Thursday 14 April 2011

Shooting for the Moon

The JANET networkshop is now in its third day, abuzz with all things networking and with lots of networkers from industry and academia networking with each other. But also for identity managers was there something of interest.

Project Moonshot is an activity with ambitions to, er, shoot for the moon - to develop an infrastructure for what I call A(A(A))I (usually people "solve" authentication first, then look at authorisation, and then maybe accounting.) The great thing about Moonshot is that it is built entirely on standards.

Moonshot's Sam Hartman gave a very impressive presentation on the next five years in security, covering both grids and clouds. The amount of technical data Sam is able to hold seemingly effortlessly in his head reminds me of the people who play simultaneous chess. Josh Howlett from JANET gave a very interesting presentation on the technical progress and current state of Moonshot: in particular, note how many services work almost unmodified because they use generic security services (JANET will make the presentations available online.)

[Managers' version] Moonshot is a way for users to authenticate to resources. As with IGTF and eduRoam, trust is built from federations - if your user is in the same institute, it is easy enough to trust them; if they are in another country, you need to work your way up the hierarchy. But this is all transparent because trust relationships are established beforehand. So why something new? Shibboleth is tied closely to web resources, IGTF certificates are usually separated from home institution ids, eduRoam is currently mainly for networks. If we can make everything interoperate, you can use your home id to authenticate to everything: the grid, the network, clouds, your toaster, etc. Federated identity brings users single sign-on and single accounts for multiple services.

[Techie version] Moonshot links a RADIUS (2865) service (like eduRoam) into applications using a GSSAPI (2743) module for EAP (3748). So it's all very modular and based on existing standards, but of course much of the module and glue stuff is new. Proposed extensions to GSSAPI will bring support for delegation (5588, 5896). GSSAPI already supports (4121) Kerberos, and this has been tied into MyProxy by Daniel Kouril from CESNET. Sam has built a virtual image which can now be used to demonstrate this. Based on Debian, it should work with several different image hosting environments, such as Xen or VMware. For the NGS, we should now deploy a(nother) MyProxy server, I am thinking of using the training CA, to enable Moonshot access to the NGS.

[User's version] You will be able to access more stuff by just using your home institution password!

No comments: