Introductions & Review
Approval of Agenda
The initial Security Forum meeting on Tuesday Feb 3, 10.00-12.30 began with a round of
introductions by attendees. This was followed by a review of the published agenda for
Security Forum members over the Conference week (see slides),
in which it was agreed that the Security Architectures session on Friday Feb 6,
11:00-12:30 should be cancelled and will be progressed in a teleconference between this
Conference and the next. (ACTION: Ian)
Actions/Projects Review
The action items from the previous meeting (Washington DC, October 2003) were then
reviewed, this also providing an overview of all current Security Forum projects and
deliverables, and so enabling decisions to be made on establishing their ongoing
priorities up to the next meeting.
Action items associated with the Vulnerability Management Initiative are as follows:
- (ALL) Review and return comments on NIST's SP800-53 (expected to be available by the
week ending Oct 31 2003). The review period ended in January 2004. The next review draft
will be available for review in June 2004. Ian will post a link on our web page. We could
consider it for review as a Security Forum resource.
- (Mike/Ian - Completed) Provide to the American Security Consortium a consolidated report
of the Security Forum's feedback on its review of the ASC RPI document. Awaiting a
response from the ASC, who seem to be well behind their original schedule. Mike has been
invited by ASC's Ron Ross to attend future ASC meetings as a Security Forum
representative. We will try to arrange this.
- (Mike/Ian) Develop a proposal for how the Security Forum will engage with NIST, ASC, and
EOIF to establish beneficial working relationships with these organizations, to advance
the objectives of our EVM initiative. It was agreed that EOIF is not an organization we
should actively pursue, but we should respond if they ask for our expertise.
Action items associated with the Secure Mobile Architecture (SMA) are as follows:
- (ALL - Completed) Engage in the Company Review (27 Oct - 24 Nov) of the Secure Mobile
Architecture document, reviewing the SMA document and returning feedback on its
information security content.
- (ALL - Completed) Participate in a one-hour Company Review topic teleconference with the
SMA authors on Friday 14 Nov starting at 07.00 US Pacific time. (Security Forum concerns
over this document have been recorded, and decisions are now left to the outcome of the
formal Company review process.)
Action items associated with Security Design Patterns are as follows:
- (Bob Blakley/Craig Heath) Continue to resolve the Company Review Change Requests on the
Technical Guide to Security Design Patterns. (This action was carried forward, with work
ongoing during this meeting.)
- (Bob Blakley) Plan a series of Writers Workshops once the Technical Guide to Security
Design Patterns is published, to gather feedback on the effectiveness of the pattern
definitions. Assemble this feedback as updates to a Version 2 of the Security Design
Patterns document. (This action was carried forward. Bob is running an SDP workshop at
ChiliPloP, April 13-16 in Carefree, Arizona - check details on www.hillside.net).
Action items associated with Identity Theft are as follows:
- (ALL) Join in the Information Gathering Phase 1 of this project, to identify a set of
documented cases of identity theft and investigate these cases in detail, to identify how
an identity is stolen, how a stolen identity is used, how identity theft is detected, and
how the victim of identity theft demonstrates that identity theft has occurred. Complete
this Phase 1 by the time we go into the next meeting (San Diego, 2-6 February 2004). (This
action was carried forward. It was agreed to park this project for three months and to
revisit at the next meeting.)
Action items associated with Identity and Authentication are as follows:
- (Eliot Solomon) Produce a new draft of the Manager's Guide to Identity and
Authentication, taking into account the inputs in email and discussion in the Washington
meeting, and advise its availability for review. (This action was carried forward. It was
agreed to form a small group to progress this project.)
Action items associated with Trust Models are as follows:
- (Ian - Completed) Supply the feedback comments produced during the Washington meeting
review of Steve Whitlock's 25 Sept draft of his PKI Trust Models document.
- (ALL) Volunteer to identify and contribute to creating further Trust Model examples to
populate the Trust Models document. (There were good inputs from Steve Mathews and Steve
Hanna. See the Technical Guides report.)
