UC Authentication Workgroup Meeting

UCLA Faculty Center

January 15, 1999

10:00 a.m. - 3:00 p.m.

 

Attendees: Marina Arseniev (UCI), Denis DeLaRoca (UCLA), Mike Friedman (UCB), Joan Gargano (UCOP), Eric Goodman (UCSC), Sal Gurnani (UCOP), Russ Harvey (UCR), Pete Neilson (UCLA), Vance Vaughan (UCB), Ken Weiss (UCD), Frank Whittemore (UCSD), Don Worth (UCLA)

 

I. Review of Architecture Statement

 

Clarification:

Edit the Architecture Statement so that it is clear that the certificates are intended for authentication only, not for signing email.

Write a section to address University affilitates which relationships to multiple campuses.

Clarify that this is a technical architecture statement and all business practices and operational aspects of this service is addressed in the CPS.

Recommend:

Applications which serve campus affiliates only should use campus based attribute servers.

Applications which serve all University faculty, staff and students should query the UCOP attribute servers.

Correction:

Page 4: OID should be 113916

 

II. Attribute Service Proof of Concept

 

A service is in operation with all faculty and staff records.

The initial protocol has been implemented using secure LDAP and HTTPS.

Next Phase:

Put and LDAP server on the UDIR server to improve performance.

Incorporate the architecture and data flow of the UDIR into the architecture statement.

III. Certificate Portability

 

The workgroup will recommend the following solutions for mobile uses who use certificate enabled applications.

Station Type

Anonymous Access

Authenticated Access

Multiple Fixed Workstations for and Individual, i.e. work and home

  

Certificate transfer using a floppy disk. Requires the person to get the first certificate with a Netscape browser.

Public Workstation

Functional Certificates

Functional Certificate to authenticate the workstation and Username and Password to authenticate the user.*

Multi-user Workstation

Functional Certificates

Multiple user profiles with personal certificates associated with each profile.

 

* Assumption: This solution is needed when you can't guarantee that the configuration of all public workstations will be refreshed after use to ensure that a previously installed certificate is erased.

IV. Proxy Service Feasibility - new item for discussion

 

Sal Gurnani gave an overview of the use of proxy servers to access content provided by external publisher.
    1. Requires rewriting all URLs in documents returned by the content provider.
    2. Does not work for pages which contain JAVA Script.
    3. Requires capacity planning for the server.
    4. Requires capacity planning for network bandwidth.

Proxy logins should be investigated as an alternative.

The Workgroup recommends that in addition to providing proxy services that groups continue to work with publishers to accept certificates directly and that user education programs provide information about the tradeoffs of each solution.

 

V. Implementation goals to demonstrate interoperability of authentication and authorization services.

 
    1. Dennis DeLaRoca will work with Sal to develop a UCLA application which will accept a UCLA issued certificate and query the UCOP Attribute Service to determine the affiliation of the user.
      2.

      This will test the use of an Application Role Certificate on the server. The business rules associated with this service need to be documented in the CPS.
    2. UC Davis will expand the testbed for MelWeb.
      3.
    3. UCLA will add user documentation to the workgroup website.
      4.
    4. The workgroup will expand the architecture to include definitions of certificate types and the technical issues related to each class.

Classes of Certificates

Anonymity is a special class of functional certificate.
    1. Frank Whittemore will investigate the issues related to the use of certificates for signing and encrypting email. Frank will report on his findings in the year end report.

 

VII. Next Meeting

Friday 26, 1999

Agenda

Netscape Briefing

Review of the Architecture Statement

Discussion of the UDIR with Benny Min