Identity Management Standards from OASIS - PowerPoint PPT Presentation



Identity Management Standards from OASIS

Patrick Gannon

President & CEO

Architecting Identity Management

The Open Group, Boundaryless Information Flow

San Francisco, 24 January 2005


Open Standards for Identity Management

  • Future Shock – “De-perimeterization”

  • Why do standards matter?

  • What is a “standard”; how can you tell?

  • Key directions in Web Services Standards

  • What your company can do









Why do standards matter for e-business?

  • Businesses require expansion of the value chain into unlimited, de-perimeterized extranets

  • Support of multiple platforms is a business necessity

  • Must support multiple languages, taxonomies, semantics and business processes

    But…

  • Normalizing data, processes and users costs time and money


Why do standards matter? Risk Reduction for e-commerce

Each business risk on the slide is paired with the property of open standards that addresses it:

  • Unstable business and technical requirements → Persistent technical base with stable versioning

  • New and emerging business requirements → Evolving and converging standards

  • Diversity of business partners and technologies → Interoperable standards

  • Need for long-term support → Reliable, fixed terms of availability


“Without standards, a technology cannot become ubiquitous, particularly when it is part of a larger network.”

The Economist, 8 May 2003



What is a Standard?

  • Anything that a vendor publishes? Or on which a few vendors agree?

    • They may be “specifications”

    • Some call them “de facto” standards

    • But they are not necessarily open standards

  • Open standards are distinguishable:

    • Published, clear rules

    • Level playing field with public input

    • Transparent operations

    • Transparent output


What’s an “Open Standard”?

An open standard is:

  • publicly available in stable, persistent versions

  • developed and approved under a published process

  • open to input: public comments, public archives, no NDAs

  • subject to explicit, disclosed IPR terms

Anything else is to some extent proprietary:

  • This is a policy distinction, not a pejorative

  • See the US, EU, WTO governmental & regulatory definitions of “standards”


Regulatory mandates for standards

Increasingly, it matters to government buyers, users and regulators whether standards are “real” standards.

  • WTO Technical Barriers to Trade Agreement, Annex 3:

    • http://www.wto.org/english/docs_e/legal_e/final_e.htm.

  • National criteria, such as in the U.S. gov’t:

    • http://www.whitehouse.gov/omb/circulars/a119/a119.html.

  • These rules focus on desirable process attributes: public process, public archives, open to comment without NDA or non-compete restrictions, etc.


  • OASIS is a member-led, international non-profit standards consortium concentrating on structured information and global e-business standards

  • Members of OASIS are

    • Vendors, users, academics and governments

    • Organizations, individuals and industry groups

  • Best known for e-business & security standards such as:

    • UDDI

    • SAML

    • ebXML

    • WS-Security

    • WSRP

    • WSRM

    • SPML

    • XACML

    • UBL


Standards Adoption

  • To be successful, a standard must be used

  • Adoption is most likely when the standard is

    • Freely accessible

    • Meets the needs of a large number of adopters

    • Flexible enough to change as needs change

    • Produces consistent results

    • Checkable for conformance, compatibility

    • Implemented and thus practically available

  • Sanction and Traction both matter


[Chart: “Open Standardization”. Standards are plotted by Sanction (x-axis, from Proprietary through JCV and Consortia to SDO) against Traction (y-axis, Market Adoption). Points shown, with the body behind each: XML (W3C); SOAP v1.1 → SOAP v1.2 (W3C); WSDL v1.1 → WSDL v1.2 (W3C); ebXML (x4) (OASIS) → ISO 15000; WS-Security → WSS (OASIS); UDDI v2,3 (UDDI.org) → UDDI v2,3 (OASIS); SGML (ISO); BPEL4WS → WS-BPEL (OASIS).]


Formula for Sustainable Standards

[Chart: “Open Standardization”, as on the previous slide. Standards are plotted by Sanction (x-axis, from Proprietary through JCV and Consortia to SDO) against Traction (y-axis, Market Adoption). Points shown, with the body behind each: XML (W3C); SOAP v1.1 → SOAP v1.2 (W3C); WSDL v1.1 → WSDL v1.2 (W3C); ebXML x4 (OASIS) → ebXML ISO 15000; WS-S v1.0 → WSS (OASIS); UDDI v2,3 (UDDI.org) → UDDI v2,3 (OASIS); SGML (ISO); BPEL4WS → WS-BPEL (OASIS).]


Key Directions in Security Standards for Web Services

[Stack diagram of the web services standards layers, top to bottom: Data Content; Orchestration & Management; Security & Access; Service Description; Service Discovery; Messaging; all built on a common language (XML) and a common transport (HTTP, etc.).]