Action items associated with PKI Certificates are as follows:
- (Mike/Ian) Discuss with Richard Lee (Black Forest Group) opportunities to evaluate the
BFG's proposals to extend the standard content of PKI certificates, possibly by inviting
Roger Schell to give a presentation in our next (San Diego) meeting.
Action items associated with ALPINE documents are as follows:
- (Ian - Completed) Maintain visibility to the Security Forum of the European Union's
ALPINE project deliverables, and encourage members' review and feedback. (All ALPINE
deliverables are available from www.opengroup.org/alpine.)
Action items associated with Identity Management are as follows:
- (Bob Blakley - Completed) Supply draft text to Skip Slone for the IdM White Paper to
describe how permissions are derived from attributes of identity but are not attributes
themselves.
- (Eliot Solomon - Completed) Find material for scenarios for self-management of one's own
identity, and supply these to Skip Slone for inclusion in the IdM White paper.
- (Ian - Completed) When the IdM White Paper is complete from the content viewpoint,
arrange technical author review by The Open Group to ensure consistent style and
presentation, prior to publication. (The Identity Management white paper is available to
IdM participants on the project web page at www.opengroup.org/projects/idm).
Action items associated with Security Architectures are as follows:
- (ALL) Continue activity to use the six architecture models presented by Eliot Solomon in
the Boston (July 2003) meeting as objects for describing the security-view of the
architecture. Use the questionnaire as an aid to bring out the security view for each
model. (This action was carried forward. It was agreed to progress this work in a
teleconference between this meeting and the next.)
Action items associated with Secure Messaging are as follows:
- (ALL - Closed) Maintain awareness of the Messaging Forum activities on Secure Messaging,
and continue to contribute expert security guidance to them. (This is an ongoing
activity.)
External Reports
Attendees reported on external activities, industry news updates, and significant
events of interest to members since the previous meeting.
- ETIS Information Security Group
Ian reported that arising from the ALPINE meeting hosted by ETIS in November 2003, the
ETIS members decided to set up an ETIS security SIG aimed at addressing information
security issues specific to the telecommunications industry. Ian has participated in their
inaugural meeting (January 20, 2004) which included giving a presentation on security as a
business enabler (based on MGIS). The Open Group is hosting their next meeting in the UK
on April 14, and will seek to bring in telecoms requirements - and possibly members - to
the Security Forum.
- Jericho
Ian reported that an influential group of FTSE-100 organizations have proposed development
of a security infrastructure that will enable what they call de-perimeterization. The Open
Group is currently hosting this group - which met on January 20 at The Open Group's UK
office and decided to name itself the Jericho Forum. Its membership is invitation-only.
It has an Open Group PlatoWeb page at www.opengroup.org/jericho
and the public view of that page gives a description of its aims and objectives, complete
with links to public information - press articles, etc. - about them. The Open Group hopes
this initiative may develop into a work item which has major interest for Security Forum
members, and if and when it does we will anticipate direct involvement as the Security
Forum. Until then it is a private forum.
- Guidelines for Secure Applications
Steve Whitlock reported that some colleagues of his in Boeing have produced a draft guide
for writing secure applications, tentatively called "Design In". He has
suggested to them that other enterprises might be interested in this as little
has been written about building secure software up to now (apart from the recent,
excellent, Microsoft book). The Boeing draft is more an architectural, principle-based
document than a coding guide. All agreed it sounds like an interesting work item for
the Security Forum to consider and build on (and perhaps improve). Even middleware
requirements for writing secure software are not readily available, and this kind of guide
would make our Manager's Guides more actionable. Steve added that finishing this guide in
The Open Group would also improve communication between customers and suppliers. Steve
suggested we wait for the next draft - expected within one week - and he will then supply
it for Ian to make available for Security Forum member review.
- Feedback on MGIS
Steve explained that a Boeing colleague has provided some good feedback on our published
MGIS, and he has passed this to Ian, who proposed sharing it with Security Forum members
with a view to revising MGIS.
