JISC OpenID Report

This morning I got the final copy of this report so I popped it straight up onto the JISC site, which means you can see it around lunchtime if you click here.

We feel this is an important report for the sector as it reviews a technology that we constantly get asked questions about and up to now we haven’t had authoritative answers for.  OpenID is, without a doubt, an important technology but up until now there hasn’t been a comprehensive review of how it could be used in the higher and further education sectors.  This has led to a lot of speculation and rhetoric with very strong advocates for the technology but, equally, very strong critics.  We’re hoping this report will inform the debate, particularly given the project has also developed a gateway between OpenID and the UK federation so those with OpenID credentials can access Shibbolised resources (subject to the resource provider being happy with providing access).

Overall, the conclusions were:
i) there is considerable interest in OpenID in the commercial market place, with players such as Google and Microsoft taking an active interest. However,
ii) all commercial players want to be OpenID providers, since this gives them some control over the users, but fewer want to be service providers since this increases their risks without any balancing rewards;
iii) until we can get some level of assurance about the registration of users and their attributes with the OpenID providers, it won’t be possible to use OpenID for granting access to resources of any real value. In other words, without a trust infrastructure OpenID will remain only of limited use for public access type resources such as blogs, personal repositories, and wikis;
iv) imposing such a trust infrastructure with barriers to the acquisition and use of OpenIDs may be seen to negate its open-access, user-centric advantages;
v) OpenID has a number of security vulnerabilities that currently have not been addressed, but at least one of these is also present in the current UK federation.

The implications from this are:
i) Whilst OpenID does have its security vulnerabilities and weaknesses, some of these are also shared by Shibboleth as it is currently designed. Other technologies may subsequently solve these and therefore this could have implications for the UK federation.
ii) The UK federation as currently deployed has a significant shortcoming which is the readiness of IdPs to disclose the real-world identity of users to SPs (as distinct from providing opaque persistent identifiers to support simple customisation). This is not a technical shortcoming but an operational one. Whilst it is relatively easy to solve, until it is, it limits the applicability of Shibboleth to personalised and other services which need to know who the users are. OpenID does not suffer from this limitation and therefore there might be use for it in some scenarios where trust issues can be resolved.

And, finally, the recommendations are:
i) The UK academic community should keep track of both OpenID and CardSpace identity management systems as they evolve. There is clearly a great demand for a ubiquitous secure identity management system, but no consensus yet as to what this should be.
ii) Now that a publicly available OpenID gateway has been built, publicise its availability to the community and monitor its applications and usage. If usage becomes substantial, consider productising the service.
iii) Consider offering a more secure and more trustworthy gateway registration service for SPs that do not use, or use more than, the eduPersonPrincipalName attribute. This will allow them to use OpenIDs for authentication and a wider selection of eduPerson attributes for authorisation. (The current self-registration service is clearly open to abuse).

I’d welcome any comments on the report and/or gateway.  I think what we need to do is to keep the debate going and share experience to ensure that researchers and learners can get the most of OpenID.

Grant 10/08: Project to Develop an Identity Toolkit

This all sounds a little complex from the title above but I’m really looking forward to some good responses on this grant (started off as a call but has now moved into our new money issuing process so has a different name).  More details can be found here.

For those with quite long memories the background to this was to take up a recommendation from the Identity Project and provide funding for the development of an identity toolkit that would help universities and colleges with putting in an identity infrastructure. It’s work that has been done at some institutions already, so people like Cardiff, for example, have done a good deal of work in this area.  However, what this grant aims to do is to bring together that good experience and provide it all in one place so that everyone can use it either a little or a lot, dependent on where they are in the cycle of managing identity.

We’re hoping this is going to be a very useful piece of work as more and more institutions are joining the federation and having to address the subject of identity management as part of moving to using the federation to control access to resources.  Whilst it is not going to be a panacea it should form an important part of the future work on identity and access management that is going to go ahead over the next few years.

Ubiquity

There’s quite a lot of buzz around Ubiquity at the moment, which is probably most simply described as an attempt by Mozilla to take the mashup out of the domain of the web developer and into the hands of the user.  The product allows a user to create their own mashups without having to be fluent in web scripting and coding; all they need to do is install the appropriate client on their browser (currently Firefox only) and then type in what they want to do.

The applications demonstrated in the demo are fairly simple at this stage but it’s easy to see how they could have quite a lot of use in education to help take the drudge out of some common tasks and to open up what we’re doing about combining services.  So, as an ex-social scientist I seemed to spend quite a lot of time combining stats together and then displaying them on a map; it would be great if I had a ‘widget’ that would do that for me and take some of the spadework out.  That then frees me up to do a bit more of the interesting research that I really want to do.

