Report to the JA-SIG Board

The JA-SIG uPortal Conference

From what I have heard since the conference, by every measure, the uPortal Conference in Vancouver was very successful. Selecting topics, adapting the program to changing priorities, and, perhaps more important, canceling some early contacts for presentations when new topics appeared, seem to yield a more relevant program than the traditional solicitation of papers long in advance of the program. UBC’s savvy, hard work, and leadership certainly strengthened JA-SIG at a time when other conferences have falling attendance.

Because activities in authentication and authorization and the deployment of applications using Web Services suggest continued change in technology this fall, Carl Jacobson mentioned that using the same approach in developing the program could match the pace of technology change.

The UDDI Registry

At the Vancouver conference Sun’s John Fowler mentioned setting up one or two UDDI servers.

I mentioned coordination with the organizations that want to maintain a central directory for higher education. This was unfortunate since it could have been interpreted as a suggestion that JA-SIG implement such a directory. After thinking about the UDDI service, I would suggest a JA-SIG test UDDI implementation—with no expectation of mission-critical levels of service and accuracy—limited to JA-SIG developers and JA-SIG projects. This could increase interest in JA-SIG by Web Services developers and implementers, without the risks of unfulfilled expectations and organizational roles.

Those potentially interested in a directory service for higher education include EDUCAUSE (based on .edu domain registry?), CREN (digital certificates and public keys), National Council of Higher Education Loan Programs NCHELP (U.S. financial aid participants), AACRAO (transcript, enrollment certificate exchange), and National Student Clearinghouse (transcripts, enrollment certificates, student loans) as well as the directories in the four U.S. Departments—Health and Human Services, Education, Justice (INS), and Veterans Affairs.

If a UDDI server is brought up, the JA-SIG Board may wish to take a position on the appropriate scope of a “JA-SIG” UDDI server. A narrow scope would assure others that JA-SIG is not interested in operating the higher education directory. If a decision is made to have a UDDI server, it would be useful to publicly describe the limited scope to reduce speculation.

The Liberty Alliance

At Monday’s EDUCAUSE-sponsored Federal and Higher Education PKI meeting, Mitretek representative Monette Respress mentioned the Liberty Alliance would be releasing its specification mid-July. The specification will include 12 SAML assertions that will be supported by the Alliance. At Tuesday’s e-Authentication Initiative Industry Day sponsored by the U.S. General Services Administration, the Liberty Alliance was mentioned three times, both as a technology and as a possible source of on-line identification for consumers.

In a conversation this morning, Art Pasquinelli suggested JA-SIG consider joining the Liberty Alliance and perhaps supporting the Alliance by integrating Liberty Alliance access in uPortal. He pointed out that JA-SIG can join as an affiliate member at no cost. This would provide early access to draft specifications and attendance at the semi-annual conferences. JA-SIG members could also participate in the standards setting activity if invited by the Experts Group. JA-SIG would be the first higher education institution or organization to join.

I believe Carl Jacobson has begun discussion of participation.

Authentication and Authorization

At Monday’s Federal and Higher Education PKI meeting, GSA’s David Temoshok described the federal government’s plans for e-government. The Office of Management and Budget is implementing e-government initiatives that cross department and agency boundaries. OMB observes that an average of 19 departments and agencies provide each government service—grants, loans, etc. (see Figure 1). OMB has also observed there are some common services, such as e-authentication, required to meet consumer expectations. The University of California’s David Wasley said the Office of the President has begun issuing digital certificates to UC staff. He also mentioned a pilot project with the U.S. Department of Education beginning late summer. UC will “register” the digital certificates with the Department using the subject field. ED/FSA Champion of Privacy and Security Andy Boots attended the meeting. He mentioned that single sign-on [to the separate department systems] has become a priority. Andy is participating in the OMB Quicksilver Project sponsoring e-Authentication. Extending the discussions that began in the April 29th Shibboleth briefing for publishers, David also provided a conceptual diagram of Shibboleth supporting a portal.

By telephone, Internet 2’s Ken Klingenstein said Shibboleth is now at Alpha 2 and they are looking for more Alpha testing volunteers.