Web Services Security

[The same stack diagram with OASIS committees placed on it, listed in the slide’s order from the Data Content layer downwards: CAM; ASAP, BTP, ebXML-BP, WSBPEL, WSCAF; WSDM, WSRF, WSN; [DSML], RLTC, XACML, SPML; DSS, PKI, SAML, WSS, XCBF; again on a common language (XML) and a common transport (HTTP, etc.).]


Web Services Security

  • Most e-business implementations require a traceable, auditable, bookable level of assurance when data is exchanged

  • IT operations demand “transactional” level of reliable functionality, whether it’s an economic event (booking a sale) or a pure information exchange

  • Dealings between divisions often need security and reliability as much as deals between companies


Security: function by function

  • Identity authentication

  • Encryption and protection against interception

  • Control of access and authority


Identity authentication

The latest e-business security standards implement the next generation of identity deployment

  • In the 1990s, PKI assumed a universal network of official certification authorities

  • Newer federated / distributed identity models permit identity certification to be decentralized and shared among service providers and existing registrars

  • SAML

  • WS-Security

  • XCBF


Identity authentication

  • SAML

    (Security Assertion Markup Language)

    • A standard way to convey identity and authorization data

    • Winner of PC Magazine’s Technology Excellence Award in 2002 and the Digital ID World award for innovation in 2003

    • SAML 1.0 approved as an OASIS Standard in Nov. 2002; SAML 1.1 in Aug. 2003

    • SAML 2.0 approved as Committee Draft in Dec. 2004; OASIS Standard in Q1 2005


Identity authentication

  • WS-Security

    (Web Services Security)

    • The standard method for attaching security data to a web services message

    • Wide support in web services tool-making

    • Profiles (modules) completed for:

      • SAML

      • Rights expression languages

      • Username-token/password pairs

      • X.509 PKI

  • WS-Security 2004 1.0 suite approved as an OASIS Standard in April 2004


Identity authentication

  • XCBF

    (eXtensible Common Biometric Format)

    • Method for conveying biometric identity data such as retina scans and fingerprints

    • Coordinated with other world efforts, including ITU-T standards and the ANSI X9.84 banking industry biometrics initiative

    • Expect to see more tools and devices commercially deployed soon

    • XCBF 1.1 approved as an OASIS Standard in August 2003


Encryption and protection against interception & intrusion

  • A key problem with encrypted messages travelling over a shared or public network: if the wrong parts of the message are encrypted, it either does not arrive or the recipient cannot process it

  • Shared and automated methods for managing security require a shared vocabulary about security weaknesses and risks

  • DSS

  • PKI TC

  • AVDL

  • WAS


Encryption and protection against interception & intrusion

  • PKI TC

    (Public Key Infrastructure Technical Committee)

    • Promotion and research regarding industry use of PKI digital signatures and practical obstacles to deployment

    • Project underway

  • DSS

    (Digital Signature Services)

    • Develops methods for the production and consumption of digital signatures

    • Project underway


Encryption and protection against interception & intrusion

  • WAS

    (Web Application Security)

    • Threat model and classification scheme for web security vulnerabilities

    • WAS 1.0 is under development

  • AVDL

    (Application Vulnerability Description Language)

    • Uniform method for describing application security vulnerabilities

    • AVDL 1.0 approved as an OASIS Standard in May 2004

  • Network Magazine started a petition campaign to support wide deployment of AVDL and WAS: http://www.networkmagazine.com/watchdog/avdl.jhtml


Control of access and authority

  • In transactional information exchanges, you often must apply

    • access lists,

    • directories of recipients,

    • levels of authority, and

    • access policies

  • So that you know who gets what, and who should get it

  • XACML

  • SPML


Control of access and authority

  • SPML

    (Service Provisioning Markup Language)

    • Disseminates and leverages directories and access lists, such as employee authorizations

    • Demo’ed at Burton Catalyst 2003 in SF

    • SPML 1.0 approved as OASIS Standard – Nov. 2003

  • XACML

    (eXtensible Access Control Markup Language)

    • Method for conveying and applying data access policies & controls

    • Demo’ed at XML2003 in Philadelphia

    • XACML approved as OASIS Standard

      • v1.0 in Feb. 2003

      • v2.0 in Sep. 2004

    • Role-based access profile issued May 2004


What should your company be doing?


Reducing Risk in new e-business technologies

  • Avoid reinventing the wheel

    • Stay current with emerging technologies

  • Influence industry direction

    • Ensure consideration of own needs

  • Realize impact of interoperability and network effects

  • Reduce development cost & time

    • save development on new technologies

    • share cost/time with other participants


What can my company do?

  • Participate

    • Understand the ground rules

    • Contribute actively

      Or…

  • Be a good observer

    In any case…

  • Make your needs known

    • Use cases, functions, platforms, IPR, availability, tooling

  • Be pragmatic: standardization is a voluntary process


Identity Management Standards from OASIS

Patrick Gannon

President & CEO

OASIS

[email protected]

