Dear WP3 Partners,

As you all know, the Security Chapter has asked us to provide some input. Torsten has compiled an initial list to answer these questions. I'd like to ask you to check this list and to bring up missing issues in our call tomorrow morning. If you cannot attend, please send them per email to Torsten or me.

The current version reads:

Regarding Identity Management:

· Authentication will be needed on the service level.
· Service will authenticate user (client), a service will authenticate another service who is calling the service on behalf of a user.
· A user will be authenticated against an authentication provider or against a certificate.
· A service will be authenticated by an API key.
· Things will not be handled differently from services.
· The IDM should support all relevant protocols used widely in the internet.
· The example services will be implemented by the GE providers and the use case project members.
· Network security is expected to be provided by the testbed provider and/or the Cloud provider. Apps GE are relying mostly on HTTPS protocol. PKI must be provided for the testbed.

Privacy and Data Handling

· We don't know. We assume that privacy threats are considered within the assets of the individual partners.
· There are no general approaches to store personal data securely. This is the responsibility of the individual asset provider. We assume there will be trust relationship between components, which share personal data such as forwarding a buy request from the store to the provider. No personal data are exchanged otherwise.
· Disclosure of personal data is not intended.
· Unknown
· A service needs to know information that is necessary to execute the business transaction only. There are no known specific attributes or predicates yet.
· Maybe.
· Revocation is not a requirement but is a common practice that might be used for some security reasons, so it should be supported.

Security Monitoring

· Must be analysed in more detail by the individual asset owners. Generally, it should be possible to at least support a subset of the requested events. In most cases this requires deep changes in the asset code.
· No specific indicators are supported. We are curious what the team can provide.
· We don't know.
· Probably yes.
· That needs to be shown.
· That needs to be shown.

Best regards,
Uwe

Dr. Uwe Riss
Senior Researcher, Internet Applications & Services | SAP Research Karlsruhe
SAP AG | Vincenz-Priessnitz-Str. 1 | 76131 Karlsruhe | Germany
T +49 6227 7-70212 | F +49 6227 78-26158 | M +49 151 16810936 | mailto: uwe.riss at sap.com
www.sap.com

Mandatory Disclosure Statements: http://www.sap.com/company/legal/impressum.epx

This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.

From: fiware-wpa-bounces at lists.fi-ware.eu [mailto:fiware-wpa-bounces at lists.fi-ware.eu] On Behalf Of BISSON Pascal
Sent: Monday, 6 February 2012 12:14
To: fiware-wpl at lists.fi-ware.eu; fiware-wpa at lists.fi-ware.eu
Cc: BISSON Pascal; LELEU Philippe
Subject: Re: [Fiware-wpa] [Fiware-wpl] Actions Points to be Done
Importance: High

Dear Colleagues,

I'm just forwarding you this email from Juanjo to remind you of the Action Points Daniel and I, on behalf of the Security team, were requesting from each of you.

Counting on you to work on those action points and report to us asap.

Reading you soon.

Pascal / Daniel

* Address APs identified during Security plenary session:
  * Each Chapter to provide their answers to the questions raised by the Security team for each of the Security GEs (the sooner, the better and no later than by end of this week so 3/02/2012)
  * Each Chapter to consider integration of Security GEs within their Chapter architecture and whenever those are needed and at appropriate level (i.e. architecture level, GE level). As a first step, this should lead to definition of at least one Epic by chapter and GEs to reflect this as ongoing work
  * Each Chapter to analyze the interaction (sequence) diagram with the Security Monitoring GE to check, amend/complete and validate them (there is one for each of the Chapters that was elaborated by the Security team). This is needed prior to delivery of the information requested by the Security Chapter (i.e. log, security events, countermeasures, ....) by Security Monitoring GE (also gets the architecture of the chapter ready to have this information delivered). The Security chapter will provide other chapters with information needed by Security Monitoring GE (also format under which this information has to be provided)