Add a little more and it’s a tool that could become extremely useful.  It’s all built on an open source licence so there is potential for Greasemonkey-type extensions that allow further extensions.  We are slowly and painfully seeing the freeing up of data under Open Access and a revival in the citizen scientist as a result (see here).  Then we have tools and standards such as OAuth and OpenSocial that are allowing us to selectively release data about us and permissions to help these services do something for us.

Ultimately, I think it’s worth watching what Ubiquity is doing over at Mozilla Labs because it could start opening up some mainstream avenues for really useful mashup tools that save the researcher and educationalist a lot of time and let them get on with what they’d like to do.

Verisign PIP

Saw this on TechCrunch today and was intrigued.  OK, you are effectively maintaining an identity vault but it further proves yesterday’s post that the bigger vendors are starting to get into identity metasystems, often in a variety of ways.  Given they want to see these succeed commercially then maybe this will be the year when identity starts to get a little easier rather than more complex.

The down sides for Verisign’s PIP (Personal Identity Portal) are that it still seems quite US focused, you have to have an active browser session with PIP for it to work and there is a limit to which sites it will manage details for.

The up sides are that it works for most of the main commercial sites (such as Amazon, Facebook, LinkedIn), you can have two factor authentication if you so wish and it’s Verisign so they’ve got a good background in dealing with security and trust.

In sum, another useful tool in the armoury of identity for the educationalist and researcher, even if it’s not going to be somewhere to store your federation credentials or that digital certificate to get at Grid resources.

Call for Participation: OASIS Identity Metasystem Interoperability (IMI) TC

One of the latest calls for participation that came my way was this one for Identity Metasystem Interoperability.  I’ll fess up now and say this has been sitting in my inbox for a while waiting for me to have a look through it hence this entry not being quite as current as it could be.

Firstly, what is an identity metasystem?  A good definition can be found (as always) at Wikipedia.  In brief, an identity metasystem provides for a user to be able to manage their identity credentials all in one place.  So, if I’m a researcher and I have a digital certificate, a federation login and access to a wiki or blog through a user name and password, I can manage them off one interface instead of having to remember each set of details.

So what does this mean?  Well, we at JISC put out an ITT for some work looking at exactly the same area and its applicability to higher and further education last year.  We felt at the time that there was a great deal that could be got out of finding appropriate identity metasystems to manage identity for those in education and research as we’re all conscious of the ever-increasing number of identity credentials we get given.  We didn’t get any responses we could fund so it was put on hold until there was more capacity in the sector to respond.

OASIS’s move to form the group is worth a look because it’s showing a wider interest in getting this working after quite a lot of effort from Microsoft to promote CardSpace and infocards.  There is also the work of the Higgins project and Bandit’s DigitalMe and previous efforts such as at a Burton identity event to show interoperability between all these systems.  Is now the time when identity metasystems will start being used rather than just being shipped with one of the most-used operating systems?  I think time will tell and that users are taking quite a while to get used to this new thing called identity.  In the meantime, I hope that the TC on identity metasystems is a diverse one that reflects the needs not only of Microsoft but also of a wide range of users, including those in education and research.

It’s all about the Process and Training

If you haven’t read the recent reports on the root causes of government data loss and you deal with personal data at your institution then you really should.  They highlight that whilst the technology was adequate for the job, the training, culture and process were all far from adequate.  If you only read one report, though, then this should be it.  The data handling review gives some good pointers on how process, training and cultural adaptation are vital to ensure that personal data is handled sensitively and appropriately.  It’s a message we relayed through the Identity Project, and as we store more and more personal data about staff and students we need to have measures in place to ensure that everyone who deals with it knows how they should be handling the data, so that the end user gets the experience they deserve and can be secure in the knowledge that their identity is safe.

RSC Eastern Technical Managers Forum Meeting

I was fortunate enough to be invited to the above by Thomas Rochford and it was great to see how much interest there is amongst FE colleges on the subject of identity management.  We had a lively debate on the findings of the Identity Project and specific identity challenges within FE.  There were certainly intakes of breath over some of the findings and particularly those that related to how much money and how many staff there were estimated to be to deal with identity in HE institutions.  All in all, I think we have a good deal more work to do in FE on identity but it’s also potentially an area where we could quickly learn lessons that have more general applicability to other areas.  As I said at the event I would welcome comments on this blog about topics that would be of interest to explore and my colleague Nicole Harris’s blog entry on the future of access and identity management is also now open ahead of the event on 30th June that will look at future development areas.

Key topics from the conversations were:

- Outsourced identity management and how that could work with existing institutional processes and systems;

- OpenID - what could it be used for?

- Guidance on best practice;

- How you determine and prove that a member of an institution is that member;

- The balance of risk and reward in identity management - how do I determine whether the risk I take on releasing additional functionality is worth the reward that my users get?

Slides from the event are due to be published soon so I’ll link through to those or pop them up on Slideshare.