MACE: The Untold Story - PowerPoint PPT Presentation

Slides: 33
Provided by: Inter54
Transcript and Presenter's Notes



1
MACE: The Untold Story
  • RL "Bob" Morgan, University of Washington and
    Internet2, MACE Chair
  • Internet2 Member Meeting, Chicago, Illinois,
    December 2006

2
Topics
  • How we work
  • Who is involved
  • Where we've been to
  • Why we do it
  • What we're up to
  • When we'll be done

3
MACE Origins
  • April 1999, a motel in Ann Arbor ...
      • group considered work on middleware in
        Internet2
      • driven by concerns in advanced networking about
        the need for common application support (e.g.
        RFC 2768)
      • everyone said "I was told not to volunteer for
        anything"
      • core group of campus infrastructure architects
        hinted that maybe they could volunteer, a little,
        if everyone did
  • September 1999, a hotel in Denver ...
      • Early Harvest, NSF-supported, 20 campus
        architects
      • clarified scope of work (vast), interest (intense
        but wary)

4
MACE conceived
  • Middleware Architecture Committee for Education
  • mace: a spiked club used for breaking armor
  • mace: a staff borne as a symbol of authority
  • mace: a spice, a thin leathery tissue between
    the stone and the pulp of the same plant that
    produces nutmeg
  • Mace(tm): a liquid used for temporarily
    immobilizing
  • MACE members are called
      • MACEdonians
      • MACEochists
      • MACEtodons

5
... and it's a convenience store
6
MACE structurally
  • a committee
      • to direct and support the activities of the
        Internet2 Middleware Initiative (I2MI)
      • and other activities as it sees fit
  • a self-organizing body (i.e., a club)
  • work is supported by Internet2 in various ways
      • and by the institutions who donate participants'
        time
  • agenda formed by participant campus needs, in
    service of the broader community
      • higher-ed centric, but not higher-ed only
      • US-centric, but not US-only

7
MACE governance
  • membership
      • university IT infrastructure architects who
          • have the background, expertise, and time
          • show interest in the work by participating
          • have the architectural and collaborative
            perspectives
      • seek to cover a range of technical areas
      • small enough so everyone knows everyone
      • responsibility on members to keep reasonably
        active
  • some members are liaisons to important
    communities
      • e.g. non-US (EU, Australia), non-HE-IT (grids)

8
MACE process
  • attempt to be open and transparent in all
    activities
      • though not everything is documented ...
  • agenda set by
      • members, other Internet2 programs/initiatives,
        non-members, funding agencies
      • consensus process
  • real work happens via working groups
      • WG charter must describe work that is consistent
        with the initiative, has clear and achievable
        deliverables, has an identified chair and workers,
        a likely user community, and a MACE member liaison
  • rarely interested in research, generally in
    deployments

9
Internet2 Middleware Initiative
  • Important element of overall Internet2 program
      • environment for making MACE agenda successful
  • working group support
      • mailing lists, conference calls, flywheels, web
        presence, technical support, branding/PR,
        intellectual property framework and legal
        support, lifecycle
  • funding
      • support from NSF NMI program since 2001, via
        NMI-EDIT consortium
      • and from Internet2 member support
      • primarily for release time for campus
        architects/developers

10
I2MI technical strategy
  • Work products include
      • best practices docs, standards, schema, software,
        tutorial/guidance, services, architecture
        proposals, ...
  • Many opportunities, few truly new ideas
      • assess feasibility of systems/services by keeping
        in touch with successful small-scale deployments
        in the community
      • encourage development of practices/packages that
        can be adopted by the broad HE community
      • influence projects/products/standards to conform
      • work is done by extended community, not MACE per
        se

11
Some special staff support
  • ... without whom none of this would be possible
  • Ann West: outreach coordinator for NMI-EDIT,
    organizer of CAMP conferences (shared with
    EDUCAUSE)
  • Renee Frost: support of everything in making
    MACE effective
  • Nate Klingenstein: documentation wizard,
    training taskmaster
  • Steve Olshansky: the dictionary definition of
    flywheel
  • and oh yes, Ken ...

