Date   

Re: Runtime Online dependency - recommendation proposal

Hampus Tjader
 

Hi,

 

I will not be able to attend the review meeting of 16th July due to my vacation. Please see the provided comments from my company in the attachment. We see the modification of N-3 requirement as an important update before final approval.

 

Best regards,

Hampus

 

 

 

Hampus Tjäder

4G5G Product Architecture O&M and Security

 

Ericsson

Datalinjen 4

58330, Linköping, Sweden

Mobile: +46 107113292

ericsson.com

 

 

 

-----Original Message-----
From: onap-seccom@... <onap-seccom@...> On Behalf Of Horn, Linda (Nokia - US/Murray Hill) via Lists.Onap.Org
Sent: den 26 juni 2019 14:31
To: Pawlak Paweł 3 - Korpo <Pawel.Pawlak3@...>
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

Pawel,

 

Before or after the SECCOM call on July 16 is fine with me - whichever is better for others.

 

Linda

-----------------------------------------------------------------------------------

Linda S. Horn, DMTS

Cloud RAN Solution Definition and Architecture

Mobile Networks, Nokia        

Phone:  +1-908-679-6580

 

-----Original Message-----

From: Pawlak Paweł 3 - Korpo <Pawel.Pawlak3@...>

Sent: Wednesday, June 26, 2019 3:02 AM

To: Horn, Linda (Nokia - US/Murray Hill) <linda.horn@...>

Cc: onap-seccom@...

Subject: RE: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

Hello Linda,

Following the discussions below I would like to propose a dedicated call on 16th of July either before or after SECCOM meeting.

Please let us know your availabilities.

 

Best regards

 

Paweł Pawlak

 

ONAP SECCOM Chair

Leader in IT & Network Convergent Operations FT/TGI/OLN/QOP/OST

 

Orange Polska S.A.

Corporate Services Agency

 

Obrzeżna 7, 02-691 Warszawa

tel. +48 22 699 52 17

fax +48 22 857 99 86

tel. mob. +48 501 501 030

 

   Czy musisz drukować tę wiadomość? Pomyśl o środowisku.

__________________________________________________________________

Treść tej wiadomości jest własnością Orange Polska i zawiera informacje stanowiące tajemnicę przedsiębiorstwa Orange Polska. Jeżeli nie jesteście Państwo jej adresatem, bądź otrzymaliście ją przez pomyłkę, prosimy o powiadomienie o tym nadawcy oraz trwałe jej usunięcie. Orange Polska Spółka Akcyjna z siedzibą i adresem w Warszawie (02-326) przy Al. Jerozolimskich 160, wpisana do Rejestru Przedsiębiorców prowadzonego przez Sąd Rejonowy dla m.st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem 0000010681; REGON 012100784, NIP 526-02-50-995; z pokrytym w całości kapitałem zakładowym wynoszącym 3.937.072.437 złotych.

 

-----Original Message-----

From: Horn, Linda (Nokia - US/Murray Hill) [mailto:linda.horn@...]

Sent: Wednesday, June 12, 2019 9:18 PM

To: MACH Natacha TGI/OLS; ZWARICO, AMY; Pawlak Paweł 3 - Korpo; onap-seccom@...

Subject: RE: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

Natacha,

 

Thank you for reviewing.  My comments are in the attached doc.  BTW there is a version v7 now but it has minor changes so your comments are still valid.

 

Linda

-----------------------------------------------------------------------------------

Linda S. Horn, DMTS

Cloud RAN Solution Definition and Architecture

Mobile Networks, Nokia        

Phone:  +1-908-679-6580

 

-----Original Message-----

From: onap-seccom@... <onap-seccom@...> On Behalf Of natacha.mach via Lists.Onap.Org

Sent: Friday, June 07, 2019 10:19 AM

To: ZWARICO, AMY <az9121@...>; PAWLAK Pawel O-PL <pawel.pawlak3@...>; onap-seccom@...

Cc: onap-seccom@...

Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

hello,

 

Thanks for the comments, and here are some remarks for understanding first.

I hopr that we could discuss this document next week?

 

Regards

natacha

________________________________________

De : onap-seccom@... [onap-seccom@...] de la part de ZWARICO, AMY [az9121@...] Envoyé : jeudi 6 juin 2019 21:41 À : PAWLAK Pawel O-PL; onap-seccom@... Objet : Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

I found another typo and made some other minor wording changes.

 

-----Original Message-----

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of Pawel Pawlak via Lists.Onap.Org

Sent: Thursday, June 06, 2019 7:33 AM

To: onap-seccom@...

Cc: onap-seccom@...

Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

I have corrected 2 typos...

Best regards

 

Paweł Pawlak

 

ONAP SECCOM Chair

Leader in IT & Network Convergent Operations FT/TGI/OLN/QOP/OST

 

Orange Polska S.A.

Corporate Services Agency

 

Obrzeżna 7, 02-691 Warszawa

tel. +48 22 699 52 17

fax +48 22 857 99 86

tel. mob. +48 501 501 030

 

   Czy musisz drukować tę wiadomość? Pomyśl o środowisku.

__________________________________________________________________

Treść tej wiadomości jest własnością Orange Polska i zawiera informacje stanowiące tajemnicę przedsiębiorstwa Orange Polska. Jeżeli nie jesteście Państwo jej adresatem, bądź otrzymaliście ją przez pomyłkę, prosimy o powiadomienie o tym nadawcy oraz trwałe jej usunięcie. Orange Polska Spółka Akcyjna z siedzibą i adresem w Warszawie (02-326) przy Al. Jerozolimskich 160, wpisana do Rejestru Przedsiębiorców prowadzonego przez Sąd Rejonowy dla m.st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem 0000010681; REGON 012100784, NIP 526-02-50-995; z pokrytym w całości kapitałem zakładowym wynoszącym 3.937.072.437 złotych.

 

 

-----Original Message-----

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of ZWARICO, AMY

Sent: Wednesday, June 5, 2019 11:14 PM

To: k.opasiak@...; CLOSE, PIERRE; onap-seccom@...

Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

Very nice.

 

I made minor wording changes to slides 1,4,5,6 The only substantive changes: in all of the nonfunctional requirements I changed "should" to "shall", which makes the requirement stronger.

 

-Amy

-----Original Message-----

From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of Krzysztof Opasiak via Lists.Onap.Org

Sent: Wednesday, June 05, 2019 4:01 PM

To: CLOSE, PIERRE <pierre.close@...>; onap-seccom@...

