id-cloud message
Subject: Raw notes of Informal GAP analysis meeting of 09 Feb 2012


Raw notes of Informal GAP analysis meeting of 09 Feb 2012

---------------------------------------------------------

- I'll process these notes and consolidate them into the GAP analysis document

- Post per use case findings to the email threads on the list to keep those up to date

 

   Next meeting Mon 13 Feb @ 2 pm ET

---------------------------------------------------------

 

Gershon Janssen: * Informal Gap Analysis meeting Feb 09

Gershon Janssen: Agenda for this meeting is:

To further go through each of the use cases and try to establish what standards might be applicable.

 

There is no particular order in which we want to walk through the use cases, so if there are use cases we have good insights into at this stage, let's do those first. If none, then let's take them in order starting from use case 8.

Gershon Janssen: ... stepping away for 2 minutes...

AnilSaldhana(RedHat): dialing in

Gershon Janssen: ...I'm back...

AnilSaldhana(RedHat): 1 min

Gershon Janssen: Hi Michele!

Michele Drgon (DataProbity): ...I'm back..... [wink]

Michele Drgon (DataProbity): Hi Gershon! Had to use your words as they fit perfectly! [smile]

Gershon Janssen: @Michele: great to have you back!

Michele Drgon (DataProbity): @Gershon  Thank you!

Gershon Janssen: 3.8 Use Case 8: Identity Privacy in a Shared Cloud Environment

Gershon Janssen: - XACML

- PMRM

AnilSaldhana(RedHat): =======

AnilSaldhana(RedHat): Use Case 8: Identity Privacy in a Shared Cloud Environment

 

Short description:

Show the need for controls to exist to maintain privacy of identities while

operating in a cloud if desired

 

Relevant applicable standards:

- XACML

- PMRM

 

Analysis notes:

 

Possible GAPs identified:

 

---

AnilSaldhana(RedHat): ===================

AnilSaldhana(RedHat): W3C P3P

Gershon Janssen: W3C P3P

AnilSaldhana(RedHat): http://www.w3.org/P3P/

AnilSaldhana(RedHat): Platform for Privacy Preferences (P3P) Project

Gershon Janssen: tier=2

AnilSaldhana(RedHat): Things involved: preferences

AnilSaldhana(RedHat): attributes of the identity

AnilSaldhana(RedHat): controls on these

AnilSaldhana(RedHat): Preferences (what I like) and attributes (my age, height) etc. are different things

Gershon Janssen: ---

 

Use Case 9: Cloud Signature Services

 

Short description:

There is a business need in many applications to create digital signatures on documents and transactions. When applications, and users, move into the cloud so should also the signing services. Both users and applications have a need to sign documents.

 

Relevant applicable standards:

 

Analysis notes:

 

Possible GAPs identified:

 

---

AnilSaldhana(RedHat): ==========

AnilSaldhana(RedHat): Use Case 9: Cloud Signature Services

 

Short description:

There is a business need in many applications to create digital signatures

on documents and transactions. When applications, and users, move into the

cloud so should also the signing services. Both users and applications have

a need to sign documents.

 

Relevant applicable standards:

 

Analysis notes:

 

Possible GAPs identified:

 

---

AnilSaldhana(RedHat): ==================

AnilSaldhana(RedHat): W3C XML DSig

Michele Drgon (DataProbity): NIST on Cloud Security/Privacy  http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494

AnilSaldhana(RedHat): Michele: Thanks so much. [smile]

Gershon Janssen: OASIS Digital Signature Services (DSS) TC http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss

AnilSaldhana(RedHat): Dale Moberg:

AnilSaldhana(RedHat): ==============

AnilSaldhana(RedHat): Relevant applicable standards:

 

OASIS Digital Signature Services (DSS) TC

http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss

 

"The Digital Signature Services (DSS) specifications describe two XML-based request/response protocols a signing protocol and a verifying protocol. Through these protocols a client can send documents to a server and receive back a signature on the documents; or send documents and a signature to a server, and receive back an answer on whether the signature verifies the documents. The DSS Core specifications provide the basic protocols and elements which are adapted to support specific use cases in the DSS profiles."

