[Fiware-security] TR: Materializing Security in FI-WARE

GIDOIN Daniel daniel.gidoin at thalesgroup.com
Thu Nov 3 15:54:13 CET 2011


Dear Task 8.1 Partners,

Please take into account the TID comments below.

Thanks a lot

Best regards

Daniel

From: BISSON Pascal
Sent: Thursday 3 November 2011 15:23
To: GIDOIN Daniel; Seidl, Robert (NSN - DE/Munich); TRABELSI, Slim; Marton, Gabor (NSN - HU/Budapest); Goetze, Norbert (NSN - DE/Munich); Antonio Garcia Vazquez
Cc: fiware-security at lists.fi-ware.eu
Subject: TR: Materializing Security in FI-WARE

Dear Task leads,

Please have a look at the comments we got from TID regarding the review of (this time) our security entries to the features backlog. Please check and address those comments asap (remember the deadline is set for tomorrow, 4/11/11 EOB!).

To be also addressed at our audio conf tomorrow.

As for the backlog management security tracker, I just dropped an email to Miguel saying that I created the backlog management tracker in due time and that it is still there (I just gave it a try). The only problem is that I can't see any ticket attached so far. Can't figure out why. So I will be checking with Miguel and Daniel.

Regards,
Pascal

From: Miguel Carrillo [mailto:mcp at tid.es]
Sent: Thursday 3 November 2011 13:34
To: BISSON Pascal; GIDOIN Daniel
Cc: JUAN JOSE HIERRO SUREDA
Subject: Re: Materializing Security in FI-WARE

Hello again,

As promised, my comments to the backlog follow. The case of this chapter differs from the others as there's a worrying gap.

General comments (for all WPs)
=============================
You should review the full description of your backlog entries in the Wiki to make sure all fields are properly filled in. Although we provided a spreadsheet explaining how to fill in each field, with some examples, when we started this exercise (the spreadsheet was distributed in mid August), we have found that the guidelines haven't been followed in many cases. We have enhanced the tutorial on the Wiki to include all the explanations now and to make sure that there is a place on the Wiki that you can check in case of doubt. You can find it at:

 *   http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/How_to_upload_the_full_description_of_backlog_entries_to_the_Wiki

Particularly important is the style used for the text provided in the "Goal" field. Please try to align with the patterns provided in the description of this field.

Do not forget to visit the pages with instructions to handle the trackers:

 *   http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/How_to_create_and_configure_trackers_in_FusionForge
 *   http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/How_to_create_entries_in_the_%22Backlog_Management%22_Tracker_of_a_FI-WARE_Chapter

Particular comments (for this WP)
=============================
Unfortunately, there is very little I can say here because no tracker has been created! It would be very good news to know that this is somewhere else ... We need a prompt reaction: follow the previous instructions and make sure that tracker and wiki are properly synchronised. There is little time and this is important.

Regards,

Miguel



--


On 02/11/2011 18:25, Miguel Carrillo wrote:
Dear Pascal & Daniel,

I am sending private emails to all WPLs with further comments to the "Materializing Security in FI-WARE" section on the wiki. There are general comments (applicable to most WPs) and others that apply to your WP in particular. We have prepared a simple and friendly tutorial to make sure that we go in the same direction (http://tinyurl.com/6gueb5t).


General comments (for all WPs)
=============================================================

 *   There are still heterogeneous templates for assets. Take Samson<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/SAMSON_Platform> and Hadoop<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Hadoop> as the reference templates for assets
 *   IPRs in Assets are very frequently expressed in a vague manner: "This product has IPR associated to it", "Open source"... To put an end to this situation, change all assets and put this:
    *   Assets with patents/IPRs. Use this text: "This product will be licensed under FRAND (Fair Reasonable and Non-Discriminatory<http://en.wikipedia.org/wiki/Fair,_reasonable,_and_non-discriminatory_terms>) Terms according to pre-requisites of the FI-PPP program".
       *   If needed, you can add sentences like the one in SAMSON ("Licensing of the software under an Open Source license is currently under consideration. ")
    *   Open source: see Hadoop <http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Hadoop> and use it as template. The text is: "This product is licensed under the open source XXX" where "xxx" will be replaced with the license that applies and a link to the detailed terms where possible.
    *   If you rephrase this or use variants it's ok as long as the additions are properly explained.
 *   Programming Artefacts. I see that this is frequently removed. This is part of the template, it is mandatory and has to stay there. I am not sure everyone understands this. This field elaborates on what we are providing to a developer (an API? a tool? ...)
 *   Delete empty sections. I see many blocks of "Themes", "Features" and "User Stories" (for instance) that are empty. This gives a poor impression and will cause trouble in the review. Please remove blank sections; they will have to be re-created when the first entry is added to the wiki

Particular comments (specific to your WP)
=============================================================
If I say "ok" to one of them, do not relax. It means that there is no particular remark. But the general comments still apply to it and it may need changes.

