AAI Workshop 2000: Agenda
Monday 20. November 2000
14:10 Arrival of participants / Hotel room check-in
14:30 Welcome
Thomas H. Brunner, SWITCH
Christoph Graf, SWITCH
14:40 Technology
- Authentication and Authorization Infrastructures: Kerberos vs. PKI
PD Dr. Rolf Oppliger, eSECURITY Technologies, Muri b. Bern
An authentication and authorization infrastructure (AAI) provides
infrastructural support for both authentication (i.e., the process
of verifying an identity claimed for a system entity) and
authorization (i.e., the process of granting a right or permission
to a system entity to access a system resource). As will be
discussed during the workshop, there are many applications for AAIs
and AAIs are getting increasingly important in todays networked and
distributed environments. With regard to the design, implementation,
and large-scale deployment of AAIs there are two "development roots"
one may consider to start with: the Kerberos authentication system
and public key infrastructures (PKIs). In this talk, we introduce
the technologies and discuss the advantages and disadvanatges of
Kerberos, Kerberos-based AAIs, PKIs, and PKI-based AAIs. The talk
concludes with the insight that it is possible and very likely that
both Kerberos-based AAIs and PKI-based AAIs are going to converge to
something conceptually similar to attribute certificates in the area
of authorization.
16:15 Break
16:45 Internet 2
- Generic AAA, an architecture for multi kingdom policy decisions
Cees de Laat, Utrecht University, NL (co-chair of IRTF-RG AAAARCH)
A number of Internet Services require Authentication,
Authorization, Accounting and Audit Support. The IETF AAA Working
Group is chartered with defining short term requirements for a
protocol that will support such services for NASREQ and MobileIP.
The work of the IETF AAA group has shown that there are a number
of areas where a AAA architecture would be helpful. The AAAARCH RG
will work to define a next generation AAA architecture that
incorporates a set of interconnected "generic" AAA servers and an
application interface that allows Application Specific Modules
access to AAA functions.
17:45 Smart Card Technology
- Smart Card aspects of an AAI
Stéphane Joly, NagraCard SA, Cheseaux
Presentation focusing on the smart card aspects of an AAI and the
consequences for the project implementation.
18:05 Requirements (1)
- Requirements of a public and university Library for AAI
Wolfgang Lierz, Head IT services, ETH-Bibliothek Zürich
The Consortium of Swiss Academic Libraries co-ordinates the
access for all users of participating libraries to third party
databases over the Internet, which requires access control.
Traditionally, library users have different level of access,
from anonymous walk-in users to group and individual access from
known locations as well as with roaming. A further complication
arises through multiple roles individuals play in parallel or
over time.
Obviously, IP based access control is no longer a viable solution.
- Privacy enhanced X.509 certficates
Andreas Schneider, Institut für Informatik, Universität Zürich
18:40 End of sessions
19:00 Dinner
Tuesday 21. November 2000
08:30 Requirements (2)
- Authentication and Authorization in the Swiss Virtual Campus
Dr. Jacques Monnard, Centre NTE, Université de Fribourg
In the future, the Swiss Virtual Campus (SVC) will allow students
to take courses from Swiss Universities over the Internet.
Through the SVC, instructors and students will need to have
controlled access to a wide variety of services (enrollment data,
courses, libraries, etc.). In this context, authentication and
authorization will play a very important role.
08:45 Projects & Activities
- A Secured Extranet supporting medical data exchange between organisations
Dr. Sc. Stéphane Spahni, DIM, Hôpitaux Universitaires de Genève
There is a growing need for sharing medical data between healthcare
partners (e.g. hospitals, GPs, home care).
But while paper-based transmission of documents is well accepted,
it is by far not the case for electronic-based transmission. In the
framework of the SYNEX European Project, a secured Extranet has been
built between the University hospitals of Geneva and the Geneva's
Association of GPs, supporting secure and reliable transfert of data.
- Management of users at the University of Lausanne
Alexandre Roy, Centre informatique, Université de Lausanne
The management of users has evolved from "managing a /etc/passwd
file" to the GESU application (home made) which is tightly bound
to the human ressource database. The email system, the Unix users
and a LDAP directory are controlled by GESU; the integration of a
Win2k Active Directory will be soon in operation. The LDAP
directory is a central element for the future of authentication
and authorisation at UNIL.
- CLASP (Common Login and Access rights across Services Plan)
Denise Heagerty, CERN
The CLASP (Common Login and Access rights across Services Plan)
project is investigating mechanisms for Single Sign On and common
access rights across CERN services. This talk will present the
results of a feasibility study, which recommends Kerberos v5
authentication with some integrated support for X.509 certificates.
Centrally defined "e-groups" are proposed to achieve common access
control for files, web pages and e-mail lists.
- GASPAR a secured portal to acces EPFL e-services
Ion Cionca, EPFL
- before GASPAR: each service had its own identification method
and users lists; impossible to merge data
GASPAR offers identification and authentication for secure web
acces to e-services
- based on new identification tools (SCIPER; CAMIPRO, SAC etc.)
- to access a secured e-service one must first register on GASPAR
- GASPAR uses HTTP protocol as API for e-services authentication
- acces to e-services is granted to GASPAR clients, with a valid
EPFL e-mail address and with the appropriate ACL to the service
- SSL certificate used is implemented but not yet officially
distributed
- Student Card Solutions
Gilles Beljakovic, NagraCard SA, Cheseaux
Presentation of student card solutions with a focus on:
- benefits for universities and the students
- different departments involved
- Ready for PKI tests with the SWITCH Swisskey Corporate ID
Thomas Lenggenhager, SWITCH
SWITCH has no the Swisskey Certificate Management System (SCMS)
installed on a PC at SWITCH Head Office. For testing purposes
at Swiss Universities, we can now provide certificates.
SWITCH will start with own tests and is interested to hear
about potential tests within universities.
[Due to missing time, this paper was not presented, but slides
were incorporated in the printed material]
10:00 Break
10:30 Panel Discussion
Experts from outside the universities will discuss their view &
vision and will answer your questions.
Bruno Gschwend, Swisskey
Cees de Laat, Utrecht University
Christophe Ollagnon, NagraCard ( Slides)
Rolf Oppliger, eSECURITY Technologies
12:30 End of workshop
13:00 Lunch
14:45