Re: [id-cloud-comment] Identity in the Cloud Gaps and EU standards

[Michael Poulin <m3poulin@yahoo.com>]

Hi Herbert,

 this is very useful information!

@All - WE SHOULD KNOW AND CONSIDER THIS:

about 10 days ago I was in the CloudWorld Oracle open house presentations. There we learned that Oracle's Cloud solution for cross enterprise boundary solution in authentication is based on

1) opening the client's firewalls for Oracle's systems like security;

2) creation of integrated internal-to-Cloud authentication and _authorisation_ realm around the Oracle's Entitlement solution

3) Oracle disallow and cannot support any Entitlement solutions from other vendors (no plug-ins)

4) All this on the top of the commercial model where the client pays to Oracle for the security means.

The audience - Oracle users and partners - has expressed its disappointment and frustration of such a solution referring to two points:

1) for those companies that have good authentication/authorisation solutions already, opening their firewall to an uncontrolled Oracle's perimeter protection means an additional non-mitigated risk, which is not welcome [breaking Oracle's Cloud means a 'green light' for the intruder into the clients systems]

2) all were concerned that Oracle eliminated commercial competition between Cloud vendors (of the Entitlement solution) and Oracle's clients might have pay hire price for Oracle's authorisation than for possibly cheaper but equally good solutions from other vendors.  Many said that their business stakeholders will take this as unacceptable factor and can kill the entire deal with Oracle.

So, let's learn from the mistakes of others.
Standards are good only when we know where to apply them. If the things we construct in technology do not sound commercially, any neat solution has no value regardless standards.

Regards,
- Michael Poulin

---

From: Herbert Leitold <Herbert.Leitold@a-sit.at>
To: id-cloud-comment@lists.oasis-open.org
Sent: Wednesday, May 29, 2013 10:30 PM
Subject: [id-cloud-comment] Identity in the Cloud Gaps and EU standards

Dear all,

I read the Identity in the Cloud Gap Analysis with interest.

What to me is missing in the list of standards are relevant EU/EEA standards
that are gaining importance with existing and upcoming regulation. This as
in particular public authorities might file those as a requirement. 

These are:
[1] XAdES for signature part (tier 2 standard) ETSI TS 101 903 [2] STORK
specifications (tier 3) D5.8.3b Interface Specification, 2010 [3] STORK 2.0
(tier 4) on representation/delegation

On [1]  XAdES is profiling XMLDSIG that has been mentioned. It is inter alia
relevant under the EU Services Directive. In particular in the "Format
Decision" 2011/130/EU which e.g. also gets used in the revision of the
eProcurement Directive and might get a role related to the upcoming eID and
Trust Services Regulation. 

So if a EU/EEA public authority deploys related services to the Cloud, it is
a requirement.

This is relevant for Use Case 13; to some extent to Use Case 9.


Similarly on [2], STORK is  using and extending SAML 2.0. It is used by the
18 piloting Member States and will as well have a role related to the
upcoming eID and Trust Services Regulation.

I.e. it is will also be a requirement on the EU/EEA federation related to it
.

It is relevant to Use Cases 12, 16, and 21. To some extent to UC 6.


Finally, as UC 26 addresses "on behalf" authentication: That is exactly what
STORK 2.0 [3] is working on as federating mandates and representation
between the participating states. Though it is work in progress. 

Kind regards,
Herbert


Herbert Leitold
A-SIT, Secure Information Technology Center - Austria
Inffeldgasse 16a, A-8010 Graz, Austria
Tel.: +43 316 873-5521
Fax: +43 316 873-105521
Herbert.Leitold@a-sit.at





--
This publicly archived list offers a means to provide input to the
OASIS Identity in the Cloud TC.

In order to verify user consent to the Feedback License terms and
to minimize spam in the list archive, subscription is required
before posting.

Subscribe: id-cloud-comment-subscribe@lists.oasis-open.org
Unsubscribe: id-cloud-comment-unsubscribe@lists.oasis-open.org
List help: id-cloud-comment-help@lists.oasis-open.org
List archive: http://lists.oasis-open.org/archives/id-cloud-comment/
Feedback License: http://www.oasis-open.org/who/ipr/feedback_license.pdf
List Guidelines: http://www.oasis-open.org/maillists/guidelines.php
Committee: http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=id-cloud
Join OASIS: http://www.oasis-open.org/join/