Google Site Search


Thursday, June 26, 2008

JBoss - Kerberos/SPNEGO etc

Darran has released the first beta version of the JBoss Negotiation project that enables applications to use SPNEGO. Things like Windows Desktop SSO against Active Directory or SSO against a Kerberos server etc should work for you.

Please find more information here:
JBoss Negotiation Wiki

NOTE: JBoss Negotiation will be the OFFICIAL kerberos related implementation for JBoss. If not, what is the point of starting the project and working on it. You agree?

UPDATE (Nov 14, 2008): Some minor tasks plus doc work remain to go before GA. You can use the CR versions.

Wednesday, June 25, 2008

Oasis Cross-Enterprise Security And Privacy Authorization (XSPA) Technical Committee

Mark and I have supported a proposed Oasis Technical Committee Charter.


1a. Name
OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) TC

1b. Statement of Purpose
Enterprises, including the healthcare enterprise, need a mechanism to exchange
privacy policies, consent directives and authorizations in an interoperable
manner. At this time, there is no standard that provides a cross-enterprise
security and privacy profile. The OASIS Cross-Enterprise Security and Privacy
Authorization (XSPA) TC will address this gap.

The need for an XSPA profile has been identified by the security and privacy
working group of the Healthcare Information Technology Standards Panel (HITSP).
HITSP is an ANSI-sponsored body charged with identifying standard building
blocks that can be leveraged to implement common healthcare use cases. The XSPA
profile will require the participation of subject matter experts in several
areas, including WS-Federation, SAML, WS-Trust, and possibly others noted below.
OASIS has the unique combination of member expertise necessary to complete this

The purpose of the XSPA profile is to address common needs: allow parties to
adopt a set of methods that, taken together, will enable them immediately
interoperate with other diverse participants in the same data exchanges; use
readily available open standards, so that participation is broadly possible
without significant licensing limitations, hardware or software choice
constraints or single-source vendor risks; and provide a fully specified stack
or set of specifications or options, all known to be interoperable. The
foregoing needs are especially acute when the use of a particular set of methods
is mandated, either by law or as a practical matter by its adoption by central
actors in a mandatory system.

Governmental health regulators are increasingly requiring certain parties
exchange health and health payment information (such as personal health records,
and itemize statements of health care charges and benefit payments) in
electronic form, and use sets of data standards identified as broadly suitable
and secure. Similar government-sponsored or government-encouraged
standardization projects are underway in many other countries. The XSPA profile
will provide another "building block" in the creation of large scale
interoperability of health information. These profiles will also aid in
achieving interoperability for secure data exchange among various health care
entities including providers, hospitals, pharmacies and insurance companies. It
is envisioned that the work produced by this committee will also help the
National Health Information Network (NHIN) in the US for secure data exchange.

It specifying the XSPA profile, where stable open standards exist, they should
be noted and adopted. Where functions are not available, or some connective
choices or additional material is required, it will be created. Doing so is the
purpose for this committee's creation.

The profile specified by this TC will have broad applicability to health
communities beyond the regulated portion of U.S. healthcare data transactions
that the HITSP panel is directed to address. Use cases from other instances of
cognate data exchanges, particularly in healthcare privacy contexts, may be
solicited and used to improve the TC's work. However, the first priority of
this committee will be to deliver and demonstrate sets of standards-based
methods that fulfill the identified security & privacy functions needed by
HITSP's specifications of functions and mandates.

The XSPA TC may also cover a more general enterprise server profile which will
provide the building blocks for business models and industry applications. Some
of the models investigated will include enterprise security and more generally
SOA security. Application of how these security and privacy models apply to
different industry sectors, including domains such as finance where privacy
rights must be supported, will also be investigated if time permits.

