© OASIS 2004 Overview of OASIS Process and Technical Work ITU-T SG17 meeting Geneva, 11 March 2004 Karl Best, OASIS

Upload: conrad-carter

Post on 26-Dec-2015


Page 1:

Overview of OASIS Process and Technical Work

ITU-T SG17 meeting

Geneva, 11 March 2004

Karl Best, OASIS

Page 2:

oasis-open.org

Agenda

Who is OASIS

The OASIS Conceptual Model

Why Standards

OASIS work in Security

Page 3:

Who is OASIS?

Page 4:

Overview

OASIS is an international consortium dedicated to developing and promoting the adoption of e-business specifications

Member-elected Board of Directors and Technical Advisory Board; member-driven standards process

Members of OASIS are providers, users and specialists of standards-based technologies and include organizations, individuals, industry groups, and government agencies.

International, not-for-profit, open, independent

Successful through industry-wide collaboration

Page 5:

OASIS technical work

The OASIS technical agenda is set by our members; bottom-up approach

Technical committees formed by the proposal of our members

Each Technical Committee sets its own scope, schedule, and deliverables

More than 60 Technical Committees in a variety of topic areas: E-business, Security, Web services, Public sector

Page 6:

OASIS standards process

Specifications are created under an open, democratic, vendor-neutral process

Any interested parties may either participate or comment

No one organization can dictate the specification

Ensures that specifications meet everyone’s needs, not just largest players’

All discussion open to public inspection and comment

Bi-level approval process: TC approves Committee Draft; OASIS members approve OASIS Standard

Resulting work is representative of a broad range of industry, not just any one vendor’s view

Page 7:

Progression/Approval of OASIS technical work

1. Any three or more OASIS members propose creation of a technical committee (TC)

2. Existing technical work submitted to TC; or TC starts work at the beginning. TC conducts and completes technical work; open and publicly viewable

3. TC votes to approve work as an OASIS Committee Draft

4. TC conducts public review, and three or more OASIS members must implement the specification

5. TC revises and re-approves the specification

6. TC votes to submit the Committee Draft to OASIS membership for consideration

7. OASIS membership reviews, approves the Committee Draft as an OASIS Standard

Page 8:

What sets OASIS apart

Established, legitimate, and neutral

Published and consistent rules and process

High degree of open access, publicly visible, accountable

High degree of responsible coordination with other SDOs

Page 9:

The OASIS Conceptual Model

Page 10:

Purpose of a Conceptual Model

A model to describe the technical activities of industry organizations

Descriptive, not Prescriptive

Identify overlaps for the purpose of increasing collaboration

Identify gaps for the purpose of starting new work

Page 11:

Previous Work: ISO Open EDI Model

Source: ISO/IEC 14662, “Information Technology – Open-EDI Reference Model”, First Edition, December 15, 1997

Page 12:

Previous Work: BIC B2B Model

Source: Business Internet Consortium (BIC) Whitepaper, “High-Level Conceptual Model for B2B Integration”, March 02, 2002

Page 13:

OASIS Conceptual Model for eBusiness standards

[Diagram. Labels: Quality of Services; Management; Security; Conformance and Interoperability; XML Syntax; Network; Transport; Generalized Processes; Specialized Processes; Generalized Content; Specialized Content; Messaging; Service Description Language; Presentation Description; Transaction Patterns; Transaction Instance; Repository; Registry / Directory; Process Description Language; Content Definition Language]

Page 14:

OASIS Conceptual Model: populated

[Diagram. Labels: Quality of Services; Management; Security; Conformance and Interoperability; Network; Transport; Generalized Processes; Specialized Processes; Generalized Content; Specialized Content; Transaction Patterns; Transaction Instance; XML Syntax; Messaging; Service Description Language; Presentation Description; Repository; Registry / Directory; Process Description Language; Content Definition Language]

Technical committees shown on the diagram, with the count given for each group:

