Archive for the ‘Events’ Category

Moonshot Bar BOF Thursday March 20 at 9 PM; specs available

Thursday, March 11th, 2010 by hartmans

At IETF 77, we’re having a get-together to discuss federated authentication beyond the web. The meeting will be in the Manhattan room starting at 9 PM US Pacific time. I think audio streaming will be available; I will post a link closer to the meeting time.

In the last entry, I mentioned that a preliminary spec would be available; see the preliminary EAP GSS-API mechanism. A use case paper and slide set are being reviewed internally and should be ready early next week. We may even have preliminary versions of the binding between RADIUS and SAML available before IETF.

There have been a number of great discussions on the moonshot-community list and with others interested in the broader area.

Debconf and Debcamp

Sunday, June 7th, 2009 by hartmans

I will be attending Debconf 9 in Spain from July 23-30. I will also be attending Debcamp the previous week. I’m hoping to build contacts and increase my involvement in the Debian community, and the previous Debconf I attended was an interesting window into what was going on in Debian and Linux.

I’m still lining up things to do at Debcamp. Jelmer Vernooij will be there; he’s interested in working with me on Samba 4 support for MIT Kerberos in Debian. I’m interested in working with him on making the user experience good for people who use both Samba 4 and other Kerberos applications.

As I wrote at the bottom of this post, I believe it is critical that the open source community not just follow what Microsoft is doing in the Enterprise space. I also think it is important that we maintain avenues for our own innovation. To that end, I want to look at what we can do to use enterprise infrastructure independent of AD-look-alike projects like Samba as well. So, I’ll be looking at what I can do to help this in Debian. Areas of interest include:

  1. Easy setup of Kerberos to use an LDAP database
  2. Easy configuration of libpam-krb5 and libpam-ldap together using Kerberos for authentication and LDAP for authorization but not authentication.
  3. Support for FAST integrated into Debian systems so we can gain better protection against weak passwords. As I promised, more about this in its own post.
  4. Better support for PKI/smart cards for network authentication.

These are all projects I think I could make headway on myself. However, the value of Debcamp is the other people there. I’ve never been to a Debcamp before and so I don’t know what it will be like. I do know that I will give higher priority to projects that will benefit from close cooperation over a week. So, if you’re there and want to try to recruit me to your project, feel free. I’m interested in enterprise infrastructure, VOIP, IPv6, network security and making complex infrastructure easy to use.

Government and Identity

Friday, June 27th, 2008 by hartmans

As I mentioned, I’ve been in DC for the last two days at the AFCEA Solutions conference on identity assurance. One thing I’ve learned is that the government and those providing services to the government think about identity and some of the related security problems much differently than we do in the Internet standards community and especially the open source software community.

I’m sitting here in a session where people are bemoaning the fact that people put their personal information on Myspace, Facebook, etc. (Interestingly, LJ was not mentioned.) There seems to be inadequate consideration of the value people get for making this information available.

However, the most stunning revelation is the strong desire to make sure that people have a single identity and to avoid duplicates. The Kerberos community went down this path a while ago. We found that users really want to have multiple identities in multiple contexts. The example within MIT is that you really probably didn’t want to buy porn using your work credential.

In some of the government contexts, for example giving people security clearances, making sure all the identities are bound together seems really important. However, I feel that a strong push to bind everything to a physical identity will be very harmful to privacy in the long run. I’ve found that reputation-based identity has been really critical to online communities.

Speaking at AFCEA Identity Assurance Conference

Thursday, June 26th, 2008 by hartmans

I’m on a panel discussing the implications of large databases of information on the identity management/assurance problem. The concern is that as you have large databases like national ID databases, credit report databases, medical records, etc., and you want to share information, how do you handle the identity management problems? Sharing is important because it enables new uses of the information. You would like to delegate access to information to services and agents. However, you also want to meet privacy and secrecy objectives. Technologies like OAuth are in this space, although I think that this conference would not be interested in that particular technology.

I have not been thinking that much about some of the problems in this space before preparing for this panel. However, it has been a lot of fun to consider and I think there are some very interesting challenges in this space.