6th Annual PKI R&D Workshop Summary
http://middleware.internet2.edu/pki07/proceedings/workshop_summary.html

Ben Chinowsky, Internet2


Note: this summary is organized topically rather than chronologically. See http://middleware.internet2.edu/pki07/proceedings/ for the workshop program, with links to papers and presentations.


The workshop looked at three aspects of its main theme of "applications-driven PKI":
I. Identity systems and federations
II. Current or imminent applications
III. Advanced approaches to infrastructure
There were also some additional talks not directly related to the workshop theme.


I. Identity systems and federations


There is a surge of interest in an "identity layer for the Internet", and a change in how identity is conceived in many quarters. The old joke goes that on the Internet no one knows you're a dog; identity is about giving you control over who -- if anyone -- gets to know that you're a dog, and if so, what kind of dog you are. This notion of identity as attributes, instead of identity as identifier, is gaining momentum for both privacy and security reasons.


In that spirit, Carl Ellison, now working with Identity and Access Architect Kim Cameron at Microsoft, and speaking on his behalf, keynoted on Identity Management. The Internet was built without much attention to security; various approaches to addressing this -- like proliferating per-vendor passwords and Microsoft Passport -- are more and more showing their limitations. Kim Cameron, through extensive discussions with a variety of parties concerned with solving this problem, has proposed seven Laws of Identity:

1. User Control and Consent. Technical identity systems must only reveal information identifying a user with the user's consent.

2. Minimal Disclosure for a Constrained Use. The solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.

3. Justifiable Parties. Digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.

4. Directed Identity. A universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

5. Pluralism of Operators and Technologies. A universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers. (Ellison drew a contrast between this situation and DNS, which he suggested only worked because it was implemented before anyone noticed.)

6. Human Integration. The universal identity metasystem must define the human user to be a component of the distributed system integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks. (Ellison has been advocating such mechanisms for years, under the label "ceremonies".)

7. Consistent Experience Across Contexts. The unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies. (Here is where the card metaphor comes in; as Cameron notes, "we must 'thingify' digital identities -- make them into 'things' the user can see on the desktop, add and delete, select and share...How usable would today's computers be had we not invented icons and lists that consistently represent folders and documents? We must do the same with digital identities.")


A great deal of detail on Cameron's Laws of Identity is available at http://www.identityblog.com/?page_id=354.


The way to obey these laws is to build an "identity metasystem". This means not only creating a system (like Microsoft's CardSpace) for presenting choices of identity to the user and conveying identities to relying parties, but also creating a way for different such systems to interoperate.


Ellison's keynote was immediately followed by presentations on three more identity systems, and a panel discussion of the relationships among the various identity systems and the identity metasystem. Eric Norman moderated the discussion.


Mike Ozburn introduced OpenID. The main idea behind OpenID is to use a URL to identify the individual; OpenID is the result of a recent pooling of effort by four separate projects that had been taking similar approaches. This approach solves the namespace problem by leveraging DNS, creating a "single point of contact, single point of control" for each individual. Ozburn stressed that "OpenID is NOT a trust system...but it can be PART of one". OpenID already has millions of users and over a thousand sites enabled to use it. OpenID is currently used mostly for low-risk applications like blogs and social networking, not commerce, education, or government.


Mike McIntosh introduced the Higgins project. Higgins is an open-source identity framework and API which can accommodate CardSpace, OpenID and other protocols; IBM and Novell have prominent leadership roles in the project. Like CardSpace, Higgins uses a card metaphor for user identities, is designed with interoperability with other identity systems in mind, and includes elements of an identity metasystem. McIntosh noted that he is working closely with Kim Cameron, and cited Law of Identity #5 -- Pluralism of Operators and Technologies -- as key to the effort. McIntosh also noted that the Eclipse Public License will allow incorporation of Higgins into proprietary code.


