pki, idm, & federations

PKI, IdM, & Federations Triumvirate for Security with Privacy David L. Wasley net@edu 2006


Page 1: PKI, IdM, & Federations

PKI, IdM, & Federations

Triumvirate for Security with Privacy

David L. Wasley

net@edu 2006

Page 2: PKI, IdM, & Federations

Outline
- Why PKI
- Why identity management
- Why identity federations
- Why am I saying this?

Page 3: PKI, IdM, & Federations

What’s the problem?
- We need to manage access to certain resources for our campus communities within & across organizations
- We need to protect privacy
- We need to do this with sufficient reliability
- We need this to scale

Page 4: PKI, IdM, & Federations

Why PKI
- PKI supports reliable, trustworthy digital credentials
  - Issued by a trusted authority
  - Difficult to forge
  - Difficult to “share” if on a smart-chip device
- Also supports
  - Document security, e.g. encryption
  - Document validation, e.g. digital signatures

Page 5: PKI, IdM, & Federations

Why identity management
- Appropriate access management can require different reliable information about individuals
- What an organization needs to know about an individual is context specific
- A rich set of information is hard to manage while maintaining policy and privacy

Page 6: PKI, IdM, & Federations

Why identity federation
- Separates the meaning of a credential from the identity associated with it
- Allows authoritative source to assert up-to-date identity information about a user
- Streamlines user experience across a wide variety of resources
- Can protect privacy by releasing only what information is appropriate & allowed

Page 7: PKI, IdM, & Federations

Triumvirate
- Credential asserts binding between physical person and identity information
- Identity Management ensures trustworthy information
- Identity Federation supports privacy and appropriate access

Page 8: PKI, IdM, & Federations

To Buy or Build PKI
- Devil is in the details, e.g.:
  - Do you require broad distribution of a Trust Anchor?
  - Do you require flexibility and generality in your PKI?
- Minimizing the need for inter-organization PKI trust can affect the build/buy choice
- PKI “policy” is based on local business rules
- Federation rules and, where needed, bilateral agreements define trust for IdP and SP

Page 9: PKI, IdM, & Federations

What’s the real problem
- We haven’t yet made it usable by the average person
- We’ve insisted on a complex trust model
- Slow adoption discourages vendors and results in awkward workarounds
- Some potential uses do not yet have complete standards

Page 10: PKI, IdM, & Federations

What needs to be done
- Every computer should be able to read any smart-chip device (at least of a given type)
- Standards are needed (these are emerging)
- Biometric PINs might be nice ...
- Every O/S needs crypto API (this is happening)
- User interfaces need much improvement and users need better education and training
- Functions need to be standardized
- Federation technology needs to be used ...