150 likes | 266 Views
A very brief history of Identity in Higher Education a short stroll down memory lane. Michael R Gettes CMU, MIT, Internet2, Duke, Georgetown, Princeton, BostonU gettes@cmu.edu Common Solutions Group May , 2014. In the beginning…. Essentially no security on the Internet
E N D
A very brief history of Identity in Higher Educationa short stroll down memory lane Michael R Gettes CMU, MIT, Internet2, Duke, Georgetown, Princeton, BostonU gettes@cmu.edu Common Solutions Group May, 2014
In the beginning… • Essentially no security on the Internet • 1980’s, 1990’s various HE Univs pursue central ID stores. Andrew, Athena, others? • 1991 – BITNET-III, a project to use home Univcreds to access remote modem pools and central bill the Univ – FAIL!
And then… • 1994/6 – slapd emerges from uMich • Many Universities initiate LDAP services • 1998 OpenLDAP project started • Most of uMichslapd team moves to Netscape • First common mechanism exposing IDs emerge from various Universities in late 1990s • Public Key + LDAP – cost effective “I” in PKI • PKI first seen as 18 months away… (ha ha !)
Many SSO … • Various SSO efforts: • MIT Kerberos • Yale CAS • Michigan CoSign • Washington PubCookie • Many WebAuth – Duke, Stanford, ??? • WebISO – Initial Sign-On (cuz, SSO deemed not wise) – families of apps for Sign-On. CMU named their SSO WebISO using pubcookie (oops!).
September 1999Directories, Identifiers, AuthN (DIA) • “Early Harvest” – various University geeks, herded by Ken Klingenstein, met in Denver to start discussions around Identity Mgmt and Access problems. No volunteers for work except RL “Bob” Morgan. • During dinner… first ideas of inter-org AuthN/AuthZ on the web discussed. Seeds for what would later become Shibboleth planted. Glueworkers: RL “Bob” Morgan, Mark Poepping, Michael Gettes, Bob Brentrup, Alan Crosswell, David Wasley, Paul Hill, Frank Grewe, Keith Hazelton, Steve Kellogg, Daniel Arrasjid, Bill Doster, Mark Bruhn, Steve Worona. Planning group: Morgan, Gettes, Carmody, Poepping, KJK
And then… • 1998/9: MACE formed – first projects: DoDHE, eduPerson, Shibboleth proposal (generated from uWash Internet2 meeting). First minutes: May 22, 2000 – interesting read. • MACE guides I2MI – and the work begins! • HEPKI collaboration with i2-PKILabs, VidMid (H.323), eduPerson, Shibboleth, GRID collab starts, JA-SIG collab, LDAP Recipe, URN/OID Registry, evangelism!!! • Fed/Ed PKI meetings – HEBCA – Bridged PKI
U.S. Federal Viewpoint (2002-04) • HSPD-12 (Homeland Security Presidential Directive 12): President Bush, August 2004: mandatory gov-wide secure IDs for all employees + contractors. Yielded NIST FIPS 201 – PIV – using PKI, LDAP/X.500 and friends. • Fed E-Auth initiative by NIST spawns SP-800-63, guidance to implement OMB-04-04, in support of HSPD-12 pending. • This is where LoA 1-4 come from – guidance and technical controls. • InCommon Bronze/Silver != Fed 1-4 but comparable
NSF Middleware (NMI-EDIT) • 2002 - 2006 – Supposed to be collab between I2MI and GRID. GRID got the $$$. We produced software that worked. • Produced tons of stuff. Regular software package releases of many components. Documentation + experiences. • TIER Version 1? • Can’t say enough good stuff about NMI-EDIT
We have much InCommon • 2004 – InCommon is born. • IBM tried to patent Shib/SAML. We have email with our IP. SAML largely developed by RLBob and Scott Cantor (editor). • 10 Years later… InCommon is critical infrastructure to many Universities. CMU relies on InCommon for local federation. • A huge success story! Born from “US”. Core group but many made it work well.
What worked/works… • Shibboleth, simpleSAMLphp, SAML 2.0 by vendors • social2SAML gateways emerging • LDAP (eduPerson, LDAP-Recipe) • Grouper – still no vendor product like it. • Middleware Research – See KJK work • CAMPs (Always sold out). Global reach. • Global Collaborations – critical to success! • NMI-EDIT – made so much happen! • InCommon! InCommon! InCommon! • Certificates service fashioned after Euro deal on certs • ~600 participants (>400 HE), >7.5M users, 10 years!
Not so much… • Signet – a PrivMgmt System… didn’t take off. • DoDHE – Directory of Directories • “Wait, our public data will be THAT public? NO!” • USHER – Root CA for HE (and HEBCA) • Couldn’t get it in the browsers! No $$$$ • Voice/Video + AuthN/Z – still proprietary. • EDDY – Distributed Diagnostics. Good ideas, but • InCommon Bronze, Silver, Gold Assurance Levels. • PKI is STILL only 18 months away!
It wouldn’t be possible without thesePeople… In no particular order: • Keith Hazelton (Wisconsin), Steve Carmody (Brown), Mark Poepping (CMU), Michael Gettes (various/All), Ann West (MTU/Internet2), David Wasley (UCOP/retired), Tom Barton (Memphis/Chicago), Renee Shuey (PSU), Scott Cantor (The Ohio State), Jim Jokl(uVa), Scotty Logan (Stanford/missing), Frank Grewe (Minn), Paul Hill (MIT/ind), Von Welch (IU/ind), & Ken Klingenstein (Internet2) • Various liaisons from around the world and …
RL “Bob” Morgan (Stanford/Wash)We still miss him very much !!
And we move on… • Shibboleth Consortium formed (funding?) • REFEDs – locus for R+E Federation Operators • CommIT project – change how students apply to college nationally • Scalable Privacy Grant (KJK will discuss) • IAM Test-bed emerging • MFA – Multi-Factor Authentication everywhere • Provisioning and integration – practices for all • Still, so much to do… • Trusted Identity in Education and Research (TIER)