...
2. Technical vulnerabilities and remediation:
- Analysis of the assertions provider (HCPA and user Assertion), TRC-STS component.
S this topic will be discuss into another meeting related to the implementation deviations and we will discuss about it later inside the security group. - Situation of the clients (Portal and epSOS-Web).
S OpenNCP Portal and epSOS-Web client are not an official implementation/components of the OpenNCP but because they are available as a POC we have to ensure that they are secured client, the decision have been made to fix the security issues found because they are not so complex and time consuming.
Kostas Karkaletsis proposed to configured the portal in a secure mode and execute once again the security tests. One page has been created to list the issues and how to fix them, this page is private and limited to the security group.
TODO: Marco Bernardini and S will fix the issues into the epSOS-Web client and Kostas Karkaletsis and S will fix the issues linked to the Portal.
Then Nathan Taku will execute a new security test session. - Detailed review of the vulnerabilities document (Nathan).
Nathan Taku has explained the vulnerabilities in details and the guidelines to follow in order to solve the issues.
Heiko Zimmermann ask what is the strategy that we will adopt: fixing issues, providing secured client, providing guidelines "how to secure the client", and I'm agree to fix the security issues, it will improve the quality of the clients and the components.
S proposes to ask the question into the next Bi-weekly meeting and if the community in general is agree with our roadmap. The main idea is enhancing confidence through clients components by removing security risks.
- Analysis of the assertions provider (HCPA and user Assertion), TRC-STS component.
3. AOB:
- Testing secured web services (impossible to parse XSD with the current way of importing them).
Eric Ngantchjon: there is a problem for the parsers to load xsd files throughout an url because there are embedded into the war and jar archive. Our security and load software cannot read file when there are imported as it is describe after:
<xsd:include schemaLocation="XCPD_Service?xsd=schema/XXX.xsd"/>.
For the time being we use a workaround by adding manually the XSD files in order to execute properly the schema validation.
Is it possible to use a different way for WSD packaging into the ws-server web application?
S the XSD are all packaged into a zip file "schema.zip", this is a strange situation while the schemas are available throughout the browser.
Please Kostas Karkaletsis if you have an idea about this topic or an advice?
- Real B to B test session organised with Luxembourg NCP:
Heiko Zimmermann is ok to start a real security test session with the PPT NCP node hosted in Luxembourg, but first we need to fix the known issues (not overcome the security test).
An external provider is doing some tests on the Luxembourg node and I perhaps could share the result with the group.
Do we execute the security test between LU and EC software through the VNP or not?
S if it's possible yes because the objective is to test a "Production mode" node, so if it's possible without proxy restriction etc. problem, we will try.
- Test session of the components with the help of EC experts (Gwen).
Gwen Quivy: we will use the WhiteBox testing tool and we have requested support from EC to execute security tests components per components because of the User assertion generation necessary when .
Kostas Karkaletsis proposes his help about required security assertions required by the WSDL. - Heiko Zimmermann They are remaining questions about security relaxation as also explainend by Stéphane Spahni during the last technical committee (X509 certificates, merge of the certificates, the number of required certificates, SHA2 etc).
Deliverable 3.8.7 and 3.8.2 could help to answer or understand the relaxation, it's difficult to find a written relaxation. Maybe Marcello Melgara could help to find the info into the deliverables.
5 + 1 certificate for OSCP respond --> more info into the maintenance shop of Expand project.
Reference document:
View file name D3 A 7_epSOS_EED-X.509-Profiles_v1.0.doc height 250 View file name D3 A 7_epSOS_EED_Algorithms-and-Key-Length_v1.0-2.doc height 250
4. Next meeting:
- Deviation meeting schedule at 11:00 CET.
- Task Force Meeting Not yet planned, probably in 2 weeks.
...