Scott Cantor gave an overview of the Security Assertion Markup Language (SAML) space, including the history and current status of the Shibboleth and Liberty Alliance projects. Cantor's most emphatic point, however, was the danger of a new generation of web applications being tied to particular identity systems: "BrokenWeb 2.0". Cantor stressed that "it's just as wrong to bind an app to SAML or OpenID" as to bind it to passwords; in a correct, scalable architecture, applications trust the web server. But, despite the broad emerging consensus on the need for an identity metasystem, the construction of BrokenWeb 2.0 is already well underway.


Eric Norman underscored this concern in his informal definition of the concept of an "identity layer" for the Internet: "application developers shouldn't have to write code to do identity stuff." Several points were made about how to achieve this:

- There was general agreement that identity should be conceived as a collection of attributes, rather than identity being counterposed to attributes. Carl Ellison stressed the distinction between an authenticator and the attributes bound to that authenticator. In order for an identity metasystem to work, this distinction needs to be rigorously maintained; attributes and authenticators should not be combined as with e.g. credit card numbers.

- Scott Cantor observed that one huge problem is that users don't see identity as a collection of attributes, and don't understand the nature and privacy implications of many of the low-level attributes. Work on user interfaces that address this is underway, but still at an early stage.

- Cantor also noted that there are two reasons that deployers can't make the PKIX libraries work: the implementations are poor and the protocol is too complicated to begin with. IETF Chair Russ Housley agreed.

- Rich Guida noted that privacy concerns can be more readily addressed in intra-enterprise or enterprise-to-enterprise communications, and that there is great need for, and benefit in, deploying identity systems even with this more restricted scope. There are many complexities associated with the attribute-centric approach, which helps explain why it is not prevalent today. Simpler approaches, where identity is tied to an identifier such as an employee ID number, are much more commonplace and may be perfectly sufficient for use within or between enterprises. This approach is what much of Microsoft's Active Directory framework is based on.

- There was a discussion of duplication vs. specialization among identity systems. Mike McIntosh argued that some systems are better for some purposes than others; Cantor argued that most of them can serve most purposes. Nonetheless, there was general agreement that a plurality of systems is inevitable, so that an identity layer / identity metasystem -- not an attempt to standardize on one identity system -- is the right approach.


Continuing with the theme of attribute-centricity, Ken Klingenstein's invited talk explored the concept of an "attribute ecosystem". Klingenstein envisions a central role for Shibboleth in this system: providing real-time transport from identity providers to service providers for authorization decisions. Other "compile-time" means will also be used to ship attributes to service providers, and intermediate entities such as proxies and portals, as well as to the identity provider itself. Klingenstein's slides present a variety of scenarios for how the pieces could fit together. The user needs to be able to manage all of this, which is a significant challenge; the Autograph tool developed by the Australian Meta Access Management System (MAMS) project is one attempt to meet that challenge. Klingenstein wrapped up by observing that if this sounds like PKI, that's because what he's trying to create is PKI with a few more degrees of freedom.


Klingenstein, Georgia Marsh, and Jens Jensen presented experiences with federations in a panel discussion moderated by Scott Rea, who posed the question, "how is the mix of SAML / PKI / other working out?" Marsh described the approach of the General Services Administration's eAuthentication project as using commercial off-the-shelf (COTS) technologies to grow e-government; ease of use is key to this effort. EAuth uses SAML for lower levels of assurance and PKI for higher levels, and is not limited to government-issued credentials; in fact, Marsh noted, "the government really does want to get out of the credential-issuing business". EAuth has been operational since October 2005; there are currently 46 relying parties and six credential service providers. Business aspects remain more challenging than technical aspects; lessons learned so far include "federate business not technology" and "align the data to the business process".


Jensen gave an overview of lessons learned in running a Shibboleth federation in the UK. He stressed the importance of policies in setting other federations' members' expectations; at the same time, keeping them consistent is difficult, as updating policy requires you to then prod everyone to update their procedures.


In his global federations survey, Klingenstein noted that the UK federation aims to encompass all of K-12, higher education, and continuing education -- a much broader scope than any US federation. Klingenstein also cited privacy guidelines from the UK (http://www.ukfederation.org.uk/library/uploads/Documents/recommendations-for-use-of-personal-data.pdf), including the mandatory provisions of the UK Data Protection Act. Klingenstein noted that federations are being rapidly adopted by collaborative applications, wikis in particular; his slides also list an impressive variety of other current and planned uses.


