DRAFT

Federal CIO Council XML Working Group
Meeting Minutes, December 19, 2001
GSA Headquarters, Auditorium

Please send all comments or corrections to these minutes to Jessica Glace.

While waiting for the first presenter to arrive, there was some informal discussion.

A brief discussion on Value Chain Management for the January/February meetings took place.

Marion Royal announced that Jon Bosak will speak at an upcoming meeting.

Owen Ambur discussed the Federal CIO strategy sessions at LMI. He said this group has primarily been education and outreach oriented, not operational. As the group matures, it becomes more important to consider how its charter might be amended and extended to address operational issues. He mentioned the Department of the Navy's XML developers guide, and Michael Jacobs noted that another version is scheduled for issuance in February as version 1.1. Mr. Ambur also noted that EPA is drafting policy statements that may be good models for consideration by the Working Group.

Mr. Royal said the registry/repository will be a focus this year and it is time to deliver some products to the Federal CIO Council. We are working on sanitizing the Navy document for federal use. A number of action items were identified at the two-day off-site meeting; those action items will be coming out on the mail list. Mr. Royal would like to know which voluntary standards bodies government employees are participating in, and also which ones should be participated in but currently have no representatives.

Lisa Carnahan called in. She directed two questions to Mark Crawford on registries:

  1. Are you coming up with an initial classification scheme, and
  2. What is happening with the notion of vetting?

There are no rules or guidelines set up by NIST. NIST will accept all contributions into the registry. If there are similarities, we would like to somehow distinguish those.

Mr. Ambur said the Working Group's efforts should align with the Quicksilver projects, since the Administration's eGov portfolio management structure is designed to support those projects and, presumably, they will receive the necessary support to be successful.

Mr. Royal said government to citizen and internal efficiency and effectiveness were focuses.

Ms. Carnahan said there is a need for something to start with.

Mark Crawford said Elliott Christian is to contact Lisa regarding the registry/repository.

Mr. Royal said it addresses four segments for G2G as well as internal effectiveness.

Michael Jacobs asked if the objectives of the registry/repository effort would be discussed and if this is for a pilot or for “real” info.

Mr. Royal said he was hoping Ms. Carnahan would be willing to be the chair. There are a couple of different places to start e-forms, such as Quicksilver. We won’t move to production until we have some lessons learned.

Mr. Jacobs said there may be some members of the DON WG that the Federal CIO WG can task to help with the registry/repository initiative.

Ms. Carnahan said we’ll take as many people as are willing.

The first presenter arrived and the formal meeting began.

The first presentation of the meeting was

Overview of XML Security Issues

by Christopher "Kit" Lueder, Mitre (tasked by DISA and JEC).

Mr. Lueder presented a broad overview of current XML security. This is the first step of a security analysis and a work in progress. It is not intended for the general public.

Due to time constraints Mr. Lueder quickly went through his slides on:

XML can use other security mechanisms such as:

The categories of XML-related threats are new technology, new services, and new mechanisms for old technology. XML is immature from a security perspective. New tools need to be debugged. Best practices and evolving architectures are not fully worked out. Open-source software is visible to hackers. Additional categories of XML-related threats include interoperability concerns, disclosure/visibility concerns, legal concerns, heavy reliance on Schema documents, hyper-linking concerns, parsing vulnerabilities, and finally, all of the previously existing security threats.

Mr. Royal said Unicode in XML doesn’t have proper tools that can identify Trojans and other viruses. We’re lucky that we do a good job with ASCII; SOAP and other technology run over HTTP as we build firewalls. What’s your opinion?

Mr. Lueder said Unicode has infinite ways to code, and it’s harder to know how it will be encoded and if it’s safe; currently you’ll have to block Unicode with a firewall. I don’t have a solution to that.

Mr. Crawford said leading virus checkers are working on the issue of performing checks. If you have concerns, stick with encoding your files with ASCII.

The question was posed, “So, do you block everything but ASCII?” The answer was yes.

Walt Houser asked if UTF-8 is the default for XML.

Mr. Crawford said XML can support any character encoding.

Mr. Houser asked wouldn’t you have to change the UTF default.

Mr. Lueder said there are categories of XML-related threats.

Hyper-linking concerns: security mechanisms can be bypassed by linked data.

Mr. Houser asked if canonicalization would fix that.

Mr. Lueder responded you would have to take the external data and decide if you want to take it in or not.

Krishna Sankar said he would discuss that in his presentation.

There is potential for Web-based attacks, but Mr. Lueder hasn’t heard of any identified publicly; that may be because attacks aren’t really publicized.

A specific technology is SOAP. SOAP processing can be like a remote procedure call.

General firewall considerations are:

You could deploy a Web server on a DMZ that receives XML, but commercial products that provide that functionality don’t currently seem to be available.

Usually, SOAP can’t be sent inbound to an enterprise because it is blocked by a firewall. Some security mechanisms will hide XML from firewalls.

Mr. Jacobs asked whether these problems are unique to XML or are issues that were already there.

Mr. Lueder said some are already there, or are new ways of representing the old problem. For instance, port 80 used to be OK, but now remote procedure calls being made through port 80 could be an issue.

Firewall capabilities for filtering SOAP need to be looked into.

Mr. Royal said one of the Web server providers is going to identify the envelope for SOAP if your system accepts the GETs and PUTs; so it’s just a matter of figuring out what we’re going to do with these messages.

Mr. Lueder said you have to ask the question: is it good enough to know it’s SOAP that’s going in, or do you want to know what is in the message? At this point you can let SOAP in or not, but you can’t see what’s inside the SOAP.

Mr. Royal said so as we build systems, what should we do: put the security layer on top of this; ignore everything else; or push the vendors to get inside the content of the SOAP?

Mr. Lueder said the first step is to have a proxy sever so you have a chance to look at the content, but this is a gray area.
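As an added illustration of the proxy approach just described (not code from the presentation), the filter below looks inside an inbound HTTP POST instead of only knowing "it is SOAP": it applies the "block everything but ASCII" answer from the discussion, refuses externally supplied DTDs as one of the parsing risks in the threat list, recognizes a SOAP envelope, and checks the invoked operation against an allow-list. The SOAP namespaces are the real ones; the urn:example:eforms service, the operation names and the sample messages are constructed assumptions.

```python
"""Content-inspecting filter for inbound SOAP-over-HTTP POSTs (added example)."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Real SOAP 1.1 and SOAP 1.2 envelope namespaces.
SOAP_ENVELOPE_NS = {
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://www.w3.org/2003/05/soap-envelope",
}
# Declared encodings the filter will inspect. A UTF-8 document whose bytes are
# all ASCII is still ASCII; anything else is refused (the "block everything
# but ASCII" stance from the meeting).
INSPECTABLE_ENCODINGS = {"us-ascii", "ascii", "utf-8"}
# Hypothetical allow-list of RPC operations the enterprise exposes.
ALLOWED_OPERATIONS = {"GetFormStatus", "SubmitForm"}

_ENCODING_DECL = re.compile(rb'^<\?xml[^>]*?encoding=["\']([A-Za-z0-9._-]+)["\']')


def declared_encoding(body: bytes) -> str:
    """Encoding named in the XML declaration, or the XML default (UTF-8)."""
    match = _ENCODING_DECL.match(body)
    return match.group(1).decode("ascii").lower() if match else "utf-8"


def split_qname(tag: str) -> Tuple[str, str]:
    """ElementTree writes tags as '{namespace}local'; split them apart."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def inspect_soap_post(headers: Dict[str, str], body: bytes) -> Tuple[bool, str]:
    """Return (allow, reason) for one inbound POST.

    Non-XML requests are left to ordinary HTTP filtering; XML requests must be
    ASCII, carry no DOCTYPE, be a SOAP envelope, and invoke an allowed operation.
    """
    content_type = headers.get("Content-Type", "").lower()
    if "xml" not in content_type:
        return True, "not XML; left to ordinary HTTP filtering"
    encoding = declared_encoding(body)
    if encoding not in INSPECTABLE_ENCODINGS:
        return False, "declared encoding %s cannot be inspected" % encoding
    if any(byte >= 0x80 for byte in body):
        return False, "non-ASCII bytes in body"
    if b"<!DOCTYPE" in body:
        # An outside party should not get to drive the parser's entity handling.
        return False, "DOCTYPE not accepted from outside"
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return False, "malformed XML: %s" % exc
    ns, local = split_qname(root.tag)
    if ns not in SOAP_ENVELOPE_NS or local != "Envelope":
        return False, "XML but not a SOAP envelope"
    soap_body = root.find("{%s}Body" % ns)
    if soap_body is None or len(soap_body) == 0:
        return False, "SOAP envelope carries no operation"
    _, operation = split_qname(soap_body[0].tag)
    if operation not in ALLOWED_OPERATIONS:
        return False, "operation %s is not on the allow-list" % operation
    return True, "SOAP operation %s allowed" % operation


# Constructed sample traffic for a hypothetical urn:example:eforms service.
HEADERS = {"Content-Type": "text/xml; charset=utf-8"}
ENVELOPE = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            b'<soap:Body>%s</soap:Body></soap:Envelope>')
ALLOWED_MSG = ENVELOPE % b'<GetFormStatus xmlns="urn:example:eforms"><id>42</id></GetFormStatus>'
DENIED_MSG = ENVELOPE % b'<PurgeForms xmlns="urn:example:eforms"/>'
DTD_MSG = (b'<?xml version="1.0"?><!DOCTYPE Envelope [<!ENTITY e "x">]>'
           + ALLOWED_MSG.split(b"?>", 1)[1])
LATIN1_MSG = b'<?xml version="1.0" encoding="ISO-8859-1"?><Envelope/>'

if __name__ == "__main__":
    for name, msg in [("allowed", ALLOWED_MSG), ("denied", DENIED_MSG),
                      ("dtd", DTD_MSG), ("latin1", LATIN1_MSG)]:
        print(name, inspect_soap_post(HEADERS, msg))
```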

 

Mr. Morgenthal said today’s servers are fairly simple and based on the particular service that is requested; but it’s very easy to check against a SOAP dispatcher to ensure that a digital signature is able to verify the SOAP W3C implementations. As it’s accepted, it will be implemented into the products.

Mr. Royal said that fits in with the e-gov initiatives.

Mr. Crawford added it’s important that the XML WG know what they should be looking for as far as security is concerned.

Mr. Lueder will try to get DISA approval to put his slides on XML.gov.

Last month’s IEEE had some good articles on security.

Mr. Royal said the e-gov task force Quicksilver is looking for a single sign-on. They don’t understand what that involves, but they think it’s a good idea.

Mr. Jacobs said they are going toward a common access server and industry partner.

Mr. Morgenthal said that trust only goes as far as the issuer of the certificate. There needs to be some form of trust such as a federally issued digital passport, which is trusted today. The government would be the ultimate issuer of trust.

Mr. Royal said that is different than what I responded to.

Mr. Ambur said let’s discuss that after the next presentation.

The second presentation of the meeting was

XML Standards Related to Information and Network Security

by Krishna Sankar, Cisco & OASIS, and JP Morgenthal, eThink Systems.

Mr. Sankar opened his presentation by saying there are various XML standards that would help us. I will give you a few examples and hopefully when you review the slides you will pick out a few more things. Please send me any questions you may have.

There are some assertions that need to happen in security. The first one is a person must say, “I trust this entity when I get this”; then the entity must say, “Yes, I trust this person”. The advantage of this is that you don’t have to have a central authority. To do this, you need a standard for assertions.

Mr. Royal asked when DSIG or authentication is used, where is that applied to XML.

Mr. Sankar said that is covered in the use cases.

Mr. Morgenthal said the XML Key Management Specification (XKMS) has become a W3C initiative and there is a second draft of the implementation.

Mr. Crawford said a long-term effect is needed.

XML Signature is also called DSIG. It is a W3C effort and is in Proposed Recommendation status. The XML Signature can take three forms: enveloping, enveloped, or detached.

Mr. Royal asked is it an external content reference?

Mr. Sankar answered yes.

Mr. Royal asked would I have to go grab it and then sign it.

Mr. Sankar answered yes.

A canonicalization engine is used to normalize the document. This is an important step.

Mr. Royal asked who decides what the proper form is.

Mr. Sankar said C14N is the standard. When you send SOAP, there are routing headers that go across, that way the signature stays intact.
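An added illustration (not part of Mr. Sankar's presentation) of why the canonicalization step matters: two serializations of the same memo, the signer's with Unix line endings and a copy re-serialized on another platform with CRLF, reordered and requoted attributes and an expanded empty tag, digest differently as raw bytes but identically after C14N, so a detached signature still verifies while a real content change does not. The memo and the SHA-256 digest method are constructed assumptions, and the stdlib canonicalize() implements C14N 2.0 rather than the 2001-era C14N 1.0 discussed at the meeting.

```python
"""Why XML Signature digests the canonical form, not the raw bytes (added example)."""
import hashlib
import xml.etree.ElementTree as ET  # canonicalize() needs Python 3.8+

# Constructed: the signer's copy of a memo as written on a Unix host.
SIGNER_COPY = (
    "<Memo id='m1' class=\"urgent\">\n"
    "  <Body>Approve the request</Body>\n"
    "  <Attachment href='a.pdf'/>\n"
    "</Memo>\n"
)
# Constructed: the same memo after a toolchain on another operating system
# re-serialized it: CRLF line endings, attributes reordered and double-quoted,
# and the empty element written as an explicit start/end pair.
RECEIVED_COPY = (
    '<Memo class="urgent" id="m1">\r\n'
    '  <Body>Approve the request</Body>\r\n'
    '  <Attachment href="a.pdf"></Attachment>\r\n'
    '</Memo>\r\n'
)
# Constructed: a copy whose content actually changed.
TAMPERED_COPY = RECEIVED_COPY.replace("Approve", "Deny")


def canonical_form(xml_text: str) -> str:
    """C14N (2.0) form: sorted double-quoted attributes, LF line endings,
    no empty-element shorthand, so equivalent documents serialize identically."""
    return ET.canonicalize(xml_text)


def raw_digest(xml_text: str) -> str:
    """SHA-256 over the bytes exactly as serialized (what a naive signer would do)."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def c14n_digest(xml_text: str) -> str:
    """SHA-256 over the canonical form; this is the digest a <Reference> carries."""
    return hashlib.sha256(canonical_form(xml_text).encode("utf-8")).hexdigest()


def verify_detached(reference_digest: str, received_xml: str) -> bool:
    """Detached-signature style check: recompute the digest over the received
    copy and compare it with the digest that was signed."""
    return c14n_digest(received_xml) == reference_digest


if __name__ == "__main__":
    signed = c14n_digest(SIGNER_COPY)
    print("raw digests equal:   ", raw_digest(SIGNER_COPY) == raw_digest(RECEIVED_COPY))
    print("c14n digests equal:  ", c14n_digest(RECEIVED_COPY) == signed)
    print("received verifies:   ", verify_detached(signed, RECEIVED_COPY))
    print("tampered verifies:   ", verify_detached(signed, TAMPERED_COPY))
```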

 

Mr. Houser asked if C14N has established a hyperlink standard.

Mr. Sankar said you process the document the same way.

Mr. Houser asked, as opposed to processing it through the engine, why canonicalize a signed detached form.

Mr. Sankar said you have two different operating systems.

Mr. Royal asked what if you have to do some manipulation.

Mr. Jacobs asked can’t the header be malicious.

Mr. Royal said the processor is to understand the header but we still want to accept the document; it’s not so much a generic form of the document, it’s something different I believe.

Mr. Houser said I believe that is what we are looking for here.

Mr. Royal asked so who decides what that format is.

Mr. Houser said what if the President signs an XML document in PDF FO or Word FO, but it is the same document with the same signature.

Mr. Morgenthal asked is it an envelope or is it a URI.

Mr. Sankar said there is also a transform; the spec has those things.

The second topic of the presentation was XML Encryption. The mission of the XML Encryption Working Group is to develop a process for encrypting/decrypting digital content (including XML documents and portions thereof) and an XML syntax used to represent the encrypted content and the information that enables an intended recipient to decrypt it. XML Encryption is in W3C Last Call status.

Mr. Houser asked what digest options are available.

Mr. Sankar said you can open any that you want.

Mr. Morgenthal said they are listed in the Digital Signature specification.

Mr. Sankar presented an XML Encryption markup example.

Mr. Royal asked what if you are interested in different signatures applied to different parts of a document.

Mr. Sankar said it could be in XPath, which would sign different parts of an XML document.

Mr. Houser asked what if the original document changed.

Mr. Morgenthal said it would be critical that the hash be updated.

Mr. Royal said but that would be appended.

Mr. Houser said you could use XPointer to point to the original document.

David Eng asked is there a way to make the data not visible to multiple parties.

Mr. Morgenthal said encryption can be released by these people; in this case you could see the information.

Mr. Royal said security has advanced greatly in the past 12 months.

Mr. Morgenthal said this is being driven by the e-business initiatives.

At this time, JP Morgenthal took over the presentation to discuss the XKMS initiative.

The main idea behind XKMS is that we want to be able to go to a central authority for issuance of keys and handling reissuance of keys. The central authority should be able to handle applications that move around the Net. This is all driven by trust. The whole idea behind this is that you trust who the document is coming from.

Mr. Sankar said I believe you will have each agency managing their own authority.

Mr. Crawford said he was not sure the government would take on a centralized role in this.

Steve Vineski said the GSA ACES contract goes out to outside contractors.

Mr. Royal asked how do we identify employees of government to each other. If we use a certificate authority, how do we identify our customers as they come, which is more difficult as this PKI bridge is being built. We have to evaluate our systems and decide how much we need to verify these systems.

Mr. Morgenthal said this is a double-edged sword, but it comes down to non-repudiation. It needs to make sure the trading partner is trusted; are they a legitimate authority.

Mr. Royal said part of the thing government is trying to realize is that the government does not need all of the signatures that are currently required. We do need some non-repudiation.

Mr. Morgenthal said there is a need for keys for VPNs. We have a methodology that can decrypt that data, but anyone in the world can create the encrypted data.

Mr. Royal asked who should generate the certs and how do we find the certs.

Mr. Morgenthal said hopefully someday the Post Office can do it; that would provide a high level of trust. Building an extranet product favors the W3C Lego approach, but you need to take all the technologies as a set.

Mr. Houser asked if this would provide the ability to have an anonymous transaction.

Mr. Morgenthal replied no.

Mr. Houser asked what if you registered an alias.

Mr. Morgenthal said you now have the ability to accept or deny.

Mr. Houser said not all authorities are equal.

Mr. Sankar resumed the presentation to discuss Security Assertion Markup Language (SAML).

Mr. Houser asked is there any relationship between Webdev and XACML.

Mr. Sankar wasn’t sure, but would look into it.

Mr. Royal said XML is formalizing the API for how these systems communicate with each other and they are getting into the actual process of how these are used.

Mr. Sankar said the XML standards are all turning into XML messages and vocabularies.

Mr. Royal said we didn’t know how these fields were being used.

Mr. Sankar provided some examples of additional needed standards. There is a need for single sign-on across different registries. UDDI allows anyone to do a find or get; it only needs authentication to update or change data. It is not scalable, and different registries need different authorities. There is still a need to access information in one registry.

Mr. Royal asked is this supporting the ebXML security.

Mr. Sankar said yes, I was also part of that team. STF178 will provide the link.

We can add a few things from xml.gov if there is an opportunity to extend this.

Microsoft WS-Security enhances SOAP.

There are three use cases in Mr. Sankar’s presentation.

Mr. Houser asked are you familiar with trading rights exchange (Ko Fujimura with NTT).

Mr. Sankar replied that he wasn’t.

Mr. Houser said he would give Mr. Sankar his card for follow-up on that.

Regarding the privacy issue, Mr. Ambur noted that some privacy advocates do not object to a national ID card if it is made voluntary. In effect, the driver's license is already a national ID card. The problem is that State motor vehicle administration systems cannot communicate efficiently with the Social Security Administration and other systems containing information that is pertinent to the identification of individuals.

Mr. Royal said his son couldn’t get his learner’s permit because he couldn’t prove that he was a resident of VA.

Mr. Ambur said this process could be improved through the use of XML.

Meeting Break

The third presentation of the meeting was

XML for User-Centric (Citizen-Centric) Directory Services by

Marc LeMaitre, eXtensible Name Service (XNS) and OneName.com.

Mr. LeMaitre works for a for-profit organization (OneName.com), but is representing a non-profit (XNS.org).

What is Web identity, if it is different from enterprise identity? XNS is neutral. It is an open protocol based on XML. The protocol will be managed by XNS.org. When you talk about security, you are also talking about trust and privacy.

Twelve Web services are specified in WSDL 1.1 and XML Schema 1.0. XNS creates a Web identity architecture. P3P user agent profile: an agent being the way we have implemented and are publishing the DNS infrastructure.

IP -> DNS -> XNS

Internet standards -> Web standards -> Web services standards

The assumption is that you want identity rather than anonymity.

Web identity is evolving just as Web content evolved in the last decade. There is a need to be able to harmonize across your different identities; for example, the same person can hold two vastly different identities, one as a father and one as an employee. There is a need to be able to represent me as an individual to a bank and also to the HMO.

Mr. Sankar asked is the agency an entity.

Mr. LeMaitre said an agent is an XML document; XNS is one big XML document. XNS is self-describing.

Mr. Royal asked are you able to inherit characteristics.

Mr. LeMaitre said I will answer that in the next couple of slides.

A Java wrapper is built around the documents. The agent can be empty, but the agent needs to know where to go and get the data.

When you join a company, they give you the company policy that links to signing a contract for commissions. One of the contracts can negotiate to share information with a minimum level of security.

An analogy is the credit card system, where two people can have Visa cards, but with different banks, using the same trust network. All the stores with Visa signs want someone to say you will inherit the following contract; there are some broad initiatives.

There is a difference between “European privacy” and “American privacy”.

Privacy requires a two-way binding contract.

In XNS, any agent (business or personal) can exchange a contract with any other agent.

Publish a schema in XML and you can have a core service in XNS that others can inherit.

XNS sets up a “pipe” and the permissions to update and to synchronize information.

With PKI, you continually go back to the cert authority and ask if it is good, rather than the cert authority just telling you when a change is made.

Mr. Sankar asked do you have any protocols.

Mr. LeMaitre said February 2002 is the date for the specs to be published. We would love to hear selective feedback on the negotiation protocol, which includes requested and required data.

PKI is based on a reputation service, which you trust. Look at what Liberty is trying to do and what is already out. What does the Liberty Alliance stamp mean to people when they go to the Web site? Are they willing to take the rap for the consequences of the stamp? They answered they MAY be willing to get into recourse.

Mr. Royal said XNS.org seems to be the only name in the presentation. Are there a significant number of organizations working on this?

Mr. LeMaitre said he can’t discuss the exact companies working on the effort because they are working under nondisclosure.

Mr. Royal said I have a concern as to whether this is intellectual property.

Mr. Crawford asked if there were any patent issues.

Mr. LeMaitre said no, there are not. In February 2002 it will be completely licensed to XNS.org; Bill Washburn could answer that question.

Mr. Crawford said we don’t trust it unless there is no patent.

Mr. Sankar said if you start using this across organizations, in infrastructures, there is an issue.

Mr. LeMaitre said could you give me a business card if you are concerned.

Mr. Crawford said it would be appropriate for Bill Washburn to make a statement on the list serv.

Mr. LeMaitre said when we talk about identity today, it is not just about identity, but also about privacy and being able to change my mind.

Mr. Royal asked are you using an ISO standard.

Mr. LeMaitre said no, it is completely independent.

Part of the open source implementation is the open JDBC to allow you to be able to integrate it. We don’t want the proprietary question to be an issue. Mr. LeMaitre will ask Bill Washburn to send an e-mail to Marion Royal.

Mr. Sankar said make a bold decision and make it totally open.

Mr. Morgenthal asked about collaborative party profiles.

Mr. LeMaitre said we discussed them, but I’m not sure what the status is.

You can have multiple agents in a business and various different businesses. There is a huge overlap in the collaborative party profiles.

The final presentation of the meeting was

.Net My Services (formerly code named HailStorm) by

David Brown, Microsoft.

In introducing Mr. Brown, Mr. Ambur noted that a requirement of the Administration's "citizen-centric" eGovernment Action Plan is the need to identify the generic attributes of groups of citizens that are relevant to their interactions with government. XML is an appropriate format in which to represent such attributes, and Microsoft's .NET strategy takes advantage of the potential of XML. Criticism of the Passport schema has focused upon proprietary elements that Microsoft has specified for the identification of groups of people. Hal Howard of Microsoft has said the company would be happy to turn those attributes over to a standards organization.

Mr. Brown opened by telling the group that he had been a government employee for 13 years in DOD. He has now been with Microsoft for 2 years. Microsoft is trying to be a part of the Liberty Alliance. They are not yet a member but are interested in it. The Liberty Alliance is a product. Microsoft calls the Passport service an identity service; Mr. Brown personally disagrees with this, as only the government can do this. It is a continuity service. It just means that the same person is coming back and asking for the same stuff again. The Internet is going to be a big supercomputer that is interconnected. “.Net” is a brand in the Microsoft world. Microsoft is building tools, clients, and Web services. The customers of this product are the citizens.

Mr. Royal asked what can and should government agencies be doing to ready themselves for these types of goods.

Mr. Brown said let me talk more about what .Net My Services is.

One piece is Passport, which gets you an id that you need for everything else; the second piece is Alerts; the third piece is .Net My Information. A lot of information the user owns should be controlled by the user. You can give information to others; for example, if you wanted, Ticketmaster could update the Skins dates on your Outlook calendar.

Mr. Royal asked what are you selling.

Mr. Brown said money is coming from the end user, not from the partners.

Mr. Sankar said you can have .gov in this same platform.

Mr. Brown said we talk about people, but it applies to families, companies, all of which are entities.

Mr. Royal asked where do you draw the line of the necessary information versus the value added information.

.Net Passport will be free, but the extras are what will carry charges. Alerts are free right now, so the user can identify where they want an Alert to go; extra rules are the value add that the user would pay for. All of these services are based on the Passport user id. In the future all kinds of authentications will be built into the services.

In terms of the actual protocols, all of these things use SOAP underneath it all. We are working on specifications. The protocol that you use to pass data is Kerberos.

Microsoft will run Passport; other companies can run the Passport server. An implementation issue is that users need to trust it. .Net My Services is dependent on safeguarding users’ private data.

From an operational standpoint there need to be distributed data centers, kept away from hackers (Fort Knox syndrome); whoever stands this up will have the most complex issue, which is the operations.

This means that you’re putting all your data in Microsoft. This is to make it easier for the user.

Mr. Sankar said being kept in a central place is a convenience, but on the flip side, your information is there.

Betsy Schmidt asked wouldn’t third party audits have to be by the government?

Mr. Brown responded I would think so, but it could be another private authority. I feel the government would be appropriate, but I work for the Federal division of Microsoft.

Mr. Crawford said this sounds like Sun and AOL, but it seems that Microsoft has gone into it in a lot more detail, at least publicly.

Mr. Brown said he agrees with that. The key is that what Web services do is on top of HTTP; you could make it the reality.

Mr. Sankar said right now the Internet isn’t being used to its fullest.

Mr. Crawford said he is looking at it from an assurance perspective.

Mr. Sankar said Microsoft is more granular.

Mr. Brown said this is a very early SDK.

Mr. Royal said the issue raised bravely by Microsoft was that there needs to be a central authority. The road that Microsoft is plowing is a good garden, but I don’t trust Microsoft or other large companies. I don’t want to rely on a particular company that has a passport account.

Susan Turnbull said this is not perceived as a traditional contract since it’s free, in order to mitigate the responsibility.

Mr. Brown said I don’t understand. Microsoft licensing agreements are typically written so that we don’t have liability.

Ms. Schmidt said Microsoft won’t have liability.

Ms. Turnbull said since it’s free it’s in a different category. For example, the city buys a lighthouse for $2 just to establish a contract.

Mr. Eng asked can a Passport represent a company, similar to a mainframe id.

Mr. Brown said I don’t like thinking of a Passport as an identity.

Mr. Royal said the most important thing you’ve said is that .Net Services is a product, not a protocol. It will be modified and it will not be an open standard.

Mr. Brown said Microsoft is guaranteeing that this will be interoperable with Kerberos, which should not be an issue. Microsoft drives many standards, because going to a standards body gets a lot more work done and better.

Mr. Ambur noted the essence of Passport is that it creates a persistent ID. We may not know much about the individual the first time they use the ID. Indeed, when they register, they can provide any information they choose. However, as they use the ID to conduct online transactions, they begin to build a record, and it is the record of how people conduct themselves that matters, not merely who they "are". Microsoft is saying a lot of good things in their .NET initiative. In particular, the notion of establishing personal profiles in XML and then building applications and services around those profiles is excellent. It is up to us to hold them to their word and make sure the appropriate elements get turned over to the relevant standards organizations.

Last name     First name   Organization
Ambur         Owen         Interior-FWS
Breton        Henry        Lockheed Martin
Carnahan      Lisa         NIST
Crawford      Mark         LMI
Dean          Ben          SSA
LeMaitre      Marc         OneName
Disbrow       Jim          DOE
Eng           David        EPA
Glace         Jessica      LMI
Holloway      Karen        MNG
Hunt          Jim          GSA
Jacobs        Michael      DON CIO
Kanaan        Muhan        DynCorp
Knight        Dolores      DTIC
Lueder        Kit          Mitre
Marr          Timothy      Lockheed Martin
Mitchell      Mary         GSA
Morgenthal    J.P.         Ikimbo
Niemann       Brand        EPA
Pittman       Ken          Pittman & Associates
Poot          Lex          DTS
Roberts       Davis        SAIC
Royal         Marion       GSA
Sanford       Lewis        GSA
Sankar        Krishna      Cisco Systems
Schmidt       Elizabeth    Software AG
Sinisgalli    Mike         Vitria
Stanco        Tony         GW CPI
Turnbull      Susan        GSA
Vineski       Steve        EPA
Yee           Theresa      LMI