Cc: onap-seccom@...

Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

 

 

 

On 05.06.2019 15:58, Close, Pierre wrote:

> Hello Krzysztof,

> It probably makes more sense to merge the two, if you don't mind, since they aim to achieve the same goal, and so that there is a centralized recommendation.

 

I tried to merged your remarks into the presentation, you can see the result in attachment.

 

Feel free to comment & modify.

 

Best regards,

--

Krzysztof Opasiak

Samsung R&D Institute Poland

Samsung Electronics

 

 

 

 

 

 

 

 

 

 

 

 

 

_________________________________________________________________________________________________________________________

 

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

 

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.

Thank you.

 

 

 

 

 

 

 


Re: ONAP Dublin - Please update your JIRA tickets accordingly

Catherine LEFEVRE
 

Thank you so much Krzysztof

-----Original Message-----
From: Krzysztof Opasiak [mailto:k.opasiak@...]
Sent: Friday, July 05, 2019 10:54 PM
To: Lefevre, Catherine <catherine.lefevre@...>; onap-seccom@...; jbaker@...
Subject: Re: [Onap-seccom] ONAP Dublin - Please update your JIRA tickets accordingly

Dear Catherine and Jim,


On 05.07.2019 11:34, Catherine LEFEVRE wrote:
Good morning ONAP Security Subcommittee, Jim,

Can you please review and update the following JIRA tickets
accordingly considering that the Dublin Release is not completed?

+ 24 Tickets OJSI

Jira query:

status != Closed AND status != Done AND project != "Sandbox Project"
AND project != CI-Management AND project != "ONAP TSC" AND fixVersion
= "Dublin Release" AND project = OJSI ORDER BY key ASC, priority DESC,
updated DESC
I've put together some dashboard to help you better underestand the current status of OJSI tickets:

https://urldefense.proofpoint.com/v2/url?u=https-3A__wiki.onap.org_display_DW_OJSI-2BTickets-2BStatus&d=DwIC-g&c=LFYZ-o9_HUMeMTSQicvjIg&r=ZglJ8LOeAfevY7wWaSximhFMAzXaMdza5QYCg-DW6SU&m=gYz6ii8Y9q-xaUM974QmxAztgyV1-ocVsGwL2t0rEEY&s=P0_mfCboP61Rz6CDUXufEFqMlhGMzK1F7WDHoFf4Ai8&e=

I'll provide some more details on it during Monday PTL call.

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics


Re: ONAP Dublin - Please update your JIRA tickets accordingly

Krzysztof Opasiak
 

Dear Catherine and Jim,


On 05.07.2019 11:34, Catherine LEFEVRE wrote:
Good morning ONAP Security Subcommittee, Jim,
Can you please review and update the following JIRA tickets accordingly considering that the Dublin Release is not completed?
+ 24 Tickets OJSI
Jira query:
status != Closed AND status != Done AND project != "Sandbox Project" AND project != CI-Management AND project != "ONAP TSC" AND fixVersion = "Dublin Release" AND project = OJSI ORDER BY key ASC, priority DESC, updated DESC
I've put together some dashboard to help you better underestand the current status of OJSI tickets:

https://wiki.onap.org/display/DW/OJSI+Tickets+Status

I'll provide some more details on it during Monday PTL call.

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics


ONAP Dublin - Please update your JIRA tickets accordingly

Catherine LEFEVRE
 

Good morning ONAP Security Subcommittee, Jim,

 

Can you please review and update the following JIRA tickets accordingly considering that the Dublin Release is not completed?

 

 

+ 24 Tickets OJSI

 

Jira query:

status != Closed AND status != Done AND project != "Sandbox Project" AND project != CI-Management AND project != "ONAP TSC" AND fixVersion = "Dublin Release" AND project = OJSI ORDER BY key ASC, priority DESC, updated DESC

 

Many thanks & regards

Catherine

 

Catherine Lefèvre

AVP Software Development & Engineering

 

AT&T Labs – Network Cloud & Infrastructure

D2 Platform & Systems Development

ECOMP/RUBY/SPP-NEAM-Appl. Servers/SIA

ONAP TSC Chair

 

 

Phone: +32 81 84 09 08

Mobile: +32 475 77 36 73

catherine.lefevre@...

 

TEXTING and DRIVING… It Can Wait

AT&T

BUROGEST OFFICE PARK SA

Avenue des Dessus-de-Lives, 2

5101 Loyers (Namur)

Belgium

 

 

NOTE: This email (or its attachments) contains information belonging to the sender, which may be confidential. proprietary and/or legally privileged. The information is intended only for the use of the individual(s) or entity(ies) named above. If you are not the intended recipient, you are hereby notified that any disclosure, distribution or taking of any action in reliance on the content of this is strictly forbidden. If you have received this e-mail in error please immediately notify the sender identified above

 


Re: Communication matrix

Harald Fuchs
 

Hi Natacha,

I think this is a really good format and excellent outcome.

So far I have only minor “semantic” comments, but admit I’m no native speaker :-).

So I would change the “outcoming” to “outgoing” and the incoming_outcoming tag to “direction” or something similar especially as there is a third value possible.

KR

Harald

 

 

From: onap-seccom@... <onap-seccom@...> On Behalf Of natacha.mach via Lists.Onap.Org
Sent: 27 June, 2019 17:27
To: Hampus Tjader <hampus.tjader@...>; onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Communication matrix

 

Hello,

 

many thanks for your feedback.

Your remark is really relevant, indeed the  “external communication” is related to “platform external” components also.

So i will add a tag regarding the hosting of TLS server or TLS client, as attached.

What do you think of this new version?

 

regards

natacha


De : onap-seccom@... [onap-seccom@...] de la part de Hampus Tjader [hampus.tjader@...]
Envoyé : mercredi 26 juin 2019 13:55
À : MACH Natacha TGI/OLS; onap-seccom@...
Objet : Re: [Onap-seccom] Communication matrix

Hi Natacha,

 

Great work with the matrix!

 

I have a question regarding the “external communication”. My assumption is that this category will also be used for “platform external” components, e.g say between DCAE-yyy and xNF.

Does the “communication_initiator” in this case then define the entity acting as TLS server or is it more related to who is initiating the connection (not related to TLS handshake)?  
Could be interesting to highlight this for platform-external interfaces, thus whether external facing ONAP components are hosting a TLS server or TLS client. It would also be good from a security perspective to have this inventory of platform-externally open ports for the ONAP components, so we in the future might be able to decrease the platform external attack vector.

