AAI Workshop 2000: Agenda

Monday 20. November 2000

 14:10  Arrival of participants / Hotel room check-in

 14:30  Welcome
        Thomas H. Brunner, SWITCH
        Christoph Graf, SWITCH

 14:40  Technology

   - Authentication and Authorization Infrastructures: Kerberos vs. PKI
     PD Dr. Rolf Oppliger, eSECURITY Technologies, Muri b. Bern

         An authentication and authorization infrastructure (AAI) provides
         infrastructural support for both authentication (i.e., the process
         of verifying an identity claimed for a system entity) and
         authorization (i.e., the process of granting a right or permission
         to a system entity to access a system resource). As will be
         discussed during the workshop, there are many applications for AAIs
         and AAIs are getting increasingly important in today's networked and
         distributed environments. With regard to the design, implementation,
         and large-scale deployment of AAIs there are two "development roots"
         one may consider to start with: the Kerberos authentication system
         and public key infrastructures (PKIs). In this talk, we introduce
         the technologies and discuss the advantages and disadvantages of
         Kerberos, Kerberos-based AAIs, PKIs, and PKI-based AAIs. The talk
         concludes with the insight that it is possible and very likely that
         both Kerberos-based AAIs and PKI-based AAIs are going to converge to
         something conceptually similar to attribute certificates in the area
         of authorization.

 16:15  Break

 16:45  Internet 2

   - Generic AAA, an architecture for multi kingdom policy decisions
     Cees de Laat, Utrecht University, NL (co-chair of IRTF-RG AAAARCH)

         A number of Internet Services require Authentication,
         Authorization, Accounting and Audit Support. The IETF AAA Working
         Group is chartered with defining short term requirements for a
         protocol that will support such services for NASREQ and MobileIP.
         The work of the IETF AAA group has shown that there are a number
         of areas where an AAA architecture would be helpful. The AAAARCH RG
         will work to define a next generation AAA architecture that
         incorporates a set of interconnected "generic" AAA servers and an
         application interface that allows Application Specific Modules
         access to AAA functions.

 17:45  Smart Card Technology

   - Smart Card aspects of an AAI
     Stéphane Joly, NagraCard SA, Cheseaux

         Presentation focusing on the smart card aspects of an AAI and the
         consequences for the project implementation.

 18:05  Requirements (1)

   - Requirements of a public and university Library for AAI
     Wolfgang Lierz, Head IT services, ETH-Bibliothek Zürich

         The Consortium of Swiss Academic Libraries co-ordinates the
         access for all users of participating libraries to third party
         databases over the Internet, which requires access control.
         Traditionally, library users have different levels of access,
         from anonymous walk-in users to group and individual access from
         known locations as well as with roaming. A further complication
         arises through multiple roles individuals play in parallel or
         over time.
         Obviously, IP based access control is no longer a viable solution.

   - Privacy enhanced X.509 certificates
     Andreas Schneider, Institut für Informatik, Universität Zürich

 18:40  End of sessions

 19:00  Dinner

Tuesday 21. November 2000

 08:30  Requirements (2)

   - Authentication and Authorization in the Swiss Virtual Campus
     Dr. Jacques Monnard, Centre NTE, Université de Fribourg

         In the future, the Swiss Virtual Campus (SVC) will allow students
         to take courses from Swiss Universities over the Internet. 
         Through the SVC, instructors and students will need to have
         controlled access to a wide variety of services (enrollment data,
         courses, libraries, etc.). In this context, authentication and
         authorization will play a very important role.

 08:45  Projects & Activities

   - A Secured Extranet supporting medical data exchange between organisations
     Dr. Sc. Stéphane Spahni, DIM, Hôpitaux Universitaires de Genève

         There is a growing need for sharing medical data between healthcare
         partners (e.g. hospitals, GPs, home care).
         But while paper-based transmission of documents is well accepted,
         it is by far not the case for electronic-based transmission. In the
         framework of the SYNEX European Project, a secured Extranet has been
         built between the University hospitals of Geneva and the Geneva
         Association of GPs, supporting secure and reliable transfer of data.

   - Management of users at the University of Lausanne
     Alexandre Roy, Centre informatique, Université de Lausanne

         The management of users has evolved from "managing a /etc/passwd
         file" to the GESU application (home made) which is tightly bound
         to the human resource database. The email system, the Unix users
         and an LDAP directory are controlled by GESU; the integration of a
         Win2k Active Directory will be soon in operation. The LDAP
         directory is a central element for the future of authentication
         and authorisation at UNIL.

   - CLASP (Common Login and Access rights across Services Plan)
     Denise Heagerty, CERN

         The CLASP (Common Login and Access rights across Services Plan)
         project is investigating mechanisms for Single Sign On and common
         access rights across CERN services. This talk will present the
         results of a feasibility study, which recommends Kerberos v5
         authentication with some integrated support for X.509 certificates.
         Centrally defined "e-groups" are proposed to achieve common access
         control for files, web pages and e-mail lists.

   - GASPAR: a secured portal to access EPFL e-services
     Ion Cionca, EPFL

         - before GASPAR: each service had its own identification method
           and user lists; impossible to merge data
         - GASPAR offers identification and authentication for secure web
           access to e-services
         - based on new identification tools (SCIPER, CAMIPRO, SAC etc.)
         - to access a secured e-service one must first register on GASPAR
         - GASPAR uses the HTTP protocol as API for e-services authentication
         - access to e-services is granted to GASPAR clients with a valid
           EPFL e-mail address and with the appropriate ACL for the service
         - SSL certificate use is implemented but not yet officially

   - Student Card Solutions
     Gilles Beljakovic, NagraCard SA, Cheseaux

         Presentation of student card solutions with a focus on:
         - benefits for universities and the students
         - different departments involved

   - Ready for PKI tests with the SWITCH Swisskey Corporate ID
     Thomas Lenggenhager, SWITCH

         SWITCH has now the Swisskey Certificate Management System (SCMS)
         installed on a PC at SWITCH Head Office. For testing purposes
         at Swiss Universities, we can now provide certificates.
         SWITCH will start with its own tests and is interested in hearing
         about potential tests within universities.
         [Due to missing time, this paper was not presented, but slides
         were incorporated in the printed material]

 10:00  Break

 10:30  Panel Discussion

        Experts from outside the universities will discuss their view &
        vision and will answer your questions.

        Bruno Gschwend, Swisskey
        Cees de Laat, Utrecht University
        Christophe Ollagnon, NagraCard (Slides)
        Rolf Oppliger, eSECURITY Technologies

 12:30  End of workshop

 13:00  Lunch