II. Current or imminent applications


Uri Resnitzky presented and demonstrated his Directory-Enabled PKI Appliance. The Appliance stores users' digital-signing keys and leads them through the signing process via a simple graphical interface; the signing key never leaves the Appliance. This is production technology; Resnitzky's paper provides details on its ongoing use in a variety of settings.


Nick Pope described the application of OASIS Digital Signature Services (DSS) to e-invoicing in Europe. The fact that the Value Added Tax (VAT) is applied at every stage of a commercial process, with rebates available for tax paid in a different jurisdiction, presents rich opportunities for fraud; here DSS is applied to stop such fraud. An implementation is in progress and is expected later this year. Pope noted that, although the specification has only recently been ratified, DSS is based on a style of operation already in use for years, e.g. in Thales SafeSign and the Norwegian BankID. See http://www.oasis-open.org/committees/dss/.


David Salbego described how Argonne National Laboratories combined Microsoft Certificate Services, KX.509 and Sun's Java Enterprise Suite to enable certificate-based access to applications. The resulting access manager has been open-sourced at http://www.opensso.dev.java.net/.


R.J. Schlecht introduced the mortgage industry panel, noting that PKI can be applied at several different steps in the mortgage-approval process. This process involves interaction among entities of widely differing resources, and is heavily regulated; the industry has been working on PKI for about four years. Yuriy Dzambasow introduced SISAC (http://www.sisac.org/), "a fully owned PKI subsidiary of the mortgage industry." SISAC certifies accredited issuing authorities to provide certificates to mortgage industry entities (not customers). Schlecht observed that pursuing consistency with FPKI has helped a lot, as parts of the mortgage industry are part of the government.


Francois Leblanc and Jim Bacchus introduced two users for SISAC certificates: "eClosing and eVaulting" and "eNotary" respectively. Leblanc noted that the goal of MERS, the Mortgage Electronic Registration System, is to register every mortgage loan in the US; they are currently at 80%. Bacchus noted that while the law requires you to notarize in person, the result of the process is an electronic document that can go in a digital safe deposit box.


The mortgage panel generated extensive discussion.

- Carl Ellison pointed out that signings are just "little point samples" of the extremely complicated human process of getting a mortgage, and expressed concern that if we automate the document process we'll end up throwing out the human process. Schlecht countered that the intent is not to change the human process, but to reduce the opportunity for error inherent in basing that process on paper documents, e.g. retyping things and losing things.

- John Sabo pointed out that in most signature-fraud cases, what is in dispute is not whether something was signed, but whether the signer was properly informed; he asked how technology could address this. There was general agreement that, while this is more a legal issue than a technical one, document signing could be helpful in creating auditable documentation that the signer was properly led through the process.

- Somewhat more prosaically, Leblanc noted that having electronic copies of documents often makes it possible for the customer to review them individually ahead of time, instead of being confronted with a mountain of documents all at once when visiting the mortgage office.


Peter Alterman led two panel discussions of PKI in the Federal Government. The first concerned current applications:

- Jim Schminky presented the Treasury Department's Secure Extranet Gateway, used for secure access to Treasury applications by business partners, remote Treasury users, and other Government agencies.

- Cindy Cullen discussed SAFE digital signatures and the FDA Electronic Submissions Gateway (ESG). Cullen noted that the FDA wants to get away from "semi trucks full of submissions" and is making a big push for submissions to be made electronically. On the pharmaceutical-industry side, the Regulatory Affairs department of AstraZeneca has been involved in the ESG pilot.

- Alterman stood in for Chris Jewell in presenting the Controlled Substances Ordering System (CSOS) at DEA. CSOS has been a great success, with over 33,000 certificates issued and over two million line items ordered so far. Working closely with industry has been key to this success. See http://www.deaecom.gov/ for more information.