 

Best regards,

Hampus

 

From: onap-seccom@... <onap-seccom@...> On Behalf Of natacha.mach via Lists.Onap.Org
Sent: den 25 juni 2019 16:46
To: onap-seccom@...
Cc: onap-seccom@...
Subject: [Onap-seccom] Communication matrix

 

Hello,

 

As discussed during the SECCOM of last week, i am sharing with you a proposal regarding the YAML file for the communication matrix work item.

 

Please share your comments, and then we can propose it to the PTLs.

 

Many thanks and best regards

Natacha

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: next steps with CII -- back to [crypto_certificate_verification]:

Amy Zwarico
 

Very nice deck.

I suggest adding the following checks which are part of certificate validation:

1.      Check that the cert is still within its validity period.

2.      Perform the cryptography to ensure that the sender of the cert possesses the private key

For extra credit, the cert should be checked against a Certificate Revocation List (CRL).

 

From: HANSEN, TONY L
Sent: Friday, June 28, 2019 3:57 PM
To: natacha.mach@...; onap-seccom@...
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>; ZWARICO, AMY <az9121@...>; CLOSE, PIERRE <pierre.close@...>; GATHMAN, JONATHAN C <jonathan.gathman@...>
Subject: Re: [Onap-seccom] next steps with CII -- back to [crypto_certificate_verification]:

 

Here are updated slides from what Pawel showed on Tuesday. These are intended to be shared on the PTL meeting next Monday. If you have any comments, PLEASE share them.

 

Thank you.

 

                Tony

 

From: "HANSEN, TONY L" <tony@...>
Date: Thursday, June 27, 2019 at 12:31 PM
To: "natacha.mach@..." <natacha.mach@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: Re: [Onap-seccom] next steps with CII -- back to [crypto_certificate_verification]:

 

Thank you, Natacha, for your comments. I also listened to the conversation on this week’s SECCOM meeting, which I unfortunately had to miss.

 

To summarize the concerns brought up:

  • The CII question is ambiguous and could be read as meaning that using SSL instead of TLS would lead to a N/A answer.
  • We really need to be mandating that projects use TLS in place of SSL.

 

I definitely can see how the question COULD be read that way, so agree that it is ambiguous.

 

The fun thing is that, when there are ambiguities, WE (the SECCOM) get to decide how to interpret it. So my proposal is:

 

  • If a remote site supports SSL, they are covered by this question.

 

(I’ve also filed a github ticket on the CII code about the ambiguity.)

 

Now I know that some of you are probably asking yourselves, but what about the other concern?

 

There are two aspects to the concern, though.

 

  1. We do not control >>remote sites<< that ONAP connects to, so cannot mandate anything about them. We can guarantee that we do certificate verification even when the remote end only does SSL, and we can try to put pressure on them to upgrade. But we don’t control much more.

 

  1. We CAN do things with our own software. For these, though, I think they are adequately covered by other CII issues. In particular:

 

crypto_tls12

The software produced by the project SHOULD/MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select 'not applicable' (N/A).

 

crypto_used_network

The software produced by the project SHOULD/MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network comunications, select 'not applicable' (N/A).

 

Both of these are SHOULD questions at the Silver level, and MUST questions at the Gold level.

 

Do we think that these are worth focusing on next? Since they keep coming up, I think this should be the order of the next 6 weeks’ worth of focus topics.

 

CII Badging Focus Topics order

1)      crypto_certificate_verification

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

2)      crypto_used_network

The software produced by the project SHOULD support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network comunications, select 'not applicable' (N/A).

3)      crypto_tls12

The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select 'not applicable' (N/A).

4)      crypto_credential_agility

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

5)      crypto_verification_private

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

I’ll post updated slides shortly with the ambiguity dealt with.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Tuesday, June 25, 2019 at 10:42 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello,

 

Many thanks for your answer.

 

Regarding the following statement: 

"The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A)."

 

==> the "not applicable", in my understanding / opinion should not be possible.

TLS should be mandatory, with no other option. If TLS is not possible then the solution is not comptible and the statement unmet.

 

What do you think?

 

best regards

Natacha

 


De : HANSEN, TONY L [tony@...]
Envoyé : jeudi 20 juin 2019 14:27
À : MACH Natacha TGI/OLS; GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

Thank you for your email, Natacha.

 

These are both very important considerations, and they are covered under other CII topics:

 

The comment about hashing passwords is covered under the CII topic [crypto_password_storage]:

 

If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., PBKDF2, Bcrypt or Scrypt).

 

The comment about TLS certification verification is covered under the CII topic [crypto_certificate_verification]:

 

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

There is another thread on the [onap-seccom] mailing list that is focusing on the [crypto_certificate_verification] CII topic. Please take a look there and make sure that your concerns regarding certification verification are being sufficiently addressed.

 

Thank you again for your email, Natacha.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Thursday, June 20, 2019 at 5:41 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello 

 

Thanks for these informations.

 

i have 2 comments / questions:

- The storage of password must be hashed.

- regarding the following statement:

If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.

  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

 

==> is TLS is available, the certificate verification should be mandatory.

 

What do you think?

 

Regards

Natacha

 

 

 

 

 


De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  1. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

1.      Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

c.       If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: next steps with CII -- back to [crypto_certificate_verification]:

Tony Hansen
 

Here are updated slides from what Pawel showed on Tuesday. These are intended to be shared on the PTL meeting next Monday. If you have any comments, PLEASE share them.

 

Thank you.

 

                Tony

 

From: "HANSEN, TONY L" <tony@...>
Date: Thursday, June 27, 2019 at 12:31 PM
To: "natacha.mach@..." <natacha.mach@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: Re: [Onap-seccom] next steps with CII -- back to [crypto_certificate_verification]:

 

Thank you, Natacha, for your comments. I also listened to the conversation on this week’s SECCOM meeting, which I unfortunately had to miss.

 

To summarize the concerns brought up:

  • The CII question is ambiguous and could be read as meaning that using SSL instead of TLS would lead to a N/A answer.
  • We really need to be mandating that projects use TLS in place of SSL.

 

I definitely can see how the question COULD be read that way, so agree that it is ambiguous.

