|Chair|| Yasuo Okabe-chair (Middleware)
Kento Aida - chair (Grid middleware)
James Sankar - Chair(Middleware)
Support from hideaki sone (to be confirmed)
|Objective||This session will encourage the collaborations of middleware developers and those responsible for identity management and directory services to discuss ways to get campuses ready for middleware technologies so that end users can connect to the network and access resources (online journals, collaborative services, grid applications, physical instruments, data) in a secure, scalable and manageable way. This workshop may also include some Grid Middleware talks.|
|Target Audience||Middleware developers, identity management administrators, application developers, IT management|
Yasuo Okabe - chair (middleware) - speaker topics on Id Mgt, Directories, Federations,
2. Taking Care of Our Core Business: Managing Community Collaboration
Ken Klingenstein Internet2
Keywords: Collaboration Management, Identity Management, Virtual Organizations, Web 2.0
Abstract: Two powerful forces are converging to create a global collaboration mesh on top of the Internet. The two forces are the rise of Internet scale identity, primarily via the federated identity approaches developed within the higher ed community, and a bloom in collaboration tools, particularly among the Web 2.0 group of social networking tools. These new collaboration tools, added to our existing base of listprocessors, wikis, and IM, etc has resulted in the need to manage identity, including privacy, groups, and privileges, in a consistent fashion across all these collaboration applications. Leveraging federated identity, a number of collaboration management platforms (CMP) are being developed, in the US, Australia and elsewhere, to provide identity services to applications. The collaboration management platforms are also being extended to apply to domain science and virtual organization needs, including both Grids and remote instrumentation. This session will provide an update on collaboration management platforms and the growing set of applications that can be consistently managed.
One particularly important set of collaborations is virtual organizations, where domain science instruments, Grids, and other resources want to have their access controls managed through the same platform. In some cases these domain systems can, if properly plumbed, also be managed through the CMP.
CMP’s also tap into a newly emerging part of the middleware space – called the attribute ecosystem. The attribute ecosystem provides a set of transports to move attributes around: from sources of authority to identity providers and service providers, from identity providers to relying parties, from virtual organization service centers to relying parties, etc. A set of tools are being put together to plumb these transports, including the linked identities of Liberty Alliance, batch feeds, and the attribute aggregation work in the UK, and Shibboleth itself.
COmanage, a project of Internet2 with support from NSF, is a CMP that is being developed within the US. It deeply leverages previous work by this community, including Shibboleth, Grouper (for group management) and Signet (for privileges administered to groups or people). It can be deployed in many different models, including enterprise level, by a VO, a department, a service center, etc. It can be used to manage a basic set of collaboration applications, and expand its managed suite over time to file shares, calendaring, and domain and legacy applications.
This session will describe CMP’s, show how COmanage is being used by collaborations and CO’s, and discuss how the attribute ecosystem will evolve to service these application needs.
Acknowledgements: Collaboration Management platforms are being developed in a number of countries, including the UK, the US, France, Australia and others.
Dr. Ken Klingenstein is Project Director of the Internet2 Middleware and Security Initiative. He coordinates activities intended to build an interoperable middleware infrastructure among I2 members that will glue next generation applications to network capacities and enable inter-institutional resource sharing.
Ken is on loan to Internet2 from the University of Colorado at Boulder, where he was Director of Information Technology Services for 14 years, and continues to serve as Chief Technologist for the campus and Adjunct Professor of Telecommunications. He has been active in national networking since the beginnings of NSFnet in 1985, serving as a principal in state and regional networking and providing national leadership as Chair of the Federal Networking Council Advisory Committee, Vice-President of FARnet, and giving presentations at the House Subcommittee on Technology, the Kennedy School of Government and the National Research Council, among others. He has also been prominent in higher education, serving on the CAUSE Board, the CREN Board, the Common Solutions steering group, and making numerous presentations on both technology and the management of technology at national conferences. Ken received the 2003 EDUCAUSE Leadership in Information Technologies Award.
Ken received his Ph.D. in Applied Mathematics from the University of California at Berkeley.