Figure 1 – Scope of the U.S. Federal E-government Strategy

The University of Texas Health Science Center’s Bill Weems made the most understated and important contribution. He said they have been widely implementing PKI. They have found (1) those who have digital certificates require much less customer service support than those with logons and passwords—no digital certificates have been compromised or lost, as contrasted to passwords that have to be reset often, (2) although people will give their logon and password to someone else, there has been no observed case where a digital certificate has been given to someone else, and (3) the “best” digital certificate is one contained in a USB device small enough to fit on a key chain. Unfortunately, he observed, the University has several thousand Windows machines that do not support USB. The UTHSCH experience would make a good article for NACUBO’s Business Officer magazine.

National Institutes of Health’s Peter Alterman (who also is a member of the e-Grant initiative) said NIH was committed to extending use of the higher education bridge certificate authority (HEBCA).[1]

Mitretek’s Monette Respress commented the Liberty Alliance specifications would be available mid-July.

Tuesday the General Services Administration held the e-Authentication Initiative Industry Day. OMB Associate Director for Information Technology and E-Government Mark Forman gave a short presentation about the work that led to an emphasis on e-authentication. The slide in Figure 1 summarizes the initiatives.

GSA’s Steve Timchak and David Temoshok described the program and plans for e-authentication. The conceptual design is shown in Figure 2.

Figure 2 – Conceptual Design for e-Authentication

A more detailed view was given in the subsequent diagram shown in Figure 3.

Mitretek’s Monette Respress led the discussion of the prototype that would be delivered with at least two applications September 30, 2002.

At the break, in the presence of Ms. Respress, Georgetown University and Internet 2’s Michael Gettes commented that he had recommended uPortal for the Mitretek prototype and Shibboleth as a model for e-Authentication. Monette confirmed interest in Michael’s recommendations.

GSA mentioned a Request for Information would be released within the next two weeks. During the question and answer period I asked when responses would be received—no schedule yet—and whether they would be made available to the public [without the delay of a Freedom of Information Act request]—don’t know. I thought the responses to the RFI would provide additional insight into federated authentication and authorization.

Figure 3 – eAuthentication Process Flow Details

uPortal and e-Authentication

Today I sent an e-mail to Mitretek asking if they were interested in learning more about uPortal. Carl has been clear that the priorities for the Mellon Grant are (1) necessary and limited development of the framework, (2) support of uPortal “partners,” and (3) other opportunities. There is the possibility of participating in e-Authentication initiatives because uPortal does not endorse any commercial product. There are three concerns. One is providing uPortal without technical support. The learning curve on any software as complex as uPortal has become is steep. Second, whether uPortal itself could scale, since the two tentative applications are e-Travel and e-Learning. If the prototype has limited implementation, uPortal would be acceptable. However, both applications could scale very rapidly if federated authentication were successful. Third, possible forking of the code if e-Authentication developed one method of remote authentication and Shibboleth or the U.S. Department of Education chose another, and they could not be supported by the current authentication API. Or, putting it another way, is there any reason to believe the MIT OKI authentication API and the federal government’s would be identical? Or even reasonably common?

An implementation of e-Authentication may be beneficial globally if e-Authentication provides access to Liberty Alliance registrants. David Wasley had commented the University of California has been asked to develop contacts with middle school and high school students to encourage them to attend college. Tisch McNamara from the California Community Colleges believes access to Liberty Alliance would give many the opportunity to request transcripts on-line.

The Board may want to discuss what level of interest there is in participating in the U.S.-centric e-Authentication project and under what terms and conditions.

Beyond the content of the federal e-Authentication initiative, there is a judgment about the future of this project. First, there is no question about funding. President Bush has committed himself—insofar as Presidents commit themselves—to e-Government. This makes funds available either by the budget process—very limited—or by requiring agencies to participate using their own funds—which is already happening. The project also falls under Homeland Security. Note Sallie McDonald’s title is Assistant Commissioner for Information Assurance and Critical Infrastructure Protection.

Mark Forman’s personal reputation is now dependent upon some e-Government initiative being successful before the November elections. e-Authentication is a critical milestone in any of these initiatives. The Mitretek team began support of GSA in 1999 for the federal PKI bridge—knowledgeable, experienced, and connected. The Mitretek team is impressive. I believe this one will reach critical mass. It will rely heavily on Liberty Alliance technology and authentication services—the only way to get to large numbers quickly.