 

The fun thing is that, when there are ambiguities, WE (the SECCOM) get to decide how to interpret it. So my proposal is:

 

  • If a remote site supports SSL, they are covered by this question.

 

(I’ve also filed a github ticket on the CII code about the ambiguity.)

 

Now I know that some of you are probably asking yourselves, but what about the other concern?

 

There are two aspects to the concern, though.

 

  1. We do not control >>remote sites<< that ONAP connects to, so cannot mandate anything about them. We can guarantee that we do certificate verification even when the remote end only does SSL, and we can try to put pressure on them to upgrade. But we don’t control much more.

 

  1. We CAN do things with our own software. For these, though, I think they are adequately covered by other CII issues. In particular:

 

crypto_tls12

The software produced by the project SHOULD/MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select 'not applicable' (N/A).

 

crypto_used_network

The software produced by the project SHOULD/MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network comunications, select 'not applicable' (N/A).

 

Both of these are SHOULD questions at the Silver level, and MUST questions at the Gold level.

 

Do we think that these are worth focusing on next? Since they keep coming up, I think this should be the order of the next 6 weeks’ worth of focus topics.

 

CII Badging Focus Topics order

  1. crypto_certificate_verification

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  1. crypto_used_network

The software produced by the project SHOULD support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network comunications, select 'not applicable' (N/A).

  1. crypto_tls12

The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select 'not applicable' (N/A).

  1. crypto_credential_agility

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

  1. crypto_verification_private

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

I’ll post updated slides shortly with the ambiguity dealt with.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Tuesday, June 25, 2019 at 10:42 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello,

 

Many thanks for your answer.

 

Regarding the following statement: 

"The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A)."

 

==> the "not applicable", in my understanding / opinion should not be possible.

TLS should be mandatory, with no other option. If TLS is not possible then the solution is not comptible and the statement unmet.

 

What do you think?

 

best regards

Natacha

 


De : HANSEN, TONY L [tony@...]
Envoyé : jeudi 20 juin 2019 14:27
À : MACH Natacha TGI/OLS; GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

Thank you for your email, Natacha.

 

These are both very important considerations, and they are covered under other CII topics:

 

The comment about hashing passwords is covered under the CII topic [crypto_password_storage]:

 

If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., PBKDF2, Bcrypt or Scrypt).

 

The comment about TLS certification verification is covered under the CII topic [crypto_certificate_verification]:

 

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

There is another thread on the [onap-seccom] mailing list that is focusing on the [crypto_certificate_verification] CII topic. Please take a look there and make sure that your concerns regarding certification verification are being sufficiently addressed.

 

Thank you again for your email, Natacha.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Thursday, June 20, 2019 at 5:41 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello 

 

Thanks for these informations.

 

i have 2 comments / questions:

- The storage of password must be hashed.

- regarding the following statement:

If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.

  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

 

==> is TLS is available, the certificate verification should be mandatory.

 

What do you think?

 

Regards

Natacha

 

 

 

 

 


De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  1. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

1.      Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

c.       If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: next steps with CII -- back to [crypto_certificate_verification]:

Tony Hansen
 

Thank you, Natacha, for your comments. I also listened to the conversation on this week’s SECCOM meeting, which I unfortunately had to miss.

 

To summarize the concerns brought up:

  • The CII question is ambiguous and could be read as meaning that using SSL instead of TLS would lead to a N/A answer.
  • We really need to be mandating that projects use TLS in place of SSL.

 

I definitely can see how the question COULD be read that way, so agree that it is ambiguous.

 

The fun thing is that, when there are ambiguities, WE (the SECCOM) get to decide how to interpret it. So my proposal is:

 

  • If a remote site supports SSL, they are covered by this question.

 

(I’ve also filed a github ticket on the CII code about the ambiguity.)

 

Now I know that some of you are probably asking yourselves, but what about the other concern?

 

There are two aspects to the concern, though.

 

  1. We do not control >>remote sites<< that ONAP connects to, so cannot mandate anything about them. We can guarantee that we do certificate verification even when the remote end only does SSL, and we can try to put pressure on them to upgrade. But we don’t control much more.

 

  1. We CAN do things with our own software. For these, though, I think they are adequately covered by other CII issues. In particular:

 

crypto_tls12

The software produced by the project SHOULD/MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select 'not applicable' (N/A).

 

crypto_used_network

The software produced by the project SHOULD/MUST support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network comunications, select 'not applicable' (N/A).

 

Both of these are SHOULD questions at the Silver level, and MUST questions at the Gold level.

 

Do we think that these are worth focusing on next? Since they keep coming up, I think this should be the order of the next 6 weeks’ worth of focus topics.

 

CII Badging Focus Topics order

  1. crypto_certificate_verification

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  1. crypto_used_network

The software produced by the project SHOULD support secure protocols for all of its network communications, such as SSHv2 or later, TLS1.2 or later (HTTPS), IPsec, SFTP, and SNMPv3. Insecure protocols such as FTP, HTTP, telnet, SSLv3 or earlier, and SSHv1 SHOULD be disabled by default, and only enabled if the user specifically configures it. If the software produced by the project does not support network comunications, select 'not applicable' (N/A).

  1. crypto_tls12

The software produced by the project MUST, if it supports or uses TLS, support at least TLS version 1.2. Note that the predecessor of TLS was called SSL. If the software does not use TLS, select 'not applicable' (N/A).

  1. crypto_credential_agility

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

  1. crypto_verification_private

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

I’ll post updated slides shortly with the ambiguity dealt with.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Tuesday, June 25, 2019 at 10:42 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello,

 

Many thanks for your answer.

 

Regarding the following statement: 

"The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A)."

 

==> the "not applicable", in my understanding / opinion should not be possible.

TLS should be mandatory, with no other option. If TLS is not possible then the solution is not comptible and the statement unmet.

 

What do you think?

 

best regards

Natacha

 


De : HANSEN, TONY L [tony@...]
Envoyé : jeudi 20 juin 2019 14:27
À : MACH Natacha TGI/OLS; GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

Thank you for your email, Natacha.

 

These are both very important considerations, and they are covered under other CII topics:

 

The comment about hashing passwords is covered under the CII topic [crypto_password_storage]:

 

If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., PBKDF2, Bcrypt or Scrypt).

 

The comment about TLS certification verification is covered under the CII topic [crypto_certificate_verification]:

 

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

There is another thread on the [onap-seccom] mailing list that is focusing on the [crypto_certificate_verification] CII topic. Please take a look there and make sure that your concerns regarding certification verification are being sufficiently addressed.