From: fiware-wpl-bounces at lists.fi-ware.eu [mailto:fiware-wpl-bounces at lists.fi-ware.eu] On Behalf Of Juanjo Hierro
Sent: Tuesday, 31 January 2012 11:22
To: fiware-wpl at lists.fi-ware.eu; fiware-wpa at lists.fi-ware.eu
Subject: [Fiware-wpl] Actions Points to be Done

Dear WPLs/WPAs,

I plan to deliver more precise guidelines, including some templates, sometime today but probably very late in the evening, effectively to be ready tomorrow morning, because I'm currently very busy with the finalization of the publication of the first Open Call, which was due by today. Apologies for any problem this may cause, but I hope you will understand.

In the meantime, please try to deal with the couple of urgent points that we revised during last week's WPL/WPA meeting (some of them commented during our joint confcall yesterday). We should not forget to address them:

* Provide complete and accurate minutes of the f2f meeting last week. As announced, Miguel sent detailed instructions to follow regarding this (based on feedback by some partners, we will change the place where you should upload them, Miguel will send an email updating on this). PLEASE don't forget to transform Actions Points you identified into WorkItems in the corresponding tracker (your chapter tracker or the FI-WARE-Private tracker). Miguel will set up a Backlog Management tracker on the "FI-WARE Private" project so that you will be able to create WorkItems you believe need to be addressed and followed up at FI-WARE global level.
* Complete response to questionnaire distributed by the Testbed team. This is urgent in order to complete the Testbed design.
* SAP: complete revision of Epics linked to BM&BE GE being considered in the first Open Call.
* Planning of sprint 4 (this requires the first point regarding identification of WorkItems to be done)
* Address APs identified during Security plenary session:
  * Each Chapter to provide their answers to the questions raised by the Security team for each of the Security GEs (the sooner, the better and no later than by end of this week so 3/02/2012)
  * Each Chapter to consider integration of Security GEs within their Chapter architecture and whenever those are needed and at appropriate level (i.e. architecture level, GE level). As a first step, this should lead to definition of at least one Epic by chapter and GEs to reflect this as ongoing work
  * Each Chapter to analyze the interaction (sequence) diagram with the Security Monitoring GE to check, amend/complete and validate them (there is one for each of the Chapters that was elaborated by the Security team). This is needed prior to delivery of the information requested by the Security Chapter (i.e. log, security events, countermeasures, ....) by Security Monitoring GE (also gets the architecture of the chapter ready to have this information delivered). The Security chapter will provide other chapters with information needed by Security Monitoring GE (also format under which this information has to be provided)
* Review status of UC project tickets to update them or make some progress. Don't forget to change the assignee of a ticket to be the issuer whenever you change the state to "Needs revision by the issuer".
* Standardization Plan: please check latest requests on the matter ... there is info pending!

Best regards,

-- Juanjo

-------------
Product Development and Innovation (PDI) - Telefonica Digital
website: www.tid.es
email: jhierro at tid.es
twitter: twitter.com/JuanjoHierro

FI-WARE (European Future Internet Core Platform) Chief Architect

You can follow FI-WARE at:
  website: http://www.fi-ware.eu
  facebook: http://www.facebook.com/pages/FI-WARE/251366491587242
  twitter: http://twitter.com/FIware
  linkedIn: http://www.linkedin.com/groups/FIWARE-4239932

________________________________
This message is intended exclusively for its addressee. We only send and receive email on the basis of the terms set out at http://www.tid.es/ES/PAGINAS/disclaimer.aspx

-------------- next part --------------
A non-text attachment was scrubbed...
Name: WP8 Session at FI-WARE GA 25012012 [Mode de compatibilit?].pdf
Type: application/pdf
Size: 2943776 bytes
Desc: WP8 Session at FI-WARE GA 25012012 [Mode de compatibilit?].pdf
URL: <https://lists.fiware.org/private/old-fiware-apps/attachments/20120206/88c85ecf/attachment.pdf>