Subject: Raw notes of Informal GAP analysis meeting of 09 Feb 2012
Raw notes of Informal GAP analysis meeting of 09 Feb 2012
---------------------------------------------------------
- I'll process these notes and consolidate them into the GAP analysis document
- Post per use case findings to the email threads on the list to keep those up to date

Next meeting Mon 13 Feb @ 2 pm ET
---------------------------------------------------------

Gershon Janssen: * Informal Gap Analysis meeting Feb 09
Gershon Janssen: Agenda for this meeting is: To further go through each of the use cases and try to establish what standards might be applicable. There is no particular order in which we want to walk through the use cases, so if there are use cases we have good insights into at this stage, let's do those first. If none, then let's take them in order starting from use case 8.
Gershon Janssen: ... stepping away for 2 minutes...
AnilSaldhana(RedHat): dialing in
Gershon Janssen: ...I'm back...
AnilSaldhana(RedHat): 1 min
Gershon Janssen: Hi Michele!
Michele Drgon (DataProbity): ...I'm back.....
Michele Drgon (DataProbity): Hi Gershon! Had to use your words as they fit perfectly!
Gershon Janssen: @Michele: great to have you back!
Michele Drgon (DataProbity): @Gershon Thank you!
Gershon Janssen: 3.8 Use Case 8: Identity Privacy in a Shared Cloud Environment
Gershon Janssen: - XACML - PMRM
AnilSaldhana(RedHat): =======
AnilSaldhana(RedHat): Use Case 8: Identity Privacy in a Shared Cloud Environment
Short description: Show the need for controls to exist to maintain privacy of identities while operating in a cloud if desired
Relevant applicable standards:
- XACML
- PMRM
Analysis notes:
Possible GAPs identified:
---
AnilSaldhana(RedHat): ===================
AnilSaldhana(RedHat): W3C P3P
Gershon Janssen: W3C P3P
AnilSaldhana(RedHat): http://www.w3.org/P3P/
AnilSaldhana(RedHat): Platform for Privacy Preferences (P3P) Project
Gershon Janssen: tier=2
AnilSaldhana(RedHat): Things involved: preferences
AnilSaldhana(RedHat): attributes of the identity
AnilSaldhana(RedHat): controls on these
AnilSaldhana(RedHat): Preferences (what I like) and attributes (my age, height) etc. are different things
Gershon Janssen: ---
Use Case 9: Cloud Signature Services
Short description: There is a business need in many applications to create digital signatures on documents and transactions. When applications, and users, move into the cloud so should also the signing services. Both users and applications have a need to sign documents.
Relevant applicable standards:
Analysis notes:
Possible GAPs identified:
---
AnilSaldhana(RedHat): ==========
AnilSaldhana(RedHat): Use Case 9: Cloud Signature Services
Short description: There is a business need in many applications to create digital signatures on documents and transactions. When applications, and users, move into the cloud so should also the signing services. Both users and applications have a need to sign documents.
Relevant applicable standards:
Analysis notes:
Possible GAPs identified:
---
AnilSaldhana(RedHat): ==================
AnilSaldhana(RedHat): W3C XML DSig
Michele Drgon (DataProbity): NIST on Cloud Security/Privacy http://www.nist.gov/customcf/get_pdf.cfm?pub_id=909494
AnilSaldhana(RedHat): Michele: Thanks so much.
Gershon Janssen: OASIS Digital Signature Services (DSS) TC http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss
AnilSaldhana(RedHat): Dale Moberg:
AnilSaldhana(RedHat): ==============
AnilSaldhana(RedHat): Relevant applicable standards: OASIS Digital Signature Services (DSS) TC http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=dss
"The Digital Signature Services (DSS) specifications describe two XML-based request/response protocols a signing protocol and a verifying protocol.
Through these protocols a client can send documents to a server and receive back a signature on the documents; or send documents and a signature to a server, and receive back an answer on whether the signature verifies the documents. The DSS Core specifications provide the basic protocols and elements which are adapted to support specific use cases in the DSS profiles."
Also note "the following profiles of the OASIS Digital Signature Services:
- XML Timestamping Profile
- Signature Gateway Profile
- German Signature Law Profile
- Entity Seal Profile
- Electronic PostMark (EPM) Profile
- Abstract Code-Signing Profile
- J2ME Code-Signing Profile
- Asynchronous Processing Abstract Profile
- Advanced Electronic Signature Profiles"
Analysis notes: Basic functionalities of signing and verifying are specified, as are specialized profiles.
Possible GAPs identified: At most, perhaps a specialized profile is needed?
AnilSaldhana(RedHat): ======================
Gershon Janssen: seems very relevant; will not match completely with all parts of the profile.
Gershon Janssen: XML-DSIG
Gershon Janssen: is a W3C standard
AnilSaldhana(RedHat): May not be tailored to Cloud - DSS
AnilSaldhana(RedHat): Current proposals in IETF: JSON Web Signature (JWS) and/or encrypted using JSON Web Encryption (JWE).
AnilSaldhana(RedHat): damn. will dial back in
AnilSaldhana(RedHat): dialed
AnilSaldhana(RedHat): http://openid.net/specs/draft-jones-json-web-token-07.html
Gershon Janssen: include this as a proposal from IETF
AnilSaldhana(RedHat): http://tools.ietf.org/html/draft-jones-json-web-signature-04
AnilSaldhana(RedHat): JWS proposal
AnilSaldhana(RedHat): This may be relevant to cloud if the API uses JSON based transport
AnilSaldhana(RedHat): REST based architectures
Gershon Janssen: Focus of use case is on signatures.
Gershon Janssen: ....line is really bad...
Gershon Janssen: ---
Use Case 10: Cloud Tenant Administration
Short description: Feature the ability for enterprises to securely manage their use of the cloud provider's services (whether IaaS, PaaS or SaaS), and further meet their compliance requirements. Administrator users are authenticated at the appropriate assurance level (preferably using multi-factor credentials).
Relevant applicable standards:
- SAML
Analysis notes:
Possible GAPs identified:
---
AnilSaldhana(RedHat): Level of Assurance may be relevant
Gershon Janssen: level of assurance is also relevant here
AnilSaldhana(RedHat): How does a user become administrator?
AnilSaldhana(RedHat): What's involved here?
Gershon Janssen: Mapping identities to cloud resources.
AnilSaldhana(RedHat): Mapping of Identities to Cloud Resources. Relationship can be (handles/owns)
Gershon Janssen: SNIA
AnilSaldhana(RedHat): Storage of information that may have compliance requirements
Gershon Janssen: storage: storage of information, compliance
AnilSaldhana(RedHat): http://www.infoq.com/articles/regulatory-compliant-cloud-computing
Gershon Janssen: if there is sensitive data (health, financial, etc.) why put it in the public cloud?
AnilSaldhana(RedHat): healthcare, military, financial data - will you put it in the cloud?
Gershon Janssen: e.g. frameworks / encryption backing this. Still people refrain from putting their sensitive stuff in the cloud.
AnilSaldhana(RedHat): Law enforcement, compliance
Gershon Janssen: even if you have encryption; would you put it in the cloud?
Gershon Janssen: there is law enforcement, compliance, etc.
Gershon Janssen: CDMI spec
Gershon Janssen: DMTF -- for storage elements
Gershon Janssen: ISO38 study group on who's doing what on cloud.
Gershon Janssen: Michele: will see what she can find to share.
Gershon Janssen: ---
Use Case 11: Enterprise to Cloud SSO
Short description: A user is able to access resources within their enterprise environment or within a cloud deployment using a single identity.
With enterprises expanding their application deployments using private and public clouds, the identity management and authentication of users to the services need to be decoupled from the cloud service in a similar fashion to the decoupling of identity from application in the enterprise. Users expect and need to have their enterprise identity extend to the cloud and used to obtain different services from different providers rather than a multitude of userids and passwords. By accessing services via a federated enterprise identity, not only the user experience of SSO is to gain, but also enterprise compliance and control of user access, ensuring only valid identities may access cloud services.
Relevant applicable standards:
- SAML
Analysis notes:
Possible GAPs identified:
---
AnilSaldhana(RedHat): Provisioning (SPML, SCIM)
Gershon Janssen: provisioning is involved; needed for creation of identities
AnilSaldhana(RedHat): sync of identities b/w enterprises and public cloud provider
Gershon Janssen: OpenID
Gershon Janssen: OAuth
Gershon Janssen: OpenID Connect
Gershon Janssen: SC38/working group 1; also 3?