 

Thank you again for your email, Natacha.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Thursday, June 20, 2019 at 5:41 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello 

 

Thanks for these informations.

 

i have 2 comments / questions:

- The storage of password must be hashed.

- regarding the following statement:

If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.

  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

 

==> is TLS is available, the certificate verification should be mandatory.

 

What do you think?

 

Regards

Natacha

 

 

 

 

 


De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  1. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

1.      Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

c.       If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: Communication matrix

natacha.mach@...
 

Hello,

many thanks for your feedback.
Your remark is really relevant, indeed the  “external communication” is related to “platform external” components also.
So i will add a tag regarding the hosting of TLS server or TLS client, as attached.
What do you think of this new version?

regards
natacha

De : onap-seccom@... [onap-seccom@...] de la part de Hampus Tjader [hampus.tjader@...]
Envoyé : mercredi 26 juin 2019 13:55
À : MACH Natacha TGI/OLS; onap-seccom@...
Objet : Re: [Onap-seccom] Communication matrix

Hi Natacha,

 

Great work with the matrix!

 

I have a question regarding the “external communication”. My assumption is that this category will also be used for “platform external” components, e.g say between DCAE-yyy and xNF.

Does the “communication_initiator” in this case then define the entity acting as TLS server or is it more related to who is initiating the connection (not related to TLS handshake)?  
Could be interesting to highlight this for platform-external interfaces, thus whether external facing ONAP components are hosting a TLS server or TLS client. It would also be good from a security perspective to have this inventory of platform-externally open ports for the ONAP components, so we in the future might be able to decrease the platform external attack vector.

 

Best regards,

Hampus

 

From: onap-seccom@... <onap-seccom@...> On Behalf Of natacha.mach via Lists.Onap.Org
Sent: den 25 juni 2019 16:46
To: onap-seccom@...
Cc: onap-seccom@...
Subject: [Onap-seccom] Communication matrix

 

Hello,

 

As discussed during the SECCOM of last week, i am sharing with you a proposal regarding the YAML file for the communication matrix work item.

 

Please share your comments, and then we can propose it to the PTLs.

 

Many thanks and best regards

Natacha

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.

_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: Runtime Online dependency - recommendation proposal

Horn, Linda (Nokia - US/Murray Hill)
 

Pawel,

Before or after the SECCOM call on July 16 is fine with me - whichever is better for others.

Linda
-----------------------------------------------------------------------------------
Linda S. Horn, DMTS
Cloud RAN Solution Definition and Architecture
Mobile Networks, Nokia
Phone:  +1-908-679-6580

-----Original Message-----
From: Pawlak Paweł 3 - Korpo <Pawel.Pawlak3@...>
Sent: Wednesday, June 26, 2019 3:02 AM
To: Horn, Linda (Nokia - US/Murray Hill) <linda.horn@...>
Cc: onap-seccom@...
Subject: RE: [Onap-seccom] Runtime Online dependency - recommendation proposal

Hello Linda,
Following the discussions below I would like to propose a dedicated call on 16th of July either before or after SECCOM meeting.
Please let us know your availabilities.

Best regards

Paweł Pawlak

ONAP SECCOM Chair
Leader in IT & Network Convergent Operations FT/TGI/OLN/QOP/OST

Orange Polska S.A.
Corporate Services Agency

Obrzeżna 7, 02-691 Warszawa
tel. +48 22 699 52 17
fax +48 22 857 99 86
tel. mob. +48 501 501 030

   Czy musisz drukować tę wiadomość? Pomyśl o środowisku.
__________________________________________________________________
Treść tej wiadomości jest własnością Orange Polska i zawiera informacje stanowiące tajemnicę przedsiębiorstwa Orange Polska. Jeżeli nie jesteście Państwo jej adresatem, bądź otrzymaliście ją przez pomyłkę, prosimy o powiadomienie o tym nadawcy oraz trwałe jej usunięcie. Orange Polska Spółka Akcyjna z siedzibą i adresem w Warszawie (02-326) przy Al. Jerozolimskich 160, wpisana do Rejestru Przedsiębiorców prowadzonego przez Sąd Rejonowy dla m.st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem 0000010681; REGON 012100784, NIP 526-02-50-995; z pokrytym w całości kapitałem zakładowym wynoszącym 3.937.072.437 złotych.

-----Original Message-----
From: Horn, Linda (Nokia - US/Murray Hill) [mailto:linda.horn@...]
Sent: Wednesday, June 12, 2019 9:18 PM
To: MACH Natacha TGI/OLS; ZWARICO, AMY; Pawlak Paweł 3 - Korpo; onap-seccom@...
Subject: RE: [Onap-seccom] Runtime Online dependency - recommendation proposal

Natacha,

Thank you for reviewing. My comments are in the attached doc. BTW there is a version v7 now but it has minor changes so your comments are still valid.

Linda
-----------------------------------------------------------------------------------
Linda S. Horn, DMTS
Cloud RAN Solution Definition and Architecture
Mobile Networks, Nokia
Phone:  +1-908-679-6580

-----Original Message-----
From: onap-seccom@... <onap-seccom@...> On Behalf Of natacha.mach via Lists.Onap.Org
Sent: Friday, June 07, 2019 10:19 AM
To: ZWARICO, AMY <az9121@...>; PAWLAK Pawel O-PL <pawel.pawlak3@...>; onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

hello,

Thanks for the comments, and here are some remarks for understanding first.
I hopr that we could discuss this document next week?

Regards
natacha
________________________________________
De : onap-seccom@... [onap-seccom@...] de la part de ZWARICO, AMY [az9121@...] Envoyé : jeudi 6 juin 2019 21:41 À : PAWLAK Pawel O-PL; onap-seccom@... Objet : Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

I found another typo and made some other minor wording changes.

