Middleware Web-Auth Project


The project goal is cross-institutional authentication and authorization services on the web. It will focus on a relatively “simple” need: sharing a web page (or CGI service) with individuals or groups from various institutions using the credentials and directories of their respective institutions. This project will prototype or complete an implementation that satisfies this “simple” need. For example, if gettes@georgetown.edu wishes to authenticate to a web page at the University of Washington, then when challenged for credentials he would present his e-mail address, his Kerberos principal or his X.509 certificate, together with the related material (password, tickets, etc.). The web server would then use known authentication techniques (userid/plain-text password, Kerberos, LDAP and PKI), as appropriate for his institution, to authenticate him against his home institution and grant or deny access to the page.

Authorization issues must be explored and developed for use in this project. These might employ GAAAPI or other mechanisms to control access to a web resource. Authorization will use LDAP directories, “discovering” the home institution's directory according to the relevant RFCs, accessing and searching it, and returning attributes as necessary for evaluation by the web server itself or for handling by CGI. Careful consideration must be given to PKI and to the trust models for all methods of authentication and authorization: the web server must consult only institutions and directories it has chosen to trust, since the domain in a user-supplied identifier does not by itself establish which institution may vouch for that user. Policy issues shall not hinder the required progress of this project. While PKI is ultimately a critical component of this project, it should be implemented as the last phase due to the current complexities of PKI deployments.
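The following is an added example, not code from the project described above, illustrating the authorization flow the paragraph sketches: take an identifier such as gettes@georgetown.edu that the web server has already authenticated against the home institution, check the home domain against a configured trust list, discover that institution's directory from DNS SRV records, derive the search base from the domain (RFC 2247), search for the user's attributes with an escaped LDAP filter (RFC 4515), and evaluate an access rule over the returned attributes. DNS and the directories are constructed in-memory stand-ins so that it runs offline; the attribute names (uid, affiliation), the SRV-based discovery, the trust list and the policy are assumptions for illustration.

```python
"""Simulated cross-institutional authorization step (added example).

Assumptions: identifiers are user@domain; the local part is the uid in the
home directory; directories are found via _ldap._tcp SRV records; access is
granted on a constructed 'affiliation' attribute.  DNS and directory data
below are constructed stand-ins, not real records.
"""
import re

# Constructed stand-in for DNS _ldap._tcp SRV records: (priority, weight, port, target).
SRV_RECORDS = {
    "georgetown.edu": [(10, 50, 389, "ldap1.georgetown.edu"),
                       (20, 0, 389, "ldap2.georgetown.edu")],
    "washington.edu": [(10, 100, 636, "ldap.washington.edu")],
    "evil.example":   [(10, 100, 389, "ldap.evil.example")],
}

# Constructed stand-in for the institutions' directories: DN -> attributes.
DIRECTORY = {
    "uid=gettes,ou=people,dc=georgetown,dc=edu": {
        "uid": ["gettes"], "mail": ["gettes@georgetown.edu"],
        "affiliation": ["staff"], "ou": ["UIS"],
    },
    # An attacker's own directory will happily vouch for anyone; the trust
    # list below is what keeps it from ever being consulted.
    "uid=mallory,ou=people,dc=evil,dc=example": {
        "uid": ["mallory"], "affiliation": ["staff"],
    },
}

# Trust model: only institutions we have agreed to trust are consulted.
TRUSTED_INSTITUTIONS = {"georgetown.edu", "washington.edu"}


def parse_identifier(identifier):
    """Split user@domain; reject anything that is not one local part and one DNS domain."""
    m = re.fullmatch(r"([A-Za-z0-9._-]+)@([A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+)", identifier)
    if not m:
        raise ValueError("malformed identifier: %r" % identifier)
    return m.group(1), m.group(2).lower()


def domain_to_base_dn(domain):
    """RFC 2247 mapping of a DNS domain to a distinguished name."""
    return ",".join("dc=" + label for label in domain.split("."))


def discover_directory(domain, srv=SRV_RECORDS):
    """Choose the SRV target: lowest priority first, then highest weight."""
    records = srv.get(domain)
    if not records:
        raise LookupError("no _ldap._tcp SRV record for %s" % domain)
    priority, weight, port, target = sorted(records, key=lambda r: (r[0], -r[1]))[0]
    return target, port


def escape_filter_value(value):
    """RFC 4515 escaping so user input cannot change the structure of the filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_filter(attr, value):
    """Build the search filter that would be sent to the home directory."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


def search(base_dn, attr, value, directory=DIRECTORY):
    """Subtree search stand-in: exact match on attr under base_dn."""
    return [(dn, attrs) for dn, attrs in directory.items()
            if dn.endswith("," + base_dn) and value in attrs.get(attr, [])]


def authorize(identifier, required_affiliation="staff", trusted=TRUSTED_INSTITUTIONS):
    """Return (allowed, reason, audit) for an already-authenticated identifier."""
    uid, domain = parse_identifier(identifier)
    if domain not in trusted:
        return False, "institution %s not in trust list" % domain, None
    host, port = discover_directory(domain)
    base_dn = domain_to_base_dn(domain)
    audit = {"server": "%s:%d" % (host, port), "base": base_dn,
             "filter": ldap_filter("uid", uid)}
    hits = search(base_dn, "uid", uid)
    if len(hits) != 1:
        return False, "expected exactly one entry, found %d" % len(hits), audit
    dn, attrs = hits[0]
    audit["dn"] = dn
    if required_affiliation in attrs.get("affiliation", []):
        return True, "affiliation %s present" % required_affiliation, audit
    return False, "affiliation %s absent" % required_affiliation, audit


if __name__ == "__main__":
    for who in ("gettes@georgetown.edu", "mallory@evil.example"):
        print(who, authorize(who))
```

Two details matter for the trust model: the decision to consult a directory is made from the configured trust list, never from the domain the user typed, and the search filter is escaped so that an identifier such as `gettes*)(uid=` cannot widen the query. A real deployment would replace `search` with a bind and search against the discovered server over TLS, and the same escaping applies there.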


The products of the project should include, but are not limited to:

  1. A module for the Apache web server that
  2. Documentation regarding operations, best practices, lessons learned, requirements, deployment considerations, trust models, policy space issues, critical components, missing technologies and all relevant communications and knowledge gained during the life of the project.
  3. Open source, freely available software components and tools for all institutions of higher education and for organizations in support of higher education, including K-12.  Placing these products in the public domain is preferred.
  4. Modular and portable software API and libraries that could be integrated by other applications so as to enable “middleware awareness” as common practice.


This project is the product of collective discussion of ideas by the following people at Early Harvest, September 1999, Denver, CO.

Copyright 1999, Michael R Gettes, Georgetown University, Bob Morgan, University of Washington, Keith Hazelton, University of Wisconsin, Paul Hill, MIT, Ken Klingenstein, University of Colorado, Mark Poepping, CMU, Frank Grewe, University of Minnesota





Recommendations

Expertise and Time Frame


Corporate support from IBM and other companies should use their respective product-oriented teams for the deployment and development of middleware-related products, with clear lines of support from the research and architecture experts within each company.  Oversight will be handled by middleware developers and architects of the Internet2 and “usual suspects” communities, coordinated by Ken Klingenstein of the Internet2 Middleware Initiative.


Given the influence this project is likely to have on the PKI space, it should allow for easy deployment of PKI-enabled middleware applications. Rapid implementation of the products above should drive other related issues and initiatives.  Since the Common Solutions Group meeting is scheduled for the first week of February 2000, and the “usual suspects” are part of CSG, the products of this project should be prototyped, demonstrated and documented by the end of January 2000.  Presentation of this project to CSG, as a staging area for presentation to the next Internet2 meeting, is considered extremely important if not critical.  Completion of this project, short of the PKI aspects, is expected by the next Internet2 meeting in the spring of 2000.  Reasonable if not significant progress in the PKI space, along with trust models, should be reportable at the same Internet2 meeting.  Perhaps then we can better explore the policy issues that this project will not initially address.


Participation in the middleware arena will achieve high visibility and a strong technology return, since this area will enable the applications of the “next generation Internet” for use between corporations as well as by consumers.  We believe this area of development may actually be the enabler that brings Internet technologies to the masses, and it is likely to be a very active area of research and development in the next 2 to 3 years.


Project description written by Michael R Gettes, Georgetown University, with assistance from Keith Hazelton, University of Wisconsin, Ken Klingenstein, Internet2/University of Colorado, and other “usual suspects”.