Changes between Version 7 and Version 8 of GEC10IdentityAndAttributes


Timestamp:
04/11/11 16:25:15 (8 years ago)
Author:
tmitchel@bbn.com
Comment:

--

  • GEC10IdentityAndAttributes

    3737 Summary and Wrap Up - Tom Mitchell (10 mins)
    3838
     39==== Community Agreement ====
     40 * Add external identity providers to GENI
     41 * GPO should build a prototype !InCommon compatible GENI portal / slice authority
     42 * Agree on an initial set of required identity attributes
     43  * Name
     44  * Institution
     45  * Affiliation
     46  * Email address
     47  * Phone number
     48
     49==== Next Steps ====
     50 * GPO will build a prototype portal / slice authority that accepts !InCommon logons and produces slice credentials
     51  * Build a portal
     52  * Become an !InCommon service provider
     53  * Work with a few test institutions to get desired attributes from their identity providers
     54  * Federate with a few GENI Aggregates
     55 * Demonstrate this portal at GEC11
     56  * Pending group evaluation, expand this portal to other institutions and aggregates
     57
     58==== Selected Discussion Points ====
     59===== Ken Klingenstein =====
     60 * GENI should adopt same practice as sites like !PubMed: sign in via old user/pass or !InCommon
     61 * Use local identity in a global fashion
     62 * Other countries use this more than the US
     63 * Standards are developing
     64 * IETF GSSAPI will lead to federated SSH
     65  * But currently this is for web login
     66  * Note this is federated and not domesticated which is likely what GENI wants
     67 * Access Control
     68  * Scale is hard
     69  * Group management tools help
     70  * Privilege management is sometimes needed
     71  * Fine grain delegation needed
     72 * Identity Management Principles
     73  * Scale
     74  * Address privacy via consent
     75  * Leverage institutional attributes
     76  * Make consistent with security
     77 * Extra GENI principles
     78  * Cluster / CF specific attributes should be auto managed
     79  * Integrate across existing projects
     80  * Provide access to GENI to new users and communities
     81 * !CoManage is complementary
     82 * Let GENI leverage this infrastructure
     83
     84===== Rob Ricci =====
     85 * I want
     86  * Accountability
     87  * Neck to wring
     88  * Name, email, institution, role
     89  * PI or faculty advisor
     90   * Could be a candidate for a self asserted attribute
     91  * Class enrollment would be nice to have
     92 * ProtoGENI already does this
     93 * ProtoGENI will accept these attributes from trusted sources
     94 * ProtoGENI will separate the concept of the slice authority from the identity provider
     95  * A change, but a good idea
     96 * Optimize for low hassle with assurances of trustworthiness
     97 * Scale isn't that big:
     98  * Thousands currently, not 10s of thousands
     99  * Adding undergrads will stretch that
     100 * ProtoGENI users
     101  * 25% non US
     102  * PIs verify students
     103  * ProtoGENI (Rob) verifies PIs
     104   * 100s of users, not thousands
     105 * Pruning of accounts is manual currently
     106 * Users are trusted to self update their information currently
     107
     108===== Jeff Chase =====
     109 * Build in security, trust roots, and federation into GENI
     110 * Separate policy from mechanisms
     111 * Use off the shelf solutions, like Shibboleth
     112 * Grouper (now part of !CoManage) allows an institution to manage group memberships
     113 * Use Shibboleth at the edge of GENI using a portal
     114 * Use existing X509 keys internally
     115 * Don't use the Shibboleth delegated authentication stuff for now
     116 * How do we handle revocation? Limited life certificates?
     117 * Putting attributes in certificates would mean revealing attributes to services that the identity provider did not explicitly permit
     118
     119===== Group =====
     120 * Rob Ricci: if this could help with 'instant gratification' of a newly enrolled student getting access, that would be nice
     121 * Andy Bavier says PL is willing to federate with a new, GPO-run portal / slice authority that does this
     122 * Andy is interested in using !CoManage or similar to offload some attribute maintenance
     123 * Trusting the GPO portal still requires establishing trust, and the portal would still manually approve experimenter applications
     124
    39125==== Background reading ====
    40126  Identity and Access Management (http://www.internet2.edu/pubs/200703-IS-MW.pdf) [[br]]
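Review bot: the Next Steps list under the added "Community Agreement" / "Next Steps" headings records no decision on two open points raised later in the same section: Jeff Chase's revocation question ("How do we handle revocation? Limited life certificates?") and his caution that "Putting attributes in certificates would mean revealing attributes to services that the identity provider did not explicitly permit". Since the prototype is to "produce slice credentials" from !InCommon logons and carry a required attribute set that includes email address and phone number, suggest adding a Next Steps bullet stating whether those attributes will be embedded in the issued credentials or kept at the portal, and what credential lifetime or revocation approach the prototype will use, so the GEC11 demonstration can be evaluated against the "Address privacy via consent" principle recorded under Ken Klingenstein.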