Gershon Janssen: federated identity management: Kantara (SAML)
Gershon Janssen: ---
Use Case 12: Consumer Cloud Identity Management, Single Sign-On (SSO) and Authentication
Short description: A user (or cloud consumer) is able to access multiple SaaS applications using a single identity.
Relevant applicable standards:
- SAML
Analysis notes:
Possible GAPs identified:
---
Gershon Janssen: OpenID
Gershon Janssen: OAuth
Gershon Janssen: SPML, SCIM
Gershon Janssen: (provisioning aspects)
Gershon Janssen: attribute management
Gershon Janssen: WS-Federation
Gershon Janssen: also trust frameworks; need to work on this specific item.
Gershon Janssen: IMI
Gershon Janssen: ---
Use Case 13: Transaction Validation and Signing in the Cloud
Short description: Users are able to perform transaction and document signing in the cloud using a trusted signing service that manages their signing keys.
Relevant applicable standards:
Analysis notes:
Possible GAPs identified:
---
AnilSaldhana(RedHat): WS-Transactions
AnilSaldhana(RedHat): OTS
AnilSaldhana(RedHat): Open Group Transaction Services
Gershon Janssen: Open Group Transaction Services (OTS)
AnilSaldhana(RedHat): JTS (Java Transaction Services)
Gershon Janssen: SAML
Gershon Janssen: OTP standards
Gershon Janssen: smart card standards
AnilSaldhana(RedHat): FIPS 140-2
Gershon Janssen: large areas of standards...
AnilSaldhana(RedHat): ISO X9 has a bunch of financial standards
AnilSaldhana(RedHat): or working groups
AnilSaldhana(RedHat): ANSI X9
Gershon Janssen: ANSI X9 has a group on biometrics
AnilSaldhana(RedHat):
Public Key Infrastructure (PKI) - X9F4
- ISO 15782 Certificate Management for Financial Services (originally X9.57, to be replaced by X9.79 Part 3)
- ISO 21188 PKI for Financial Services Practices and Policy Framework (originally X9.79 PKI Part 1, evolved to Webtrust for CA auditing standard)
- X9.79 PKI for Financial Services Part 3: Certificate Management (WIP)
- X9.79 PKI Part 4: Asymmetric Key Management (consideration)
Time Stamp Management and Security - X9F4
- ISO/IEC 18014 Security Techniques Time Stamping Services
- X9.95 Trusted Time Stamp Management and Security
- RFC 3161 Internet X.509 Time-Stamp Protocol
Wireless Management and Security - X9F4
- X9.112 Wireless Part 1: General Requirements
- X9.112 Wireless Part 2: POS and ATM (work in progress)
- X9.112 Wireless Part 3: Mobile Commerce (work in progress)
Penetration Testing - X9F4
- X9.111 Penetration Testing for Financial Services
Cathy Tilton: It is X9.84 - Biometric Information Management and Security
Michele Drgon (DataProbity): http://cloudaudit.org/CloudAudit/Home.html
Cathy Tilton: The biometric groups are INCITS M1 and ISO/IEC JTC1 SC37 (also some in SC27)
Gershon Janssen: ---
Use Case 14: Enterprise Purchasing from a Public Cloud
Short description: Reduce the number of passwords that are stored and used in the cloud and eliminate the need for cloud "directory synchronization" while advocating a "claims based" architecture.
Relevant applicable standards:
- SPML
Analysis notes:
Possible GAPs identified:
---
Gershon Janssen: PKI
Gershon Janssen: level of assurance
Gershon Janssen: SSO standards
Gershon Janssen: trust / WS-Federation
Gershon Janssen: XML security
Gershon Janssen: REST security
Gershon Janssen: trust relationships between two entities
Gershon Janssen: -> not sure if there are any standards for this
AnilSaldhana(RedHat): http://docs.oasis-open.org/id-cloud/IDCloud-usecases/v1.0/cnd01/IDCloud-usecases-v1.0-cnd01.html#_Toc299985616
Gershon Janssen: next meeting Monday @ 2 pm ET