1c. Scope
The purpose of the TC is to specify sets of stable open standards and profiles,
and create other standards or profiles as needed, to fulfill the security and
privacy functions identified by the functions and data practices identified by
HITSP, or specified in its use cases, as all are mandated or specified from time
to time. These functions will at a minimum support the HITSP Access Control
Transaction Package specification TP20, including those access control
capabilities required to support the HITSP Manage Consent Directive Package
specification TP30. This includes the support of reliable and auditable methods
to identify, select and confirm the personal identity, official authorization
status, and role data for the subjects, senders, receivers and intermediaries of
electronic data; data needed to convey and/or enforce permitted operations on
resources and associated conditions and obligations; and reasonable measures to
secure and maintain the privacy and integrity of that data from end to end.

1. The TC may identify existing, stable open standards, and sets of standards,
and alternative standards, extensions and profiles, for fulfilling each of the
HITSP-identified functions and use cases. Where HITSP subject-matter-specific
profiles have already identified such standards as recommended, those approved
standards will be included in the TC's identified sets of standards. Where the
TC identifies elements or alternatives not already so identified as recommended,
the TC should, if it believes the additional alternatives are necessary or
advisable, recommend their inclusion to the appropriate HITSP expert panel.

2. The TC may create and approve specifications, and extensions or profiles of
specifications, as needed to fulfill HITSP-identified functions and use cases
not satisfied by existing stable open standards. Contributions made to the
committee for work issued by the committee itself will be subject to the OASIS
IPR Policy. Any such work must include appropriate conformance clause or test
information. Such work will be recommended for inclusion, as appropriate, in
the standing recommendations of the appropriate HITSP expert panel.

3. The TC may elect, in the above specifications, extensions or profile, to
indicate methods for the fulfillment of other publicly-available health-related
use cases (or mandates), or functions described in those use cases (or
mandates), including from other regions and other regulatory regimes; and may
elect to create and approve additional specifications, and extensions or
profiles of specifications, as needed, to fulfill those use cases or component

4. The TC may elect to elaborate or extend any of the above use cases or
functions, publish the same and create additional standards, profiles or
extensions to support those augmented use cases or functional descriptions. In
any such augmented work the TC must specify whether it is intended to fulfill an
HITSP (or other) mandate. Any such work must include appropriate conformance
clause or test information. Such work completed may be recommended for
inclusion, as appropriate, in the recommendations or reports of any relevant
health regulatory or advisory body.

5. The TC may elect to create supplemental information regarding the above
matters such as demonstrations, implementation guides, best practices, FAQs, or
other explanatory, implementation or promotional material as it may deem useful.

6. In all of its work, the TC should, to the extent feasible, prefer widely
implementable, widely interoperable, modular standards, extensions, profiles and
methods that permit use by a variety of participants with diverse hardware,
software, data architecture and messaging practices. The TC intends to ask
OASIS to contribute all or part of its final work, as relevant, HITSP or related
panels for incorporation into its recommendations and mandates.

1d. List of Deliverables
1. A list of the specific HITSP use cases and functions that the TC plans to
fulfill, by October 2008.

2. A set of specifications, sets, profiles and extensions, as described in
paragraphs #1 and #2 under 'Scope', to fulfill each of the HITSP use cases and
functions identified for fulfillment in deliverable paragraph #1, with the first
such specification or profile to be approved as a Committee Specification by
[December 2008], and the remainder if any to be approved by Committee
Specifications by [June 2009]. The TC may elect to create one or more of such
deliverables in whatever combinations it deems appropriate.

3. An interoperability demonstration of the XSPA profile, consistent with
paragraph #5 under 'Scope,' demonstrating the end-to-end enforcement of
healthcare security policy at the HIMSS (Healthcare Information and Management
Systems Society) meeting (April 2009).

4. Optionally, such other deliverables (e.g., those listed in paragraphs 1-6
under 'Scope') as the TC may elect, until the later of December 2009 or such
later date as the TC may elect to conclude.

1e. IPR Mode:
Royalty Free on Limited Terms under the OASIS IPR Policy

1f. Anticipated Audiences:
Health-related data transaction participants, especially in exchanges subject to
security or privacy regulation; regulators of healthcare, health payment and
personal privacy; vendors and integrators supplying products or services to the
foregoing; and, secondarily, participants in regulated or closely monitored
data exchanges with privacy and security requirements in other topical fields.