-----Original Message-----
From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of Pawel Pawlak via Lists.Onap.Org
Sent: Thursday, June 06, 2019 7:33 AM
To: onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

I have corrected 2 typos...
Best regards

Paweł Pawlak

ONAP SECCOM Chair
Leader in IT & Network Convergent Operations FT/TGI/OLN/QOP/OST

Orange Polska S.A.
Corporate Services Agency

Obrzeżna 7, 02-691 Warszawa
tel. +48 22 699 52 17
fax +48 22 857 99 86
tel. mob. +48 501 501 030

 Czy musisz drukować tę wiadomość? Pomyśl o środowisku.
__________________________________________________________________
Treść tej wiadomości jest własnością Orange Polska i zawiera informacje stanowiące tajemnicę przedsiębiorstwa Orange Polska. Jeżeli nie jesteście Państwo jej adresatem, bądź otrzymaliście ją przez pomyłkę, prosimy o powiadomienie o tym nadawcy oraz trwałe jej usunięcie. Orange Polska Spółka Akcyjna z siedzibą i adresem w Warszawie (02-326) przy Al. Jerozolimskich 160, wpisana do Rejestru Przedsiębiorców prowadzonego przez Sąd Rejonowy dla m.st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem 0000010681; REGON 012100784, NIP 526-02-50-995; z pokrytym w całości kapitałem zakładowym wynoszącym 3.937.072.437 złotych.


-----Original Message-----
From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of ZWARICO, AMY
Sent: Wednesday, June 5, 2019 11:14 PM
To: k.opasiak@...; CLOSE, PIERRE; onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

Very nice.

I made minor wording changes to slides 1,4,5,6 The only substantive changes: in all of the nonfunctional requirements I changed "should" to "shall", which makes the requirement stronger.

-Amy
-----Original Message-----
From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of Krzysztof Opasiak via Lists.Onap.Org
Sent: Wednesday, June 05, 2019 4:01 PM
To: CLOSE, PIERRE <pierre.close@...>; onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal



On 05.06.2019 15:58, Close, Pierre wrote:
Hello Krzysztof,

It probably makes more sense to merge the two, if you don't mind, since they aim to achieve the same goal, and so that there is a centralized recommendation.
I tried to merged your remarks into the presentation, you can see the result in attachment.

Feel free to comment & modify.

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics













_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: Communication matrix

Hampus Tjader
 

Hi Natacha,

 

Great work with the matrix!

 

I have a question regarding the “external communication”. My assumption is that this category will also be used for “platform external” components, e.g say between DCAE-yyy and xNF.

Does the “communication_initiator” in this case then define the entity acting as TLS server or is it more related to who is initiating the connection (not related to TLS handshake)?  
Could be interesting to highlight this for platform-external interfaces, thus whether external facing ONAP components are hosting a TLS server or TLS client. It would also be good from a security perspective to have this inventory of platform-externally open ports for the ONAP components, so we in the future might be able to decrease the platform external attack vector.

 

Best regards,

Hampus

 

From: onap-seccom@... <onap-seccom@...> On Behalf Of natacha.mach via Lists.Onap.Org
Sent: den 25 juni 2019 16:46
To: onap-seccom@...
Cc: onap-seccom@...
Subject: [Onap-seccom] Communication matrix

 

Hello,

 

As discussed during the SECCOM of last week, i am sharing with you a proposal regarding the YAML file for the communication matrix work item.

 

Please share your comments, and then we can propose it to the PTLs.

 

Many thanks and best regards

Natacha

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: Runtime Online dependency - recommendation proposal

Pawel Pawlak
 

Hello Linda,
Following the discussions below I would like to propose a dedicated call on 16th of July either before or after SECCOM meeting.
Please let us know your availabilities.

Best regards

Paweł Pawlak

ONAP SECCOM Chair
Leader in IT & Network Convergent Operations
FT/TGI/OLN/QOP/OST

Orange Polska S.A.
Corporate Services Agency

Obrzeżna 7, 02-691 Warszawa
tel. +48 22 699 52 17
fax +48 22 857 99 86
tel. mob. +48 501 501 030

   Czy musisz drukować tę wiadomość? Pomyśl o środowisku.
__________________________________________________________________
Treść tej wiadomości jest własnością Orange Polska i zawiera informacje stanowiące tajemnicę przedsiębiorstwa Orange Polska. Jeżeli nie jesteście Państwo jej adresatem, bądź otrzymaliście ją przez pomyłkę, prosimy o powiadomienie o tym nadawcy oraz trwałe jej usunięcie. Orange Polska Spółka Akcyjna z siedzibą i adresem w Warszawie (02-326) przy Al. Jerozolimskich 160, wpisana do Rejestru Przedsiębiorców prowadzonego przez Sąd Rejonowy dla m.st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem 0000010681; REGON 012100784, NIP 526-02-50-995; z pokrytym w całości kapitałem zakładowym wynoszącym 3.937.072.437 złotych.

-----Original Message-----
From: Horn, Linda (Nokia - US/Murray Hill) [mailto:linda.horn@...]
Sent: Wednesday, June 12, 2019 9:18 PM
To: MACH Natacha TGI/OLS; ZWARICO, AMY; Pawlak Paweł 3 - Korpo; onap-seccom@...
Subject: RE: [Onap-seccom] Runtime Online dependency - recommendation proposal

Natacha,

Thank you for reviewing. My comments are in the attached doc. BTW there is a version v7 now but it has minor changes so your comments are still valid.

Linda
-----------------------------------------------------------------------------------
Linda S. Horn, DMTS
Cloud RAN Solution Definition and Architecture
Mobile Networks, Nokia
Phone:  +1-908-679-6580

-----Original Message-----
From: onap-seccom@... <onap-seccom@...> On Behalf Of natacha.mach via Lists.Onap.Org
Sent: Friday, June 07, 2019 10:19 AM
To: ZWARICO, AMY <az9121@...>; PAWLAK Pawel O-PL <pawel.pawlak3@...>; onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

hello,

Thanks for the comments, and here are some remarks for understanding first.
I hopr that we could discuss this document next week?

Regards
natacha
________________________________________
De : onap-seccom@... [onap-seccom@...] de la part de ZWARICO, AMY [az9121@...] Envoyé : jeudi 6 juin 2019 21:41 À : PAWLAK Pawel O-PL; onap-seccom@... Objet : Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

I found another typo and made some other minor wording changes.

