CONTROL security level

1. Common Control framework CommonCtlFramework
2. openOSI Control framework openosiCtlFramework
3. openOSI Control Functions openosiCtlFunctions
4. openOSI Control Implementation openosiCtlImplementation

Common Control framework

topControl

When building an Internet of trust all partners are concerned by the Control level which is defined as follows:

1. Auditing
   • logging
   • logging analysis
   • Archiving
2. Quality control
   • Documentation
   • Procedures and formal business processes
   • Quality framework such as ISO-9000 series
   • Security framework such as Common Criteria
     • Risk assessment
     • Security target (Description of security functionality & associated requirements)
     • Protection profiles (Set of security requirements & associated Evaluation Assurance Level - EAL)
     • Evaluation Assurance levels EAL-1 to EAL7
3. Intellectual Property Management (IPR)
   • License
   • Digital rights management (DRM) and Enterprise-DRM - X.509 aware
     • Open Digital Rights Language (ODRL)
     • eXtensible rights Markup Language XrML - (MPEG-21) ISO/IEC 21000-5 standard
4. Privacy protection procedures
   • Compliance with Ethic
   • Compliance with laws
     • EU Data protection
     • US legal framework for privacy
       • Consumers' personal information
       • Financial companies: Gramm-Leach-Bliley Act GLBACT
       • Chidren's privacy
       • Credit reporting
       • Privacy of Personal Health Information - Summary
     • CANADA, JAPAN, SWITZERLAND

The overall objective of the Control security level is to give a feed back of Identification, Authentication and Authorization processes efficiency against risk analysis and constraints of ethic and law for privacy protection. Therefore the Control security level is mainly the place for definition of security policies

Digital rights management and Control level When DRM are implemented in such a way: copy protection and technical protection measures are enforced, the related processes belong to the Authorization security level.

openOSI Control framework: openOSI as Identity provider

topControl

openOSI Control level is related to its management of openOSI directory, holding virtual identities with strong identifiers.

Virtual identity

This is a core openOSI concept. In many operations over Internet, there is no need to deal with a real identity. What is needed is :

• To ensure that behind a virtual identity a human exists (otherwise its a host, a service, a document or a media)
• The virtual identity has attached resources
• The virtual identity has an acceptable duration
• The virtual identity has the required attributes

A virtual identity is defined as a fragment of a real identity targeted to a field of interest, and to the underlying "space of exchanges". I believe that development of virtual identities is an enabling framework for Internet2 development (An Internet of services). It is also a core element of privacy enhancement technologies, which foster and ease acceptability of controls developed for a web of trust. That is personal risk assessment leads to fragment risks linked to Internet activities (Fishing, children abuse, identity theft, hijacking of private data collected for an accepted purpose, unlawful use of private data regarding notably archiving ....)

openOSI Control functions

topControl

openOSI helps Control process with the following resources:

• Documentation about Identification
• [Audit Logging Procedures]
• [Privacy of Personal Information]
• [Intellectual Property Rights]
• Governing Law
• [Compliance with Applicable Law]
• Certificate delivery limitations
• [Certificate, CRL, and OCSP Profiless ]
• [Compliance Audit and Other Assessment]

openOSI Control implementation

topControl

openOSI relies on the following LDAP directory

openOSI directory directory.openosi.org CN=directory.openosi.org OU=VirtualHost DC=openosi DC=org

Type LDAP LDAPS port tcp:636

openOSI Base DN OU=VirtualPeople DC=openosi DC=org

DNSSEC trust anchor