12
(No Transcript)
13
a resemblance has been noted ...
14
Outreach
  • EDUCAUSE
      • support CAMP conferences, broad HE outreach
      • co-sponsor eduPerson and HEPKI work
      • identity management work in net_at_edu
  • TERENA
      • home for middleware work in Europe
      • supports European liaisons to MACE; US MACE
        members participate in TERENA TFs
      • newly-formed ECAM group modeled on MACE,
        supporting European middleware collaboration

15
Industry standards
  • OASIS SAML TC, Liberty Alliance
      • helped drive original SAML work in 2001 from
        Shibboleth requirements
      • helped promote SAML adoption in Liberty, Liberty
        contributions to SAML 2.0
      • Scott Cantor is primary author of SAML 2.0 spec
      • worked with Microsoft on compatibility ...
  • other standards bodies
      • IETF, W3C

16
Testimonial: Eve Maler, Sun
  • Sun is proud to support Internet2 and
    recognizes the importance of its innovations,
    such as Shibboleth, to Sun customers and
    partners. The external integration project run
    by FEIDE, the Norwegian education agency, shows
    one example of how Sun and its partners are able
    to use Shibboleth technologies to great benefit.
  • I'd like to especially thank Internet2
    representatives Scott Cantor and RL "Bob" Morgan
    for their efforts to support the important
    identity management standards work taking place
    at the OASIS Security Services (SAML) Technical
    Committee and the Liberty Alliance. The effort
    to converge the Shibboleth, Liberty ID-FF, and
    SAML V1.x streams into SAML V2.0 could not have
    been done without them.
  • - Eve Maler, Technology Director, Sun Microsystems

17
Testimonial: Kim Cameron, Microsoft
  • Higher ed has always been among the essential
    innovators in distributed systems. This has been
    true both because of the research carried out in
    the university and the practice resulting from
    smart application of emerging technology.
  • Internet2 middleware, via projects like
    Shibboleth, has concretely helped move the
    industry forward, and set an example in
    confronting hard problems with real deployments.
    Since the early days of Shibboleth, I've worked
    to make sure that Microsoft's emerging identity
    systems meshed with it in a practical way,
    because I believed in and respected your goals.
    I want to support, work with you and learn from
    you as contributors to the metasystem that will
    enable an identity-aware cyber world.
  • I hope this helps explain how much Microsoft
    values its relationship with I2 middleware, and
    how much I personally have enjoyed and benefited
    from collaboration with the members of your
    community.
  • - Kim Cameron, Chief Identity Architect,
    Microsoft

18
Outreach: CAMP Workshops
  • 15 CAMP workshops 2002-2006
  • 31 other shorter workshops
  • 2770 total attendees from 610 organizations, 93
    non-US; HE, research, corporate
  • CAMP topics
      • Base: directories, authentication, PKI, medical
        apps, federation, distributed authorization
      • Advanced: 3-tier architectures, authorization
        architectures, virtual organization support,
        workflow models

19
CAMP attendees by state
20
Outreach: NMI releases
  • NMI program has semi-yearly releases
      • joint work with Grids Center
      • software, standards, other documents
  • very useful discipline in completing/publicizing
    project work
  • venue for contributions from extended middleware
    community, i.e. not just MACE/I2MI projects

21
Outreach: extended communities
  • International
      • UK (JISC), China, Japan, Scandinavia, Australia,
        ...
  • US Federal government
      • E-Authentication, NSF, NIH, DHS, etc etc
  • US state governments and K-12
      • Wisconsin, Washington, Virginia, California, etc
  • Publishing/content industry
      • Association of American Publishers, American
        Mathematics and Chemical Societies, OCLC
      • almost all major academic publishers (Elsevier,
        Thomson, JSTOR, EBSCO, Proquest, OVID, etc)

22
Reflections on why we do it
  • Key Concepts: Identity, Institution, Reputation
  • Identity: not just identifiers
      • spam says "Protect your identity! Project your
        identity!"
      • who cares about identifiers? only IdM geeks
  • identity is sameness over time, sameness for
    some individual or societal purpose
      • so identity is stories or relationships,
        potentially everything about you
      • repeatability and aggregation are essential
  • not only people have identities ...