 

Also note "the following profiles of the OASIS Digital Signature Services:

 

    XML Timestamping Profile

    Signature Gateway Profile

    German Signature Law Profile

    Entity Seal Profile

    Electronic PostMark (EPM) Profile

    Abstract Code-Signing Profile

    J2ME Code-Signing Profile

    Asynchronous Processing Abstract Profile

    Advanced Electronic Signature Profiles"

 

Analysis notes:

   

Basic functionalities of signing and verifying are specified, as are specialized profiles.

 

Possible GAPs identified:

 

At most, perhaps a specialized profile is needed?

AnilSaldhana(RedHat): ======================

Gershon Janssen: seems very relevant; will not match completely with all parts of the profile.

Gershon Janssen: XML-DSIG

Gershon Janssen: is a W3C standard

AnilSaldhana(RedHat): May not be tailored to Cloud - DSS

AnilSaldhana(RedHat): Current proposals in IETF: JSON Web Signature (JWS) and/or encrypted using JSON Web Encryption (JWE).

AnilSaldhana(RedHat): damn. will dial back in

AnilSaldhana(RedHat): dialed

AnilSaldhana(RedHat): http://openid.net/specs/draft-jones-json-web-token-07.html

Gershon Janssen: include this as a proposal from IETF

AnilSaldhana(RedHat): http://tools.ietf.org/html/draft-jones-json-web-signature-04

AnilSaldhana(RedHat): JWS proposal

AnilSaldhana(RedHat): This may be relevant to cloud if the API uses JSON-based transport

AnilSaldhana(RedHat): REST based architectures

Gershon Janssen: Focus of use case is on signatures.

Gershon Janssen: ....line is really bad...

Gershon Janssen: ---

 

Use Case 10: Cloud Tenant Administration

 

Short description:

Feature the ability for enterprises to securely manage their use of the cloud provider's services (whether IaaS, PaaS or SaaS), and further meet their compliance requirements.

Administrator users are authenticated at the appropriate assurance level (preferably using multi-factor credentials).

 

Relevant applicable standards:

- SAML

 

Analysis notes:

 

Possible GAPs identified:

 

---

AnilSaldhana(RedHat): Level of Assurance may be relevant

Gershon Janssen: level of assurance is also relevant here

AnilSaldhana(RedHat): How does a user become administrator?

AnilSaldhana(RedHat): What's involved here?

Gershon Janssen: Mapping identities to cloud resources.

AnilSaldhana(RedHat): Mapping of Identities to Cloud Resources.  Relationship can be (handles/owns)

Gershon Janssen: SNIA

AnilSaldhana(RedHat): Storage of information that may have compliance requirements

Gershon Janssen: storage: storage of information, compliance

AnilSaldhana(RedHat): http://www.infoq.com/articles/regulatory-compliant-cloud-computing

Gershon Janssen: if there is sensitive data (health, financial, etc.) why put it in the public cloud?

AnilSaldhana(RedHat): healthcare, military, financial data - will you put it in the cloud?

Gershon Janssen: e.g. frameworks / encryption backing this. Still people refrain from putting their sensitive stuff in the cloud.

AnilSaldhana(RedHat): Law enforcement, compliance

Gershon Janssen: even if you have encryption; would you put in the cloud?

Gershon Janssen: there is law enforcement, compliance, etc.

Gershon Janssen: CDMI spec

Gershon Janssen: DMTF -- for storage elements

Gershon Janssen: ISO38 study group on who's doing what on cloud.

Gershon Janssen: Michele: will see what she can find to share.

Gershon Janssen: ---

 

Use Case 11: Enterprise to Cloud SSO

 

Short description:

A user is able to access resource within their enterprise environment or within a cloud deployment using a single identity.

With enterprises expanding their application deployments using private and public clouds, the identity management and authentication of users to the services need to be decoupled from the cloud service in a similar fashion to the decoupling of identity from application in the enterprise. Users expect and need to have their enterprise identity extend to the cloud and be used to obtain different services from different providers rather than a multitude of userids and passwords.

By accessing services via a federated enterprise identity, not only is the user experience of SSO gained, but also enterprise compliance and control of user access, ensuring only valid identities may access cloud services.