Auto-Repair, C-Trade, Education, eGovernment, ElectionML, eProcurement, Emergency, LegalXML (8), MaterialsML, PLCS, ProdPS, TaxXML: 19

ASAP, BCM, BTP, CAM, ebXML-BP, FWSI, TransWS, WSBPEL: 8

XACML, AVDL, XCBF, DSS, DSML, XRI, PKI, RLTC, SAML, SPML, WAS, WSDM, WSS: 13

Entity-Resolution, RELAX-NG, Topic Maps (3): 5

UIML, WSRP, HumanML: 3

DSS, ebXML-RegRep, UDDI: 3

ebXML-CPPA: 1

ebXML-MSG, WSRM: 2

Conformance, ebXML-IIC, XSLT-Conformance: 3

CIQ, UBL, Doc-Book, XLIFF, OpenOffice: 5

Page 15:

OASIS Conceptual Model: populated

[Diagram. Labels: Quality of Services; Management; Security; Conformance and Interoperability; Network; Transport; Generalized Processes; Specialized Processes; Generalized Content; Specialized Content; Transaction Patterns; Transaction Instance; XML Syntax; Messaging; Service Description Language; Presentation Description; Repository; Registry / Directory; Process Description Language; Content Definition Language]

Technical committees shown on the diagram, with the count given for each group:

Auto-Repair, C-Trade, Education, eGovernment, ElectionML, eProcurement, Emergency, LegalXML (8), MaterialsML, PLCS, ProdPS, TaxXML: 19

ASAP, BCM, BTP, CAM, ebXML-BP, FWSI, TransWS, WSBPEL: 8

XACML, AVDL, XCBF, DSS, DSML, XRI, PKI, RLTC, SAML, SPML, WAS, WSDM, WSS: 13

UIML, WSRP, HumanML: 3

DSS, ebXML-RegRep, UDDI: 3

ebXML-CPPA: 1

ebXML-MSG, WSRM: 2

CIQ, UBL, Doc-Book, XLIFF, OpenOffice: 5

Entity-Resolution, RELAX-NG, Topic Maps (3): 5

Conformance, ebXML-IIC, XSLT-Conformance: 3

Legend: Final approval; Preliminary approval (as of Dec 2003)

Page 16:

Common transport (HTTP, etc.)

Common language (XML)

Viewing web services as a related set of functions

Service Discovery

Service Description

Orchestration & Management

Security & Access

Messaging

Data Content

Page 17:

Common transport (HTTP, etc.)

Common language (XML)

Chords: Implementations usually combine functions

Service Discovery

Service Description

Orchestration & Management

Security & Access

Messaging

Data Content

Example: The OASIS Disease Control Interoperability Demo at XML 2003

UBL

XForms

ebXML BP

ebXML Registry

ebXML MSG

ebXML CPP/A

XACML

Page 18:

Why Standards

Page 19:

What is a Standard?

Just anything a single vendor declares is a standard?

Or anything on which two or more vendors agree?

These may be “specifications”, but not “standards” from the OASIS point of view

Standards are specifications developed and/or approved under a:

Published, consistent process

Fair environment, open participation

Transparent, accountable, open operations

Transparent output

Page 20:

What is a standard?

A standard is:

publicly available in stable, persistent versions

developed and approved under a published process

open to public input: public comments, public archives, no NDAs

subject to explicit, disclosed IPR terms

See the US, EU, WTO governmental & treaty definitions of “standards”

Anything else is proprietary:

This is a policy distinction, not a pejorative

Page 21:

Coordination of standards at OASIS

OASIS recognizes the many dependencies across standards organizations

Promote interoperability

Reduce duplication

OASIS participates in and coordinates with many other standards and industry coordination efforts, e.g.,

W3C and OASIS management meetings

ISO/IEC/ITU/ECE e-business coordination MoU

RosettaNet, OMA, AIAG, WS-I, GGF, etc.

