- From: Joseph Hui <Joseph.Hui@exodus.net>
- Date: Thu, 8 Aug 2002 15:52:59 -0700
- To: <www-ws-arch@w3.org>
Hi all,
Here's a structure-free compilation of the "security harvesting"
done by Darran and Abbie on behalf of the STF, according to a
sec tech list agreed upon by STF members, for satisfying the
second STF deliverable ("to identify security technologies to
look at"), assigned during the Paris F2F.
Please note that the efforts of the "harvesting" were geared
towards "identifying" the technologies, as opposed to
investigating them, per the objective of the assignment, which
emphasized breadth (and not depth). Thus the format of
presentation comprises terse descriptions and reference links.
Elaborations will be done on demand, in themed threads, on a
one-tech-per-thread basis. Please also note Darran may in
due time make an ebXML addition.
OASIS WS-Security
-----------------
Relevance: SOAP based message integrity, message confidentiality
and message authentication.
Status: Substantive initial submission. V1.0 process begins
September 14th.
Description:
WS-Security defines a standard for SOAP based message integrity,
confidentiality and authentication. WS-Security also defines a
mechanism for specifying binary encoded security tokens (e.g. X.509
certificates). These security tokens may then be used independently
or in combination to accommodate a wide variety of security models
and encryption technologies.
Links:
http://www-106.ibm.com/developerworks/library/ws-secure/
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwssecur/html/securitywhitepaper.asp
OASIS Security TC - SAML v1.0
-----------------------------
Relevance: SAML defines a standard for exchanging authentication
and authorization information.
Status: v1.0 at committee specification. Expected ratified Q3 2002.
Description:
The SAML specification includes an XML schema that defines SAML
assertions and protocol messages. The specification also describes
methods for binding these assertions to other existing protocols
(http, SOAP) in order to enable additional security functionality.
Links:
http://www.oasis-open.org/committees/security/
http://lists.oasis-open.org/archives/security-services/200201/doc00000.doc
OASIS XCBF TC
-------------
Relevance: Secure exchange of Common Biometric Exchange Format Files.
Status: OASIS standard expected March 2002
Description:
XCBF defines a common set of secure XML encodings for the patron formats
specified in CBEFF, the Common Biometric Exchange File Format (NISTIR
6529).
Links:
http://www.oasis-open.org/committees/xcbf/
http://www.ansi.org/public/news/2002apr/biometrics_standards.html
OASIS Provisioning TC
---------------------
Relevance: Secure XML encoding and exchange protocol for
provisioning requests.
Status: OASIS standard expected January 2003.
Description:
The Provisioning TC is defining the Service Provisioning Markup Language
(SPML). SPML defines an XML based framework for the exchange of any
general provisioning requests.
Links:
http://www.oasis-open.org/committees/provision/
http://www.oasis-open.org/committees/provision/Intro-102301.doc
OASIS Access Control TC
-----------------------
Relevance: Core XML schema for representing authorization and
entitlement policies.
Status: OASIS standard expected October 2002
Description:
XACML will define the representation for rules that specify the who,
what, when and how of information access.
Links:
http://www.oasis-open.org/committees/xacml/
http://xml.coverpages.org/xacml.html
OASIS Rights Language TC
------------------------
Relevance: XML based rights expression language
Status: OASIS standard expected October 2002
Description:
The purpose of the Rights Language TC is to define the industry standard
for a digital rights language that supports a wide variety of business
models and has an architecture that provides the flexibility to address
the needs of the diverse communities that have recognized the need for
a rights language.
Links:
http://www.oasis-open.org/committees/rights/
http://www.internetnews.com/dev-news/article.php/10_1002301
W3C XML Digital Signatures
--------------------------
Relevance: message integrity, message confidentiality and message
authentication.
Status: Good Progress on many drafts
Description:
The mission of this working group is to develop an XML compliant
syntax used for representing the signature of Web resources and
portions of protocol messages (anything referencable by a URI)
and procedures for computing and verifying such signatures.
This is a joint Working Group of the IETF and W3C. W3C is
hosting the email list and WG site publicly in accordance
with IETF procedure. Please see the Charter for further
information on the constitution of this WG. This WG does
not address broader XML security issues including XML
encryption and authorization.
Links: http://www.w3.org/Signature/
W3C XML Encryption
------------------
Relevance: content integrity/security
Status: Good Progress on many drafts
Description:
The mission of this Working Group (WG) is to develop a process
for encrypting/decrypting digital content (including XML documents
and portions thereof) and an XML syntax used to represent the (1)
encrypted content and (2) information that enables an intended
recipient to decrypt it. Please see the Charter for further
information on the constitution of this WG. This WG does not
address broader XML security issues including XML Signature,
authentication, and authorization.