-----Original Message-----
From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of Pawel Pawlak via Lists.Onap.Org
Sent: Thursday, June 06, 2019 7:33 AM
To: onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

I have corrected 2 typos...
Best regards

Paweł Pawlak

ONAP SECCOM Chair
Leader in IT & Network Convergent Operations FT/TGI/OLN/QOP/OST

Orange Polska S.A.
Corporate Services Agency

Obrzeżna 7, 02-691 Warszawa
tel. +48 22 699 52 17
fax +48 22 857 99 86
tel. mob. +48 501 501 030

 Czy musisz drukować tę wiadomość? Pomyśl o środowisku.
__________________________________________________________________
Treść tej wiadomości jest własnością Orange Polska i zawiera informacje stanowiące tajemnicę przedsiębiorstwa Orange Polska. Jeżeli nie jesteście Państwo jej adresatem, bądź otrzymaliście ją przez pomyłkę, prosimy o powiadomienie o tym nadawcy oraz trwałe jej usunięcie. Orange Polska Spółka Akcyjna z siedzibą i adresem w Warszawie (02-326) przy Al. Jerozolimskich 160, wpisana do Rejestru Przedsiębiorców prowadzonego przez Sąd Rejonowy dla m.st. Warszawy XII Wydział Gospodarczy Krajowego Rejestru Sądowego pod numerem 0000010681; REGON 012100784, NIP 526-02-50-995; z pokrytym w całości kapitałem zakładowym wynoszącym 3.937.072.437 złotych.


-----Original Message-----
From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of ZWARICO, AMY
Sent: Wednesday, June 5, 2019 11:14 PM
To: k.opasiak@...; CLOSE, PIERRE; onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal

Very nice.

I made minor wording changes to slides 1,4,5,6 The only substantive changes: in all of the nonfunctional requirements I changed "should" to "shall", which makes the requirement stronger.

-Amy
-----Original Message-----
From: onap-seccom@... [mailto:onap-seccom@...] On Behalf Of Krzysztof Opasiak via Lists.Onap.Org
Sent: Wednesday, June 05, 2019 4:01 PM
To: CLOSE, PIERRE <pierre.close@...>; onap-seccom@...
Cc: onap-seccom@...
Subject: Re: [Onap-seccom] Runtime Online dependency - recommendation proposal



On 05.06.2019 15:58, Close, Pierre wrote:
Hello Krzysztof,

It probably makes more sense to merge the two, if you don't mind, since they aim to achieve the same goal, and so that there is a centralized recommendation.
I tried to merged your remarks into the presentation, you can see the result in attachment.

Feel free to comment & modify.

Best regards,
--
Krzysztof Opasiak
Samsung R&D Institute Poland
Samsung Electronics













_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration, Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law; they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Communication matrix

natacha.mach@...
 

Hello,

As discussed during the SECCOM of last week, i am sharing with you a proposal regarding the YAML file for the communication matrix work item.

Please share your comments, and then we can propose it to the PTLs.

Many thanks and best regards
Natacha
_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: next steps with CII -- focus on crypto_credential_agility

natacha.mach@...
 

Hello,

Many thanks for your answer.

Regarding the following statement: 
"The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A)."

==> the "not applicable", in my understanding / opinion should not be possible.
TLS should be mandatory, with no other option. If TLS is not possible then the solution is not comptible and the statement unmet.

What do you think?

best regards
Natacha


De : HANSEN, TONY L [tony@...]
Envoyé : jeudi 20 juin 2019 14:27
À : MACH Natacha TGI/OLS; GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

Thank you for your email, Natacha.

 

These are both very important considerations, and they are covered under other CII topics:

 

The comment about hashing passwords is covered under the CII topic [crypto_password_storage]:

 

If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., PBKDF2, Bcrypt or Scrypt).

 

The comment about TLS certification verification is covered under the CII topic [crypto_certificate_verification]:

 

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

There is another thread on the [onap-seccom] mailing list that is focusing on the [crypto_certificate_verification] CII topic. Please take a look there and make sure that your concerns regarding certification verification are being sufficiently addressed.

 

Thank you again for your email, Natacha.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Thursday, June 20, 2019 at 5:41 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello 

 

Thanks for these informations.

 

i have 2 comments / questions:

- The storage of password must be hashed.

- regarding the following statement:

If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.

  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

 

==> is TLS is available, the certificate verification should be mandatory.

 

What do you think?

 

Regards

Natacha

 

 

 

 

 


De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  1. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

1.      Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

c.       If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: next steps with CII -- focus on crypto_credential_agility

Tony Hansen
 

Thank you for your email, Natacha.

 

These are both very important considerations, and they are covered under other CII topics:

 

The comment about hashing passwords is covered under the CII topic [crypto_password_storage]:

 

If the software produced by the project causes the storing of passwords for authentication of external users, the passwords MUST be stored as iterated hashes with a per-user salt by using a key stretching (iterated) algorithm (e.g., PBKDF2, Bcrypt or Scrypt).

 

The comment about TLS certification verification is covered under the CII topic [crypto_certificate_verification]:

 

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

There is another thread on the [onap-seccom] mailing list that is focusing on the [crypto_certificate_verification] CII topic. Please take a look there and make sure that your concerns regarding certification verification are being sufficiently addressed.

 

Thank you again for your email, Natacha.

 

                Tony

 

From: "natacha.mach@..." <natacha.mach@...>
Date: Thursday, June 20, 2019 at 5:41 AM
To: "HANSEN, TONY L" <tony@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: PAWLAK Pawel O-PL <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: RE:[Onap-seccom] next steps with CII -- focus on crypto_credential_agility

 

Hello 

 

Thanks for these informations.

 

i have 2 comments / questions:

- The storage of password must be hashed.

- regarding the following statement:

If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.

  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

 

==> is TLS is available, the certificate verification should be mandatory.

 

What do you think?

 

Regards

Natacha

 

 

 

 

 


De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  1. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

1.      Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

c.       If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]

_________________________________________________________________________________________________________________________
 
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
 
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: next steps with CII -- focus on crypto_credential_agility

Jonathan Gathman <jonathan.gathman@...>
 

I have thought about this over the years doing “AAF/CADI”.  Hopefully, the solution that exists with AAF/CADI may help frame the thoughts.

 

AXIOM: All decryption must start from initializing information

COROLLARY 1: This initializing information must take the form of Something You Have, or Something You Know

COROLLARY 2: It is impractical to query a person each and every time a Process in a system needs to start.

COROLLARY 3: Since a Computer doesn’t “have” anything but access to storage, ultimately, you must put some sort of key on disk/chip *

 

Given this Axiom and these Corollaries, AAF/CADI solves this in this way. 

 

For any given Namespace (Application) configuration, we can generate a “keyfile”.

