2013-12-02 eGov Meeting Minutes

Date and Time

Date: 2. Dec 2013

Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 08:00 NZ(+1)

Role Call

Keith Uber

Thomas Gundel

Denny Prvu

Colin Wallis

Ajay Daryanani (non voting)
Rainer Hoerbe
Patrick Curry

 

Quorate call 

Administration


Anil John is now non-voting due to non-attendance (meeting conflict?). Colin to inform Anil.
Quorom is now 5 out of 9 voting.
September 2 minutes approved: Rainer moved, Colin seconded.
1. Charter review
Scope: Ken felt that we were unduly restricting ourselves to governments being relying parties, We should include governments as IDPs as well. Colin has added
Section 8 - Duration: Reflecting dicussion on previous calls, colin has set the duration at 1 year. We would make a decision in 2014 about remaining as a WG or becoming a discussion group.
Charter Vote and forward to LC: Colin moved, Keith and Thomas seconded. Approved.
Reviewed charter to be submitted to leadership council.
AP: Colin to Action

2. IDCloud Gap Analysis

OASIS ID Cloud technical committee is connecting use cases and solutions/technologies for IDM in cloud services/PaaS. They have done a nice use case document and follow up gap analysis on what standards cover what aspects of identity lifecycle and what is missing in available standards offerings.
The document seems a bit unbalanced. It is s very detailed in UMA, OpenID Connect, etc, but is very light on references to SAML.
The STORK project's SAML profile was proposed and accepted to be included.
Rainer proposes to put forward to the TC more information about the Kantara SAML eGov Implementation Profile for inclusion in the analysis.
The document is not yet final so is a ‘living document’ - details on STORK were recently added.
Rainer has tried to contact Gershon Janssen (OASIS IDCloud Secretary) re this, no response received to date.
Colin participated in the early stages, when the discussion/document was a very high level.
Q: Is Research/HigherEd interested in cloud use cases?
Internet2, SWAMID provide box.net to their students 
In Spain, Google and Microsoft are federated via SAML2
AP: Rainer to write and circulate a draft text response to the OASIS IDCloud TC to the list for comments
Ajay will share the document in tomorrow’s GEANT meeting to see what the feeling is within that group.

3. Presentation

Patrick Curry presented MACCSA, Multinational Alliance for Collaborative Cyber Situational Awareness. The audio presentation was recorded and will be made available in the days after the call.

Rough notes follow. Please listen to the audio for more detail.

MACCSA
History
Led by the USA
Cyberspace part led by the UK
Five areas lead by 
Norway - Threats and vulnerabilities
Sweden - Information sharing
Italy - Legal
Finland - Technology
UK- Main experiment which lasted a week - an advanced simulation environment involving 90 people, telco, energy, air traffic management, military
Activity and Experimentation lasted two years to test and evaluate the value of collaborative cyber situational awareness
'You were only 20% effective at best if you didn’t share information - Collaboration is your only choice'
Information sharing framework (ISF) needs to be implemented.
To take that forward and implement it requires an organization.
Over 9 months a series of transitions workshops were arranged 
First group consisted of 22 governments, 35 nations, 8 EU organizations, UN, ITU, NATO, TMForum, ITU, CSA (Cloud Security Alliance).
Outcome was examination of four organizations that could handle this. None were considered appropriate.
Multinational Alliance for Collaborative Cyber Situational Awareness (MACCSA) was wascreated in October 2013 to fill the need.
MACCSA: Legal entity in October 2013, UK Based, Early stage - Legally formed, Has not yet met. First meeting scheduled for 13 December 2013, London.
Founding participants are now being gathered
What do they do?
Information sharing network
Information sharing model, information management model
Federated trust Level 3 PKI
Cyber 
Mapping to the four levels of assurance
Based on standards collection comprising ISO27000, AUS top 35 mitigation, NIST 800-53, US - release 4?, SANS Top 20 controls, including security metrics, sufficient for audits to occur.
Challenges:
Trust framework audit models have been examined. from IDM environment to other types of control.
One or more interoperable schemes are required.
We are leveraging what is needed for business to share information.
The same could be applied to citizen or government cases. This work is highly reusable.
Software is being developed by the organization which will be made public.
Fake organizations are their biggest problem. How to detect the authority of individuals within an organization.
How to determine if a company is compliant with requirements of their industry sector.
Need to be accurate to within 24hours.
ROLO (Register Of Legal Organisations) doesn’t exist today. Examining joint venture options to create it. It will pull together data that is captured from other public registers.
To be a European business register. Register is voluntary, not legislated. EU has a register interoperability API in place.
The API already supports 76 nations register, so not just EU.
Accurate, complete and timely data is important. The register could support other business activities. Relations to taxations, drug trafficking preventions, money laundering etc.
Fake government organizations is a nightmare scenario. How to check that some org/body is legitimate.
Q from Colin:
The link to Kantara is that the IAF could become a more generic framework with a set of profiles under that (one of them being one for MACCSA)?
Patrick:
Federation model, Most PKI Bridges support one or two policies. Need reusable policies across national boundaries
NATO IDM Policy. NATO and EU have agreed to work together to make sure that nations don’t need to have two or more ID systems.
Must be forward looking. Needs to be inclusive of Mobile device challenges. 
Kantara IAF needs to bring in biometrics
Where does liability fall?
Opportunities for Kantara to get these people on board and co-operate.
NISP: Network information security platform??
Has three working groups:
  1. risk management (3 sub groups - risk mgmt and mitigation, metrics, risk mgmt framework and maturity models)
  2. info sharing
  3. research and innovation
This research is not confined to EU members. Content will flow back to EU legislation.

Next Meeting  

Date and Time

Date: 8. Jan 2014 (Note exceptional date due to new year. )

Time: 11:00 PDT | 14:00 EDT | 20:00 CET | 06:00 NZ(+1)

------------------------------------------------------- 

To join the teleconference 
------------------------------------------------------- 
DIAL IN INFORMATION: 

Skype:  +99 051 000 000 481 
Conference Id: 613-2898 
US Dial-In: +1-805-309-2350  

http://kantara.atlassian.net/wiki/display/GI/Telco+Bridge+Info 

Â