
Security Forum

Objective of Meeting

The Security Forum meeting in Washington DC ran from Wednesday through Friday, April 26-28. The first day was a joint meeting with the Identity Management Forum in which we covered our shared program of activities. The Thursday and Friday provided a full agenda on Security Forum activities. The activities covered included:

  • Security Strategy White Paper
  • Trust Models Guide
  • Identity Management (joint with the Identity Management Forum):
    • Framework for Identity Management (joint with INCITS & ISO JTC1 SC27)
    • Architectures for Identity Management
    • IdM Design Patterns Workshop
    • Identity Management Catalog
    • Common Core Identifiers (joint with NAC and DMTF)
    • Best Practice Guide for Directory in IdM
    • IdM Standards for TOG Standards Information Base
  • Security in Data
  • Collaboration with the Jericho Forum:
    • Security Strategy White Paper and Jericho Forum Roadmap
  • Collaboration with the American Bar Association Cyberspace Law Section:
    • Security Strategy White Paper

Summary

The Security Forum agenda and activities status was presented in a set of summary slides which are available here.

Liaisons & Industry Update

A regular part of Security Forum meetings that members value highly is hearing reports from other members on significant IT security events, activities, and new developments/directions they have encountered since the previous meeting. This meeting was no exception, with reports and ensuing lively discussions on Homeland Security, changes in ISO JTC1 SC27 IT security standards working groups, the NIST April 2006 workshop on PKI, developments in the Jericho Forum, the Network Centric Operations Industry Consortium (NCOIC), and several other newsworthy items. These exchanges of news and opinion are available only to members.

Security Strategy White Paper

Prior to their Friday joint meeting with members of the ABA Cyberspace Law group, Security Forum members reviewed comments on the latest draft outline and synopsis for this White Paper. This review and discussion resulted in agreed updates to clarify and expand the proposal, and improve understanding of our future direction for this work. Specific decisions include bringing out as a major theme the notion of "control" as fundamental to security, and adding a legal/regulatory view into the enterprise architecture. See the follow-on discussion reported below under Collaboration with the American Bar Association Cyberspace Law Section.

Trust Models Guide

This project has suffered from scarce resources over the past six months, due to higher work priorities elsewhere. The intended use for it remains valid, though less urgent than was believed at the start. Its content remains relevant and useful, and is unique in that it evaluates failure modes - what happens and what are the business consequences when a given trust model fails in any one of several different ways. Members agreed that we will make an effort between now and the next meeting (Miami, July 17-21) to gather the missing contributions needed to complete this document, and will also share it with the Jericho Forum members who are working on their Trust & Transivity positioning paper.

Identity Management (joint meeting with the IdM Forum)

  • Framework for Identity Management: This is a joint project with international standards bodies INCITS CS1 and ISO JTC1 SC27; we are awaiting formal notification that we have been granted category C liaison status with ISO JTC1 SC27, which will entitle us to make direct review representations to their drafting of the ISO Standard on this topic. SC27 is currently revising its working groups structure into five working groups. This restructuring activity is delaying their progress on project work, including on this framework Standard. ISO JTC1 SC27 Working Groups are meeting in Madrid, Spain, May 8-12. We may expect a pre-Madrid meeting draft next week, and may submit comments on it before their May 8-12 meeting if we so wish. We look forward to progress from their Madrid meeting, although we understand they have allocated only one hour to developing this IdM Standards framework document.
  • Architectures for Identity Management: Due to other work priorities, little progress has been made on this document since the previous meeting in Barcelona. The situation remains that the co-editors have yet to decide whether to develop new material to fit into the revised structure so it presents a balanced view, or to revise the structure (yet again) to fit the material that they currently have. They are looking for additional resources to complete this project. Noting that there is significant value in the existing draft, we will make the latest draft available to all members on our IdM web page and invite renewed review to establish exactly what additional contributions are needed, and establish a realistic plan for completing it.
  • IdM Design Patterns: The revisions for our 3rd Party Identification and 2nd Party Identification design patterns are captured in notes from the design patterns workshop session held in Barcelona, but are not yet available in revised pattern definitions. Work will continue to complete this activity, which is expected to result in almost final patterns. We are also interested in developing an authenticator design pattern, and have hopes of developing a draft for it for review in the next conference (Miami, July 17-21). Members also noted that several new books on security design patterns have been published recently. Members agreed to take our design patterns work forward by reviewing our current work in the light of these new publications, and shifting our focus between now and the next meeting to considering applying existing design patterns to specific security problems - such as are being proposed in the Jericho Forum's de-perimeterization space - to demonstrate the value of using a design patterns approach to solving today's IT security problems.
  • Identity Management Catalog: We have now resolved the final issues on updating our questions in the IdM Catalog template, so will update the template as soon as possible, and then invite those with existing entries in the Catalog to revisit their responses in the light of the clarifications the revised questions provided. Work is progressing well on development of an advanced web page display system for our Identity Management Catalog, and we will drive this through to completion as rapidly as time permits. It was agreed that we will aim for launch of our IdM catalog at the July Conference in Miami - this will require a deadline of June 30 for close of entries by vendors, allowing time for approval by our Editorial Advisory Board, and preparation of a press release involving the vendors who have provided entries.
  • Common Core Identifiers (joint with NAC and DMTF): The Company Review of the CCI Business Scenario and the CCI Framework (comprising the framework document, and the framework matrix spreadsheet) closed on April 11, and the ballot on change requests closed on the day of this meeting (April 26). Members of the IdM Forum were the prime review and balloting constituency in The Open Group. The NAC are running their review of this document concurrently and we are coordinating their feedback so as to close on mutually agreeable solutions. The DMTF has not participated in the CCI work in recent months and has indicated that they have copyright problems with joint publication, so publication of the approved document may not include them. There is also liaison activity underway with W3C to explain why their URN does not serve the requirement for a CCI (the reason is that URN is tied to a protocol), and with OASIS to follow up on evolving their XRI standard so it meets the requirements that have been identified for CCI. The resulting published CCI documents are expected to provide high value to those engaged in the area of shared identifier usage across organizational boundaries. This is a very difficult area because of problems migrating from the many legacy systems that currently exist, business reluctance to invest in moving from solutions that are adequate for today (though probably not tomorrow), and the purist problem of agreeing what is a "final" solution for an enduring (permanent) universal unique identifier scheme in an industry that is characterized by adaptability and change.
  • Best Practice Guide for IdM: Members received a presentation proposing this new project - to develop a best practices guide for Identity and Access Management Framework (IAMF), covering what IT needs from the infrastructure and why. The presenter declared willingness to lead this project. The outline structure proposed addressed this under several key headings: high availability, serviceability, leveraging mature & established industry standards, performance, security, compliance with legislation & regulations, hardware, and case studies. All members were invited to review this proposal, provide their feedback, and indicate their interest in being an active contributor/participant.
  • IdM Standards Entry in Standards Information Base: Members reviewed the final draft preparatory to submitting it for Company Review, made further additions to include standards called out in the CCI matrix, and deleted some that were viewed as peripheral or not current. The resulting draft will be submitted for Company Review directly following this meeting.

