© OASIS 2004
Overview of OASIS Process and Technical Work
ITU-T SG17 meeting
Geneva, 11 March 2004
Karl Best, OASIS
oasis-open.org
Agenda
Who is OASIS
The OASIS Conceptual Model
Why Standards
OASIS work in Security
Who is OASIS?
Overview
OASIS is an international consortium dedicated to developing and promoting the adoption of e-business specifications
Member-elected Board of Directors and Technical Advisory Board; member-driven standards process
Members of OASIS are providers, users and specialists of standards-based technologies and include organizations, individuals, industry groups, and government agencies.
International, not-for-profit, open, independent
Successful through industry-wide collaboration
OASIS technical work
The OASIS technical agenda is set by our members; bottom-up approach
Technical committees formed by the proposal of our members
Each Technical Committee sets its own scope, schedule, and deliverables
More than 60 Technical Committees in a variety of topic areas
  E-business
  Security
  Web services
  Public sector
OASIS standards process
Specifications are created under an open, democratic, vendor-neutral process
  Any interested parties may either participate or comment
  No one organization can dictate the specification
  Ensures that specifications meet everyone’s needs, not just the largest players’
  All discussion open to public inspection and comment
Bi-level approval process
  TC approves Committee Draft
  OASIS members approve OASIS Standard
Resulting work is representative of a broad range of industry, not just any one vendor’s view
Progression/Approval of OASIS technical work
1. Any three or more OASIS members propose creation of a technical committee (TC)
2. Existing technical work submitted to TC; or TC starts work at the beginning. TC conducts and completes technical work; open and publicly viewable
3. TC votes to approve work as an OASIS Committee Draft
4. TC conducts public review, and three or more OASIS members must implement the specification
5. TC revises and re-approves the specification
6. TC votes to submit the Committee Draft to OASIS membership for consideration
7. OASIS membership reviews, approves the Committee Draft as an OASIS Standard
What sets OASIS apart
Established, legitimate, and neutral
Published and consistent rules and process
High degree of open access, publicly visible, accountable
High degree of responsible coordination with other SDOs
The OASIS Conceptual Model
Purpose of a Conceptual Model
A model to describe the technical activities of industry organizations
  Descriptive, not Prescriptive
Identify overlaps for the purpose of increasing collaboration
Identify gaps for the purpose of starting new work
Previous Work: ISO Open EDI Model
Source: ISO/IEC 14662, “Information Technology – Open-EDI Reference Model”, First Edition, December 15, 1997
Previous Work: BIC B2B Model
Source: Business Internet Consortium (BIC) Whitepaper, “High-Level Conceptual Model for B2B Integration”, March 02, 2002
OASIS Conceptual Model for eBusiness standards
[Figure: conceptual model diagram. Labels: Quality of Services; Management; Security; XML Syntax; Network; Transport; Generalized Processes; Specialized Processes; Generalized Content; Specialized Content; Messaging; Service Description Language; Presentation Description; Transaction Patterns; Transaction Instance; Repository; Registry / Directory; Process Description Language; Content Definition Language; Conformance and Interoperability]
OASIS Conceptual Model: populated
[Figure: the conceptual model populated with OASIS Technical Committees. Labels: Quality of Services; Management; Security; Network; Transport; Generalized Processes; Specialized Processes; Generalized Content; Specialized Content; Transaction Patterns; Transaction Instance; XML Syntax; Messaging; Service Description Language; Presentation Description; Repository; Registry / Directory; Process Description Language; Content Definition Language; Conformance and Interoperability]
TC groups shown in the figure, with the count for each group:
Auto-Repair, C-Trade, Education, eGovernment, ElectionML, eProcurement, Emergency, LegalXML (8), MaterialsML, PLCS, ProdPS, TaxXML: 19
ASAP, BCM, BTP, CAM, ebXML-BP, FWSI, TransWS, WSBPEL: 8
XACML, AVDL, XCBF, DSS, DSML, XRI, PKI, RLTC, SAML, SPML, WAS, WSDM, WSS: 13
Entity-Resolution, RELAX-NG, Topic Maps (3): 5
UIML, WSRP, HumanML: 3
DSS, ebXML-RegRep, UDDI: 3
ebXML-CPPA: 1
ebXML-MSG, WSRM: 2
Conformance, ebXML-IIC, XSLT-Conformance: 3
CIQ, UBL, Doc-Book, XLIFF, OpenOffice: 5
OASIS Conceptual Model: populated
[Figure: the same labels and TC groups as on the previous slide, with a legend: Final approval (as of Dec 2003); Preliminary approval]
Viewing web services as a related set of functions
Common transport (HTTP, etc.)
Common language (XML)
Service Discovery
Service Description
Orchestration & Management
Security & Access
Messaging
Data Content
Chords: Implementations usually combine functions
Common transport (HTTP, etc.)
Common language (XML)
Service Discovery
Service Description
Orchestration & Management
Security & Access
Messaging
Data Content
Example: The OASIS Disease Control Interoperability Demo at XML 2003
  UBL
  XForms
  ebXML BP
  ebXML Registry
  ebXML MSG
  ebXML CPP/A
  XACML
Why Standards
What is a Standard?