1g. Language:

(2) Non-normative information regarding the startup of the TC, which includes:
(2)(a) Identification of similar or applicable work that is being done in other
OASIS TCs or by other organizations, why there is a need for another effort in
this area and how this proposed TC will be different, and what level of liaison
will be pursued with these other organizations.

The proposed Cross-Enterprise Security and Privacy Authorization (XSPA) TC will
be incorporating several standards in a profile allowing the exchange of privacy
policies, consent directives and authorizations in an interoperable manner. The
need for an XSPA profile has been identified by the security and privacy working
group of the ANSI-sponsored Healthcare Information Technology Standards Panel
(HITSP). No other organization is addressing this identified gap in standards.
The profile will use standards from several OASIS TCs: SAML (SSTC), WS-Trust
(WS-SX) and XACML. Liaison will be established by concurrent work items in the
cited TCs' area of expertise.

(2)(b) The date, time, and location of the first meeting, whether it will be
held in person or by telephone, and who will sponsor this first meeting. The
first meeting of a TC shall occur no less than 30 days after the announcement of
its formation in the case of a meeting held exclusively by telephone or other
electronic means, and no less than 45 days after the announcement of its
formation in the case of a meeting held face-to-face (whether or not a telephone
bridge is also available).

The proposed XSPA TC will hold the first official meeting on August 8, 2008 by
telephone and will use a free conference call service.

(2)(c) The projected on-going meeting schedule for the year following the
formation of the TC, or until the projected date of the final deliverable,
whichever comes first, and who will be expected to sponsor these meetings.
The TC will meet biweekly or as otherwise agreed upon by the members of the
technical committee.

(2)(d) The names, electronic mail addresses, and membership affiliations of at
least Minimum Membership who support this proposal and are committed to the
Charter and projected meeting schedule.
Mark Little (Redhat)
Anil Saldhana (Redhat)
Sampo Kellomki (Symlabs)
Anil Tappetla (Cisco)
David Staggs (Veterans Health Administration)

(2)(e) The name of the Convener who must be an Eligible Person.
David Staggs.

(2)(f) The name of the Member Section with which the TC intends to affiliate, if

(2)(g) Optionally, a list of contributions of existing technical work that the
proposers anticipate will be made to this TC.

(2)(h) Optionally, a draft Frequently Asked Questions (FAQ) document regarding
the planned scope of the TC, for posting on the TC's website.
To be provided at a later date.

(2)(i) Optionally, a proposed working title and acronym for the specification(s)
to be developed by the TC.
To be provided at a later date.

I strongly feel that this TC is a great step toward health care security.

Friday, June 20, 2008

Would you go any lengths to protect Customer Data?

If no, why NOT?

With widespread reports of data breaches and frequents postal mails from enterprises to users/customers that their data/accounts/secrets may be compromised, it is high time the industry took steps to ensure that all data is encrypted and safe.

Here is a recent story of a Citibank system being hacked to go on an ATM theft spree in New York City. The comments on the post do claim that it is not possible for anyone to hack in to a system and get pins but is it correct? I am unsure.
Citibank Hack Blamed for Alleged ATM Crime Spree

The dust has not yet settled on the massive TJMaxx breach which has been the worst data breach.

Digital certificates/https, SSL, EV Certificates can ensure Identity and safe transport of information over the wire, but are we SURE that controls exists beyond the url for our data/information? Only time will tell. The PCI-DSS standard is a welcome change in this regard.

As architects and stakeholders, I fervently wish that everyone takes this issue of data security a little more seriously and make it part of the design process upfront and not as an after-thought or a reactive fix. :)

I am quite hopeful that the upcoming OASIS EKMI Standard will provide a decent specification to implement Symmetric Key Management for applications. Even though the charter seems ambitious (management at the applications level), it does provide practical all-round security. We are not talking about an infrastructure to encrypt data across multiple enterprises. If we are able to encrypt and properly manage keys within an enterprise, then majority of the job is well done.

