...
- Housekeeping (Jerome):
- S Security task force is the group in charge of fixing known security issues, and providing security policies document in order to improve the scalability of OpenNCP components.
- A first testing session (security and load) has been run from a end to end flow (client --> NCPB --> NCPA).
- Technical vulnerabilities and remediation
- Background:
- Decision has been made to fix the clients in order to provide safe clients even if not part of OpenNCP
- Then we'll start again the security test and execute component per component testing
- Liferay:
- Kostas Karkaletsis has solved already a number of issues & installed a new version of Liferay 6.2.0-CE-GA1).
- has solved some of the issues in the current version (Liferay 6.2.0-CE-GA1) and results are here: https://openncp.atlassian.net/wiki/display/ncp/Liferay+Security+Issues
- has installed locally the version 6.2-CE-GA6 (which seems to have solved some of the security issues)
- trying to migrate the installation from previous version to the new one
- S is asking if we are expecting issues with the migration?
- Normally it should be easy. Kostas will probably be finished by tomorrow evening
- Database:no update script, this is done automatically
- S is asking if we are expecting issues with the migration?
- has installed https://portswigger.net/burp/ which is a web application security testing tool in order to be able to do this testing my own, before sending it to your team in order to have faster results
- Nathan TAKU:
- Good idea to use the burp suit
- Nathan TAKU will be available next week to work on those issues. Kostas will contact Nathan as soon as ready
- Nathan recommends to have a look at the recommendations for fixes
- Nathan TAKU:
- When can we execute a new test session?
- Only one server in DG SANTE so we need to have a look at the calendar to plan the tests
- Kostas Karkaletsis: as from end of next week (15/02)
- S will check the availability of the server and will check with Marco to follow the same process and planning for the other portal
- Is it possible to have a public installation? Server not available at the moment. But Jerôme will organize a quick call with Kostas
- Kostas Karkaletsis has solved already a number of issues & installed a new version of Liferay 6.2.0-CE-GA1).
- Background:
- Relaxations
- Massimiliano Masi: The biggest problem we have is regarding the integration with the national connector on the national infrastructure side
- It make sense to write a document with functional requirements and then handover it to Kostas, Joao and Jerôme
- Massimiliano Masi proposes to start a kick off document trying to formalizing the discussions by e-mail
- It make sense to write a document with functional requirements and then handover it to Kostas, Joao and Jerôme
- What Massi needs is a fresh version of deliverable - Please see section /wiki/spaces/ncp/pages/72417298 where the document "epSOS Security Deviations Fact Sheet" is displayed
- What Massi needs is a fresh version of deliverable - Please see section /wiki/spaces/ncp/pages/72417298 where the document "epSOS Security Deviations Fact Sheet" is displayed
- How to implement and to deal with message signature?
- epSOS approach
- Current version of OpenNCP: no message signature, only assertions
- Question is : Do we have a secure conversation (sign every message but without the key) between NCPs? Or xml digital signature (each message is signed using the key of the identity provider)
- Secure conversation is relevant if we have a real conversation
- xml digital signature is good if we have only a few conversations => Ok for Massi because at the end we do not exchange that much messages (experience from the pilot)
- Massimiliano Masi: VPN = secure network, TLS = host-to-host security, we need application-to-application security
- Reference to document D 3.A EED v0.8 section 4.3.5.2
- How/who can we decide on this topic?
- Proposition of Massi:
- Analyse the implications of both approach
- Present and discuss at the Technical Committee meeting and then decide by voting
- need for a comparison between both approach before voting => need to prepare a document before the Technical Committee
- Proposition Kostas:
- Better to have a list of all the issues and then prioritize them
- S will make the list and prepare a proposition for this Technical Committee on
- Better to have a list of all the issues and then prioritize them
- Both approaches could be in parallel. Choice of how to implement and priority
- Proposition of Massi:
- List pros and con's on the wiki for discussions, from the page dedicated on security
- => S will create the page
Link to the discussion page where the team can brainstorm: /wiki/spaces/ncp/pages/73597020
- To be discussed/decided to the next Technical Committee meeting on .
- => S will create the page
- Workflow manager:
- Component that keeps OpenNCP stateless
- Part of the national connector discussion.
- STS implementation => To be included in the priority list of issues
- Massimiliano Masi: The biggest problem we have is regarding the integration with the national connector on the national infrastructure side
3. AOB
- What is the status on the version number of certificates? It should be 5 according to Massi
- This has also to be communicated to the Member States
- Do we need more certificates for the use of SMP/SML?
- SMP puts the signature on the metadata => against epSOS current model
- According to Massi, we may need additional certificates. Joao also refers to DIGIT impact analysis
4. Next meeting
Will be organized ad hoc
5. Next steps
...