The second Federal PKI panel addressed issues around the August 2004 Homeland Security Presidential Directive 12 (HSPD-12), which mandates Personal Identity Verification (PIV) cards, i.e. smartcards, for Federal employees and contractors.

- Judith Spencer gave an update on HSPD-12 implementation. She noted that there have been many queries from states, industry, and foreign governments about how HSPD-12 applies to them. The short answer is that it doesn't, but many people want to be compatible with it anyway; FIPS 201 is seen as "the gold standard". All Federal employees with less than 15 years service are to have PIV cards by October 27, 2007; all Federal employees and contractors should have them by October 27, 2008. (In the mortgage panel, Jim Bacchus, a Marine Corps reserve officer, noted that he didn't use his smartcard for the first six years he had it, but since HSPD-12 he's had to use it every time he sends email.)

- Debb Blanchard gave an overview of the implementation of HSPD-12 at the Veterans Administration. They have issued about a thousand smart cards so far, and need to issue about 400,000 more before the October 2008 deadline.

- Tim Polk discussed PIV-enabling applications, noting that many applications -- both COTS and custom -- have limited compatibility. Polk's presentation noted "Six Deadly Sins" of PIV-Enabling: hardwiring to current cryptography modules, failing to allow for large certificates, overloading key-usage extensions, processing only the common name rather than the full name, assuming that a valid path means a valid user, and relying on a single type of certificate status information.


In the discussion, Peter Alterman (altermap@mail.nih.gov) asked the group for its help in documenting issues that are inadequately addressed in the Common Policy (http://www.cio.gov/fpkipa/documents/CommonPolicy.pdf). There was strong interest in seeing better documentation of PIV-enabling best (and worst) practices; Polk noted his certainty that the list of Deadly Sins will grow.


There was also a short rump-session presentation by Simon Godwin, discussing PKI in RFID passports. US passports have been completely redesigned to include RFID chips with biographical and biometric data (the latter is mostly the photo). Godwin noted that, in the US, "PKI as it relates to passports is really all about signing data" -- there is no document-specific keypair on the passport, just the public key used to sign the data on the chip. Sean Smith noted that Singapore is pursuing a more advanced scheme, with passports carrying keypairs. Godwin also reassured the group that there are no plans to remove humans from the passport-inspection process.


III. Advanced approaches to infrastructure


Tan Teik Guan discussed digital signatures via One Time Private Keys (OTPK). This scheme builds on the practice, already common in Singapore and Hong Kong, of using one-time passwords for everyday banking transactions. With OTPK, a separate private key is created, used, and deleted for each signature; the key never leaves the client. A demo is at http://www.demo.com/demonstrators/demo2006fall/79808.php; a toolkit and pilot project are planned.


Wills, bids at auction, and bids for government contracts are examples of documents commonly put in sealed envelopes in order to ensure that they are not read until after a certain point in time. Observing that there is currently no electronic equivalent to this process, Ricardo Felipe Custódio introduced the proof-of-concept Temporal Key Release Infrastructure. Custódio also further developed the analogy with the sealed envelope, e.g. noting that TKRI provides a functional equivalent of a window in the envelope. Custódio's team currently has a working prototype.


Nicholas Santos discussed Limited Delegation for Client-Side SSL. As evidenced by the endemic practice of password-sharing, users really need a way to delegate their privileges to other users; Santos noted that this concept is well-understood everywhere except in traditional PKI. His solution, developed as a student of Sean Smith at Dartmouth, involves a non-standard use of X.509 proxy certificates, together with dynamically loadable modules in Mozilla Firefox -- and, unlike password sharing, allows delegation of a subset of privileges, not just all or none.


Paul Rabinovich made the case for standardizing Kerberos names in X.509 certificates, in order to facilitate their use for cross-domain authentication. He outlined four possible approaches to doing this, advocating the most vendor-neutral of the four. This talk generated lively discussion, including a suggestion that at least one of the approaches be written up as an RFC, but overall there was little support for Rabinovich's position. In particular, all four approaches were resoundingly rejected by Russ Housley, who argued that the time for standardizing X.509 on Kerberos names has come and gone.