23
Institutions
  • Institution (defined)
      • a significant practice, relationship, or
        organization in a society or culture; an
        established organization or corporation (as a
        bank or university), especially of a public
        character
  • Institutions exist to create and maintain trust
      • in activities in their area of business
      • via acting predictably, absorbing risk, doing
        reliable work
  • business of higher education institutions is
    creation and dissemination of knowledge, via
    practice of intellectual collaboration

24
Reputation
  • reputation (defined)
      • overall quality or character as seen or judged by
        people in general; a place in public esteem or
        regard; good name
  • institutions support reputation of their members
      • if I were just plain Bob speaking, would you
        believe me?
  • activities of members create reputation of
    institution
      • that is, institutional activities, those
        activities conducted in institutional role and
        setting
  • reputation is the reflection of identity in the
    community

25
Institutional reputation management
  • In an online world
      • reputation is under threat from online fraud,
        poor controls, uncontrolled access, data
        tampering, etc
      • reputation is maintained by starting with our
        existing institutional nature, and extending and
        protecting it with digital techniques: identity
        and access management, cryptography, system
        management, trust federations
  • effective, consistent identity management is
    fundamental to maintaining the social role of
    our institutions
  • ... and that's why we do it

26
Some directions: schema/directory
  • MACE has had success
      • defining/promoting schema and directory
        practices, extending LDAP practices into SAML
        space
  • now a brave new world
      • many schema definers: national/academic
        communities, technologies (e.g. CardSpace),
        applications
      • many attribute representation protocols,
        architectures, data flows
  • so focus on information models, processes for
    attribute definition and adoption, flows to
    support business relationships and privacy,
    mappings

27
Directions: authentication/identity
  • Internet identity movement
      • Microsoft CardSpace/metasystem, OpenID, XRI, etc
      • personal identities not tied to particular
        institutions, adaptable to many technologies
  • Useful spectrum of authentication practices
      • institutions/apps must support a range of
        methods, appropriate to risk/cost of services
      • standardized assessment of assurance levels
      • increased use of 2-factor/PKI as appropriate
  • federation becoming pervasive
      • advanced multi-party architectures more
        standardized

28
Directions: authorization
  • Signet/Grouper released, being adopted
      • critical project phase to assemble adopter
        community to take packages in useful directions,
        create sustainable project with many contributors
      • application integration is key, e.g. Sakai,
        Kuali
      • many vendor products in the space, need to keep
        models in alignment
      • applications to Grid/VO environments emerging,
        support of these scenarios is central in upcoming
        S/G work
      • support of diverse UIs, protocol access
  • XACML ready for prime time?

29
Directions: Workflow
  • Emerging enterprise infrastructure service
      • administrative uses for approval/work routing
      • academic/research uses for composition of
        processing from multiple services
  • strong interaction with authorization management
      • depends on good enterprise role definition
  • some outstanding deployment examples, new vendor
    and open-source products
  • planning assessment activity to understand nature
    of potential work in this area

30
Directions: SOA/ESB
  • Service-Oriented Architecture
      • industry hype victim, but kernels of truth
      • infrastructure architecture perspective has
        always been about modular services, directories
      • whether SOAP is the one protocol to end all
        others is questionable, but it is here to stay
        for many purposes
  • Enterprise Service Bus
      • a new name for message/event queue, pub/sub
      • key technology for integrating middleware
        services with many apps
      • discovery work still to be done ...

31
Reputation?
32
The End