Wednesday, November 30, 2005

Looking back to look forward: Thoughts on HP's acquisition of Trustgenix

First Phase: Provisioning
  • Access360
  • Business Layers
  • Waveset
  • BMC
Web Access Control
  • Oblix
  • Netegrity
  • Securant
  • DASCOM
  • Entegrity
Password Management
  • Courion
  • M-Tech
Meta-directory/Virtual Directory
  • iPlanet
  • Novell
  • Siemens
  • Zoomit
  • OctetString
  • RadiantLogic
Second Phase: web services, federation, SOA
  • Trustgenix
  • PingIdentity
  • Sxip
  • SOA Software
  • Layer 7
  • Symlabs
Third Phase: activity in applications, information governance, identity in the network, and role / privilege analysis
  • Eurekify
  • Bridgestream
  • Prodigen
  • Tizor
  • Consul
  • Virsa
I will add to the list when I get a chance.

Wednesday, November 23, 2005

GRID: Globus Toolkit 4.0 - Authorization Model

The feature list is:
  • Support for PDP chaining
  • Policy combination algorithm supported: DENY overrides ALLOW (permit overrides can be simulated by having a MasterPDP which then controls the other PIPs & PDPs; the sequence of the PDPs & PIPs will need to be specified separately)
  • Supports the concept of PIP which works as Interceptor (like PDP) but does not return decision. It instead returns data which can be used by PDP (More info needed on how)
  • ID that will be authorized is extracted from the credential used by client to contact the service.
  • A concept of Resource Owner is supported which can be extracted from "resource, service or container depending on availability in that order of precedence"
  • Authorization Schemes supported
    • self - Caller ID = Owner
    • gridmap - Caller ID is part of a pre-defined list. This scheme also supports mapping the user ID to a local user ID (how does that help, or how can it be leveraged??)
    • Identity - Caller ID = Specified ID
    • Host - Caller's Host ID = specified Host ID. A Host ID is a special form of certificate with a common name (CN) corresponding to a name obtained from DNS or some configured service name. (How does this get mapped to the caller? Is the caller ID = host ID, or is the host ID like a computer certificate in the Windows world??)
    • SAML Call-out - PDP contacts a SAML Authz Service using request/response interface
    • userName - Caller ID = JAAS authenticated User (who is authenticating and how is that being passed to PDP?)
  • The development involves the following - Please note all the plugins have initialize and close function
    1. Implement the PDP interface - org.globus.wsrf.security.authorization.PDP :: boolean isPermitted(javax.security.auth.Subject, javax.xml.rpc.handler.MessageContext, javax.xml.namespace.QName operation). This interface also has the capability to get policy names and to get/set the policy (org.w3c.dom.Node)
    2. Reference the PDP from a security descriptor - Change $GLOBUS_LOCATION/etc/<service name>/security-config | <service name>-security-descriptor.xml add the <authz value="ascope:class name"/> where ascope is scope which is an authorization scheme "context" used to distinguish different authorization schemes with the same implementing class within the chain.
    3. Test the PDP - run client
    4. Implement the PIP interface - org.globus.wsrf.security.authorization.PIP :: collectAttributes(Subject subject,MessageContext ctx,QName operation)
    5. Reference the PIP from a security descriptor - <authz value="ascope:PIP_Class pdpscope:PDP_CLASS"/>
    6. Test the PIP - the order of execution of PIPs and PDPs depends on the order in which they were specified in the authorization chain configuration
    7. Communicate an attribute from PIP to PDP - e.g. - subject.getPublicCredentials().add(attribute); & subject.getPublicCredentials();
    8. Add a configuration to an interceptor - Use the service deployment descriptor to pass the data to the PDPConfig used in the initialize call. The D.D. is located in $GLOBUS_LOCATION/etc/<your_service> and takes <parameter name="ascope-attribute" value="notmanager"/>, i.e. scope_name-attribute_name (I guess one cannot have a hyphenated scope name??)
  • Next Steps -
    • Develop attribute/role-based authorization - a proper representation of attributes needs to be developed which can be transferred across the PDPs
    • support for fine-grained expression of "delegation of rights"
    • pluggable authorization engines
    • lazy collection of attributes
    • caching of decision/attributes
    • and metadata about attributes/interceptors
  • Resources - GlobusTK 4.0 Release Manual, WS Authentication and Authorization documentation, GridShib (Globus Toolkit with Shibboleth), Community Authorization Service
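As an added illustration (my own model, not Globus Toolkit code), the following Python reproduces the chain semantics from the notes above: plugins are built from an <authz value="scope:Class scope:Class"/> string, each receives only the parameters prefixed with its scope, a PIP only adds attributes to the subject's public credentials, and a single PDP DENY overrides every ALLOW. It also shows the ordering dependency from step 6: the same PDP decides differently if its PIP runs after it. Class names, identities and parameter values are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class Subject:
    identity: str                         # ID taken from the caller's credential
    public_credentials: set = field(default_factory=set)

class Interceptor:
    """Plugin base: initialize() gets only the parameters prefixed with its scope."""
    def initialize(self, scope, params):  # params are keyed "<scope>-<attribute>"
        self.config = {k[len(scope) + 1:]: v for k, v in params.items()
                       if k.startswith(scope + "-")}

class GroupPIP(Interceptor):
    """PIP: returns no decision, only publishes a (constructed) group attribute."""
    GROUPS = {"/O=Grid/CN=alice": "manager", "/O=Grid/CN=bob": "staff"}
    def collect_attributes(self, subject, operation):
        group = self.GROUPS.get(subject.identity, "unknown")
        subject.public_credentials.add("group:" + group)   # cf. getPublicCredentials().add()

class GridmapPDP(Interceptor):
    """PDP: permit only if the caller ID is in the configured member list."""
    def is_permitted(self, subject, operation):
        return subject.identity in self.config.get("members", "").split(",")

class AttributePDP(Interceptor):
    """PDP: deny any caller carrying the group named by the scoped 'attribute' parameter."""
    def is_permitted(self, subject, operation):
        return "group:" + self.config["attribute"] not in subject.public_credentials

CLASSES = {"GroupPIP": GroupPIP, "GridmapPDP": GridmapPDP, "AttributePDP": AttributePDP}

def build_chain(authz_value, params):
    """Parse an <authz value="scope:Class scope:Class ..."/> string into initialized plugins."""
    chain = []
    for entry in authz_value.split():
        scope, cls = entry.split(":", 1)
        plugin = CLASSES[cls]()
        plugin.initialize(scope, params)
        chain.append(plugin)
    return chain

def authorize(chain, subject, operation):
    """Run interceptors in descriptor order; one PDP deny overrides every permit."""
    for plugin in chain:
        if hasattr(plugin, "collect_attributes"):
            plugin.collect_attributes(subject, operation)
        elif not plugin.is_permitted(subject, operation):
            return False
    return True
```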

Sunday, November 20, 2005

Linkmania

Links

Consentry LAN Controller

Another company in the "identity enabled network" space, besides Identity Engines which I talked about earlier.
The moral of the story seems to be that:
  • A trusted identity store (like LDAP) needs to be integrated with the network
  • Application access policy must include identity & roles
  • Application control must go beyond the port level.
Nothing new here. Besides looking at the product itself, there is nothing new on the authentication side (it seems similar to what other network products would support). At the same time, a wide variety of applications are supported "out-of-the-box", though I am not sure what we are going to achieve by simply performing an allow or deny at the application level, since that is as good as port-level access (nothing more fine-grained). The field of identity enabled networks seems to be the next step in the growth of identity. It would be interesting to see what other companies are working on.

Friday, November 11, 2005

Global Identity Body

I think we really need to see how identity is managed in the real world, and maybe that can help us figure out how it may work in the digital world. So we would need a passport-like mechanism, which would assert very basic information about the person across international boundaries, and that is where I think we may concentrate at these international conferences (anything beyond that would be equivalent to boiling the ocean). Then we would need trusted bodies for various contexts. For example, international transactions would need banks working as intermediaries (as used for trade by companies across international boundaries), and then you may have technical bodies like medical bodies who may vouch for their members in transactions. So, I agree with the basic idea that there would be a large number of bodies, and I also think that multiple protocols would be developed for and by each community as they need to share this information. I think the idea of having a single standard across the board is a dream.
We have to remember that identity is not something like the internet, which was developed completely from scratch and hence the people who joined later accepted the work of the earlier groups. Neither is it like the desktop technologies, which were accepted easily due to the prevalence of a single OS.
That's why we should not expect a single protocol or even a "meta-identity" system to be accepted by the world, because paradigms have changed or are changing in the digital world.

Identity/Reputation management with Opinity

What is a product like this going to buy me as a citizen of the web? I can see their idea of a central repository of user reputation (something similar to a credit reporting company). But all the big sites have their own repository, and why would they want to share that? So, their basic approach would be to get the smaller websites to use this service. Now that is a big issue, because why would most of these websites want to purchase a service they do not need? As soon as the customer pays via credit card, these people do not care about the reputation of the customer. So unless this system can help them
Let's take the model from the customer's point of view. Most people would like to get tangible benefits out of this before they would be ready to aggregate their identity information in one place. This could be in the form of discounts in online stores. In addition to that, the reputation needs to be integrated with an identity engine that can build a central repository of their profile (which will include their blogs, comments on other websites about products, etc.) across the web, which can then be converted into their reputation (because without the "identity" you will not know who the people are talking about, since there could be a really large number of "John Doe"s out there).
Maybe I am thinking too far into the future. At the moment, it could be more like something that gamers and others involved in online activities (like chat) would use to aggregate and share their information out of the box.

Identity Map

Good idea and summary of the various types of information that are associated with the user, i.e.
  • Names
  • Characteristics - Static and dynamic
  • Relationships - I am not sure whether Relationship should be separate from the role. I am assuming that any relationship will always have the roles automatically defined for all the participants of the relationship, either implicitly or explicitly.
  • Roles - See Relationships; that is why roles by themselves may not make sense. These have to be in a given context, the context being the relationship or the community of which the relationship is part.
  • Locations
  • Experience - Experience would result in knowledge!! Right? And so knowledge would be a superset of experience and of information that was gathered through the experience of others (i.e. teaching, reading).
  • Knowledge -
  • Reputation
What do you say?

Identity Engines Delivers Platform for Network Ide?

So finally the company is out with the product. I have been hearing about this company for some time now. Anyway, it seems like these guys are catering to the requirements of companies that want to control access to their network in a more secure fashion. Most of these companies need to perform the following functions:
  • Sequestering the machine hooked to the environment unless validated (so it may not even be able to get an IP via DHCP)
  • Checking the laptop for the latest version of firewall and antivirus with the latest updates.
  • Requiring the user to authenticate in order to get access to the network.
  • (Not seen a lot though) if the user tries to access an application, that access needs to be managed.
  • Auditing all these events with additional information for monitoring and analysis.
W.r.t. the third access requirement, I have seen that most companies already have something installed. For example, web applications would have the Web SSO products. But most of the client-server applications (which are not being fixed since they are not broken) are still outside the purview of the centralized solution. Now looking at the solution, it seems to provide the following:
  • Sequestering of machines - this is a tough nut to crack, but I think combining it with user authentication at the switch level can achieve the same result.
  • User authentication - which is provided by most of the managed switches through support for 802.1x and RADIUS (I will be implementing something in the next few days for my company and will have more to write about it at that time)
  • Application access control - I am not clear what mechanism is implemented for mapping the identity to a machine after the machine has been authenticated. If it uses the IP address or MAC address, then theoretically the battle is lost since these can be spoofed. So, I would really look forward to getting information on this.
  • Security compliance - I did not see feature support for making sure a machine is compliant before allowing it on the network.
Something else that is bothering me is the possible requirement of provisioning the switches for sequestering new machines. I am not sure how comfortable the network guys would be with a system managing their boxes "automatically". I know that a lot of firewalls and IPSs do perform such operations, but it may still be an interesting issue.

Thursday, November 10, 2005

Quick and dirty identity management

That is what tells me that we really need to develop an open source identity management interface for people to be able to do the basics:
  • User CRUD
  • Password management (password reset)
  • User data management
  • and basic user provisioning to other products

Sunday, November 06, 2005

Friday, November 04, 2005

Vendor Installation News

I see a lot of releases on the vendor installations. This is an attempt to capture them on single page.

Wednesday, November 02, 2005

ID-entity Blog Launch - Lessons from IIW2005 [Li…

Seems like somebody else is also bothered, like me, by the complete lack of discussion of Liberty/SAML in the Identity 2.0 world.

The browser as the Virtual Directory GUI

I think most people will agree that the basic issue with auto-form filling is the storage and the security of that storage. That is what makes the existing auto-fills a big no-no for "informed" users. So, until we have browsers that are developed with very good built-in data security through smartcard or encrypted USB support, we cannot go too far with the whole idea of identity storage on the client.
Until that time, the client will continue to make a good pitstop that allows the end-user to control what is going from the IDP/Identity Provider to the Service Provider.

Internet Infrastructure Ignorance

There is an existing product that is built around the XRI. Besides that the basic issue of multi-identity and associated management w.r.t. End-user is something that the products and protocols have to manage.

Tuesday, November 01, 2005

Anonymous Identity

This is one of the worst reasons I have heard against anonymizers. Why do I have to make myself known to the whole world if I do not have faith that the websites I access have adequate resources or the will to protect my identity, as is apparent from the way the big companies have failed us?
So these services will always fulfill a requirement in the world.