A British Law requires the submission of the encryption keys when law enforcement officers demand. It is called the "Regulation of Investigatory Powers Act 2000" It does not help for an enterprise if the keys are dispersed all around the enterprise or embedded within applications.

Here is an alarming report about how SSNs are vulnerable.
Uses of Social Security Numbers in the Private Sector:
Why SSNs Are Not Appropriate for Authentication

Social Security numbers fall into the category of something one knows. The problem is that one’s SSN is widely known. It’s not all that difficult to obtain if you are a criminal engaged in the types of identity-related fraud that I mentioned earlier.


Thursday, June 19, 2008

Oasis Open Standards Forum in London

At the end of September and beginning of October, OASIS is holding a very important forum in London.

I am on the Program Management Committee for this forum which has an apt theme "Security Challenges for the Information Society".

-Image source from Oasis Event Page (

Gerry Gebel from Burton, an analyst I envy and a good friend (ok, or a person I know) is one of the Keynote speakers.

So if you are going to be in the region around that time, this forum is for you.

I am pretty excited about this forum because it not only covers all the advances in the Federated Identity Space, but also some of my favourite topics such as E-Gov Security, Browsers Security, Healthcare Security, Key Management and Access Control.

Gerry's Bio:
Gerry Gebel, Vice President and Service Director for Burton Group Identity and Privacy Strategies

Gerry covers identity management, federation, entitlement management, user provisioning, authentication technologies, directories, privacy issues, and PKI. Since joining Burton Group in 2000, Gerry has written numerous reports and articles on these topics. Gerry has also been instrumental in advancing the state of identity-based interoperability by leading demonstration projects for federation, entitlement management, and user-centric standards and specifications. Prior to joining Burton Group, Gerry gained experience in architecture, engineering, integration, and production support of mainframe, client sever and distributed systems in the financial services industry since 1986. Gerry was a founding member of Securities Industry Middleware Council (SIMC), a vertical industry organization representing the securities industry to the IT provider community and served as council vice president and Security Focus Group chairman.

Call for SAML Profiling

Please take a look at the following call for saml profiles:

Note: The Oasis Security Services Technical Committee (SSTC) is issuing this call.

The SSTC is issuing a "call for profiling intentions" in order to organize its work for the next several months. If you are planning to submit a SAML profile, binding, or extension to the SSTC for its consideration sometime soon(ish), please drop me a note with a proposed title, short abstract/rationale, and the timeframe in which you plan to bring the draft to the SSTC.

Similarly, if you are working on a SAML profile or extension in your own venue and want to seek the SSTC's guidance, let us know that as well.

Please let us know by Friday, July 25 of your plans so we can put together a comprehensive plan for SSTC activities through the fall.

Tuesday, June 17, 2008

Mozilla Firefox 3 will be released today (June 17th)

Ok, my good friend at Mozilla Foundation, the Human Shield (Johnathan Nightingale) has confirmed that Firefox v3.0 will be released today (JUne 17th, 2008). You can check out his blog entry at:

Go catch a party or get ready for the Guiness World Record.

Firefox 3 is a very important release with tons of Security features (that does include EV Certificates).

Q: When will Fedora 9 have Firefox 3?
(09:43:55 AM) anil: johnath: is ff3 a go today?
(09:50:54 AM) johnath: anil: it is, yes
(09:52:13 AM) anil: johnath: bring it on man
(09:52:42 AM) johnath: you signed up to be part of the world record?
(09:53:04 AM) anil: johnath: where is it?
(09:53:18 AM) ***johnath offers generic backgrounder:
(09:54:18 AM) johnath: anil^^
(09:54:56 AM) anil: johnath: seeing it man.
(09:55:04 AM) anil: johnath: when will fedora 9 have ff3
(09:55:19 AM) anil: johnath: not yet got any answers yet from fedora guys
(09:55:41 AM) johnath: soon - we generally work with the distros to make that process as easy as possible - I don't know a date, though, just that discussions are active and ongoing