Estimated - 11:00 to 12:00 CET.
Performed - 11:00 to 12:20 CET.
Room Passcode: (Ask if necessary)
-----------------------------------------------------------------------------------------------------------------------------
If you have never attended an Adobe Connect meeting before:
Test your connection: http://ec-wacs.adobeconnect.com/common/help/en/support/meeting_test.htm
Get a quick overview: http://www.adobe.com/products/adobeconnect.html
Today's Meeting Participants:
Relaxations can be applied to PPT but not to OP (not a relaxation, just a statement) 1
Massimiliano Masi Just a statement about PPT.
Some PN were also unable to obtain a compliant set of certificates from a Trusted Third Party provider due to organisational constraints (CAs are not required to be authorized by the national authorities listed on the European TSL list.) 2, 7, 8
Massimiliano Masi Same as point 2 about signatures. PN get their certificates from their own certificate authorities. The epSOS trust list was established from a legal agreement.
S Ask about the PKI model, but this is linked to the use of building blocks (CEF).
The previous relaxation has led NCP operators / TSLSync to import certificates from the central services without validity/revocation checks. 7, 8
Massimiliano Masi and Kostas Karkaletsis Related to section 2. The same class that checks the certificate profiles also checks the validity of the certificates to be imported.
Lack of VPN connection between central services and NCPs: planned but never implemented 9
Massimiliano Masi Behind SMP task force.
Joao Cunha A VPN connection between CS is not mandatory; not sure if it should be applied to the current TSL.
OpenNCPs are not ATNA Secure Nodes 9
The TSL file is signed by a non-TL certificate (NCP signature certificate) 9
Massimiliano Masi Signing with the NCP signature certificate is not correct; not a software problem but an organisational problem. The signature must be checked as explained in point 2.
Kostas Karkaletsis 3.4 or 3.A certificate process (check).
Certain certificates can be merged/combined. Instead of 5 certificates an NCP can use only 3. 7, 8 (to be confirmed)
Massimiliano Masi Same as 7. Waiting for info from Stéphane Spahni.
Some certificate attribute deviations by some countries (e.g. France) 7, 8 (to be confirmed)
Massimiliano Masi Same as 7. Waiting for info from Stéphane Spahni.
No proper signature verification of NSL lists (TSL-Sync doesn't verify the TSL file) 7, 8
Massimiliano Masi Same as 7. Not a software topic. Waiting for info from Stéphane Spahni.
NCP-to-NCP messages are not signed (signatures are only applied to the assertions) 7, 8, 3 - section 5.5.2
Massimiliano Masi How is the epSOS message protected (VPN at the network layer, TLS identification of the endpoint)? The assertion supports the evaluation of the message. What is missing is the protection token of the message. Now in 2016, something must be done; ask the TC for per-message signatures or secure conversation? (important) The suggestion is to learn from TB and use per-message signing. It may create performance issues.
Current architecture doesn't respect differentiation between Trust Zones
Massimiliano Masi OpenNCP implements security relaxations.
ATNA log file format: epSOS log files were based on RFC 3881, which was deprecated by IHE and IETF. The audit log is now based on the DICOM audit schema, which OpenNCP doesn't support. 5 (not sure if this fits in this list)
This is not a security relaxation. Related to the audit trail, not to the secure node.
No separate secure storage for audit trails 6 - section 6.8.1 (to be confirmed)
D3.A.7 epSOS EED AuditTrail states in Appendix A: "One should not constrain where audit data is stored as long as the defined security requirements are followed." with the subsequent change made: "Requirement for storing audit data outside the NCP was dropped."
Massimiliano Masi Audit trails and non-repudiation: long story. The definition of storage has never been worked out. I would ask either someone from SANTE or e-SENS for a study about the storage of the evidence. Next bi-weekly.
Non-repudiation: no signed acknowledgement for every received message 6 - section 7.8.1 (to be confirmed) (Is this somehow related to #11?)
This is ETSI REM
No WorkflowManager: Liferay Portal implements business logic.
Massimiliano Masi Same as point m).
IdA: XSPA role "medical doctor" is not among the list of possible values in D3.A.7 epSOS EED SAML Binding v1.1 - 2.3, but it's used in the sample assertion (not sure if this is a relaxation, it's just something I noticed)
Joao Cunha Is it an issue? Next bi-weekly: Markus.
TSL-Editor creates TSL files with fields marked in the specification as "MUST NOT be used for epSOS".
Massimiliano Masi It's a bug. Try to find out the list.
Somehow related to #16. The Liferay bus implements the business logic, which has never been specified by epSOS. The portal MUST NOT be required to run the OpenNCP gateway. The IdA MUST NOT be used by the portal; instead the Workflow Manager MUST inject the credentials from the NI (e.g., the portal, or the hospital) to respect the framework agreement. The trust model is based on brokered trust, which is implemented by the NCP-B STS (which is not implemented). Portals and hospitals MUST use the Workflow Manager to connect (not just APIs, but a living component).
Massimiliano Masi If NCP-A accepts assertions generated by the client and not by NCP-B, it does not respect the framework agreement.
EPSOS_PROP is an environment variable that should not be trusted (https://www.securecoding.cert.org/confluence/display/java/ENV02-J.+Do+not+trust+the+values+of+environment+variables). It was actually introduced to interoperate among the common components. Attackers can easily poison environment variables, and whoever controls the process environment then controls which configuration the gateway loads. In general, how is secure coding done?
Massimiliano Masi Shortcut to use and configure all components; discuss in the TC and STF how to replace or change it.
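As an added example (not OpenNCP code, and not part of the meeting notes), the following Java shows the ENV02-J pattern discussed above and one way to take the environment out of the trust boundary: the configuration base directory comes from the deployer (service unit, application server, command line) rather than from the environment, and every resolved file is checked to stay inside it. Class and method names are hypothetical; the sample properties file is constructed in a temporary directory.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

// Hypothetical class, written for this example; not OpenNCP's configuration loader.
public class ConfigLocation {

    // The pattern under discussion (simplified): whoever controls the process
    // environment decides which directory the configuration is read from.
    // Shown for contrast only; main() does not exercise it.
    static Properties loadTrustingEnvironment(String fileName) throws IOException {
        String base = System.getenv("EPSOS_PROP");          // attacker-influenced, may be null
        Path file = Paths.get(base, fileName);              // no canonicalisation, no bound
        try (InputStream in = Files.newInputStream(file)) {
            Properties p = new Properties();
            p.load(in);
            return p;
        }
    }

    // Hardened variant: the base directory is supplied by the deployer and the
    // resolved path is canonicalised (symlinks and ".." resolved) and required
    // to stay under it. A file that does not exist fails closed with an IOException.
    static Path resolveInside(Path trustedBase, String fileName) throws IOException {
        Path base = trustedBase.toRealPath();
        Path real = base.resolve(fileName).toRealPath();
        if (!real.startsWith(base)) {
            throw new SecurityException("configuration path escapes " + base + ": " + fileName);
        }
        return real;
    }

    static Properties loadFromTrustedBase(Path trustedBase, String fileName) throws IOException {
        Path file = resolveInside(trustedBase, fileName);
        try (InputStream in = Files.newInputStream(file)) {
            Properties p = new Properties();
            p.load(in);
            return p;
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a throw-away base directory with one properties
        // file, and one file outside it that an attacker would like us to load.
        Path base = Files.createTempDirectory("epsos-props");
        Files.write(base.resolve("ncp.properties"),
                "ncp.country=AT\n".getBytes(StandardCharsets.UTF_8));
        Path outside = Files.createTempFile("outside", ".properties");
        try {
            Properties ok = loadFromTrustedBase(base, "ncp.properties");
            System.out.println("loaded ncp.country=" + ok.getProperty("ncp.country"));

            // Same temp directory as base, reached via "..": must be rejected.
            try {
                loadFromTrustedBase(base, "../" + outside.getFileName());
                System.out.println("unexpected: traversal accepted");
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        } finally {
            Files.deleteIfExists(outside);
            Files.deleteIfExists(base.resolve("ncp.properties"));
            Files.deleteIfExists(base);
        }
    }
}
```

Run with `java ConfigLocation.java` (Java 11 or later). The point is not the particular check but where the base directory comes from: once it is a deployer-controlled argument rather than an environment variable, the common components can still share one configuration location without letting the process environment choose it.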
No Application server environment:
As an infrastructure portal, Liferay Portal can support over 3,300 concurrent users on a single server with mean login times under half a second and a maximum throughput of 79+ logins per second. The OpenNCP portal shows significant degradation after 40 concurrent logins (true?). Since the same components are used by the gateway (high coupling), OpenNCP is not built for large data transfers. This makes it vulnerable to DoS attacks.
Massimiliano Masi Load test results.
Missing Access Control context:
Kostas Karkaletsis Inspect the code of Policy Manager component.
AOB:
In general, I would appreciate starting with decoupling the NCP from the portal and creating the workflow manager and STS. This will be a significant improvement with respect to the above-mentioned relaxations and the security issues highlighted by the Security TF.
Documentation: