to MACE
US MACE members participate in TERENA TFs
newly-formed ECAM group modeled on MACE
supporting European middleware collaboration
Industry standards
OASIS SAML TC, Liberty Alliance
helped drive original SAML work in 2001 from Shibboleth requirements
helped promote SAML adoption in Liberty, Liberty contributions to SAML 2.0
Scott Cantor is primary author of SAML 2.0 spec
worked with Microsoft on compatibility ...
other standards bodies
IETF, W3C
Testimonial: Eve Maler, Sun
“Sun is proud to support Internet2 and recognizes the importance of its innovations, such as Shibboleth, to Sun customers and partners. The external integration project run by FEIDE, the Norwegian education agency, shows one example of how Sun and its partners are able to use Shibboleth technologies to great benefit.
“I'd like to especially thank Internet2 representatives Scott Cantor and RL "Bob" Morgan for their efforts to support the important identity management standards work taking place at the OASIS Security Services (SAML) Technical Committee and the Liberty Alliance. The effort to converge the Shibboleth, Liberty ID-FF, and SAML V1.x streams into SAML V2.0 could not have been done without them.”
- Eve Maler, Technology Director, Sun Microsystems
Testimonial: Kim Cameron, Microsoft
“Higher ed has always been among the essential innovators in distributed systems. This has been true both because of the research carried out in the university and the practice resulting from smart application of emerging technology.
“Internet2 middleware, via projects like Shibboleth, has concretely helped move the industry forward, and set an example in confronting hard problems with real deployments. Since the early days of Shibboleth, I've worked to make sure that Microsoft's emerging identity systems meshed with it in a practical way, because I believed in and respected your goals. I want to support, work with you and learn from you as contributors to the metasystem that will enable an identity-aware cyber world.
“I hope this helps explain how much Microsoft values its relationship with I2 middleware, and how much I personally have enjoyed and benefited from collaboration with the members of your community.”
- Kim Cameron, Chief Identity Architect, Microsoft
Outreach: CAMP Workshops
15 CAMP workshops 2002-2006
31 other shorter workshops
2770 total attendees from 610 organizations, 93 non-US; HE, research, corporate
CAMP topics
Base: directories, authentication, PKI, medical apps, federation, distributed authorization
Advanced: 3-tier architectures, authorization architectures, virtual organization support, workflow models
CAMP attendees by state
Outreach: NMI releases
NMI program has semi-yearly releases
joint work with Grids Center
software, standards, other documents
very useful discipline in completing/publicizing project work
venue for contributions from extended middleware community, i.e. not just MACE/I2MI projects
Outreach: extended communities
International:
UK (JISC), China, Japan, Scandinavia, Australia, ...
US Federal government
E-Authentication, NSF, NIH, DHS, etc.
US state governments and K-12
Wisconsin, Washington, Virginia, California, etc.
Publishing/content industry
Association of American Publishers, American Mathematical and Chemical Societies, OCLC
almost all major academic publishers (Elsevier, Thomson, JSTOR, EBSCO, ProQuest, OVID, etc.)
Reflections on why we do it
Key Concepts: Identity, Institution, Reputation
Identity: not just identifiers
spam says: Protect your identity! Project your identity!
who cares about identifiers? only IdM geeks
identity is “sameness over time”, sameness for some individual or societal purpose
so identity is “stories” or relationships, potentially everything about you
repeatability and aggregation are essential
not only people have identities ...
Institutions
Institution (defined): a significant practice, relationship, or organization in a society or culture; an established organization or corporation (as a bank or university) especially of a public character
Institutions exist to create and maintain trust in activities in their area of business
via acting predictably, absorbing risk, doing reliable work
business of higher education institutions is creation and dissemination of knowledge, via practice of intellectual collaboration
Reputation
reputation (defined): overall quality or character as seen or judged by people in general; a place in public esteem or regard: good name
institutions support reputation of their members
if I were just plain Bob speaking, would you believe me?
activities of members create reputation of institution
that is, institutional activities, those activities conducted in institutional role and setting
reputation is the reflection of identity in the community
Institutional reputation management
In an online world
reputation is under threat from online fraud, poor controls, uncontrolled access, data tampering, etc.
reputation is maintained by starting with our existing institutional nature, and extending and protecting it with digital techniques: identity and access management, cryptography, system management, trust federations
effective, consistent identity management is fundamental to maintaining the social role of our institutions
... and that's why we do it
Some directions: schema/directory
MACE has had success
defining/promoting schema and directory practices, extending LDAP practices into SAML space
now a brave new world
many schema definers: national/academic communities, technologies (e.g. CardSpace), applications
many attribute representation protocols, architectures, data flows
so: focus on information models, processes for attribute definition and adoption, flows to support business relationships and privacy, mappings
Directions: authentication/identity
“Internet identity” movement
Microsoft CardSpace/metasystem, OpenID, XRI, etc.
personal identities not tied to particular institutions, adaptable to many technologies
Useful spectrum of authentication practices
institutions/apps must support a range of methods, appropriate to risk/cost of services
standardized assessment of assurance levels
increased use of 2-factor/PKI as appropriate
federation becoming pervasive
advanced multi-party architectures more standardized
Directions: authorization
Signet/Grouper released, being adopted
critical project phase to assemble adopter community to take packages in useful directions, create sustainable project with many contributors
application integration is key: e.g. Sakai, Kuali
many vendor products in the space, need to keep models in alignment
applications to Grid/VO environments emerging, support of these scenarios is central in upcoming Signet/Grouper work
support of diverse UIs, protocol access
XACML ready for prime time?
Directions: Workflow
Emerging enterprise infrastructure service
administrative uses for approval/work routing
academic/research uses for composition of processing from multiple services
strong interaction with authorization management
depends on good enterprise role definition
some outstanding deployment examples, new vendor and open-source products
planning assessment activity to understand nature of potential work in this area
Directions: SOA/ESB
Service-Oriented Architecture
industry hype victim, but kernels of truth
infrastructure architecture perspective has always been about modular services, directories
whether SOAP is the one protocol to end all others is questionable, but it is here to stay for many purposes
Enterprise Service Bus
a new name for message/event queue, pub/sub
key technology for integrating middleware services with many apps
discovery work still to be done ...
Reputation?
The End