Session Middleware
Chairs: Yasuo Okabe (Middleware), Kento Aida (Grid middleware), James Sankar (Middleware)
Support from Hideaki Sone (to be confirmed)
Objective: This session will encourage collaboration between middleware developers and those responsible for identity management and directory services, to discuss ways to get campuses ready for middleware technologies so that end users can connect to the network and access resources (online journals, collaborative services, grid applications, physical instruments, data) in a secure, scalable and manageable way. This workshop may also include some Grid middleware talks.
Target Audience: Middleware developers, identity management administrators, application developers, IT management
Program Details

Yasuo Okabe, chair (Middleware): speaker topics on identity management, directories, federations
Kento Aida, chair (Grid middleware): to be confirmed, topics to be confirmed
Support from Hideaki Sone (to be confirmed)

1. Community SSL/TLS Server Certificates
Jan Meijer, UNINETT, Norway

Abstract: Since around March 2006 the European NREN community has had a service at its disposal that offers large numbers of popup-free SSL server certificates at a very competitive price. In the previous year, 8 NRENs (ACONET, CARNet, CESNET, RENATER(CRU), RedIRIS, SURFnet, SWITCH and UNI-C) joined forces to define and acquire this service.

This talk will tell the story about the rationale behind the service, the process by which the service was built, and how the service works. It will also point out a surprising side effect the service has had on the PKI landscape in the European NREN environment, and the interesting opportunities this has opened for a further deployment of digital signature and encryption technology in Europe.

Author Biography
Jan Meijer, UNINETT, Norway
Having waited long enough for the Netherlands to grow or otherwise acquire proper mountains, Jan Meijer moved to Norway in April 2007 to start working for UNINETT, the Norwegian national research and education network, where he is part of the service development department. At UNINETT he is responsible for defining and running the UNINETT storage activities and looks into the challenges associated with large distributed storage infrastructures. He is also working on furthering the use of digital signature and encryption technology.
Before moving to UNINETT he worked at SURFnet, where he started in 1998 by joining SURFnet-CERT. Over the years he mostly involved himself with the areas of incident response, security, PKI, internet voting and system administration, although many sidesteps could not be resisted. He has contributed to TF-CSIRT, FIRST, TF-EMC2 and the IETF. Recent visible work outside the security area can be found in the Rijnland Internet Voting System project and the TERENA SCS.

2. Taking Care of Our Core Business: Managing Community Collaboration
Ken Klingenstein, Internet2
Keywords: Collaboration Management, Identity Management, Virtual Organizations, Web 2.0

Abstract: Two powerful forces are converging to create a global collaboration mesh on top of the Internet. The two forces are the rise of Internet-scale identity, primarily via the federated identity approaches developed within the higher-ed community, and a bloom in collaboration tools, particularly among the Web 2.0 group of social networking tools. These new collaboration tools, added to our existing base of list processors, wikis, IM, etc., have created the need to manage identity, including privacy, groups, and privileges, in a consistent fashion across all these collaboration applications. Leveraging federated identity, a number of collaboration management platforms (CMPs) are being developed, in the US, Australia and elsewhere, to provide identity services to applications. The collaboration management platforms are also being extended to apply to domain science and virtual organization needs, including both Grids and remote instrumentation. This session will provide an update on collaboration management platforms and the growing set of applications that can be consistently managed.

One particularly important set of collaborations is virtual organizations, where domain science instruments, Grids, and other resources want to have their access controls managed through the same platform. In some cases these domain systems can, if properly plumbed, also be managed through the CMP.

CMPs also tap into a newly emerging part of the middleware space called the attribute ecosystem. The attribute ecosystem provides a set of transports to move attributes around: from sources of authority to identity providers and service providers, from identity providers to relying parties, from virtual organization service centers to relying parties, etc. A set of tools is being put together to plumb these transports, including the linked identities of Liberty Alliance, batch feeds, the attribute aggregation work in the UK, and Shibboleth itself.

COmanage, a project of Internet2 with support from NSF, is a CMP that is being developed within the US. It deeply leverages previous work by this community, including Shibboleth, Grouper (for group management) and Signet (for privileges administered to groups or people). It can be deployed in many different models, including enterprise level, by a VO, a department, a service center, etc. It can be used to manage a basic set of collaboration applications, and expand its managed suite over time to file shares, calendaring, and domain and legacy applications.

This session will describe CMPs, show how COmanage is being used by collaborations and COs, and discuss how the attribute ecosystem will evolve to serve these application needs.

Acknowledgements: Collaboration Management platforms are being developed in a number of countries, including the UK, the US, France, Australia and others.
References: http://middleware.internet2.edu/co/

Author Biography
Dr. Ken Klingenstein is Project Director of the Internet2 Middleware and Security Initiative. He coordinates activities intended to build an interoperable middleware infrastructure among I2 members that will glue next generation applications to network capacities and enable inter-institutional resource sharing.

Ken is on loan to Internet2 from the University of Colorado at Boulder, where he was Director of Information Technology Services for 14 years, and continues to serve as Chief Technologist for the campus and Adjunct Professor of Telecommunications. He has been active in national networking since the beginnings of NSFnet in 1985, serving as a principal in state and regional networking and providing national leadership as Chair of the Federal Networking Council Advisory Committee, Vice-President of FARnet, and giving presentations at the House Subcommittee on Technology, the Kennedy School of Government and the National Research Council, among others. He has also been prominent in higher education, serving on the CAUSE Board, the CREN Board, the Common Solutions steering group, and making numerous presentations on both technology and the management of technology at national conferences. Ken received the 2003 EDUCAUSE Leadership in Information Technologies Award.

Ken received his Ph.D. in Applied Mathematics from the University of California at Berkeley.