Cat A liaisons with TC154, various JTC1 SCs

A.4 and A.5 recognition from ITU-T

Page 22:

Coordination of standards at OASIS

OASIS TCs encouraged to establish liaison with applicable working groups at other organizations

Completed OASIS standards can be submitted to other SDOs; promote adoption of completed and approved work

ebXML specifications submitted to ISO TC154

SAML, XACML submitted to ITU-T SG17

Page 23:

Formula for Sustainable Standards

[Chart. Labels: Market Adoption; Open Standardization; Traction; Sanction; Proprietary, JCV, Consortia, SDO. Plotted items: SGML (ISO); XML (W3C); SOAP v1.1, SOAP v1.2 (W3C); UDDI v2,3 (UDDI.org); WSDL v1.2 (W3C); ebMSG v2 (OASIS); WSDL v1.1; eb Reg v2 (OASIS); WS-S v1.0; BPEL4WS, WS-BPEL (OASIS); WS-S (OASIS); WS--*; ? UDDI v2,3 (OASIS)]

Page 24:

OASIS Work in Security

Page 25:

OASIS Security TCs

Application Vulnerability Description Language (AVDL)

Digital Signature Services (DSS)

eXtensible Access Control Markup Language (XACML)

Provisioning Services

Public Key Infrastructure (PKI)

Rights Language

Page 26:

OASIS Security TCs (cont.)

Security Services (SAML)

Web Application Security (WAS)

Web Services Security (WSS)

XML Common Biometric Format (XCBF)

Page 27:

Application Vulnerability Description Language (AVDL) TC

Started: May 2003

Purpose: create a uniform way of describing application security vulnerabilities; create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks.

Status: ongoing work

Page 28:

Digital Signature Services (DSS) TC

Started: December 2002

Purpose: develop techniques to support the processing of digital signatures, including defining an interface for requesting that a web service produce and/or verify a digital signature.

Status: ongoing work

Page 29:

eXtensible Access Control Markup Language (XACML) TC

Started: May 2001

Purpose: define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML.

Status: XACML v1.0 approved as an OASIS Standard, February 2003; continuing work

Page 30:

Provisioning Services TC

Started: November 2001

Purpose: define an XML-based framework for exchanging information between Provisioning Service Points.

Status: ongoing work

Page 31:

Public Key Infrastructure (PKI) TC

Started: January 2003

Purpose: address issues related to the successful deployment of digital certificates to meet business and security requirements as well as technical and integration/interoperability issues, and increase the awareness of digital certificates as an important component when managing access to network resources.

Status: ongoing work

Page 32:

Rights Language TC

Started: May 2002

Purpose: define an industry standard for a digital rights language that supports a wide variety of business models and has an architecture that provides the flexibility to address the needs of the diverse communities that have recognized the need for a rights language.

Status: ongoing work

Page 33:

Security Services (SAML) TC

Started: January 2001

Purpose: develop an XML framework for exchanging authentication and authorization information.

Status: SAML v1.1 approved as an OASIS Standard, August 2003; continuing work

Page 34:

Web Application Security (WAS) TC

Started: July 2003

Purpose: produce a classification scheme for web security vulnerabilities, a model to provide guidance for initial threat, impact and therefore risk ratings, and an XML schema to describe web security conditions that can be used by both assessment and protection tools.

Status: ongoing work

Page 35:

Web Services Security (WSS) TC

Started: September 2002

Purpose: define Web Services security foundations for higher-level security services which are to be defined in other specifications.

Status: Committee Draft approved and submitted to OASIS membership; approval as OASIS Standard expected end of March 2004

Page 36:

XML Common Biometric Format (XCBF) TC

Started: March 2002

Purpose: define a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529). These XML encodings are based on the ASN.1 schema defined in ANSI X9.84:2003 Biometrics Information Management and Security.

Status: XCBF v1.0 approved as an OASIS Standard, August 2003; continuing work

Page 37:

www.xml.org www.xml.coverpages.org

www.oasis-open.org