One of the considerations is the U.S.-centrism of e-Authentication at a time when there are many and increasing uPortal deployments in other countries. (Congress’ dispute with ICANN is not helping the U.S. image in the Internet community.)

These are personal observations and may differ from those of Michael Gettes—the only other higher education representative—of the 110 attending—at e-Authentication Industry Day.

Related Conferences

June 19-20 EUNIS 2002, Porto, Spain

Art Pasquinelli reported EUNIS was well attended by people at high levels who are interested in implementations rather than the technologies themselves. He believes a consensus is emerging on the use of Web Services (and Sun ONE) technology.

In a conversation this morning with Art Pasquinelli, he commented the European universities are now very interested in Web Services (XML, SOAP, WSDL, UDDI). In February, Joakim Bjorklund of Linkoping University reported on his success in using Web Services to integrate administrative systems at the 2002 European Education and Research Conference. This may have led to broader interest at this conference. Web Services will be a major topic at next week’s Portal Conference at the university. Art thought Web Services would be a common theme for technology conferences this next year.

June 27-28 Portal Conference 2002, Gothenburg, Sweden

Informally led by Joakim Bjorklund of Linkoping University, the conference agenda includes formation of a uPortal Users Group. Because of the conference in Nottingham the following week, Joakim reports most attendees will be Swedish. This may reflect the intense interest in uPortal by Swedish universities as well. Several weeks ago Joakim reported expecting about 60 attendees.

July 1, 2002 Portals 2002, Nottingham, England

A one-day executive-level conference on portals organized by the University of Nottingham. This was aimed at vice chancellors and directors. In March Stephen Brydges hoped for 100. When registration exceeded 200, further registrants were turned away because of both space and materials limitations. Sun, International Business Solutions (IBS), and CampusPipeline are listed as sponsors.

Other Issues and Opportunities

Four authentication and authorization projects expect to use SAML assertions—Shibboleth, WS-Security for SOAP, e-Authentication, and the Liberty Alliance. This brings up the issue of converging the higher education assertions—tags and values. This should be a project for the Postsecondary Electronic Standards Council (PESC). However, it is unlikely PESC will be able to reconcile these implementations by the time there will be deployments of uPortal Web Services applications (channels). Some suggestions on how to get quick convergence would be helpful.

Corrections

In the original report, Peter Alterman was incorrectly identified as head of the e-Grants initiative. Charles Havekost is program manager.

Judi Hasson, writing for Federal Computer Week, has the following to say about e-Grants:

“The federal government is launching a "storefront" project July 1 for state and local governments to apply online for e-grants, one of five major initiatives to help the government deliver its services electronically.

“The e-grants project would use an existing portal, FedBizOpps, adding details about applying for the estimated $400 billion in grants from the federal government each year. The Health and Human Services Department issues half the grants, including tens of millions of dollars to the states for Medicaid. But other agencies also provide grants for everything from art projects to community initiatives.

“Charles Havekost, the e-grants program manager at the HHS, where the project is being developed, said June 10 at a Digital Government Institute conference on e-grants that the project would save money by avoiding the cost of building its own portal. They also plan to use existing government contract vehicles and off-the-shelf products. He likened the project to a storefront, where people can shop for what they want.”

There are several points about this project. First, e-Grants will become operational before e-Authentication has produced a design. Second, FedBizOpps uses e-mail for document exchange. FedBizOpps defines templates for transaction content that use XML tags. The messages are authenticated by an assigned FedBizOpps password. The logon and password are assigned by the Help Desk. The current nine templates were made available in 1999. “Release 2” will be implemented July 2, 2002.

Michael Gettes also said Internet 2 may have become a member of the Liberty Alliance. Internet 2 is not listed on the Liberty Alliance Web page, and no one from the Liberty Alliance has yet responded to queries about membership.

Revised June 23, 2002

Jim Farmer, June 20, 2002

[1] In the original text, he was identified as head of the e-Grant initiative. Additional details are provided in Corrections.