Overview of OASIS Process and Technical Work ITUT

Overview of OASIS Process and Technical Work
ITU-T SG 17 meeting
Geneva, 11 March 2004
Karl Best, OASIS
© OASIS 2004

Agenda
- Who is OASIS
- The OASIS Conceptual Model
- Why Standards
- OASIS work in Security

Who is OASIS?

Overview
- OASIS is an international consortium dedicated to developing and promoting the adoption of e-business specifications
- Member-elected Board of Directors and Technical Advisory Board; member-driven standards process
- Members of OASIS are providers, users and specialists of standards-based technologies and include organizations, individuals, industry groups, and government agencies.
- International, not-for-profit, open, independent
- Successful through industry-wide collaboration

OASIS technical work
- The OASIS technical agenda is set by our members; bottom-up approach
- Technical committees formed by the proposal of our members
- Each Technical Committee sets its own scope, schedule, and deliverables
- More than 60 Technical Committees in a variety of topic areas
  - E-business
  - Security
  - Web services
  - Public sector

OASIS standards process
- Specifications are created under an open, democratic, vendor-neutral process
  - Any interested parties may either participate or comment
  - No one organization can dictate the specification
  - Ensures that specifications meet everyone’s needs, not just largest players’
- All discussion open to public inspection and comment
- Bi-level approval process
  - TC approves Committee Draft
  - OASIS members approve OASIS Standard
- Resulting work is representative of a broad range of industry, not just any one vendor’s view

Progression/Approval of OASIS technical work
1. Any three or more OASIS members propose creation of a technical committee (TC)
2. Existing technical work submitted to TC; or TC starts work at the beginning. TC conducts and completes technical work; open and publicly viewable
3. TC votes to approve work as an OASIS Committee Draft
4. TC conducts public review, and three or more OASIS members must implement the specification
5. TC revises and re-approves the specification
6. TC votes to submit the Committee Draft to OASIS membership for consideration
7. OASIS membership reviews, approves the Committee Draft as an OASIS Standard

What sets OASIS apart
- Established, legitimate, and neutral
- Published and consistent rules and process
- High degree of open access, publicly visible, accountable
- High degree of responsible coordination with other SDOs

The OASIS Conceptual Model

Purpose of a Conceptual Model
- A model to describe the technical activities of industry organizations
  - Descriptive, not Prescriptive
- Identify overlaps for the purpose of increasing collaboration
- Identify gaps for the purpose of starting new work

Previous Work: ISO Open EDI Model
Source: ISO/IEC 14662, “Information Technology – Open-EDI Reference Model”, First Edition, December 15, 1997

Previous Work: BIC B2B Model
Source: Business Internet Consortium (BIC) Whitepaper, “High-Level Conceptual Model for B2B Integration”, March 02, 2002

OASIS Conceptual Model for eBusiness standards
[Figure: diagram of the conceptual model. Box labels: Transaction Instance; Transaction Patterns; Generalized Content; Generalized Processes; Content Definition Language; Process Description Language; Repository; Presentation Description; Service Description Language; Management; Registry / Directory; Quality of Services; Specialized Processes; Security; Conformance and Interoperability; Specialized Content; Messaging; XML Syntax; Transport Network.]

OASIS Conceptual Model: populated
[Figure: the same diagram with OASIS TC names placed on it. TC groups shown, with the count printed beside each group:
- Auto-Repair, C-Trade, Education, eGovernment, ElectionML, eProcurement, Emergency, LegalXML (8), MaterialsML, PLCS, ProdPS, TaxXML: 19
- ASAP, BCM, BTP, CAM, ebXML-BP, FWSI, TransWS, WSBPEL: 8
- CIQ, UBL, DocBook, XLIFF, OpenOffice: 5
- DSS, ebXMLRegRep, UDDI: 3
- ebXML-MSG, WSRM: 2
- ebXML CPPA: 1
- UIML, WSRP, HumanML: 3
- Conformance, ebXML-IIC, XSLT Conformance: 3
- XACML, AVDL, XCBF, DSS, DSML, XRI, PKI, RLTC, SAML, SPML, WAS, WSDM, WSS: 13
- Entity-Resolution, RELAX-NG, Topic Maps (3): 5]

OASIS Conceptual Model: populated
[Figure: the same populated diagram, with a legend distinguishing "Preliminary approval" and "Final approval (as of Dec 2003)".]

Viewing web services as a related set of functions
[Figure: stack of functions. Labels: Orchestration & Management; Security & Access; Messaging; Data Content; Service Description; Service Discovery; Common language (XML); Common transport (HTTP, etc.).]

Chords: Implementations usually combine functions
Example: The OASIS Disease Control Interoperability Demo at XML 2003
[Figure: the same stack of functions (Orchestration & Management; Security & Access; Messaging; Data Content; Service Description; Service Discovery; Common language (XML); Common transport (HTTP, etc.)) with specifications placed on it: ebXML BP, XACML, UBL, XForms, ebXML CPP/A, ebXML Registry, ebXML MSG.]