- Expectations from the Vulnerability Management Meeting
Mike said that this meeting, occupying the whole of Thursday, is important for us because it
represents an excellent opportunity for us to decide what our specific interests should be
in VM, what we think needs to be done, what we can and should do ourselves, and what we
should hand off to other consortia, etc. He requested the support of the Security Forum
members in deciding on these and establishing priorities. Yasuko Kanno said that IPA is
very interested in VM so will be following this discussion very closely.
Identity Management
This was a joint meeting with the members of the Directory Interoperability Forum. This
meeting is covered in a separate report.
Manager's Guides
The review of the actions from the previous meeting - see above - covered the two
Manager's Guide projects in our portfolio of work:
- Manager's Guide to Identity and Authentication
Carried forward - it was agreed to form a small group to progress this project between now
and the next meeting.
- Identity Theft - Phase 1 of project plan - information gathering (documented cases of
identity theft and the nature and characteristics of the theft)
Carried forward - it was agreed to park this project for three months, because the leader
for it does not currently have the time to move it forward. We will revisit it at the next
meeting.
PKI in Government and the Defense Industry
This was a joint open meeting with the members of the Messaging Forum. This meeting is
covered in a separate report.
Vulnerability Management Initiative
This meeting is covered in a separate report.
Technical Guides
Craig Heath reported that the Technical Guide to Security Design Patterns is not yet
complete, but work on resolving the Company Review Change Requests is progressing during
this meeting, and the current estimate is that it will be completed by February 13. The
editors will send their completed drafts to Ian, who will then assemble a complete draft
and arrange production by The Open Group editor. When this is completed we will run a
final two-week sanity check before publishing it. Bob Blakley still plans to run a series
of Writers Workshops on the security design patterns defined in our SDP. This is an
established technique for gathering feedback on the correctness and effectiveness of the
pattern definitions. We will assemble this feedback for creating updates to a Version 2 of
the Security Design Patterns document. Bob is running a workshop at ChiliPloP, an event on
April 13-16 in Carefree, Arizona - details are available at www.hillside.net/chilliplop. Interested reviewers may
also find relevant information on security design patterns at www.securitypatterns.org.
Steve Whitlock gave an update on the current status of his draft of the Technical Guide
to Trust Models. He described the template that it uses to ensure we can create a valid
set of comparative evaluations for the different trust models that security architects use
most, and explained the value of this kind of book - it does not provide new information
but it does assemble highly relevant information into a single guide which will provide
references to the more detailed descriptions in large technical tomes. The existing draft
includes emailed feedback from reviewers, capturing all the issues and queries raised to
date. Steve regretted that the members from whom he had hoped to get answers to many of his
queries had already left the Conference, so he still does not have the answers he needs.
However, he will expect to make further progress by email and phone discussions with the
relevant experts. Steve sent his current Version 3 draft to the sec-members email list,
with the following covering note:
"Here's Version 3 of the Trust Models draft as it stands at the end of our meeting
here in San Diego. It includes some inline comments that need to be resolved and notes at
the end from Steve Hanna and Steve Matthews.
I'm still working on digesting some of this information. Steve Hanna has pointed me to
Understanding PKI (Housley and Polk) which has a description of trust models. The second
edition of Carlyle Adams' PKI book (can't remember the title and other author) has a
chapter (Chapter 9) on PKI trust models that I would also like to reconcile. Understanding
PKI has a two-tier trust model layout. There are differences between all three texts (the
two books and our draft) in designating models versus instances or
implementations of models, but I think it will be possible to bring us in sync.
I've also collected more information on failure modes which is where the potential
contribution of our draft lies. Eliot has pointed me to more information on the four
corner model which I will incorporate prior to our next meeting."
Ian will upload this draft to the Security Forum's web page, to facilitate access and
review.
Security Architectures
In our review of actions from the previous meeting - see above - it was agreed that we
should cancel our scheduled meeting session (Friday 6, 11:00-12:30) on this project, due
to the leader (Eliot Solomon) not being available to attend it. We agreed to carry it
forward, and make progress via a teleconference between this meeting and the next.
The current status of this work is available via a link in the Security Forum's
PlatoWeb page (members-only access after they log in) at http://www.opengroup.org/projects/sec-arch/protected/index.tpl.