Security in Data

Members had a refresh of the presentation given in the previous meeting (Barcelona, January 2006), in which the presenter proposed a set of five precisely defined security components which would represent the basic elements of a secure system. In this presentation, these components were deliberately named exclusive of existing security terminology to ensure they carried no inferred characteristics or functions from existing common security terminology. In that presentation, these components were used to demonstrate how they would provide the essential functionality of an accountable, reconcilable transaction. Also in the Barcelona presentation, recognizing that this new view requires extensions to cater for secure operation in more complex transactions, two further components were added to make seven in all, with an understanding that more may be needed as we acquire experience of applying them. Members took away from Barcelona an appreciation and intent to work on this new approach to security, to figure out what the design rules are, how they relate to existing practices, what data format is required, and how to put it together in a holistic topology. In this Washington DC meeting, members recalled their earlier discussion on Identity Management design patterns, in which they agreed to review the de-perimeterization work underway in the Jericho Forum and look for a Jericho Forum problem that they would like to address using both security design patterns to demonstrate the effectiveness of applying design patterns to analyzing and solving real IT security problems. They also decided that a good way to test this "security in data" approach would be to apply the seven components thus far defined to the same Jericho Forum problem and see what outcomes this approach produces.
This represents a second substantive outcome arising from the intent agreed in our joint meeting with Jericho Forum members in Barcelona (January 2006) to collaborate on areas of common interest in IT security.

Collaboration with the Jericho Forum

Arising from the intent agreed in our joint meeting with Jericho Forum members in Barcelona (January 2006) to collaborate on areas of common interest in IT security, the outcomes from the members' discussion on "design patterns" and on "security in data" have resulted in two substantive areas where the IdM and Security Forum members aim to collaborate with the Jericho Forum to work on specific de-perimeterization problem areas. A third area is taking the Jericho Forum commandments into the Security strategy project. A fourth area is evaluating the Jericho Forum Positioning Papers - the first four were published electronically on April 25 and announced during the Jericho Forum's Annual Conference that day. It was noted that a conclusion in the Voice over IP paper is that standards groups need to work together on providing an open standard in this area - this represents a fourth challenge that the Security Forum will evaluate. A fifth collaboration is sharing the Security Forum's Trust Models draft document with the Jericho Forum members who are developing their Trust & Transivity positioning paper.

Collaboration with the American Bar Association Cyberspace Law Section

On Friday April 28 the Security Forum held a joint meeting with the American Bar Association's Cyberspace Law Section's group that is addressing Connectivity, Storage, and Computing Infrastructure, at the World Bank HQ in downtown Washington DC. This was at the invitation of an ABA member who is leading this ABA group. They are keen to leverage the past successful collaboration with the Security Forum on the Framework for Electronic Chattel Paper, to work with us on developing our Security Strategy White Paper, which they see as a significant contribution to their group's goals. After initial introductions and positioning representations, attendees reviewed the Jericho Commandments, and the impact of de-perimeterization on secure IT operations, as a vital contribution to the White Paper, and also as a valuable level-setting discussion to steer our further discussion. The discussion then moved on to detailed review of the Security Strategy synopsis and structure for the White Paper. Valuable new contributions were captured from this wide-ranging discussion, and these will be consolidated into a revised document that will form the basis for further development between now and the next meeting.

Outputs

Agreement on a set of actions to progress the work discussed in this meeting.

Next Steps

Issue and progress completion of the agreed set of actions arising from the meeting.

Links

See above.


   