
Sponsoring Forum(s):

Security


Meeting Report

Managers Guides to Information Security

Cannes, France - Thursday, October 17 2002

Objective of Meeting

Review progress on 4 projects involving Managers Guides:

  • Guide to Data Privacy - final review of the draft document & arrangements for formal review to approve for publication.
  • Guide to PKI & Related Technologies - review of existing draft and gathering of final inputs for completion for formal review to approve for publication.
  • Review of the Digital Rights Management white paper and discussion on which aspects of the DRM problem space we should pursue.
  • Review of action on guides to Secure Email based on the Secure Messaging Challenge Toolkit

Summary

Managers Guide to Data Privacy

The lead editor Eliot Solomon gave a walk-through on the latest draft of this guide. After discussion on detailed editing issues, we noted that the first part of the book is in good shape, but the latter part needs additional description for the headings/topics we want to cover. There is also some cleaning-up to do of duplicated description. When this is done the guide will be complete. Steve Jenkins and Eliot offered to do this authoring work. Their offer was accepted and they will be credited with Jacques Francoeur and Bob Blakley as joint authors.

Guide to PKI & Related Technologies

Eliot Solomon felt this guide no longer has the value it had 6 months ago and suggested we re-evaluate what we want to achieve with the material that the present draft contains. Ian Dobson confirmed that since making the current draft available to the Directory Interoperability Forum and Messaging Forum, no comments or expressions of interest have been received from members. Nevertheless, Ian thought that nothing has happened to improve understanding of PKI technology and its surrounding security issues over the past 6 months, and from his understanding of the non-USA market - particularly Europe - there is still a significant need to explain to business Managers what they can expect from Public Key solutions, and to describe to them how they might use any existing PK software they have already bought but are unsure how to make use of.

Eliot thought we would be better advised to think in terms of writing a Managers Guide to IT Security for the Enterprise. Other suggestions included that we could target whatever guide we do produce in this space more along the lines of how the MGIS introduces the Public Key issues - Know Who's Who, etc. Other members proposed to review the existing draft more closely to input their feedback. Whatever our decision, this PKI guide will not receive attention from the editing team until they complete the final draft of the Privacy Guide for member review.

Digital Rights Management

Craig Heath has released his DRM Backgrounder paper, which is now available from The Open Group Web site at www.opengroup.org/projects/sec-guides.

Craig noted from the Security Design Patterns workshop held on Wednesday afternoon that we have concluded that playback devices do need a guard. He drew a putative architecture for a DRM system and described the key points it represents. The representation of his system architecture makes an assumption that the DRM Agent has 3 points of contact with the outside world:

  • protocols & formats
  • hardware abstraction
  • application hooks to properly authorized consumers

In detailed discussion, it was noted that Craig's protected secret store needs to be both tamper-resistant and secret. An authorization API is not the solution that this problem needs. Craig explained that some 10-12 items have been identified as needing to be protected in this DRM context, so a common way to provide that protection would seem to be a good thing. The Open Mobile Alliance (OMA) have DRM requirements but these are not publicly available at this time, and we also know that Motorola were interested in solutions to DRM requirements though these are not yet clear.

Guide to Secure Email

Following on from the discussion and actions agreed in our previous conference in Boston (22-26 July), we have discussed with Secure Messaging Forum members how we should move forward to use the advice & policy & practices parts of their Secure Messaging Challenge Toolkit document as the basis for a Managers Guide to Implementing Secure Email. Since our joint discussion in the Boston meeting, the Security Forum has shifted its approach from proposing to include secure email as part of our Working with PKI guide; we now think it could be a separate guide in its own right.

Russ Chung had volunteered to be the point of contact in the Messaging Forum for working on this topic. He joined the Cannes meeting by telephone. Ian Dobson thanked him for doing so at 6am Los Angeles time. Russ noted that The Open Group has now published the Secure Messaging Challenge Toolkit in paper form. 80% of the toolkit is screenshots and the details of setting up the environment, and about 20% is discussion on policy and practices. The toolkit is a cookbook on what the implementor needs to do to set up a secure email system.

In discussion, it was suggested that we should include in our Secure Email guide a description of the Secure Messaging Challenge and what it signified, and say that if the reader wants to know more then they should read the toolkit document. Some discussion ensued on what the Secure Messaging Challenge project had achieved in demonstrating - secure exchange of keys and secure messages - and what further challenges would be useful in taking it further, e.g. digital signing, timestamping, revocation of keys. However, for the purposes of this Secure Email guide, we agreed that our aim should be to develop an operating guide for what has already been achieved.

Russ volunteered that as a first step he will prepare an outline structure for this Secure Email guide, from the available information that is in the published Secure Messaging Challenge Toolkit document, peeling away the implementation-specific material. He will send this to Ian for circulation to the Security Forum and Messaging Forum membership, requesting feedback for guidance on what the Secure Email guide should cover. Based on this feedback, Russ will produce a first draft of the text by the next (San Francisco) meeting.

Outputs

Guide to Data Privacy
Agreement on how to complete editing of the Guide by 28 November 2002

Guide to PKI & Related Technologies
Review purpose of this Guide, and prompt members to review existing draft and return comments.

Digital Rights Management
The discussion concluded that while there are known business requirements in this DRM space, we are unable at this time to express them clearly enough to be able to move it forward.

Guide to Secure Email
Agreement on how to generate an initial draft for review at the next meeting.

Next Steps

Guide to Data Privacy
Eliot Solomon and Steve Jenkins undertook to complete this Guide by end of November 2002. It will then be made available for a 2-week formal review before being released for publication.

Guide to PKI & Related Technologies
Question as to whether this 2002 deliverable now has sufficient value to justify completing it. Ian Dobson will prompt all members (including in the DIF and Messaging Forums) to request they review the existing publicly available draft PKI Guide and return comments on what additional issues it might address and what further material it might include. In any event, resources to take it forward will not be available until December (after completion of the Privacy Guide) so even if we proceed, it will not now be delivered in 2002.

Digital Rights Management
Ian Dobson will check what liaisons The Open Group may have in place with the Open Mobile Alliance (OMA) to see if we might be able to access their members-only requirements work on DRM issues.

Guide to Secure Email
Russ Chung will prepare an outline structure for review, and based on feedback he will produce a first draft for review at the next (San Francisco) meeting.

Links

Refer to the interactive Web page for Security Guides - www.opengroup.org/projects/sec-guides/


© The Open Group 1995-2012  Updated on Wednesday, 23 October 2002