Subject: MINUTES OASIS IDCloud TC Meeting 02 April 2012
----------------------------------------
DRAFT MINUTES OASIS IDCloud TC Meeting
02 April 2012, 02:00pm to 03:00pm ET
----------------------------------------

Member status changes after 02 April 2012 meeting:
  Lost voting rights: None.
  Gained voting rights: None.
  Now: 10 voting members in TC.

Scribe: Gershon Janssen

1. Roll Call and Agenda Review

  Name                    Status
  ----                    ------
  Anil Saldhana           Member
  Anthony Nadalin         Member
  Gershon Janssen         Member
  David Turner            Member
  Dr. Dominique Nguyen    Member
  Matthew Rutkowski       Member

  Observers: None.

  6 people joined the meeting. This meeting quorates.

  No changes to the proposed agenda.

2. Approval of the 19 March 2012 Meeting Minutes

  http://lists.oasis-open.org/archives/id-cloud/201204/msg00002.html

  Dominique moves to approve the minutes; Anil seconds. Motion carries. Meeting minutes approved.

3. F2F in May

  Discussion.
  Target: 16-17 May, location Redmond, WA
  Goal of meeting: progress gap analysis
  Further logistics and details will be provided to the list.

4. IDCloud Use Case Document 15 day public review notification status.

  PR is still not out; is in TC admin queue.

5. Gap Analysis

  Discussion.

  * Discussion on Use Case 23:
    - An Extended Validation Certificate (EV) is an X.509 public key certificate issued according to a specific set of identity verification criteria. These criteria require extensive verification of the requesting entity's identity by the certificate authority (CA) before a certificate is issued. Certificates issued by a CA under the EV guidelines are not structurally different from other certificates (and hence provide no stronger cryptography than other, cheaper certificates), but are designated with a CA-specific policy identifier so that EV-aware software can recognize them.
    - The criteria for issuing EV certificates are defined by the Guidelines for Extended Validation Certificates, currently (as of Nov 2010) at version 1.3. The guidelines[1] are produced by the CA/Browser Forum, a voluntary organization whose members include leading CAs and vendors of Internet software, as well as representatives from the legal and audit professions
    - EV cert is basically a trust elevator compared to regular certs.
    - When hosting an app in public cloud managed by a different entity, how are the certs managed; are they still ev-certs (higher trust) and valid?

    Action Item: Anil: Question will be posted to the list for more on list discussions.

  * Discussion on Use Case 3:
    - Audit stuff to come from specific domains
    - Difficult to say we need audit, w/o more contexts
    - Granularities on audit; where the checklists stop versus actual practical standards being used
    - Difference between auditing controls guidelines and granularity of them; not suitable for cloud usage; you cannot do e.g. basic enumerations, etc.
    - probably opportunities for cloud specific audit data for the proof of isolation of multi-tenant environments
    - when doing this also include databases; maybe include networks
    - possible ISO 27017 document may say something about this; should be about cloud audit on top of ISO27002
    - Need to have better auditing (introspection) standards that can be automated to show security compliance (with identities) in virtual cloud environments that include the three IaaS aspects of cloud (i.e. compute in terms of hypervisor/virtual machine auditing, storage/managed storage like DB access, and network to verify network routes are secured) and that the multi-tenant aspects of these resources are considered
    - NIST Mitre standards were an attempt for traditional platforms, but they do not translate well to cloud IMO

6. Respond to comments for the public review.

  Need to work on a response to the PR comments.
  To formalize response emails to the persons who provided us comments so that they know they were received and discussed and what the outcome was.
  Anil and Matt will work on this.

7. Other Business.

  Informal GAP analysis meeting will continue as of this week.
  Next meeting will be cancelled due to travels of both chairs.

8. Adjourn.

  Meeting adjourned.