
WP1: ASSERT model and language

WP Leader: UMA

This work package aims at defining a language that captures the semantics of certification activities and results for services and service–oriented applications in a machine–processable way. In particular, the language shall enable the comparison of certificates and the selection of services based on the different aspects contained in the certificates. Comparison will not be limited to binary equality checks: it will support richer relations and the establishment of partial orderings along a given dimension of the certificate (issuer, properties, method of assessment, strength of evidence, etc.). Along with the language we will also define mechanisms for reasoning about these relations between certificates along the different dimensions. Additionally, the language shall contain means to represent specific certification schemes in a reusable way.

Certification schemes for services and service–oriented applications can be based on many different techniques and are therefore very heterogeneous in nature. This WP will consequently aim at providing a language that is able to capture the most important aspects of the certification activity and can be extended to cover domain–specific needs. The language will be designed in a modular way, so that each ASSERT certificate can contain the modules necessary to ensure the accuracy and completeness of the representation. In particular, the language must contain modules for: (i) the certification process; (ii) the certification results; (iii) the properties proven; and (iv) the service/application being certified. To deal with the heterogeneity, we will introduce the concept of certification profile, which will be used to represent specific certification schemes (e.g. CC EAL4). Each certification profile will contain two main elements: a certificate template (a specific instance of the ASSERT certificate language) and a series of partial orderings of certificates along the different dimensions considered in the certification scheme being represented. The WP will also produce certification profiles for some well–known certification schemes. Tasks 1.2 to 1.6 will follow an iterative approach and contribute to the three incremental versions of the specification of the ASSERT Model and Language.
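The following Python sketch is an added example written for this page; it is not part of the ASSERT language or any project deliverable. It shows the idea behind a certification profile: a certificate has one value per dimension, the profile defines how each dimension is ordered (a total order for assurance levels, a dominance relation for assessment methods, subset inclusion for the set of properties proven), and two certificates are combined under a product order, so they are comparable only when no dimension points the other way. All scheme names, levels, methods, issuers and property identifiers below are constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, FrozenSet, List


class Relation(Enum):
    EQUAL = "equal"
    STRONGER = "stronger"
    WEAKER = "weaker"
    INCOMPARABLE = "incomparable"


@dataclass(frozen=True)
class Certificate:
    """Minimal certificate: one value per comparison dimension (constructed model)."""
    issuer: str
    assurance_level: str          # e.g. "EAL4" (constructed scheme values)
    assessment_method: str        # e.g. "penetration_testing"
    properties: FrozenSet[str]    # identifiers of the properties proven


def _from_ranks(rank_a: int, rank_b: int) -> Relation:
    """Total order encoded as integer ranks."""
    if rank_a == rank_b:
        return Relation.EQUAL
    return Relation.STRONGER if rank_a > rank_b else Relation.WEAKER


def _from_sets(a: FrozenSet[str], b: FrozenSet[str]) -> Relation:
    """Subset ordering: proving a superset of properties is stronger."""
    if a == b:
        return Relation.EQUAL
    if a > b:
        return Relation.STRONGER
    if a < b:
        return Relation.WEAKER
    return Relation.INCOMPARABLE


@dataclass
class CertificationProfile:
    """One certification scheme: how each dimension is ordered (hypothetical structure)."""
    scheme: str
    level_rank: Dict[str, int]                      # total order of assurance levels
    method_dominates: Dict[str, FrozenSet[str]]     # method -> methods it is at least as strong as
    accepted_issuers: FrozenSet[str]                # issuers this profile trusts

    def compare_dimension(self, dim: str, a: Certificate, b: Certificate) -> Relation:
        if dim == "assurance_level":
            return _from_ranks(self.level_rank[a.assurance_level],
                               self.level_rank[b.assurance_level])
        if dim == "assessment_method":
            a_ge_b = b.assessment_method in self.method_dominates[a.assessment_method]
            b_ge_a = a.assessment_method in self.method_dominates[b.assessment_method]
            if a_ge_b and b_ge_a:
                return Relation.EQUAL
            if a_ge_b:
                return Relation.STRONGER
            if b_ge_a:
                return Relation.WEAKER
            return Relation.INCOMPARABLE
        if dim == "properties":
            return _from_sets(a.properties, b.properties)
        raise ValueError(f"unknown dimension {dim}")

    def compare(self, a: Certificate, b: Certificate) -> Dict[str, Relation]:
        """Per-dimension relations; callers can reason about a single dimension."""
        return {dim: self.compare_dimension(dim, a, b)
                for dim in ("assurance_level", "assessment_method", "properties")}


def combine(per_dim: Dict[str, Relation]) -> Relation:
    """Product order: a is stronger than b only if no dimension says otherwise."""
    rels = set(per_dim.values())
    if Relation.INCOMPARABLE in rels or {Relation.STRONGER, Relation.WEAKER} <= rels:
        return Relation.INCOMPARABLE
    if Relation.STRONGER in rels:
        return Relation.STRONGER
    if Relation.WEAKER in rels:
        return Relation.WEAKER
    return Relation.EQUAL


def select(profile: CertificationProfile, certs: List[Certificate],
           requirement: Certificate) -> List[Certificate]:
    """Keep certificates from accepted issuers that meet or exceed the requirement."""
    return [c for c in certs
            if c.issuer in profile.accepted_issuers
            and combine(profile.compare(c, requirement)) in (Relation.EQUAL, Relation.STRONGER)]


# Constructed sample profile and certificates (not real scheme data).
PROFILE = CertificationProfile(
    scheme="cc-like-example",
    level_rank={f"EAL{i}": i for i in range(1, 8)},
    method_dominates={
        "formal_verification": frozenset({"formal_verification", "penetration_testing", "code_review"}),
        "penetration_testing": frozenset({"penetration_testing"}),
        "code_review": frozenset({"code_review"}),
    },
    accepted_issuers=frozenset({"LabA", "LabB"}),
)
CERT_A = Certificate("LabA", "EAL4", "penetration_testing", frozenset({"confidentiality", "integrity"}))
CERT_B = Certificate("LabB", "EAL2", "code_review", frozenset({"confidentiality"}))
CERT_C = Certificate("LabC", "EAL5", "formal_verification", frozenset({"confidentiality", "integrity", "availability"}))
REQUIREMENT = Certificate("*", "EAL3", "penetration_testing", frozenset({"confidentiality"}))

if __name__ == "__main__":
    for c in (CERT_A, CERT_B, CERT_C):
        print(c.issuer, combine(PROFILE.compare(c, REQUIREMENT)).value)
    print([c.issuer for c in select(PROFILE, [CERT_A, CERT_B, CERT_C], REQUIREMENT)])
```

Note how CERT_B ends up incomparable with the requirement: its assurance level is lower, but its assessment method is neither stronger nor weaker than penetration testing under the constructed dominance relation, so the product order refuses to rank them. CERT_C exceeds the requirement on every dimension yet is filtered out because its issuer is not accepted by the profile, which illustrates why issuer trust belongs to the profile rather than to the generic comparison.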

Task 1.1: State of the art in certification specification (Leader: UMA, M1-M3):

This task is concerned with bibliographic research on certification specification, especially focused on the analysis of the different usages and characteristics of existing certification schemes and standards, and on the representation of the security properties and the evidence asserted in the certificates. Additionally, standard formats for digital certificates and assertions (in particular, X.509v3 attribute certificates and SAML assertions) will be reviewed and analyzed. Relevant material will be collected from standardization bodies, scientific journals, conference proceedings, books, public deliverables of relevant research projects, and specific publications from industrial organizations.

Task 1.2: ASSERT core language (Leader: UMA, M4-M36):

This task will deal with the identification, abstraction and expression of the aspects that characterize an ASSERT certification process. The output of this task will be the ASSERT model and language requirements analysis.

Task 1.3: ASSERT process language module (Leader: UMA, M4-M33):

This task will deal with the identification, abstraction and expression of the aspects that characterize a certification process, and with the definition of a representation of these aspects suitable for automated processing as well as for human inspection. This task will build on the results of task 1.1. The output of this task will be the ASSERT language module for certification schemes.

Task 1.4: ASSERT results language module (Leader: UMA, M7-M36):

This task will deal with the identification, abstraction and expression of the aspects that characterize the possible ASSERT certification results. The nature of these results is very heterogeneous; therefore, means for establishing relations between different results are an essential part of this model. The following example illustrates the kind of relation considered here: a piece of evidence (e.g. Service A has successfully passed penetration testing) contributes to (increases trust in the fulfilment of) a property (e.g. confidentiality of the data managed by Service A). These relations therefore need to be taken into account when designing the language.
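As an added example (not project code), the following Python snippet models the evidence-to-property relation described above and uses it to order heterogeneous certification results. Each piece of evidence names the properties it contributes to; a result set supports a property at the strength of the strongest evidence behind it; and one result set is at least as strong as another if it supports every property the other supports, at least as strongly. The evidence kinds, strength levels, services and property identifiers are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed ordinal strength of evidence kinds; a real scheme would define its own.
STRENGTH: Dict[str, int] = {
    "self_assessment": 1,
    "code_review": 2,
    "penetration_test": 3,
    "formal_proof": 4,
}


@dataclass(frozen=True)
class Evidence:
    """One certification result: an activity applied to a target that supports some properties."""
    kind: str                   # key into STRENGTH
    target: str                 # the service or component assessed
    supports: Tuple[str, ...]   # property identifiers this evidence contributes to


def property_support(results: List[Evidence]) -> Dict[str, int]:
    """Map each property to the strength of the strongest evidence supporting it."""
    support: Dict[str, int] = {}
    for ev in results:
        if ev.kind not in STRENGTH:
            raise ValueError(f"unknown evidence kind {ev.kind!r}")
        for prop in ev.supports:
            support[prop] = max(support.get(prop, 0), STRENGTH[ev.kind])
    return support


def results_at_least(r1: List[Evidence], r2: List[Evidence]) -> bool:
    """r1 dominates r2 if every property r2 supports is supported at least as strongly in r1."""
    s1, s2 = property_support(r1), property_support(r2)
    return all(s1.get(prop, 0) >= level for prop, level in s2.items())


def compare_results(r1: List[Evidence], r2: List[Evidence]) -> str:
    """Partial ordering of result sets: equal, stronger, weaker or incomparable."""
    a_ge_b, b_ge_a = results_at_least(r1, r2), results_at_least(r2, r1)
    if a_ge_b and b_ge_a:
        return "equal"
    if a_ge_b:
        return "stronger"
    if b_ge_a:
        return "weaker"
    return "incomparable"


# Constructed results for three hypothetical services.
SERVICE_A = [
    Evidence("penetration_test", "ServiceA", ("confidentiality", "integrity")),
    Evidence("code_review", "ServiceA", ("integrity",)),
]
SERVICE_B = [
    Evidence("formal_proof", "ServiceB", ("confidentiality",)),
]
SERVICE_C = [
    Evidence("penetration_test", "ServiceC", ("confidentiality",)),
]

if __name__ == "__main__":
    print(property_support(SERVICE_A))
    print("A vs B:", compare_results(SERVICE_A, SERVICE_B))
    print("A vs C:", compare_results(SERVICE_A, SERVICE_C))
```

Service A and Service B come out incomparable: B backs confidentiality with stronger evidence, but says nothing about integrity, so neither result set dominates the other. This is the situation the text anticipates, where a language for results has to express the relation rather than force a single score.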

Task 1.5: Service/application language module (Leader: UMA, M7-M36):

In this task we undertake the modelling of the target service or application, including all certification–relevant aspects. Among the aspects to consider is the relation of the certificate contents to the interface of the application and, where a description of the interface exists (e.g. in IDL or WSDL), the relation to that description. A key aspect of this module will be the mechanism that binds the certificate to the service or application. This mechanism (and the language that represents it) has to deal with the heterogeneity of service and application types and instances, and has to be flexible and extensible so that it survives new developments in computing models and paradigms.

Task 1.6: Property language module (Leader: UMA, M7-M36):

This task will define a language to represent the security properties asserted by the certificate. This model will be related to the formal specification of security properties defined in WP5 and to the ontology defined in WP3, but will concentrate on the representation of the operational aspects required to enable reasoning about certificates along the property dimension. In the simplest case, the representation of a property could consist of its unique identifier in the ASSERT ontology. However, many other aspects could enrich this representation, such as versions, validity periods and property parameters.

Task 1.7: ASSERT profiles (Leader: UMA, M13-M18):

In this task we design mechanisms to describe certification schemes. For this, we will use the concept of certificate profile, which will represent a specific certification scheme (e.g. CC EAL4, ISO 9001, SAS70, Common Criteria). The goal is to allow the homogeneous representation of specific certification schemes. The task will also produce certification profiles for some well–known certification schemes.