Links: http://www.w3.org/Encryption/2001/
W3C/IETF XKMS
-------------
Relevance: protocols for distributing and registering public keys
Status: In progress
Description:
The mission of this working group is to develop a specification
of XML application/protocol that allows a simple client to obtain
key information (values, certificates, management or trust data)
from a web service. This specification will be based on the XML
Key Management Specification (XKMS). Please see the Charter for
further information on the constitution of this WG. This WG
does not address broader XML security issues.
Links: http://www.w3.org/2001/XKMS/
W3C SOAP 1.2
------------
Relevance: message integrity, message confidentiality and message authentication
Status: In progress
Description:
SOAP Version 1.2 is a lightweight protocol intended for exchanging structured
information in a decentralized, distributed environment. "Part 1: Messaging
Framework" defines, using XML technologies, an extensible messaging framework
containing a message construct that can be exchanged over a variety of
underlying protocols.
Links: http://www.w3.org/2000/xp/Group/
DMTF - General
--------------
Relevance: Management standards for distributed systems
Status: In progress
Description:
* To lead the development of management standards for distributed desktop,
  network, enterprise and Internet environments
* DMTF goals:
  - Accelerate adoption
  - Unify management initiatives
  - Promote interoperability
  - Move quickly in the new age
  - Raise the bar for management
Links: http://www.dmtf.org/
BEEP
----
Relevance: connection-oriented, asynchronous interactions
Status: RFC 3080
Description:
Generic application protocol kernel for connection-oriented,
asynchronous interactions.
Links: http://www.ietf.org/rfc/rfc3080.txt
http://www.beepage.org/beepv.html
IETF - IKE
----------
Relevance: authentication, protocols
Status: In progress
Description:
IKE work is performed at the IETF in the IPSec WG.
Links: http://www.ietf.org/html.charters/ipsec-charter.html
IPSec - IP Security (IETF)
--------------------------
Relevance: Defines IP level security. Provides
encryption and integrity for IP packets.
Status: Complete
Description:
IETF defines IPSEC as the mechanisms to protect the client protocols
of IP. It defines a security protocol in the network layer that
provides cryptographic security services that flexibly support
combinations of authentication, integrity, access control, and
confidentiality.
Links: http://www.ietf.org/html.charters/ipsec-charter.html
TLS - Transport Layer Security (IETF)
-------------------------------------
Relevance: Provides encryption, authentication and integrity over data streams
Status: IETF draft RFC2246
Description:
The primary goal of the TLS Protocol is to provide privacy and data integrity
between two communicating applications. The protocol is composed of two layers:
the TLS Record Protocol and the TLS Handshake protocol.
Links:
http://www.ietf.org/internet-drafts/draft-ietf-tls-rfc2246-bis-01.txt
http://www.ietf.org/html.charters/tls-charter.html
Kerberos
--------
Relevance: Authentication protocol
Status: IETF RFC1510
Description:
Kerberos is a network authentication protocol. It is designed to provide
strong authentication for client/server applications by using secret-key
cryptography.
Links:
http://www.ietf.org/html.charters/krb-wg-charter.html
IETF Public-Key Infrastructure (X.509) (pkix)
---------------------------------------------
Relevance: Certificate, Certificate Management, Certificate Management Protocol
Status: In progress
Description:
IETF WG that focuses on developing the Internet standards needed to support an
X.509-based PKI. The scope of PKIX work has expanded beyond this initial
goal. PKIX not only profiles ITU PKI standards, but also develops new
standards apropos to the use of X.509-based PKIs in the Internet.
Links: http://www.ietf.org/html.charters/pkix-charter.html
SASL: Simple Authentication and Security Layer
----------------------------------------------
Relevance: authentication support to connection-based protocols
Status: RFCs
Description:
SASL is the Simple Authentication and Security Layer, a method for
adding authentication support to connection-based protocols. To use
SASL, a protocol includes a command for identifying and authenticating
a user to a server and for optionally negotiating protection of
subsequent protocol interactions. If its use is negotiated, a
security layer is inserted between the protocol and the connection.
Links: http://asg.web.cmu.edu/sasl/sasl-ietf-docs.html
IETF - SACRED
-------------
Relevance: credential export/import
Status: In progress, RFCs
Description:
Focuses on portability of the user's credentials.
Links: http://www.ietf.org/html.charters/sacred-charter.html
IETF S/MIME
-----------
Relevance: Mail Security
Status: In progress
Description:
The S/MIME Working Group has completed five Proposed Standards that
comprise the S/MIME version 3 specification. Current efforts build
on these base specifications.
The current focus is on preparing an informational document describing
techniques that can be used to avoid small subgroup attacks.
Work on the interoperability of cryptographic algorithms used with the
Cryptographic Message Syntax (CMS) is under way.
Links: http://www.ietf.org/html.charters/smime-charter.html
Cheers,
Joe Hui
Exodus, a Cable & Wireless service
Received on Thursday, 8 August 2002 18:52:00 UTC