Developments in cooperation between research and standardization related to security and secure communications Presentation at eMayor clustering event, 4 March 2005 “Secure Information Processing in the Public Sector” Bart Brusse, COPRAS Project Manager
COPRAS aims to improve the IST research/standards interface….. FP6 Specific Support Action (SSA) addressing projects in 18 Strategic Objectives in calls 1 & 2 Improve interfacing between FP6 IST projects and standards bodies: –Act as a facilitator to FP6 IST projects wishing to upgrade their deliverables through standardisation –Prepare generic information on RTD/standards interfacing guiding those proposing or evaluating future projects Project lifespan: 01/02/2004 – 31/01/2007 Methodology: –Survey projects and analyse their standards related output –Develop Standardization Action Plans with selected projects
…..and addresses shortcomings currently experienced on both sides Interfacing with standardisation is required but the ‘right’ body may not always be easy to find Cooperation has to be initiated at an earlier stage, making tangible results available sooner IST projects’ standardization targets have to be better matched with ongoing activity Structuring cooperation will reduce overlap and save resources on the side of research projects Start Half way EndRequirements analysisTests & pilots ‘Standardisation gap’ Standardisation processes IST project duration Technical developments
Security related activities are underway within CEN/ISSS and ETSI Biometrics, standards related issues with particular emphasis on ISO/IEC/JTC1/SC37; preparation of a report on European specific requirements in Biometrics ETSI TC ESI, addressing the lack of standards supporting electronic signatures and public key certificates, in line with, and endorsed by the initiative of the European Commission to establish a harmonized infrastructure for electronic signatures CEN/ISSS Workshop on Data Protection & Privacy, aiming to help business in Europe comply with the Data Protection Directive and relevant national legislation by facilitating harmonization of practice and developing the understanding of current practices CEN/TC224/WG15 on a European Citizen card, defining the concept of a smart card issued under the authority of a national or local government institution
A new focus group within CEN/ISSS on eGovernment standardization Lack of a coherent overview of eGovernment standards issues, lack of persistence, lack of maintenance & lack of visibility Identify issues & themes, agencies & authorities, standardized solutions & mechanisms currently existing in the field of eGovernment in Europe Identify and map out initiatives and services including frameworks, design rules, clearing houses, existing standards & specifications, etc. Involve public administrators, identify recurring policy issues & obstacles, contribute to IDABC proposals, analyze standardization requirements BackgroundObjectives
Security related activities underway within OASIS Application Vulnerability Description Language (AVDL), creating a uniform way of describing application security vulnerabilities eXtensible Access Control Markup Language (XACML), for the expression of authorization policies in XML Provisioning Services, an XML-based framework for information exchange between Provisioning Service Points XML Common Biometric Format (XCBF), a common set of secure XML encodings for the patron formats specified in CBEFF Public Key Infrastructure (PKI), meeting business and security requirements Rights Language, defining an industry standard for a digital rights language Security Services, advancing the Security Assertion Markup Language (SAML) as a standard Web Application Security (WAS) providing guidance for initial threat, impact, risk rating Web Services Security (WSS), on Web Services security foundations Digital Signature Services (DSS), supporting the processing of digital signatures
Security related activities underway within W3C XML Encryption, developing a process for encrypting/ decrypting digital content and an XML syntax used to represent the encrypted content, as well as information that enables an intended recipient to decrypt it XML signature, developing an XML compliant syntax used for representing the signature of Web resources and portions of protocol messages and procedures for computing and verifying such signatures XML Key management, development of a specification for an XML application/protocol allowing a client to obtain key information from a web service Deployment of further activities, on higher level security applications, possibly in combination with ETSI, are being discussed Additional information on XML security may be found at: siegen.de/~geuer- pollmann/xml_security.html
ICTSB Network and Information Security Steering Group (NISSG) Aim - To act as an overall focal point for the European standardization community on network and information security issues Output – To ensure the implementation of the NIS report produced by the CEN/ETSI NIS Group Next steps –Meetings 9 March 2005, 1 June 2005 –Any issues regarding new activities (as distinct from issues concerning existing ones, wherever they may be) should be addressed to NISSG as the focal point Membership - open to any ICTSB member organization and their relevant technical groups and invited stakeholder interests
COPRAS maps standardization with IST projects activities & output 164 projects addressed across 10 Strategic Objectives FP6 Call 1 92 responses received (56%) 40 projects approached for participation in the COPRAS Programme 51 projects targeted in , & Strategic Objectives with projects addressing security 31 responses received (61%) 7 projects invited with output relevant to security related standardization Kick-off meeting 14 th October 2004: jump-start development of ‘Standardization Action Plans’
5 “Security” projects participated in the kick-off meeting ProjectStandardization objectives addressed eMayorSecure municipal government applications: X-forms digital signature & smartcard integration; eGovernment XML exchange standards; government digital identification tokens (smartcard) standardization and related CA architecture. TrustComInteroperability profiles covering: model driven security, collaborative business processes, policies & security, contracts & service level agreements, trust PMI and PKI, web & GRID technologies, semantic technologies. SECOQCQuantum cryptography: standardization of ‘internal’ interfaces to achieve interoperability of QKD components from different manufacturers; standardization of ‘external’ interfaces and network infrastructure to make applications compatible with different QKD systems and to provide applications standardized access to QKD based infrastructures. BioSecBiometrics: standardized multi-modal measurements of acceptance and trust (privacy, data security, reliability, invasiveness); development of standards to promote acceptance and trust of biometrics (standards for data & privacy protection, for user-friendly design, handling & interfacing). Digital Passport Next generation European digital passport with biometric data for secure and convenient border passage: security concept & system architecture, minimum security requirements for cards & personal identification; standards & guidelines for a security framework, network security; use of electronic signatures in passports; privacy & data protection.
Concrete cooperation on further standardization steps with SECOQC Standardization Action Plan defining –Specific technical issues –Relevance towards the eEurope programme Possible standardization action steps –COPRAS participation in SECOCQ Interface standardization workshop –Business plan for a dedicated CEN/ISSS workshop on quantum cryptography –Installation dedicated workshop and drafting CEN Workshop Agreement (CWA) Definition of required dissemination and consensus building support to be provided by COPRAS
COPRAS remains open to cooperate with and support other security & eGovernment oriented projects Thank you for your attention & feedback Bart Brusse, COPRAS Project Manager Tel: