OpenNCP Technical Committee Meeting

07 Jan 2016 

Estimated - 13:00 to 14:00 CET

Performed - 13:15 to 14:30 CET

AGENDA

0. Housekeeping (Michèle)

1. Way of working of the committee in 2016

• Members presentation
• Role of the committee
• Decision on meeting days / times for the Spring 2016

2. Discussion on security and stress tests done in 2015

• Presentation of the results (Jerôme)
• Discussion of necessary fixes and their implications to OpenNCP architecture
• Assignments for the Task force to fix selected issues and roadmap for new release

3. Development status

• Fixing of release issues 2.4 missing links, broken links (Marcello)
• Certificate & relaxation (service provider/consumer), such certificates do not pass the Gazelle test (Stephane)
• Previous meetings topics:

a. CDA Display Tool Update + Model-Based Validator

b. SMP/SML (João + Tech Committee + EC Team);

c. eID (we may not have Alexandre with us);

4. AOB

• Release management

5. Next meeting

PARTICIPANTS

Today's Meeting Participants:

Alexandre Santos

Heiko Zimmermann

Joao Cunha

Kostas Karkaletsis

Marcello Melgara

Massimiliano Masi

Mustafa Yuksel

Stéphane Spahni

S

Natasha Carl

Nathan Taku

MEETING NOTES

0. Housekeeping (Michèle)

1. Way of working of the committee in 2016

• New governance in 2016, EC is leading the different Committees. This is therefore the 1rst Technical Committee led by EC.
  The mission of the Technical Committee is to provide guidance and decision on the following topics:
  • architecture
  • quality assurance
  • roadmap & release management
• Every attendee introduced himself to the team. The members of the Committee have an expertise on OpenNCP, some are in the project since the very beginning.
  List of members = list of today's attendeed? michele.foucart, list to be confirmed with the participants
  

  • Stephane Spahni (Public sector, Hospital Universitaires Geneve)

  • Heiko Zimmermann (Public sector, Agence eSante Luxembourg)

  • Kostas Karkaletsis (Private sector, Gnomon)

  • Jerome Subiger (Public sector, EC)

  • Natasha Carl (Public sector, EC)

  • Mustafa  Yuksel (Private sector, SRDC)

  • Alexandre Santos
  • Joao Cunha
  • Marcello Melgara
  • Massimiliano Masi
• The team agrees on the set-up, time and frequency of the meeting (Thursday 1pm, every 2 weeks)

2. Discussion on security and stress tests done in 2015

• Presentation of the results (Jerôme & Nathan)
  • Tests executed on the full chain, from the client & the NCP.
  • The second phase will be to do stress & security tests component per component
  • Some issues, mainly related to the logs file - Kostas did already made the fixes
    • Normalization of the log system/hierarchy
    • other issues but more related to the configuration server
      
      • proposition is to write guidelines, defining the setting of the server
      • Alexandre Santos: one of the issue is the normalization (e.g. on accessing the components, there are different ways of logging events). This will be done step by step on the components
    • Massimiliano Masi: there are deviation of the OpenNCP implementation towards specifications The openNCP created some components (secu manager...) wrong in different context. e.g. invalide key...
    • • Joao Cunha

        During the central services assessment in the scope of e-SENS SMP/SML, some security relaxations were identified in the document "eHealth cross border central services status quo and outlook", authored by me and Uwe Roth (LIST). The new document that was agreed to be prepared by me, Massi and Kostas can recover those security relaxations, easing some of the work.

        => This document can be the starting point and will be shared. 

• • • • Massimiliano Masi, Kostas Karkaletsis Joao Cunha: Collaborate on the document and share with the Community

• • S: assersion issue, there is a distinction to be made between assersions to sign messages (HCPA) & user assersions

• • Set-up of a security task force led byS 
    • Kostas Karkaletsis, Stéphane Spahni
    • If there are other volunteers in the future, they are welcome and free to join.
    • Documents will be shared only within the task force
      
      

Alexandre Santos: there are few things that need to be separated

• issues related to the portal, cross site scripting...should not be the main focus here, because portal is a reference implementation only
• code quality: new approach, very small team of developers responsible for every commit on the repository, so indeed there is a need for quality review
  
  • DG SANTE is responsible for the quality Assurance

• • Set-up of a release management task force led by Natasha Carl
    • Alexandre Santos also wants to participate. Alexandre was responsible for the release management
    • Marcello Melgara can be in the loop

3. Development status

• Fixing of release issues 2.4 missing links, broken links (Marcello)
  • Alexandre Santos has created a new version of the portal that was available to the team after the expandathon, now available on join up server
  • some issues on connector TSL editor are now synchronized on join up server + issue with Lombardy...asked support team joinup to reindex. Joinup is now clean
• try to recompile the terminator component, now the join up server is indexed
• issue with the CDA display tool - don't know what is the last version of the component of the CDA tool => Marcello says that we should first have it right
• Certificate & relaxation (service provider/consumer), such certificates do not pass the Gazelle test (Stephane) - all related to the security task force. different certificates. earlier it was separate certificates => following stephane this is a regression with regards to security. service provider & receiver

4. AOB

• Reminder from YacoubouY to upload the tsl files, since we only received a few until now
  

   

5. Next meeting

• • michele.foucart Next meeting schedule: 21 Jan 2016 13:00 CET (to be confirmed)
  • task force security: S to organize somewhere next week
  • task force release management: Natasha Carl to organize