Modern science increasingly depends on international collaborations. Large instruments are expensive and have to be funded by several countries, and they generate very large volumes of data that must be archived and analysed. Scientific research infrastructures, e-Infrastructures, or cyber infrastructures support these collaborations and many others. In this chapter we look at the issue of trust for such infrastructures, particularly when scaling up from a small one. This growth can be “natural,” as more researchers are added, but can also be dramatic if whole new communities are added, possibly with different requirements. Our focus is on authentication, since for most realistic infrastructures, authentication is the foundation upon which further security is built. Our aim has been to focus on real-life experiences and examples, distilling them into practical advice.
Science and research are increasingly becoming global: where researchers previously only communicated by email, they now collaborate closely across national boundaries using supporting e-infrastructures or cyber infrastructures. For a small group of researchers sharing few resources, it is fairly easy to establish a trusted relationship between the users and the resources: for example, by getting everyone together in the same room and handing out passwords. It becomes much more difficult to establish and maintain these relationships when the group grows, when many other resources are added, or when the resources need higher levels of protection (e.g. if accessing sensitive data or controlling an instrument).
This chapter looks at the challenges in scaling up from small infrastructures to large ones. Our emphasis is more on human processes than technology: ultimately trust is between humans, supported by processes and policies; the role of technology is to mediate the trust in a distributed infrastructure. Purely technological proposals for scaling to larger infrastructures have been studied elsewhere, e.g. identity-based encryption (Shamir, 1984) or, more recently, building PKI (Public Key Infrastructure) with secure “mediators” (Boneh, 2001; Vanrenen, Smith, & Marchesini, 2005); these and others will not be pursued here. When we need to cover aspects of commonly used technology, we do so to assess how much it can help scale the trust infrastructure.
In addition to being “sociological,” our overall aim is highly practical: we focus on processes and technology which are known to work on a global scale.
A high level outline of this chapter is as follows:
A discussion of the participants and their trust relationships.
Investigating scalability issues.
A discussion of issues and controversies.
Practical advice for people seeking to scale a trust infrastructure.
Participants And Security Goals
Let us first look at the simplest case mentioned in the introduction: a group of users accessing a shared resource. They may use a password to authenticate to the resource, and the password can be reset using their email address if they forget it. e-Commerce (see Example 1 and Anderson (2008, sec. 10.5) for further discussion) is similar. In both cases, we have a group of users who interact only with the resource, not with each other.
Example 1. Doohickey Inc sells widgets on the Internet.
Alice signs up and gets a password mailed to her. She uses the password to log in and buy widgets using her credit card. Each time Alice logs in, she sees her account and can track her order. If she forgets her password, she clicks a reset button and a new (possibly temporary) password is sent to her email account.
The need for security is not high because the account is used mainly for presentation purposes (unless the server remembers her credit card details and no additional checks are performed!)
Security in this case appears to be symmetric, being based on a secret shared between the user and the resource, namely the password. (The trust relationship need not be symmetric, though, as we shall see in the sections Resources and Scalability of the Infrastructure.)
Key Terms in this Chapter
Authentication: In the context of this chapter, authentication refers to the process of establishing that a usually remote entity is who or what they claim to be (cf. Chokhani et al., 2003, section 2). Authentication of an entity to a verifier usually involves the presentation of an identity token, along with a verification by the verifier of the validity of the token, as well as a check that the entity is the one named in the token. A real-life example is presenting a passport to an immigration official, who will check that it is a valid passport and compare the picture with the person presenting the passport. Cf. identification, below.
Identification: “Establishing that a given name of an individual or organization corresponds to a real-world identity of an individual or organization, and establishing that an individual or organization applying for or seeking access to something under that name is, in fact, the named individual or organization” (Chokhani et al., 2003, section 2). As an example, consider an application for a passport: if you have had one before, it may be sufficient to show it; otherwise a documented process is used to verify your name and the likeness of a recent photo. (Once the passport is issued, another process needs to ensure that it is delivered to you, the applicant.) An example of the second half of the definition is picking up a package (in your name) at the post office and using the passport to prove that you are the person to whom the package is addressed.
Policy: In the context of this chapter, a policy is a published statement describing any or all of infrastructure, community, participants, methods, obligations, requirements, jurisdictions, etc., sufficient for a participant to determine the trustworthiness of the publisher. For example, a federation of identity providers (a special case of the hub in section 3) may have a policy that all users shall have individual identity tokens (i.e. tokens must not be shared). Some identity providers (i.e. token issuers) within the federation may further require that the tokens carry a reasonable resemblance of the token owner’s name. The policy of the federation, and possibly of the individual providers, should be sufficient for a resource provider to determine the LoA (see below) of the federation and whether it is sufficient; possibly they will accept tokens only from the providers that issue named tokens. Of course, it is necessary that a participant with a policy follow the policy; an audit may be required to assuage the resource provider.
Level of Assurance (LoA): The LoA is an attempt to measure the overall strength of the assertions made in the infrastructure (section 2.5.3). An infrastructure managing public data does not usually need a high LoA; if it manages personal data it needs a much higher one; if it manages state secrets, it needs a higher one still. See Bolten (2003) for an overview, and Burr, Polk, & Dodson (2006) for further details.
Trusted Third Party: An intermediary whose role in the infrastructure is to establish or mediate trust, and, possibly, verify the trustworthiness (i.e. reputation) of other participants.
Trust: The word “trust” has several meanings (section 3); the ones relevant to this chapter are the belief in the honesty and reliability of, or confidence in, some other party. For example, Alice feels confident lending Bob her car because she trusts that he will return it and she has confidence he will drive well. See also
Scalability: Scalability refers to the ability of the trusted infrastructure to scale, usually in terms of the number of participants. A secondary aspect of scalability is scaling geographically, as scaling beyond national boundaries often poses certain problems. As discussed in section 3, scalability should be seen from the perspective of the individual participant making bilateral trust decisions, as well as the total scale of the infrastructure and its ability to grow. It is the purpose of this chapter to give guidelines for building trusted infrastructures that will grow to a global scale.