3. AAI Federations in Europe
Licia Florio, TERENA

Abstract: The idea of setting up an authentication and authorisation infrastructure (AAI) was rapidly adopted in many countries in Europe years ago. With the technology becoming more mature, and with the idea of decoupling authentication from authorisation, the AAIs evolved into federations. The talk will provide an overview of the federations in Europe with a look at the future, mainly to explore how the federations are evolving and are trying to interoperate with each other.

Biography: Licia Florio holds a Master's degree in Computer Science obtained at the University of Bologna (Italy). In 2001, she joined TERENA (the Netherlands), the not-for-profit association of the National Research and Education Networks in Europe (NRENs). Licia's role in TERENA is to work as Project Development Officer, in charge of TERENA's middleware and roaming area, including the liaison with the Grid community.

Current key activities include the ongoing management of task forces (TF-Mobility and TF-EMC2) and their related spin-off projects, such as eduroam, TACAR (TERENA Academic CA Repository), SCHAC (the schema harmonisation committee) and SCS (Server Certificate Service).

4. CARSI: Federated Identity and Resource Sharing over CERNET

Abstract: CARSI (CERNET Authentication and Resource Sharing Infrastructure) is a project chartered to build a federated identity infrastructure over CERNET. The project is led by Peking Univ. and sponsored by the CNGI (China Next Generation Internet) project and the 863 Program for Hi-tech Research and Development in China. An experimental pilot project over the last two years involved 6 nodes: Peking Univ., Tsinghua Univ., BUPT (Beijing Univ. of Posts and Telecommunications), UESTC (Univ. of Electronic Science and Technology of China), SCUT (South China University of Technology), and RITT (Research Institution of Telecommunication Technology). The problems encountered during the pilot have led to a variety of initiatives to make CARSI easy to use and control, and to reach more universities:

  • CARSI-FCNA (Federation Contract Negotiation & Audit): This project leverages Shibboleth's logging to create a variety of cross-domain usage statistics: tracing users' behavior, number of visits to each service by federated users, and so on.
  • CARSI-OpenIdP: This is an open IdP that provides a home for users who want to access federated services but whose home university has not yet joined CARSI-Fed.
  • CARSI-FPR (Federation Provider Registry): A tool for application and IAM system administrators to easily join CARSI-Fed as an IdP or SP.
  • CARSI-Uid: This project aims to develop a unified user ID space and other standard attributes for CARSI-Fed.
  • CARSI-WAYF: A service that allows users to select their home provider and enter login information on a single page, to limit user interaction.

CARSI is still in its beginning phases. How can we help it grow to be large and strong? How can more applications be enabled and connected? In the spirit of an international community, this session will involve questions for the audience as well as the presentation by the authors.

To learn more, please visit the CARSI homepage at http://carsi.edu.cn. It is also linked to from the Shibboleth community pages.

This presentation showcases the accomplishments of many Chinese professors involved in CARSI, including:

Prof. Bei Zhang
Associate Prof. Ping Chen
Associate Prof. Hao Ma
Associate Prof. Xiaonan Li
Associate Prof. Jian Cui
Associate Prof. Qun Shang
Associate Prof. Zhuwei Wang

5. Japanese University PKI (UPKI) Update and Shibboleth using PKI Authentication
Toshiyuki Kataoka, NII, Japan

Abstract: Updates on the UPKI project will be presented: server certificate issuing, the UPKI common CP/CPS, and the CA start pack. A new plan for a Shibboleth federation using campus PKI authentication will also be presented.

6. Cyber Science Infrastructure and Grid Operation
Kento Aida, NII, Japan

Abstract: The Cyber Science Infrastructure (CSI) is a project in Japan to develop a new information infrastructure that provides advanced services for scientific research. The Grid is one of the services in CSI, and the goal is to run a production grid organized by computing centers in multiple universities and laboratories. This talk briefly introduces the issue of Grid operation in CSI, focusing on federated operation among multiple computing centers.

7. Secure and Transparent WLAN Roaming System for Campus Network
Yoshikazu Watanabe, Tohoku University

Abstract: Tohoku University is researching and developing a campus network roaming system within the UPKI (University PKI) project in Japan. As part of those activities, we have introduced eduroam to Japan. Through the experience of using eduroam, we have found two requirements for more secure roaming systems. The first is the capability to prevent roaming users from communicating directly with the IP addresses assigned by the visited institution. The other is the capability to apply access controls between roaming users and local network resources.

This talk will propose a method to meet the above requirements. The method has a proxy VPN function for the first requirement, and a policy-based access authorization function for the second. The method provides roaming users with their home network environment transparently, and realizes the access controls that make visited networks more secure.

8. Privacy Oriented Attribute Exchange in Shibboleth Using Magic Protocols
Toshihiro Takagi, Kyoto University

Abstract: In Shibboleth frameworks, a user is often forced to reveal the actual values of their attributes when the SP (Service Provider) requests some of the user's attributes.

There are cases where users must present detailed private information that SPs do not actually require in order to authorize them. We propose an extension of the attribute exchange protocol between an IdP and an SP in Shibboleth.

While in the conventional Shibboleth framework attributes are exchanged as actual values, in our extension an SP and an IdP exchange attributes according to the protocol for the Millionaires' Problem and the protocols for Oblivious Transfer (these protocols are known as "Magic Protocols"). This extension enables the SP to learn whether the user's attributes meet the requirement for authorization, without the SP and the IdP revealing their confidential information to each other.

We also show how cheating in the execution of this protocol can be detected, e.g. an IdP maliciously reporting a value other than the true one to the SP.
Remark: Videoconference facility is required.

Copyright 2008 APAN | Last Updated 25 Jan 2008