 

Relevant applicable standards:

- SAML

 

Analysis notes:

 

Possible GAPs identified:

 

---

AnilSaldhana(RedHat): Provisioning (SPML, SCIM)

Gershon Janssen: provisioning is involved; needed for creation of identities

AnilSaldhana(RedHat): sync of identities between enterprises and public cloud provider

Gershon Janssen: openID

Gershon Janssen: oAuth

Gershon Janssen: OpenID connect

Gershon Janssen: sc38/working group 1; also 3?

Gershon Janssen: federated identity management: kantara (SAML)

Gershon Janssen: ---

 

Use Case 12: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication

 

Short description:

A user (or cloud consumer) is able to access multiple SaaS applications using a single identity.

 

Relevant applicable standards:

- SAML

 

Analysis notes:

 

Possible GAPs identified:

 

---

Gershon Janssen: openID

Gershon Janssen: oAuth

Gershon Janssen: SPML, SCIM

Gershon Janssen: (provisioning aspects)

Gershon Janssen: attribute management

Gershon Janssen: WS-Federation

Gershon Janssen: also trust frameworks; need to work on this specific item.

Gershon Janssen: IMI

Gershon Janssen: ---

 

Use Case 13: Transaction Validation and Signing in the Cloud

 

Short description:

Users are able to perform transaction and document signing in the cloud

using a trusted signing service that manages their signing keys.  

 

Relevant applicable standards:

 

Analysis notes:

 

Possible GAPs identified:

 

---

AnilSaldhana(RedHat): WS-Transactions

AnilSaldhana(RedHat): OTS

AnilSaldhana(RedHat): openGroup Transaction Services

Gershon Janssen: Open Group Transactions Services (OTS)

AnilSaldhana(RedHat): JTS (Java Transaction Services)

Gershon Janssen: SAML

Gershon Janssen: OTP standards

Gershon Janssen: smart card standards

AnilSaldhana(RedHat): fips 140-2

Gershon Janssen: large areas of standards...

AnilSaldhana(RedHat): ISO X9 has a bunch of financial standards

AnilSaldhana(RedHat): or working groups

AnilSaldhana(RedHat): ANSI X9

Gershon Janssen: ANSI X9 has a group on biometrics

AnilSaldhana(RedHat): Public Key Infrastructure (PKI)

X9F4

ISO 15782 Certificate Management for Financial Services

Originally X9.57, to be replaced by X9.79 Part 3

ISO 21188 PKI for Financial Services - Practices and Policy Framework

Originally X9.79 PKI - Part 1, evolved to Webtrust for CA auditing standard

X9.79 PKI for Financial Services - Part 3: Certificate Management (WIP)

X9.79 PKI - Part 4: Asymmetric Key Management (consideration)

Time Stamp Management and Security

X9F4

ISO/IEC 18014 Security Techniques - Time Stamping Services

X9.95 Trusted Time Stamp Management and Security

RFC 3161 Internet X.509 Time-Stamp Protocol

Wireless Management and Security

X9F4

X9.112 Wireless - Part 1: General Requirements

X9.112 Wireless - Part 2: POS and ATM (work in progress)

X9.112 Wireless - Part 3: Mobile Commerce (work in progress)

Penetration Testing

X9F4

X9.111 Penetration Testing for Financial Services

Cathy Tilton: It is X9.84 - Biometric Information Management and Security

Michele Drgon (DataProbity): http://cloudaudit.org/CloudAudit/Home.html

Cathy Tilton: The biometric groups are INCITS M1 and ISO/IEC JTC1 SC37 (also some in SC27)

Gershon Janssen: ---

 

Use Case 14: Enterprise Purchasing from a Public Cloud

 

Short description:

Reduce the number of passwords that are stored and used in the cloud and eliminate the need for cloud "directory synchronization" while advocating a "claims based" architecture.

 

Relevant applicable standards:

- SPML

 

Analysis notes:

 

Possible GAPs identified:

 

---

Gershon Janssen: PKI

Gershon Janssen: level of assurance

Gershon Janssen: SSO standards

Gershon Janssen: trust / WS-Federation

Gershon Janssen: XML security

Gershon Janssen: REST security

Gershon Janssen: trust relationships between two entities

Gershon Janssen: -> not sure if there are any standards for this

AnilSaldhana(RedHat): http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cnd01/IDCloud-usecases-v1.0-cnd01.html#_Toc299985616

Gershon Janssen: next meeting monday @ 2 pm ET

-----

 