Just anything a single vendor declares is a standard?
Or anything on which two or more vendors agree?
These may be “specifications”, but not “standards” from the OASIS point of view
Standards are specifications developed and/or approved under a
  Published, consistent process
  Fair environment, open participation
  Transparent, accountable, open operations
  Transparent output
What is a standard?
A standard is:
  publicly available in stable, persistent versions
  developed and approved under a published process
  open to public input: public comments, public archives, no NDAs
  subject to explicit, disclosed IPR terms
  See the US, EU, WTO governmental & treaty definitions of “standards”
Anything else is proprietary:
  This is a policy distinction, not a pejorative
Coordination of standards at OASIS
OASIS recognizes the many dependencies across standards organizations
  Promote interoperability
  Reduce duplication
OASIS participates in and coordinates with many other standards and industry coordination efforts, e.g.,
  W3C and OASIS management meetings
  ISO/IEC/ITU/ECE e-business coordination MoU
  RosettaNet, OMA, AIAG, WS-I, GGF, etc.
  Cat A liaisons with TC154, various JTC1 SCs
  A.4 and A.5 recognition from ITU-T
Coordination of standards at OASIS
OASIS TCs encouraged to establish liaison with applicable working groups at other organizations
Completed OASIS standards can be submitted to other SDOs; promote adoption of completed and approved work
  ebXML specifications submitted to ISO TC154
  SAML, XACML submitted to ITU-T SG17
Formula for Sustainable Standards
[Figure: chart. Labels: Market Adoption; Open Standardization; Traction; Sanction; Proprietary; JCV; Consortia; SDO. Items shown: SGML (ISO); XML (W3C); SOAP v1.1; SOAP v1.2 (W3C); UDDI v2,3 (UDDI.org); WSDL v1.2 (W3C); ebMSG v2 (OASIS); WSDL v1.1; eb Reg v2 (OASIS); WS-S v1.0; BPEL4WS; WS-BPEL (OASIS); WS-S (OASIS); WS--*; ? UDDI v2,3 (OASIS)]
OASIS Work in Security
OASIS Security TCs
Application Vulnerability Description Language (AVDL)
Digital Signature Services (DSS)
eXtensible Access Control Markup Language (XACML)
Provisioning Services
Public Key Infrastructure (PKI)
Rights Language
OASIS Security TCs (cont.)
Security Services (SAML)
Web Application Security (WAS)
Web Services Security (WSS)
XML Common Biometric Format (XCBF)
Application Vulnerability Description Language (AVDL) TC
Started: May 2003
Purpose: create a uniform way of describing application security vulnerabilities; create an XML definition for exchange of information relating to security vulnerabilities of applications exposed to networks.
Status: ongoing work
Digital Signature Services (DSS) TC
Started: December 2002
Purpose: develop techniques to support the processing of digital signatures, including defining an interface for requesting that a web service produce and/or verify a digital signature.
Status: ongoing work
eXtensible Access Control Markup Language (XACML) TC
Started: May 2001
Purpose: define a core schema and corresponding namespace for the expression of authorization policies in XML against objects that are themselves identified in XML.
Status: XACML v1.0 approved as an OASIS Standard, February 2003; continuing work
Provisioning Services TC
Started: November 2001
Purpose: define an XML-based framework for exchanging information between Provisioning Service Points.
Status: ongoing work
Public Key Infrastructure (PKI) TC
Started: January 2003
Purpose: address issues related to the successful deployment of digital certificates to meet business and security requirements as well as technical and integration/interoperability issues, and increase the awareness of digital certificates as an important component when managing access to network resources.
Status: ongoing work
Rights Language TC
Started: May 2002
Purpose: define an industry standard for a digital rights language that supports a wide variety of business models and has an architecture that provides the flexibility to address the needs of the diverse communities that have recognized the need for a rights language.
Status: ongoing work
Security Services (SAML) TC
Started: January 2001
Purpose: develop an XML framework for exchanging authentication and authorization information.
Status: SAML v1.1 approved as an OASIS Standard, August 2003; continuing work
Web Application Security (WAS) TC
Started: July 2003
Purpose: produce a classification scheme for web security vulnerabilities, a model to provide guidance for initial threat, impact and therefore risk ratings, and an XML schema to describe web security conditions that can be used by both assessment and protection tools.
Status: ongoing work
Web Services Security (WSS) TC
Started: September 2002
Purpose: define Web Services security foundations for higher-level security services which are to be defined in other specifications.
Status: Committee Draft approved and submitted to OASIS membership; approval as OASIS Standard expected end of March 2004
XML Common Biometric Format (XCBF) TC
Started: March 2002
Purpose: define a common set of secure XML encodings for the patron formats specified in CBEFF, the Common Biometric Exchange File Format (NISTIR 6529). These XML encodings are based on the ASN.1 schema defined in ANSI X9.84:2003 Biometrics Information Management and Security.
Status: XCBF v1.0 approved as an OASIS Standard, August 2003; continuing work
www.xml.org
www.xml.coverpages.org
www.oasis-open.org