3. AAI Federations in Europe
Licia Florio, TERENA
Abstract: The idea of setting up an authentication and authorisation infrastructure (AAI) was rapidly adopted in many countries in Europe already years ago.With the technology becoming more mature, and with idea of decoupling authentication from authorisation, the AAIs evolved into federations. The talk will provide an overview of the federations in Europe with a look at the future mainly to explore how the federations are evolving and are trying to inter-operate among each others.
Biography: Licia Florio holds a Master Degree in Computer Science obtained at the University of Bologna (Italy). In 2001, she joined TERENA (the Netherlands) the not-for-profit association of the National Research and Education Networks in Europe (NRENs). Licia's role in TERENA is to work as Project Development Officer, where she is in charge of TERENA’s Middleware and roaming area, including the liaison with the Grid community.
Current key activities include the ongoing management of task forces (TF-Mobility and TF-EMC2) and their related spin-off projects, such as eduroam, TACAR (TERENA Academic CA Repository), SCHAC (the schema harmonisation committee) and SCS (Server Certificate Service).
4. CARSI: Federated Identity and Resource Sharing over CERNET
CARSI is still in its beginning phases. How can we help it grow to be large and strong? How can more applications be enabled and connected? In the spirit of an international community, this session will involve questions for the audience as well as the presentation by the authors.
To learn more, please visit the CARSI homepage at http:// carsi.edu.cn. This is also linked to by the Shibboleth community pages.
This presentation showcases the accomplishments of many Chinese professors involved in the CARSI, including:
Prof. Bei Zhang
Associate Prof. Ping Chen
Associate Prof. Hao Ma
Associate Prof. Xiaonan Li
Associate Prof. Jian Cui
Associate Prof. Qun Shang
Associate Prof. Zhuwei Wang
5. Japanese University PKI (UPKI) Update and Shibboleth using PKI authentication
Toshiuki Kataoka, NII, Japan
Abstract: Updates on the UPKI project; server certificate issuing, UPKI common CP/CPS, and CA start pack will be presented. Also a new plan of Shibboleth federation using campus PKI authentication will be presented.
6. Cyber Science Infrastructure and Grid Operation
Kento Aida, NII, Japan
Abstract: The Cyber Science Infrastructure (CSI) is a project to develop a new information infrastructure, which provides advanced services for scientific research, in Japan. The Grid is one of services in CSI, and the goal is to run a production grid organized by computing centers in multiple universities/laboratories. This talk briefly introduces an issue of Grid operation in CSI focusing on federated operation among multiple computing centers.
7. Secure and Transparent WLAN Roaming System for Campus Network
Yoshikazu Watanabe, Tohoku University
Abstract: Tohoku university is researching and developing campus network roaming system in UPKI(University PKI) project in Japan. As part of that activities, we have introduces eduroam to Japan. Through the experience of using eduroam, we have found two requirements for more secure roaming systems. The first one is a capability to prevent roaming users from communicating by the direct use of assigned IP addresses of visited institutions. The other is a capability of access controls between roaming users and local network resources.
This talk will propose a method to meet the above requirements. The method has a proxy VPN functionality for the first requirement, and a policy based access authorization functionality for the second requirement. The method provides roaming users with their home network environments transparently, and realizes access controls to make visited networks more secure.
8. Privacy Oriented Attribute Exchange in Shibboleth Using Magic Protocols
Toshihiro Takagi, Kyoto University
Abstract: In frameworks for Shibboleth, a user is often forced to reveal the immediate values of their attributes if the SP (Service Provider) requests some attributes of one's.
There are cases where users must present detailed privacy information which SPs don't actually require to authorize them. We propose an extension of the attribute exchange protocol between an IdP and an SP in Shibboleth.
While in the conventional framework of Shibboleth attributes are exchanged in immediate values, in our new extension an SP and an IdP exchange attributes in accordance with the protocol for Millionaire's Problem and the protocols for Oblivious Transfer (these protocols are known as "Magic Protocols"). This extension enables the SP to know whether user's attributes meet the requirement for authorization, without the SP and the IdP revealing their confidential information.
We also show how we can detect cheating in execution of this protocol, e.g. the IdP tells an another value instead of a true value to the SP in malice.
|Remark||Videoconference Facility is required|