WG15 N087

ISO/IEC JTC1 SC22/WG15 Security Rapporteur Group
Meeting at AFNOR, Paris on June 12, 1990


Minutes of SRG Meeting

1.    The meeting was opened by the convener Kevin Murphy at 9:13 on June 12, 1990. Kevin welcomed all attendees who were then asked to briefly introduce themselves since there were several new faces present.

2.    The list of attendees is attached to the minutes.

3.    Ron Elliott volunteered to be secretary for the meeting.

4.    The terms of reference for the Security Rapporteur Group were then discussed and some changes made to those which had been circulated with the last minutes. The final version is as follows:

a.    To provide a focus for the presentation of security concerns regarding SC22/WG15 from the international community

b.    To make appropriate recommendations to SC22/WG15, such that the emerging SC22/WG15 documents will accommodate the security needs of the international community

c.    To seek coordination with similar security efforts undertaken by other international, regional, or national bodies.


A resolution (#1) was written for submittal to WG15, asking for these terms of reference to be approved.

5.    There was then a short report on the status of P1003.6.  Draft 6 is available and this will become Draft 7 if approved at the next P1003.6 meeting in Danvers on July 15-19. Much work has been done in reformatting the document, doing some of the clean-up requested by this group, and generally getting all the various functions documented.

The targeted balloting date within IEEE has now been moved to after the April 1991 meeting. This is a slippage of 6 months from the original target but is due to the delay in reaching consensus in certain sections. The effects of having to produce a language-independent version have not yet been fully ascertained and this might cause even more slippage. There is much concern about the slippage as many people want a standard as soon as possible.

6.    The issues were then discussed and new ones added to the log (see Attachment). Many of the Danish government requirements had been presented at the P1003.6 meeting and were thought to be "implementation" points rather than "standard interface" questions. The Danish requirements have been added to the issue log for further discussion at the next SRG meeting. It should be remembered that POSIX is defining "Portable Interfaces" and is NOT involved in implementation questions.

7.   General Themes:

The new SC27 Security group and their meetings were of concern and interest to the members present. It would appear that certain things mentioned in the scope of SC27 overlap directly with some of the functions being defined by P1003.6. This could cause problems when P1003.6 comes to the international arena for balloting.  In view of this a resolution (#2) was drawn up for forwarding to WG15.

There will also be another Special Working Group on Security meeting sometime in the fall of this year.  The WG15 SRG wants representation at this meeting.  Resolution (#3) was drawn up for submittal to WG15.  Mr Murphy has to supply a new copy of his letter to SC27 for submittal to the WG15 convener so that it can be forwarded as requested in the resolutions.

8.    The next meeting was scheduled to be held concurrently with the P1003.6 meeting in Danvers on July 13-19, 1990 and then in Seattle in October together with the P1003.6 meeting. The meeting closed at 13:00 in time for the members to attend the WG15 meeting being held that afternoon.

RESOLUTIONS

1.    The SC22/WG15 Security Rapporteur Group requests that SC22/WG15 approve the following resolution:

"JTC1 SC22/WG15 (POSIX) approves the following terms of reference for the Security Rapporteur Group:

  1. To provide a focus for the presentation of security concerns regarding SC22/WG15 from the international community.
  2. To make appropriate recommendations to SC22/WG15, such that the emerging SC22/WG15 documents will accommodate the security needs of the international community.
  3. To seek co-ordination with similar security efforts undertaken by other international, regional, or national bodies."

2.    The JTC1 SC22/WG15 Security Rapporteur Group requests SC22/WG15 to approve the following resolution:

"JTC1 SC22/WG15 requests that the US

  1. Review its POSIX security and security related activities, in view of the proposed scope, program of work, and terms of reference of JTC1 SC27, SC18, and SC21 including their working groups.
  2. Identify the areas of potential overlap, and
  3. Report those findings to SC22/WG15 for its first meeting in 1991."

 

3.    The JTC1 SC22/WG15 Security Rapporteur Group requests that SC22/WG15 approve the following resolution:

"JTC1 SC22/WG15 recognizes the importance of coordinating its activities with similar activities within JTC1 and requests that the JTC1 SC22 secretariat

  1. forward the attached documents to the proposed SWG on Security workshop as described in JTC1 N799, and
  2. allow SC22/WG15 to nominate a representative to that workshop."

 

4.    The JTC1 SC22/WG15 Security Rapporteur Group requests that SC22/WG15 approve the following resolution:

"JTC1 SC22/WG15 requests that WG15 request the US member body to forward Draft 7 of P1003.6 to the WG15 members and also to the SC22 members for review and comment."


Secretary's Notes:

The WG15 meeting following this meeting in fact approved the above resolutions with some minor changes.  SC22 was requested to forward the fact that a member of the WG15 SRG would attend the SWG on Security and that the contact point should be Kevin Murphy.  It is then up to the SRG to decide who should or can attend the workshop when more information is available concerning date and time. The terms of reference were also accepted without modification.

R. Elliott, June 16, 1990    SC22/WG15 N087

 

ISO/IEC JTC1 SC22/WG15 Security Rapporteur Group
Meeting at AFNOR, Paris on June 12, 1990

Attendee List


France: Gerald Krummeck, X/Open Security WG
    BULL SA, 1 Rue de Provence, 38432 Echirolles, France
    Phone: +33 7639 7725

France: Claude Bourstin, AFNOR STIA
    Tour Europe, 92049 Paris La Defense, France
    Phone: +331 42 91 5705

France: Herve Schauer, Herve Schauer Consultants
    142 rue de Rivoli, 75001 Paris, France
    Phone: +331 4638 8990

Germany: Ron Elliott, DIN Rapporteur
    IBM Deutschland, Kst 2751, Postfach 80 08 80, 7000 Stuttgart 80, Germany
    Phone: +49 7031 185097
    Fax:   +49 7031 185064

UK: Kevin Murphy, SRG Rapporteur
    British Telecom, 1 Cutler St., Ipswich IP1 1UX, England
    Phone: +44 473 224573
    Fax:   +44 473 214035

USA: John Hill, UNISYS
    MS EB-130, P.O. Box 300, Blue Bell, PA 19424, USA
    Phone: (not given)

USA: Alan Weaver, IBM
    Zip 2902, 11400 Burnet Rd., Austin, TX 78758, USA
    Phone: +1 512-823-2611


ISO/IEC JTC1 SC22/WG15 Security Rapporteur Group

Issue List

1.    Document Format

Action:

The P1003.6 WG has discussed these points and during the rework of the document for Draft 7 some of the references have already been removed. Considerable work will be done in the next few months to make the document ISO-like.


2.    Scope

The scope of P1003.6 should be extended to encompass the following functions:

a.    X.400, X.500, etc.
b.    Information labelling, including hard copy labelling
c.    Transportable label format


Action:

Information labelling has been moved into the work being done by P1003.6. Draft 8 should contain the functions offered on this topic.

All the other topics are currently considered out-of-scope for this version of P1003.6.


3.    Authentication

There have been many comments/requests for P1003.6 to cover the topic of Authentication. This has been discussed at length by the working group and the decision is as follows:

Action:

It is not thought feasible to put this item into the scope of work for the current draft. The main reasons are:

a. It is not understood what sort of interface is expected to be defined which would help make an application portable.

b. It is NOT the intention of P1003.6 to define authentication methods, as these are rapidly changing and it is really an implementation question, e.g. entering a password from a terminal as against using a "smart card".


It is understood, however, that other functions, notably in the network area, need to be able to authenticate the request for information that is arriving at their node. P1003.6 is liaising with the network people to ensure that the problems are fully understood on both sides. If it is possible to define a portable interface requirement for authentication, then P1003.6 will review this requirement for inclusion in a revision of their standard.


The following points have been received from Denmark and have been included here for consistency. They will be discussed at the next meeting to see whether the group believes that they belong as issues against P1003.6 or whether they are in fact implementation details or recommendations to users:

4.    Differentiated Access

Deletion of data may only be done from designated terminals and only by specially authorized users. This might also be true of the printing of lists containing certain persons' information.

5.    Security Report

All unauthorized access attempts should be logged. If a specified number of such attempts from the same terminal are logged within a specified time frame, then this should be printed and immediate action should be taken.

6.    Usage Statistics

At least once a month usage statistics should be printed. For every operator they shall specify which transactions have been accessed or attempted, as well as the number of times this has happened for each transaction.

7.    Complete Logging

A complete log/audit trail of all transactions made should be maintained. The log should at least contain the time, operator, transaction type, and the person/search criteria that was the object. The log shall be kept at least six months.

8.    Change of Operator

Passwords should be keyed in without being displayed, and when the operator leaves the terminal precautions should be taken such that a password is required to use the terminal again.

9.    Password Ageing

The password should be changed at LEAST once a year. Rules pertaining to the length etc. should also exist.
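The Danish items 5, 6 and 7 above describe an audit-record format and two checks run over it. The following is an added worked example, not part of these minutes or of P1003.6, written by the editor to show what those checks look like in code: a record carrying the fields item 7 asks for (time, operator, transaction type, object) plus the terminal and outcome that items 5 and 6 need, a per-terminal sliding-window count of unauthorized attempts (item 5), and per-operator transaction counts (item 6). The log format, field names, record class, threshold and window are all assumptions made for this example; the sample log is constructed, not real data.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class AuditRecord:
    """One audit-trail entry. The field set is an assumption for this example:
    time/operator/transaction/target follow item 7, terminal and authorized
    are what items 5 and 6 need."""
    time: datetime
    terminal: str
    operator: str
    transaction: str
    target: str        # the person or search criteria that was the object
    authorized: bool   # False = unauthorized access attempt


# Constructed sample log in a hypothetical whitespace-separated format:
# <ISO time> <terminal> <operator> <transaction> <object> <OK|DENIED>
SAMPLE_LOG = """\
1990-06-12T09:15:02 T01 alice LOOKUP person:4711 OK
1990-06-12T09:16:10 T07 bob   DELETE person:4711 DENIED
1990-06-12T09:16:45 T07 bob   DELETE person:4712 DENIED
1990-06-12T09:17:05 T07 bob   PRINT  list:staff  DENIED
1990-06-12T09:40:00 T07 bob   LOOKUP person:4711 OK
1990-06-12T09:41:30 T02 carol DELETE person:4713 DENIED
1990-06-12T10:30:00 T02 carol DELETE person:4713 DENIED
1990-06-12T10:31:00 T02 carol DELETE person:4713 DENIED
"""


def parse_log(text: str) -> list:
    """Parse the hypothetical log format into AuditRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, operator, transaction, target, outcome = line.split()
        records.append(AuditRecord(datetime.fromisoformat(ts), terminal,
                                   operator, transaction, target,
                                   outcome == "OK"))
    return records


def unauthorized_bursts(records, threshold: int = 3, window_minutes: float = 5):
    """Item 5: return (terminal, time) for each point at which a terminal
    reaches `threshold` unauthorized attempts within `window_minutes`.
    Uses one sliding window per terminal; an alert resets that window so a
    single burst produces a single alert."""
    recent = defaultdict(deque)   # terminal -> times of recent denied attempts
    alerts = []
    for r in sorted(records, key=lambda r: r.time):
        if r.authorized:
            continue
        q = recent[r.terminal]
        q.append(r.time)
        # drop attempts that fell out of the window
        while q and (r.time - q[0]).total_seconds() > window_minutes * 60:
            q.popleft()
        if len(q) >= threshold:
            alerts.append((r.terminal, r.time))
            q.clear()
    return alerts


def usage_statistics(records):
    """Item 6: per operator, how many times each transaction type was
    accessed or attempted (denied attempts count too)."""
    stats = defaultdict(lambda: defaultdict(int))
    for r in records:
        stats[r.operator][r.transaction] += 1
    return {op: dict(tx) for op, tx in stats.items()}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for terminal, when in unauthorized_bursts(recs):
        print(f"ALERT terminal {terminal}: repeated unauthorized attempts at {when}")
    for op, tx in sorted(usage_statistics(recs).items()):
        print(op, tx)
```

With the sample data, terminal T07 trips the default rule (three denied attempts within five minutes) while T02 does not, because its first denied attempt is almost an hour before the other two; the statistics show bob attempted DELETE twice and PRINT once even though none of those were authorized, which is exactly the "accessed or attempted" distinction item 6 asks for.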