Cybersecurity

The OASIS Cyber Threat Intelligence (CTI) TC was chartered to define a set of information representations and protocols to address the need to model, analyze, and share cyber threat intelligence. In the initial phase of TC work, three specifications will be transitioned from the US Department of Homeland Security (DHS) for development and standardization under the OASIS open standards process: STIX (Structured Threat Information Expression), TAXII (Trusted Automated Exchange of Indicator Information), and CybOX (Cyber Observable Expression).
 
The OASIS CTI Technical Committee will:

• define composable information sharing services for peer-to-peer, hub-and-spoke, and source subscriber threat intelligence sharing models
• develop standardized representations for campaigns, threat actors, incidents, tactics techniques and procedures (TTPs), indicators, exploit targets, observables, and courses of action
• develop formal models that allow organizations to develop their own standards-based sharing architectures to meet specific needs

The DSS-X TC is developing new profiles of the existing OASIS Digital Signature Services core protocol "Digital Signature Service Core Protocols, Elements, and Bindings Version 1.0" and is maintaining this specification and its existing profiles. If at a later date it becomes clear that a new version of DSS is necessary then this may be produced by the TC.

DSS-X is also working on promotion of the standard and the creation of material helping dissemination. In general terms, the TC has the goal to facilitate the processing of digital signatures and time stamps in a client server environment.

The DSS-X TC is a member of the IDtrust Member Section.

The OASIS Trust Elevation TC works to define a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication. The Trust Elevation TC is intended to respond to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC). The Trust Elevation TC promotes interoperability among multiple identity providers--and among multiple identity federations and frameworks--by facilitating clear communication about common and comparable operations to present, evaluate and apply identity [data/assertions] to sets of declared authorization levels.

The XACML Technical Committee defines a core XML schema for representing authorization and entitlement policies.
 
XACML is expected to address fine grained control of authorized activities, the effect of characteristics of the access requestor, the protocol over which the request is made, authorization based on classes of activities, and content introspection (i.e. authorization based on both the requestor and potentially attribute values within the target where the values of the attributes may not be known to the policy writer). XACML is also expected to suggest a policy authorization model to guide implementers of the authorization mechanism.

The OASIS KMIP TC works to define a single, comprehensive protocol for communication between encryption systems and a broad range of new and legacy enterprise applications, including email, databases, and storage devices. By removing redundant, incompatible key management processes, KMIP will provide better data security while at the same time reducing expenditures on multiple products.

The initial focus of this Working Group was the development of mechanisms that provide confidentiality and authentication between DNS Clients and Iterative Resolvers (published as RFCs 7858 and 8094). With proposed standard solutions for the client-to-iterative resolvers published, the working group turns its attention to the development of documents focused on: 1) providing confidentiality to DNS transactions between Iterative Resolvers and Authoritative Servers, 2) measuring the efficacy in preserving privacy in the face pervasive monitoring attacks, and 3) defining operational, policy, and security considerations for DNS operators offering DNS privacy services. Some of the results of this working group may be experimental.There are numerous aspects that differ between DNS exchanges with an iterative resolver and exchanges involving DNS root/authoritative servers. The working group will work with
DNS operators and developers (via the DNSOP WG) to ensure that proposed solutions address key requirements.

The OpenC2 TC was chartered to draft documents, specifications, lexicons or other artifacts to fulfill the needs of cyber security command and control in a standardized manner. The Technical Committee will leverage pre-existing standards to the greatest extent practical, identifying gaps pertaining to the command and control of technologies that provide or support cyber defenses. The TC will base its initial efforts on artifacts generated by the OpenC2 Forum, a community of cyber-security stakeholders that was facilitated by the National Security Agency; the Forum has published a language description document (RC4), actuator profiles, and open source prototype implementations.
 
For more information on the OpenC2 TC, see the TC Charter.
 
OpenC2 TC standing rules can be found under Additional Information.

The OASIS PKCS 11 Technical Committee develops enhancements to improve the PKCS #11 standard for ease of use in code libraries, open source applications, wrappers, and enterprise/COTS products: implementation guidelines, usage tutorials, test scenarios and test suites, interoperability testing, coordination of functional testing, development of conformance profiles, and providing reference implementations.
 
The updated standard provides additional support for mobile and cloud computing use cases: for distributed/federated applications involving key management functions (key generation, distribution, translation, escrow, re-keying); session-based models; virtual devices and virtual keystores; evolving wireless/sensor applications using near field communication (NFC), RFID, Bluetooth, and Wi-Fi.
 
TC members are also designing new mechanisms for API instrumentation, suitable for use in prototyping, profiling, and testing in resource-constrained application environments. These updates enable support for easy integration of PKCS #11 with other cryptographic key management system (CKMS) standards, including a broader range of cryptographic algorithms and CKMS cryptographic service models.

The OASIS PMRM TC works to provide a standards-based framework that will help business process engineers, IT analysts, architects, and developers implement privacy and security policies in their operations. PMRM picks up where broad privacy policies leave off. Most policies describe fair information practices and principles but offer little insight into actual implementation. PMRM provides a guideline or template for developing operational solutions to privacy issues. It also serves as an analytical tool for assessing the completeness of proposed solutions and as the basis for establishing categories and groupings of privacy management controls.

The Security TWG provides architectures and frameworks for the establishment of information security capabilities within the storage networking industry, including that of stored information in heterogeneous environments. The focus of the Security Work Group is directed toward long-term security solutions, taking into account any security inherent in underlying transports or technologies.

The Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.
 
If you are a manager looking for a high-level overview of SAML, the Executive Overview is recommended. If you are looking for a technical introduction to SAML concepts and capabilities, it is recommended to start with the Technical Overview. Additional technical information, including the complete set of SAML specifications, can be found in the knowledgebase at saml.xml.org.

The mission of the Automotive Working Group is to develop Open Web Platform specifications for application developers, including but not limited to HTML5/JavaScript, enabling Web connectivity through in-vehicle infotainment systems and vehicle data access protocols. The API is agnostic with regard to the connection used.
 
This group will develop service specifications for exposing vehicle data and other information around vehicle centric functions.
 
A common pattern will be described to unify the style the different service interfaces are using.
 
The specification(s) produced by this Working Group will include security and privacy considerations.
 
Members of the Working Group should review other working groups' deliverables that are identified as being relevant to the Working Group's mission.
 
Services may include but are not limited to

• Vehicle Data
  • vehicle brand, model, year, fuel type, transmission type, steering wheel position, tire pressure, oil level, wiper position, lights, doors, windows and seat settings as well as navigation, trip computer data, climate control data, speed, RPMs, acceleration, gears, …
• media
  • media control, track lists, …
• navigation
  • route manipulation, points of interests, …