20151015 - Meeting minutes, Thursday, October 15th, 2015 - OpenNCP integration with SMP
OpenNCP integration with SMP
Estimated - 15:30 to 17:30 CEST
Performed - 15:30 to 17:30 CEST
AGENDA
1. Discussion about open issues that are halting us from progressing with this e-SENS BB
LOCATION
- DG-DIGIT office: DIGIT ROOM B-28 2/SDR1 AUDIO
PARTICIPANTS
Today's Meeting Participants:
Adrien Ferial (DG DIGIT)
Sandro D'Orazio (DG DIGIT)
Invited Members List:
Uwe Roth
MEETING NOTES
1. Discussion
- Each NI trusts its own NCP
- How this is established is not defined by epSOS but by national infrastructure of each country (each MS is sovereign)
- The Framework Agreement (FWA) states that the only trusted actors are the NCPs
- Each country has a Trusted List (TL-A and TL-B) that directly trust themselves
- Each TL has a list of CAs
- IdA is signed by the certificate issued by CA in TL
- TSL has been defined to be signed by a certificate issued by CA in TL
- TSL file integrity is verified by checking the signature
- TSL file authentication is verified since it is signed with a certificate being issued by CA in TL
- Current TSL file has a digital signature (that is not an aDES) because it's currently signed by NCP Signature certificate
- Each NI trusts its own NCP as a data processor, not the SMP (by the FWA). From a technical point of view, it is acceptable that the SMP signs the SMP files (there's no security degradation) but not from a legal point of view
- A single PKI model doesn't fit eHealth because some countries need their certificates to be issued by specific national CAs
- To go for a PKI model we have to reach a consensus among the MS
- SMP files can only have one signature (one single <Signature> element), by SMP spec
- Can we redefine the FWA to include SMP as a trusted node? Can we do that within the timeframe of e-SENS? DIGIT has someone that can help...
- New information: HTTP GET can be done via HTTPS (1-one way SSL). (PUT is done via 2-way SSL)
- If FWA changes, SMP would be kept in Trust Zone II
2. Actions agreed
In order to keep the epSOS trust model we have 3 possibilities:
- Try to change the FWA (DG-SANTE)
- Have multiple signatures on the SMP files (OASIS to change the SMP spec)
- Would conflict with other domains due to changes in the XSD
- Try to use extensions, putting the signature in the extension
- No need to change the SMP spec (but we should confirm with OASIS)
- Predicted workflow:
- NCP-A signs SMP file with trusted certificate and PUTs it in SMP
- SMP verifies signature of SMP file
- SMP puts the NCP signature in the extension
- SMP signs the SMP file with its own certificate
- NCP-B fetches SMP file
- NCP-B verifies SMP signature
- NCP-B changes the SMP file to replace the SMP signature with the NCP-A signature that is stored in the extension
- NCP-B verifies the SMP file (now signed with NCP-A certificate)
We can try to address #1 and #2 in parallel and leave option #3 as a fallback solution if #1 or #2 fail.
- We'll have SMP/SML centralized in September 2016 in Production environment (DIGIT)
- None of the actions previously agreed will be ready until the end of this year (DIGIT)
- As for the pilot, we have 2 scenarios:
- e-SENS extended
- We can try to have a full stack SMP to be tested in April's Connectathon
- e-SENS not extended
- We go for EXPAND (EXPANDATHON)
- We should implement using the current SMP implementation and inform what requirements should implemented later
- We won't have DNSSEC in DIGIT's DNS for EXPANDATHON
- If we define DNSSEC as a MUST we need to have our own SMP/SML/DNS with DNSSEC in EXPANDATHON. Otherwise we can use the current infrastructure (we need an agreement with Jerry from UNIPI)
- Joao Cunha and Uwe Roth to discuss if we can relax the DNSSEC requirement (at least for the pilot, but state it as mandatory for the future)
- Adrien suggests to forget about DNSSEC. PEPPOL doesn't have it.
- SMP: has lack of documentation
- It's almost done for SML but for SMP still has to be done
- Ask IHE for support for SMP/SML
- Regarding the developments to be made in OpenNCP:
- Change TSL-Editor to add a TSL-to-SMP transformator (e.g. XSLT)
- We can use the current SMP/SML if we decide to discard DNSSEC. Otherwise we'll need to have a local development environment with SMP/SML and a DNS server with DNSSEC
- Without DNSSEC, we can be provided a specific SMP user with sufficient rights to PUT the SMP files
- DIGIT has a SMP client JAR file to do the GET that they can provide
- PUT takes an unsigned SMP file
- SMP signs the SMP file
- Validation of SMP signature is made by the client JAR file in NCP-B. In case we have multiple signatures (scenario #2), we can use Apache Santuario (Massimiliano Masi)
- Then we can consume the data
- We will need to have the SMP certificate in the NCP truststore
- As for the caching:
- Which component should host it? Study this with Kostas Karkaletsis
- We need to move some properties from the epsos properties DB to the cache
- Cache should be in TZ2 (NCP-B), not in the NI
- Study which properties are fetched from the DB and which components are responsible for that
- For now, the developments should focus on using SMP for endpoints, certificates and search masks
- How do we expect to access the information of TRC-STS in LAM?
- If we just need the URL: we can do a nslookup directly in the DNS for the specific NAPTR record that will save the address of each country TRC-STS
- If we need more than just the URL (more metadata): we'll need to use the normal SMP/SML workflow
- When TSL/SMP file is signed by a scheme operator, the signature should be a XaDES. But its adoption depends on the Actions agreed:
- In #1: we don't need
- In #2 or #3: e-SENS e-Signature BB says that we should use a XaDES since we have a qualified signature. In scenario #2 SMP can have a XMLDSIG, while NCP will have a XaDES.
- XaDES = XMLDSIG that as a MANIFEST with some properties
- e-SENS extended
Photos of the whiteboard:
- https://openncp.atlassian.net/wiki/download/attachments/65634340/20151015_174508.jpg?api=v2
- https://openncp.atlassian.net/wiki/download/attachments/65634340/20151015_174512.jpg?api=v2