Painless Security

At The MIT Kerberos Consortium‘s 2010 conference, Josh Howlett and Sam Hartman delivered a talk on Moonshot. Slides should be up in a day or so. We reported on status and gave a brief overview.

The new material was apropos for the venue. At the bar BOF back in March at IETF 77, we received several comments on Moonshot’s limitations. It doesn’t work well for services that require rapid authentications for multiple requests. There’s not a good story for use when a Moonshot service needs to contact another service. There isn’t a good standardized mechanism for mapping in domain-specific policy.

We presented a proposal that Luke and Sam developed to optionally provide a Kerberos ticket as part of moonshot authentication. This scales from a service that simply generates its own service tickets all the way through resource domains that have many services and complex policy and provide the client a TGT. Clients can implement the feature in order to achieve better performance. Server can implement the feature in order to get delegation support within a resource domain and to get policy mapping.

Luke has prototyped a version of this service involving a service ticket. We plan on briefly mentioning a desire to have extensible fast reauthentication support at the ABFAB meeting in IETF 79. However in the interest of getting the working group off to a good start we’re going to focus on the well understand parts of the system and formally propose this extension after IETF 79.

Moonshot is being discussed at the TERENA TNC 2010 conference. Our session started at 08:00 UTC (a few minutes ago), but will be going on for around the next hour or so. There is a presentation before Moonshot, but then Josh is up. See here for streaming and the Moonshot web site for our updated specifications. When the session is archived I’ll post a pointer to the video stream.a

Monday morning, Project Moonshot was presented to the US networking research community at the Internet2 spring members meeting. Our presentation was well received. We presented an updating briefing paper as well as much of the same material presented earlier at IETF. We’re moving forward to the planning phase for our standardization and implementation efforts. If you would be interested in getting involved in this exciting federated authentication project, please let us know.

There are two other approaches that are likely to come up tonight; see this message for details. These mechanisms require significantly lower infrastructure than Moonshot, but do not provide all the benefits. One question is whether there is a continuum of use-cases depending on what level of investment in client changes are made.

The federated authentication bar BOF will be held tonight at 9 PM US Pacific time in the Manhattan room at the IETF 77 meeting.. Here is information for participation.

Reading List

• Use case/briefing paper
• EAP GSS-API Mechanism draft
• RADIUS SAML attributes draft
• sstc-saml-binding-aaa-draft-00
• sstc-saml-eapgss-sso-draft-00
• Feasibility analysis of the approach
• Brief overview

Remote Participation

• Join our audio stream during the session
• Join our jabber chat room at moonshot@conference.jabber.postel.org

At IETF 77, we’re having a get together to discuss federated authentication beyond the web. The meeting will be in the Mahattan room starting at 9 PM US Pacific time. I think audio streaming will be available; I will post a link closer to the meeting time.

In the last entry, I mentioned that a preliminary spec would be available; see the preliminary EAP GSS-API mechanism. A use case paper and slide set are being reviewed internally and should be ready early next week. We may even have preliminary versions of the binding between RADIUS and SAML available before IETF.

There have been a number of great discussions on the moonshot-community list and with others interested in the broader area.

I will be attending Debconf 9 in Spain from July 23-30. I will also be attending debcamp the previous week. I’m hoping to build contacts and increase my involvement in the Debian community, and the previous debconf I attended was an interesting window into what was going on in Debian and Linux.

I’m still lining up things to do at Debcamp. Jelmer Vernooij will be there; he’s interested in working with me on Samba 4 support for MIT Kerberos in Debian. I’m interested in working with him on making the user experience good for people who use both Samba 4 and other Kerberos applications.

As I wrote at the bottom of this post, I believe it is critical that the open source community not just follow what Microsoft is doing in the Enterprise space. I also think it is important that we maintain avenues for our own innovation. To that end, I want to look at what we can do to use enterprise infrastructure independent of AD-look-alike projects like Samba as well. So, I’ll be looking at making what I can do to help this in Debian. Areas of interest include:

1. Easy set up of Kerberos to use an LDAP database
2. Easy configuration of libpam-krb5 and libpam-ldap together using Kerberos for authentication and LDAP for authorization but not authentication.
3. Support for FAST integrated into Debian systems so we can gain better protection against weak passwords. As I promised, more about this in its own post.
4. Better support for PKI/smart cards for network authentication.

These are all projects I think I could make headway on myself. However the value of debcamp is the other people there. I’ve never been to a debcamp before and so I don’t know what it will be like. I do know that I will give higher priority to projects that will benefit from close cooperation over a week. So, if you’re there and want to try to recruit me to your project, feel free. I’m interested in enterprise infrastructure, VOIP, IPv6, network security and making complex infrastructure easy to use.

As I mentioned, I’ve been in DC for the last two days at the AFCEA Solutions conference on identity assurance. One thing I’ve learned is that the government and those providing services to the government think about identity and some of the related security problems much differently than we do in the Internet standards community and especially the open source software community.

I’m sitting here in a session where people are bemoaning the fact that people put their personal information on Myspace, Facebook, etc. (Interestingly, LJ was not mentioned.) There seems to be inadequate consideration of the value people get for making this information available.

However the most stunning revelation is the strong desire to make sure that people have a single identity and to avoid duplicates. The Kerberos community went down this path a while ago. We found that users really want to have multiple identities in multiple contexts. The example within MIT is that you really probably didn’t want to buy porn using your work credential.

In some of the government contexts, for example giving people security clearances, making sure all the identities are bound together seems really important. However I feel that a strong push to bind everything to a physical identity will be very harmful to privacy in the long run. I’ve found that reputation-based identity has been really critical to online communities.

I’m on a panel discussing the implications of large databases of information on the identity management/assurance problem. The concern is that as you have large databases like national ID databases, credit report databases, medical records, etc, and you want to share information, how do you handle the identity management problems. Sharing is important because it enables new uses of the information. You would like to delegate access to information to services and agents. However, you also want to meet privacy and secrecy objectives. Technologies like oauth are in this space, although I think that this conference would not be interested in that particular technology.

I have not been thinking that much about some of the problems in this space before preparing for this panel. However, it has been a lot of fun to consider and I think there are some very interesting challenges in this space.