Three of the five rump-session talks also fell into the "advanced infrastructure" category:

- Doug Engert discussed using PIV smartcards on Linux for authentication to Active Directory. You can test this today; see http://opensc-project.org/.

- Olga Kornievskaia presented her work on PKINIT, which provides initial Kerberos authentication via X.509 certificates. This work is further described in standards-track RFC 4556, and CITI is working toward including it in MIT Kerberos 1.7. See http://citi.umich.edu/projects/pkinit/ for more information.

- Kent Seamons presented the work of his graduate student, Timothy van der Horst, on Simple Authentication for the Web. SAW is inspired by the common practice of using email to help a user who has forgotten their password. SAW introduces a variant of this approach as the primary means of authentication, resulting in a system that removes the need for passwords at many web sites. The goals of this work are convenience and security. Complete details are available in a paper to be published at the 3rd International Conference on Security and Privacy in Communication Networks in September 2007 (see http://isrl.cs.byu.edu/publications.php). The extension of this approach to IM and SMS was discussed at length in the Wednesday night BoF.


Also in the BoF, Massimiliano Pala discussed his work on an OCSP-like protocol for PKI resource discovery. See https://www.openca.org/projects/libprqp/ for more information.


There were three talks on PKI for Grids:

- Jens Jensen presented a PKI for the UK National Grid Service, complementary to but independent of the UK Shibboleth deployment. Jensen noted that the UK e-Science CA is the world's second-largest Grid CA, behind only the US Department of Energy Grid CA.

- Hoon Wei Lim outlined a Certificate-free Grid Security Infrastructure Supporting Password-based User Authentication. This work is a variation on the Gentry and Silverberg approach to identity-based cryptography, using IBC hierarchies that match the hierarchies of virtual organizations.

- Stephen Langella discussed Enabling the Provisioning and Management of a Federated Grid Trust Fabric. In Langella's work with the Cancer Biomedical Informatics Grid (caBIG), a major problem he encountered was how to know which CAs to trust. The approach developed to address this problem uses a single trusted CA to bootstrap the process of identifying other trustworthy CAs.


Organizational and miscellaneous


John Sabo introduced the OASIS Identity and Trusted Infrastructure (IDtrust) Member Section, formerly the PKI Member Section. IDtrust oversees the Enterprise Key Management Infrastructure (EKMI) Technical Committee, which is concerned with symmetric key management, and the PKI Adoption Committee. Sabo's slides note that "PKI is resurgent, driven by applications needing signatures, esp. for paperless transacting." See http://www.oasis-idtrust.org/.


Sara "Scout" Sinclair gave a short rump-session presentation on the Dartmouth PKI Lab's planned PKI Census. Where the OASIS survey focused on qualitative barriers to adoption, this will focus on quantifying the status of PKI as it exists today, and in particular on how many people are using it for each of its many current applications. Send questions you'd like included in the Census, and suggestions for people to send the Census form to, to geetha.wunnava@dartmouth.edu and scout.sinclair@dartmouth.edu.


Conclusion


PKI (more precisely, the distribution and use of X.509 digital certificates for authentication, digital signatures and encryption) is not happening the way we originally expected -- by reaching a sudden tipping point -- but it's happening nonetheless, via a patchwork of deployments, for a wide variety of purposes, taking a correspondingly wide variety of approaches. The broadening of this year's program to include discussion of identity systems and metasystems in general reflects this turn of events.


The wrap-up discussion revealed authorization, delegation, and the delegation of authorization as additional areas of particular interest for next year's workshop. Kent Seamons noted that while technical paper submissions were up over last year, we still want a greater volume of submissions for next year. The submissions deadline is expected to be sometime in October.


In program committee discussions shortly after the workshop, it was agreed that the scope of next year's meeting will be broadened to "identity and trust". This will formalize the trend established at PKI07. Please join us at the 7th Symposium on Identity and Trust on the Internet (IDtrust 2008), March 4-6, 2008; watch http://middleware.internet2.edu/idtrust/ for details.