Why Standards

What is a Standard?
- Just anything a single vendor declares is a standard? Or anything on which two or more vendors agree?
  - These may be “specifications”, but not “standards” from the OASIS point of view
- Standards are specifications developed and/or approved under a
  - Published, consistent process
  - Fair environment, open participation
  - Transparent, accountable, open operations
  - Transparent output

What is a standard?
A standard is:
- publicly available in stable, persistent versions
- developed and approved under a published process
- open to public input: public comments, public archives, no NDAs
- subject to explicit, disclosed IPR terms
- See the US, EU, WTO governmental & treaty definitions of “standards”
Anything else is proprietary:
- This is a policy distinction, not a pejorative

Coordination of standards at OASIS
- OASIS recognizes the many dependencies across standards organizations
  - Promote interoperability
  - Reduce duplication
- OASIS participates in and coordinates with many other standards and industry coordination efforts, e.g.,
  - W3C and OASIS management meetings
  - ISO/IEC/ITU/ECE e-business coordination MoU
  - RosettaNet, OMA, AIAG, WS-I, GGF, etc.
  - Cat A liaisons with TC 154, various JTC 1 SCs
  - A.4 and A.5 recognition from ITU-T

Coordination of standards at OASIS
- OASIS TCs encouraged to establish liaison with applicable working groups at other organizations
- Completed OASIS standards can be submitted to other SDOs; promote adoption of completed and approved work
  - ebXML specifications submitted to ISO TC 154
  - SAML, XACML submitted to ITU-T SG 17

Formula for Sustainable Standards
[Figure: chart of specifications. Axis and region labels: Traction; Market Adoption; Sanction; Open Standardization; Proprietary; JCV; Consortia; SDO. Items plotted: XML; SOAP v1.1; SOAP v1.2; ebMSG v2; WSDL v1.1; WSDL v1.2; WS-S; WS-S v1.0; WS-* ?; UDDI v2, 3; BPEL4WS; WS-BPEL; eb Reg v2; SGML. Organizations labelled: W3C; OASIS; UDDI.org; ISO.]

OASIS Work in Security

OASIS Security TCs
- Application Vulnerability Description Language (AVDL)
- Digital Signature Services (DSS)
- eXtensible Access Control Markup Language (XACML)
- Provisioning Services
- Public Key Infrastructure (PKI)
- Rights Language

OASIS Security TCs (cont.)
- Security Services (SAML)
- Web Application Security (WAS)
- Web Services Security (WSS)
- XML Common Biometric Format (XCBF)

Application Vulnerability Description Language (AVDL) TC
- Started: May 2003
- Purpose: create a uniform way of describing application security vulnerabilities; create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks.
- Status: ongoing work

Digital Signature Services (DSS) TC
- Started: December 2002
- Purpose: develop techniques to support the processing of digital signatures, including defining an interface for requesting that a web service produce and/or verify a digital signature.
- Status: ongoing work

eXtensible Access Control Markup Language (XACML) TC
- Started: May 2001
- Purpose: define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML.
- Status: XACML v1.0 approved as an OASIS Standard, February 2003; continuing work

Provisioning Services TC
- Started: November 2001
- Purpose: define an XML-based framework for exchanging information between Provisioning Service Points.
- Status: ongoing work

Public Key Infrastructure (PKI) TC
- Started: January 2003
- Purpose: address issues related to the successful deployment of digital certificates to meet business and security requirements as well as technical and integration/interoperability issues, and increase the awareness of digital certificates as an important component when managing access to network resources.
- Status: ongoing work

Rights Language TC
- Started: May 2002
- Purpose: define an industry standard for a digital rights language that supports a wide variety of business models and has an architecture that provides the flexibility to address the needs of the diverse communities that have recognized the need for a rights language.
- Status: ongoing work

Security Services (SAML) TC
- Started: January 2001
- Purpose: develop an XML framework for exchanging authentication and authorization information.
- Status: SAML v1.1 approved as an OASIS Standard, August 2003; continuing work

Web Application Security (WAS) TC
- Started: July 2003
- Purpose: produce a classification scheme for web security vulnerabilities, a model to provide guidance for initial threat, impact and therefore risk ratings, and an XML schema to describe web security conditions that can be used by both assessment and protection tools.
- Status: ongoing work

Web Services Security (WSS) TC
- Started: September 2002
- Purpose: define Web Services security foundations for higher-level security services which are to be defined in other specifications.
- Status: Committee Draft approved and submitted to OASIS membership; approval as OASIS Standard expected end of March 2004

XML Common Biometric Format (XCBF) TC
- Started: March 2002
- Purpose: define a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529). These XML encodings are based on the ASN.1 schema defined in ANSI X9.84:2003 Biometrics Information Management and Security.
- Status: XCBF v1.0 approved as an OASIS Standard, August 2003; continuing work

- www.oasis-open.org
- www.xml.coverpages.org