European Workshop on Trust & Identity

In cooperation with GÉANT

Attributes

  • Session 3 - Attribute authorities discovery (protocol)

    Session 3: Attribute authorities discovery (protocol) (10:45, Room K3)

    Convener: Davide Vaghetti

    Abstract: 3 Use Cases for Attribute Authority. Possible solutions for Discovery.

    Tags: Attributes, Discovery

    Attribute Authority (AA) Discovery

    In every use case an attribute authority is needed, but only one of them (the third) needs discovery:

    1. The authentication authority is also the attribute authority: AA discovery is sufficient.

    2. A VO AA holds membership information that the campus IdP (AA) does not, but the SP knows which VO AA to contact.

    3. An external AA is used, such as an eGov ID, Switch eduID or a social ID; only the user can tell which AA to use. This use case needs AA discovery.

    Possible solution for AA Discovery

    1) Attribute Authority WAYF (after authentication)

    Pros

    • It applies to every SP in need of AA discovery
    • It is not bound to a specific attribute or set of attributes

    Cons

    • It complicates the resource access process
    • It puts another burden on the user, who has already passed a WAYF to choose the IdP.

    2) Attribute Authority Central Discovery and Collecting or “(A)AC/DC”

    Pros

    • It is transparent for the user as long as there are no collisions in attribute collecting (i.e. multiple values for single-valued attributes)
    • It is consistent with EduKEEP, the user-centric identity management model

    Cons

    • Difficult to implement for each and every attribute, but not that difficult for just some attributes (e.g. schacHomeOrganization)

    Also take a look at: EduKEEP: towards a user-centric identity federation
    http://meetings.internet2.edu/2015-technology-exchange/detail/10003996/
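    The two solutions above can be combined: collect attributes centrally and stay transparent, and fall back to asking the user (an AA WAYF) only when a single-valued attribute such as schacHomeOrganization comes back with different values from different authorities. The following Python is an added illustration written for these notes, not code from the workshop or any federation software; the authority entityIDs, attribute values and the list of single-valued attributes are constructed for the example.

```python
"""Central attribute collection across several attribute authorities (AAs),
with collision detection on single-valued attributes and a user-choice fallback.
Added example; all sources and values below are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Attribute names that must carry exactly one value per subject. Constructed
# list for the example; schacHomeOrganization is the case the notes mention.
SINGLE_VALUED = {"schacHomeOrganization", "eduPersonPrincipalName"}


@dataclass
class AttributeSet:
    """Attributes returned by one authority (the campus IdP or an external AA)."""
    source: str                       # entityID-style label, constructed
    attributes: dict[str, list[str]]


@dataclass
class CollectionResult:
    merged: dict[str, list[str]] = field(default_factory=dict)
    # attribute name -> {source -> values}; only filled for single-valued
    # attributes on which the authorities disagree
    collisions: dict[str, dict[str, list[str]]] = field(default_factory=dict)

    def needs_user_choice(self) -> bool:
        """True when the collector cannot stay transparent and must ask the user."""
        return bool(self.collisions)


def collect(sets: list[AttributeSet]) -> CollectionResult:
    """Union every attribute across authorities, but flag single-valued
    attributes for which more than one distinct value was seen."""
    seen: dict[str, dict[str, list[str]]] = {}
    for s in sets:
        for name, values in s.attributes.items():
            seen.setdefault(name, {})[s.source] = list(values)

    result = CollectionResult()
    for name, by_source in seen.items():
        distinct = {v for values in by_source.values() for v in values}
        if name in SINGLE_VALUED and len(distinct) > 1:
            result.collisions[name] = by_source   # do not guess; ask the user
            continue
        union: list[str] = []
        for values in by_source.values():
            for v in values:
                if v not in union:
                    union.append(v)
        result.merged[name] = union
    return result


def resolve(result: CollectionResult, chosen_source: dict[str, str]) -> dict[str, list[str]]:
    """AA WAYF fallback: the user names the authoritative source for each
    colliding attribute; anything left unresolved is withheld, not guessed."""
    final = dict(result.merged)
    for name, by_source in result.collisions.items():
        source = chosen_source.get(name)
        if source in by_source:
            final[name] = list(by_source[source])
    return final


# Constructed sample responses (not real federation data).
CAMPUS_IDP = AttributeSet("https://idp.campus.example/idp", {
    "eduPersonPrincipalName": ["alice@campus.example"],
    "schacHomeOrganization": ["campus.example"],
    "eduPersonEntitlement": ["urn:mace:campus.example:library"],
})
VO_AA = AttributeSet("https://aa.vo.example/aa", {
    "eduPersonEntitlement": ["urn:mace:vo.example:member"],
})
EGOV_AA = AttributeSet("https://aa.egov.example/aa", {
    "schacHomeOrganization": ["egov.example"],
})


def demo() -> dict[str, list[str]]:
    """Collect from all three authorities; the eGov AA disagrees with the campus
    IdP on schacHomeOrganization, so the user is asked and picks the campus IdP."""
    result = collect([CAMPUS_IDP, VO_AA, EGOV_AA])
    if result.needs_user_choice():
        return resolve(result, {"schacHomeOrganization": CAMPUS_IDP.source})
    return result.merged


if __name__ == "__main__":
    for attr, vals in demo().items():
        print(f"{attr}: {', '.join(vals)}")
```

With only the campus IdP and the VO AA the collection stays transparent (the entitlements are simply merged); adding the eGov AA produces a collision on schacHomeOrganization, which is withheld from the merged set until the user chooses a source.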

    Off-topic discussion: presentation of the Dutch UETP (Uniform Economic Transaction Protocol)

    Discussion about Identity Layers in Bank domain:

    • Who entities (who legally represents)
    • What entities
    • How entities (rule sets)
    • Transaction entities combining who, what and how with timestamp and location (how, when and where can be combined)

    The idea is that the entity becomes data-centred and open source; cooperation is important. Routing in real time to the relevant authority. An ID is a set of attributes such as a MAC address or an IPv6 address, connected by a handle based on RFC 4122.

    Conclusion

    Attribute Authority Discovery will be necessary for R&E when eGovID-like technologies are delivered.

    An Attribute Authority Central Discovery and Collecting mechanism or (A)AC/DC seems to be the simplest solution.