CS Colloquium, April 28: Douglas Sicker

Ruth Covington

Apr 23, 2003, 4:15:17 PM
University of Colorado at Boulder

Department of Computer Science

ECOT 717 Engineering Center

Campus Box 430

Boulder, Colorado 80309-0430

(303) 492-7514, FAX (303) 492-2844

 

CS COLLOQUIUM

 

Role Based Authorization in Distributed Real-time Communication

Douglas C. Sicker

University of Colorado

 

Monday, 28 April 2003

3:00 - 4:00

Bechtel Conference room DLC 1B70 (enter through Engineering Center walkways)

 

 

A role-based security policy allows authorization decisions to be based on a role that the user asserts rather than on identity. Role-based authorization can be implemented through an approach that conveys user information in the form of attributes associated with that user. Relying on attributes provides a number of advantages, including simplifying access control, providing a means for more granular (and subsequently more flexible) authorization decisions, and providing a measure of privacy. While role-based authorization has been investigated in the intra-domain space, it is only recently that it has been considered for inter-domain communication.

 

An approach to providing role-based authorization capabilities between domains could be based on the use of the Session Initiation Protocol (SIP). SIP is an application layer protocol that allows endpoints to locate other endpoints and invite them to participate in a session. SIP presently defines various methods for performing authentication (and to a limited extent authorization). However, these methods are generally identity based. In order to facilitate inter-domain role-based authorization, several new SIP-based mechanisms must be defined. This approach would require asserting user attributes between domains in a secure manner. Security Assertion Markup Language (SAML) provides a format for describing these assertions.  These user attributes are coded into SAML assertions that are then transported between the SIP entities.

 

In this talk, I will begin by providing an overview of the architecture for inter-domain role-based authorization.  I will then describe a SIP profile and binding for SAML.  These profiles and bindings define the ways to incorporate SAML into various communication protocols.  Next, I will present a security analysis of the threat model for each of the profiles. I’ll conclude this talk by presenting some performance assessments of this design.

 

BIOGRAPHY

Douglas C. Sicker is an assistant professor at the University of Colorado at Boulder in the Department of Interdisciplinary Telecommunications. Before this he was Director of Global Architecture at Level 3 Communications, LLC.  Prior to this, Doug was Chief of the Network Technology Division at the Federal Communications Commission (FCC).  He has also held faculty positions in the field of medical sciences.  Doug’s general interests include signaling and security in IP-based networks.  His recent work focuses on privacy and role-based authorization in IP-based networks. He is also interested in the interaction of policy and network technology.  Doug is a senior member of the IEEE, as well as a member of the ACM and the Internet Society.  Doug is active in the Internet2 and the IETF.  After leaving the FCC, Doug served as the Chair of the Network Reliability and Interoperability Council steering committee, an FCC federal advisory committee.  Doug also served on the Technical Advisory Council of the FCC.  Doug holds a Ph.D. from the University of Pittsburgh. 

 

------------------------------

http://www.cs.colorado.edu/department/events/colloquia/colloquia.html

 

Sign Language Interpreters Available Upon Request. Please contact Ruth Covington, Department of Computer Science, Engineering ECOT 717, 303-492-7514, at least five days prior to the colloquium.

 