The CILogon project provides the open source, standards-based CILogon Service at https://cilogon.org/, which supplies the NSF research community with credentials for secure access to cyberinfrastructure (CI). The service bridges the identity credentials issued by the nation's universities, through the InCommon Federation, to a certificate for authentication to NSF's cyberinfrastructure projects. Timeline:
The Challenge. The goal of our service is to allow users' credentials, as managed by universities (and other research institutions) in InCommon, to be used to access NSF's cyberinfrastructure. The primary technical challenge we face is the technology gap between InCommon, which is based on the Security Assertion Markup Language (SAML) as implemented by the Internet2 Shibboleth software, and NSF's cyberinfrastructure, which is based on the public key infrastructures (PKIs) that emerged from computational grids.

Our Approach. Our project leverages existing software to provide the required functionality. Much of our approach has previously been demonstrated in the TeraGrid federated login system. Since Shibboleth is a web-based technology designed for users with web browsers, our service is a web application residing in Apache. Building on Shibboleth and Apache, we use the work pioneered in the GridShib project, deployed in TeraGrid, to convert a Shibboleth authentication into the certificates needed for much of the NSF CI. As with the TeraGrid work, we use MyProxy with specialized hardware security modules to generate these certificates.

Service Operation. Central to our proposed work is the operation of our service for the NSF community. Our plans for operating our service include:

Non-InCommon home institutions. While InCommon is growing and now represents over 200 organizations and over 4 million users, we recognize that there will be users from organizations that have not yet joined InCommon. In this case we encourage users to sign up with the free identity provider service available from InCommon member ProtectNetwork. This allows users at universities not in InCommon to use our service in the same manner. We also support authentication with OpenID from many providers, including Google and Yahoo.

Privacy. The CILogon Service follows best practices for auditing, as befits an authentication service. With regard to these logs, we follow standard NCSA and University of Illinois policies. In summary, user information will only be released in aggregate form (so we can report metrics to NSF) or with the explicit, opt-in permission of the user. Note that while the purpose of the service is to issue certificates containing user-identifying information, the CILogon Service issues certificates on the explicit request of the user.

Host certificates. Currently the CILogon Service focuses on issuing certificates that identify people, rather than hosts or services, since this allows us to directly leverage the authentication services provided through InCommon.
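The attribute-mapping step at the core of the Shibboleth-to-certificate bridge described above, as an added sketch that is not CILogon, GridShib or MyProxy code: the attributes a Shibboleth SP exposes to the web application are checked against a trusted identity-provider list and escaped per RFC 4514 before they become a certificate subject. The header names follow Shibboleth's default attribute map; the trusted-IdP list and the subject layout are assumptions made for the example.

```python
"""Sketch of mapping a federated (SAML) login to a certificate subject."""

# Assumed allow-list of federation identity providers whose assertions we accept.
# A real deployment would take this from federation metadata, not a literal.
TRUSTED_IDPS = {"https://idp.example.edu/idp/shibboleth"}

# Characters RFC 4514 section 2.4 requires to be escaped inside an RDN value.
_DN_SPECIAL = set(',+"\\<>;')


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use in a string-form distinguished name.

    Besides the special characters, a leading '#' and a leading or trailing
    space must be escaped, otherwise an attacker-chosen displayName such as
    'Doe, O=Admins' would inject an extra RDN into the subject.
    """
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def subject_from_assertion(headers: dict) -> str:
    """Build a certificate subject from the attributes released by the IdP.

    `headers` stands in for the request variables a Shibboleth SP sets for the
    application (Shib-Identity-Provider, eppn, displayName). The DN layout is
    an assumption for this example, not CILogon's actual format.
    """
    idp = headers.get("Shib-Identity-Provider")
    if idp not in TRUSTED_IDPS:
        raise PermissionError(f"identity provider not trusted: {idp!r}")
    eppn = headers.get("eppn")
    name = headers.get("displayName")
    if not eppn or "@" not in eppn or not name:
        raise ValueError("assertion lacks eppn or displayName")
    # Carry the asserting IdP in the subject so relying parties can tell which
    # federation member vouched for this user.
    return (
        "CN=" + escape_rdn_value(name) + " " + escape_rdn_value(eppn)
        + ",O=" + escape_rdn_value(idp)
        + ",DC=example,DC=org"
    )
```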

