© 2008 by Matt Flaherty & Mary Ruddy; made available under the EPL v1.0

Security & Identity : From present to future

Matt Flaherty, IBM

Mary Ruddy, Meristic

Agenda

• Securing the platform... security features in 3.4
• Platform security... what's coming next
• Beyond the platform... Higgins identity framework 1.0
• Higgins identity framework... what's coming next

Platform security... what's available and where

• The platform security goal: Protect the operating system, application code and user’s data from each other and from malicious code packaged as bundles
• Security features to attain this span the software stack
  - Java Runtime Environment
  - OSGi Service Platform
  - Eclipse Platform

Platform security... what's available in the JRE

Java Runtime Environment

• JCA: Java Cryptography Architecture
• JCE: Java Cryptography Extensions
• JAAS: Java Authentication and Authorization Service
• JSSE: Java Secure Sockets Extensions

Platform security... what's available in OSGi

• Support for Java features: signing, permissions, etc.
• Strict classloading policies between bundles
  - Bundle “private classes”
• Administrative services for permissions
  - org.osgi.service.permissionadmin.PermissionAdmin
  - org.osgi.service.condpermadmin.ConditionalPermissionAdmin
• User registry for managing users and roles
  - org.osgi.service.useradmin.UserAdmin

Platform security... what's available in Eclipse

• Signature checking during bundle provisioning
• NEW! Signature checking during bundle loading
• NEW! Certificate management UI
• NEW! Secure storage via preferences API
• NEW! JAAS enhancements - declarative wiring, events

Platform security... what's coming next!

• Manageable Java2 permission infrastructure
  - Code sanitation for doPrivileged
  - User interface, policy management
• Expose certificate management facilities
  - Public APIs for label providers, viewers, wizards, etc.
  - Trust model integration with OSGi, P2, ECF
• Deeper JAAS integration
  - Potential: RCP Lifecycle integration, Jobs integration
• Identity management support with Higgins

How do you bring security and identity to people?

The web of today isn’t people-centered

It’s silo-centered

Site A   Site B   Site C

Type type type, click, click, click. Clickety-clack, clickety-clack.

There is a better way

Automatic identity sharing

Identity Selector

The BIG IDEA for People

Site A   Site B   Site C

Then you’d have Higgins

Higgins

1: a species of Tasmanian long-tailed mouse

2: an open source identity selector and interoperability framework being developed by IBM, Novell, Oracle, CA, Google, Parity…

A consistent user experience across contexts (including financial services, healthcare, eCommerce) is the key to convenience and adoption

i-cards

Managed

Personal (self-issued)

These i-cards are managed by an Identity Selector

Something that works on behalf of the user (citizen, patient, consumer). Really.

Click on a card

…you’re signed in.

(No password required)

The Identity Selector is powered by an interoperability framework

Interoperability framework

[Diagram: Higgins Framework]

• Protocol Providers implement protocols for interacting with Relying Parties
• I-Card Providers implement identity protocols and card types
• Token Providers implement different kinds of security tokens
• IdAS Context Providers connect to different identity data sources

Diagram labels: Apps and Services, Higgins Browser Extension, Apps, Identity Providers, Relying Parties, Enterprise Apps, Comms Clients, CardSpace, OpenID, RSS/Atom, CardSpace Managed (WS-Trust), CardSpace Personal, Higgins Relationship, SAML, X509, Kerberos, UN/PS, Idemix, JNDI / LDAP, RDF OWL, Active Directory, Plug-ins, Common data model

Higgins 1.0 has just been released

7 Solutions now available
• Three Identity Selectors
• 2 Identity Providers (WS-Trust and SAML2)
• A Relying Party
• Identity Attribute Service (interoperability framework)

Coming in Higgins 1.1
• Additional Identity Selectors
• More Identity Protocols…
• More i-card types

Legal information

IBM and the IBM logo are trademarks or registered trademarks of IBM Corporation, in the United States, other countries or both.

Java and all Java-based marks, among others, are trademarks or registered trademarks of Sun Microsystems in the United States, other countries or both.

Eclipse and the Eclipse logo are trademarks of Eclipse Foundation, Inc.

Other company, product and service names may be trademarks or service marks of others.

THE INFORMATION DISCUSSED IN THIS PRESENTATION IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY. WHILE EFFORTS WERE MADE TO VERIFY THE COMPLETENESS AND ACCURACY OF THE INFORMATION, IT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, AND IBM SHALL NOT BE RESPONSIBLE FOR ANY DAMAGES ARISING OUT OF THE USE OF, OR OTHERWISE RELATED TO, SUCH INFORMATION. ANY INFORMATION CONCERNING IBM'S PRODUCT PLANS OR STRATEGY IS SUBJECT TO CHANGE BY IBM WITHOUT NOTICE.