1) COMMENTS ON ASSETS
The names of the partners should be removed from titles where they appear (inconsistent with the rest of the assets in other WPs)

    *   IoT Internet protocols fuzzing framework<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/IoT_Internet_protocols_fuzzing_framework> - wrong template.
    *   FI-Ware Vulnerability assessment<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/FI-Ware_Vulnerability_assessment> - No "Publicly available documentation", please fill this in
    *   Ontology handler<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Ontology_handler> - empty fields
    *   Vulnerabilities OVAL scanner<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Vulnerabilities_OVAL_scanner> - ok
    *   NVD<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/NVD> - it looks like a 3rd party asset. If so, use the right template (short one)
    *   Attack trace engine<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Attack_trace_engine> - IPR not compliant with agreement in FI-WARE. "Publicly available information" is empty (if there isn't any, state it clearly but do not leave it blank)
    *   Service-Level-SIEM<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Service-Level-SIEM> - ok
    *   CVSS<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/CVSS> - it looks like a 3rd party asset. If so, use the right template (short one)
    *   Visualization Framework<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Visualization_Framework> - ok
    *   Botnet Tracking .ORANGE<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Botnet_Tracking_.ORANGE> - there are two lines with the same asset; please check the duplication on this page: https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Materializing_Security_in_FI-WARE#Baseline_Assets
       *   The asset has two pages, Botnet Tracking .ORANGE<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Botnet_Tracking_.ORANGE> and Botnet Tracking<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Botnet_Tracking>.
       *   First one: wrong template, wrong name and poorly populated. Second one: poorly populated.
       *   Remove one of the two from the wiki and amend the one you choose.

 *   Context-based security and compliance<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Materializing_Security_in_FI-WARE#Context-based_security_and_compliance>
    *   Fragmento<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Fragmento> - ok
    *   Compliance Governance Dashboard<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Compliance_Governance_Dashboard> - IPR description should explicitly describe in accurate terms the licenses that apply (Creative Commons or other?)
    *   CRLT Compliance Request Language Tools<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/CRLT_Compliance_Request_Language_Tools> - Previous Comment not addressed: IPR description should be more explicit than "Open source"
    *   USDL Language<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/USDL_Language> - ok to provide a link as additional info in IPR, but there must be a statement giving a clear summary of the IPR situation with no need to exit the wiki
    *   S&D Run-Time Framework<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/S%26D_Run-Time_Framework> - ok
 *   Identity Management Generic Enabler<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Materializing_Security_in_FI-WARE#Identity_Management_Generic_Enabler>
    *   Stork<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Stork> - mainly ok but part of the IPR is open
    *   Identity Management<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Identity_Management> - Template very poorly populated. IPR should be more explicit.
    *   White Label IdP<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/White_Label_IdP> - IPR empty.
    *   Access Control<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Access_Control> - 3 empty fields
 *   Privacy Generic Enabler<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Materializing_Security_in_FI-WARE#Privacy_Generic_Enabler>
    *   Privacy Enabler<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Privacy_Enabler> - Template very poorly populated. Description for the IPR section must be more specific. If there is no public info, publish something on the wiki; this will be enough and definitely public.
    *   Idemix - Privacy-Preserving Credential Library<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Idemix_-_Privacy-Preserving_Credential_Library> - there is an additional section ("Methods and Parameters") not compliant with the template. Integrate it in another section or remove it.
    *   Idemix - Credential-based Authentication Engine<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Idemix_-_Credential-based_Authentication_Engine>  - it does not follow any official template.
    *   Accountable privacy policies<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Accountable_privacy_policies> - Apart from the description, the rest of the fields are poorly populated. The IPR should be expressed in more accurate terms.
 *   Data Handling Generic Enabler<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Materializing_Security_in_FI-WARE#Data_Handling_Generic_Enabler>
    *   PrimeLife Policy Engine: PPL<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/PrimeLife_Policy_Engine:_PPL> - not compliant with the Asset template: respect sections and section order. The IPR must express at least that it will be offered under a FRAND scheme.
 *   Optional Security Enabler<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Materializing_Security_in_FI-WARE#Optional_Security_Enabler>
    *   Database Anonymization Optional Asset<https://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Database_Anonymization_Optional_Asset> - wrong template - comment not addressed!
    *   Secure Storage Service (SSS) Optional Asset (Thales)<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Secure_Storage_Service_%28SSS%29_Optional_Asset_%28Thales%29> - wrong template. Amend asset name, it must not contain the partner name
    *   Morphus Optional Asset (INRIA)<http://forge.fi-ware.eu/plugins/mediawiki/wiki/fiware/index.php/Morphus_Optional_Asset_%28INRIA%29> - Amend asset name, it must not contain the partner name. IPR must be completed. The "Runtime pre-requisites" section is part of the template and must not be removed.

2) COMMENTS ON BACKLOG

 *   I will send you this first thing in the morning

Please make sure that this is properly looked at by all the concerned members of the WP under your supervision.

Deadline: Friday, 4 EOB.

Thanks for your cooperation

Miguel

--

----------------------------------------------------------------------
     _/          _/_/                     Miguel Carrillo Pacheco
    _/   _/     _/  _/   Telefónica       Distrito C
   _/ _/_/_/   _/   _/   Investigación y  Edificio Oeste 1, Planta 5
  _/   _/     _/  _/     Desarrollo       Ronda de la Comunicación S/N
 _/          _/_/                         Madrid 28050 (Spain)
                                          Tel:  (+34) 91 483 26 77
                                          e-mail: mcp at tid.es<mailto:mcp at tid.es>
----------------------------------------------------------------------


--

----------------------------------------------------------------------

     _/          _/_/                     Miguel Carrillo Pacheco

    _/   _/     _/  _/   Telefónica       Distrito C

   _/ _/_/_/   _/   _/   Investigación y  Edifico Oeste 1, Planta 5

  _/   _/     _/  _/     Desarrollo       Ronda de la Comunicación S/N

 _/          _/_/                         Madrid 28050 (Spain)

                                          Tel:  (+34) 91 483 26 77



                                          e-mail: mcp at tid.es<mailto:mcp at tid.es>

----------------------------------------------------------------------

________________________________
This message is intended exclusively for its addressee. We only send and receive email on the basis of the terms set out at the link below.
http://www.tid.es/ES/PAGINAS/disclaimer.aspx