OASIS Open

Pass code: 46620642

United Kingdom 08000234295 02076351808 +44 2076351808
United States 18662486013 17183541170

Australia 1800004583 0282239344 +61 282239344
Austria 0800291639 0179567791 +43 179567791
Belgium 080080213 027133682 +32 27133682
Canada 18667425609
China 108008520981
China 108001520981
Finland 0800112578 0969379596 +358 969379596
France 0805770046 0157323695 +33 157323695
Germany 08007005013 069945192088 +49 69945192088
Greece 0080044141240
India 0008004401045
Ireland 1800946925 012421054 +353 12421054
Italy 800782318 0291483678 +39 0291483678
Japan 0034800400553 0357674201 +81 357674201
Netherlands 08000223510 0202013854 +31 202013854
Portugal 800844385 214154495 +351 214154495
Russia 84955453544 +7 4955453544
Singapore 8008523488 64155063 +65 64155063
Spain 900810179 912757175 +34 912757175
Switzerland 0800562604 0448009450 +41 448009450
United Kingdom 08000234295 02076351808 +44 2076351808
United States 18662486013 17183541170

Review of COEL Ecosystem document

We agreed the approach to security was coherent and sensible with no obvious holes.

• Action [2015-07-28 / 1]: Create issue to add ‘transparent’ label for Consumer view of Coelition and Service Provider in Ecosystem key relationships diagram (dotted lines)
• Action [2015-07-28 / 2]: Create issue to potentially combine COEL Ecosystem and COEL RolesAndPrinciples documents
• Action [2015-07-28 / 3]: Create issue to potentially have a more ‘offline’ approach (or double check) for ‘all atoms’ requests from Service Provider to Data Engine

Review of actions

• Action: [2015-07-28 / 4] Target committee drafts for all documents in mid-October 2015.

[2015-07-21 / 1] David: Create Issues in OASIS issue tracker from outstanding issue list document. TO BE COMPLETED

[2015-07-21 / 2] Paul: Verify that the IDA specification captures the "Need a standard format for Operators and Service Provider identifiers" DONE

[2015-07-21 / 3] Paul: Present security options for ecosystem at next call. Post an email for discussion to COEL list.(to include privacy contribution from Joss) DONE

[2015-07-21 / 4] David to lead discussion at next meeting on Schedule for publishing drafts. DONE

[2015-07-21 / 5] David: Make requests to OASIS to create document folders: "Documents/Submissions" and "Working Drafts/COEL Model" DONE

• Agreed to cancel meetings on 4th  & 25th August 2015 due to summer holidays.

We agreed last week to review the latest security topics. See below:

[1] Use SSL for all internet communications within the ecosystem. This creates an encrypted channel for the data (Atoms, Reports and Pseudonymised Keys – no DIPI) and prevents a third party from reading it in transit. It means that servers like the IDA, Data Engine and any Service Provider/ or Operator systems must have SSL certificates (between £100 and £300 pa cost or see https://letsencrypt.org/)

[2] Use single factor authentication (user-id and password) for all Data Engine and IDA calls with the exception of: [a] submitting atoms which can be done anonymously [b] an operator registering consumers with the DE (see below for why)

[3] Use IDA generated pseudonymous keys as the user-ids for actors in the ecosystem. These are devoid of DIPI and unique across the ecosystem.

[4] Use different user-ids AND different passwords for each embodiment (e.g. for Operator with IDA, Operator with DE, Service Provider with different DEs etc)

Let’s look at the systems/interactions to see what the threats are:

[1] Operator / IDA: Disclosure of M2M credentials would allow an attacker to generate Pseudonymous Keys on behalf of an operator. There is no possibility of disclosure of DIPI or behavioural data. Risk is low.

[2] Service Provider / IDA. Disclosure of SP interactive login would allow attacker allocate new OperatoIDs or disable existing OperatorIDs. The IDA will not keep any DIPI for operators and their IDA passwords are stored encrypted so there is no risk of these being disclosed. If an attacker gains access then the Service Provider will need to change their password and re-register its operators.

[3] Operator / DE: Disclosure of operator credentials would allow an attacker only to register consumers as the operator has no other role with the DE. With this in mind Matt and I agreed that there is no need for an operator password when registering a consumer with the DE. Registering is similar to submitting an Atom.

[4] Service Provider / DE: This is where the highest threat is. Disclosure of credentials that gave access to the Data Engine Management Interface (MI) and Query Interface (QI) would open up two possible attacks:

[a] An attacker can query the tree of operators and consumers (via MI) and then retrieve all Atoms for all consumers for the SP (via QI).

[b] An attacker can use the MI to issue ‘forget’ requests for consumers. This would result in either deleting all the atoms, or disconnecting the atoms from their original consumer ID. It would render the atoms useless to the SP because by definition these are not reversible.

To reduce the likelihood of [a], we should mandate that separate credentials be used to access the MI and QI, reducing the likelihood of getting both.

To reduce the likelihood of [b], the data engine must use a secondary method to assert the identity of the service provider. Forgetting is a rare event and insisting that there be a human in the loop will make it more secure. We can mandate that the DE send an authorisation email to the SP asking it to confirm the forget request. (Unlikely attacker has access to this mailbox). Or the DE can mandate a second factor of authentication for forget requests such as a handheld RSA key

[5] Operator/SP. Where the operator is a separate entity (such as in the GP/AI scenario), it will request reports on consumers from the SP, but these reports are pseudonymised so contain no more information than the query returned from the DE. The operator adds in the DIPI itself. Low risk.

• OASIS Open (General Membership)
• General Public