 

Ex: org.onap.aai.keyfile

 

This contains a AES-256 level key which is, of course Symmetrical.  Immediately upon creation, is set to “400” for Unix Systems, which denies access to any User on a UNIX based system except the User himself and root (O/S level Access Control)

 

This keyfile is used to encrypt/decrypt passwords contained in Property Files

 

These can be put in manually, or can be generated, as we do with AAF Certman Generation

 

Ex: When AAF Agent generates Certs, typical scenario is to encase the Private key and Trust Chain into a PKCS12 file (.p12)

 

Therefore, Agent (real time) for aai

 

  1. Gets Cert and Private Key from Certman Process
  2. Generates a Password
  3. Creates the org.onap.aai.p12 file using Password
  4. Adds Private Key and Certs (Trust Chain)
  5. Writes to disk
  6. Encrypts the Password using org.onap.aai.keyfile
  7. Saves the Encrypted password into org.onap.aai.cred.props in the form “key_password=enc:<encrypted key>”

 

What exists, therefore, is a set of files on the disk, in a well known configuration directory (In ONAP K8S, I have standardized on “/opt/app/osaaf/etc”)

If you watched one of the demos, these are what were created.

400   org.onap.aai.keyfile

640   org.onap.aai.p12

640   org.onap.aai.cred.props

 

(more generated, but these are the only ones outlined)

 

*NOTE: There are some efforts to expand the list of “Something a Computer Has”.

  • Intel has provided ONAP with Chip level storage based on PKCS11.  I personally do not know how this can be applied to Kubernetes, whose main function is to remove Services from any direct access to hardware or dependency on it.
  • Intel has provide the SMS service to ONAP.  However, in order to securely access, the App still needs to be able to get an initial key from disk, so it solves some issues, but still requires something like the above to get the APP’s Credentials.

 

 

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Wednesday, June 19, 2019 at 10:34 PM
To: "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII -- focus on crypto_credential_agility

 

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  3. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]


Re: next steps with CII -- focus on crypto_credential_agility

natacha.mach@...
 

Hello 

Thanks for these informations.

i have 2 comments / questions:
- The storage of password must be hashed.
- regarding the following statement:
If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
  • Click [Unmet]
  • FILE A JIRA against your project
  • In the description, explain what you don’t do
  • Include the current date at the end of your explanation, as in [2019/06/24]
  • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
  • Include the JIRA ticket number(s) in your answer.

==> is TLS is available, the certificate verification should be mandatory.

What do you think?

Regards
Natacha






De : onap-seccom@... [onap-seccom@...] de la part de Tony Hansen [tony@...]
Envoyé : jeudi 20 juin 2019 05:34
À : GATHMAN, JONATHAN C; onap-seccom@...
Cc : PAWLAK Pawel O-PL; ZWARICO, AMY; CLOSE, PIERRE
Objet : Re: [Onap-seccom] next steps with CII -- focus on crypto_credential_agility

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  3. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]
_________________________________________________________________________________________________________________________

Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.


Re: next steps with CII -- focus on crypto_credential_agility

Tony Hansen
 

This message focuses on [crypto_credential_agility].

 

Reminder about the CII text:

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

My take is that this one covers both the credentials needed to access remote services by the application AND the credentials used for authentication of others connecting to the application.

 

  1. Correct, no hard coding of passwords within the source code.
  2. Good questions on containers. I’m not sure what the answers are.
    1. Kubernetes secrets would probably satisfy the requirement.
  3. It seems that AAF would be a perfectly reasonable way to satisfy this requirement.

 

One aspect is that if you have passwords (or hashes of the passwords, etc), should be saved in the a different file from where other configuration values are stored.

 

Additional discussion is welcome.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

. . .

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

. . .

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]


Re: next steps with CII -- focus on crypto_certificate_verification

Tony Hansen
 

Great summary, Jonathan. I like it. :)

 

I realized that this statement hadn’t been explicitly listed before:

 

If the remote API has both non-TLS and TLS endpoints/options available, make certain that the TLS endpoint is being used. For example, if the remote API can be invoked either with HTTP or HTTPS, make certain that HTTPS is being used.

 

Thanks again for the discussion on this CII issue. It will make the conversation with the PTLs easier.

 

Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 8:50 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII -- focus on crypto_certificate_verification

 

Great Answers, Tony,

  If I could summarize, it is about validating that TLS is 1) used where possible 2) is not disabled (since it is easy in some mechanisms.

 

Appreciate it

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Wednesday, June 19, 2019 at 7:46 AM
To: "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII -- focus on crypto_certificate_verification

 

Thank you all for your responses.

 

Jonathan, the answer to most of these questions SHOULD lie in the realm of no brainers / standard use. But let’s look at [crypto_certificate_verification] for a moment.

 

  • This is about machine-to-machine calls to remote services from within the project’s code to an external service, and not about calls INTO a project’s code (either machine-to-machine or user-to-machine).

 

  • Trust chain (aka CA Server Certificate Chain):
    • If the server on the other end is using a cert from a public trusted CA, then you need a trust chain for that CA.
    • If the server on the other end is using a cert from another CA, then you need a trust chain for that CA.
    • The key is that you need the right trust chain for whatever language you’re dealing with to reach the servers you’re going to.
    • This one should seriously be in the no-brainer category.
    • But what if they turned off verification because they didn’t have access to the remote site’s trust chain? Or didn’t know how to add support for it in the language that they are using?

 

  • Language issues:
    • If Java makes it hard to avoid verification, that’s a good thing.
      • The PTL should check their code base to see if they did it the right way or not.
    • With curl, it is SO easy to just toss the -k into your scripts and forget that you did it.
      • The PTL should check their code base to see if they did it the right way or not.
    • With the python requests library (which most people use these days), you can similarly use a -k-equivalent or do it the right way.
      • The PTL should check their code base to see if they did it the right way or not.
    • The same thing goes for other languages.
      • The PTL should check their code base to see if they did it the right way or not.
    • The PTL can also delegate the code checking.

 

It would be useful for the PTLs to know what to look for in the code. For example, guidance like this would be useful:

If you know your code uses shell scripts and invokes curl or wget, make certain that curl does not use the -k or --insecure option and that wget does not use the --no-check-certificate option.

 

The end result is that if they are NOT doing the right thing with their trust chain OR avoiding verification for any of a myriad of reasons, they need to write JIRA tickets to fix their code.

 

Bottom line: our job is to get them to improve their code. Getting the silver star or gold star from the CII badge is truly secondary.

 

I’ll address the other CII issues separately.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

First, I’m curious as to context.  Are you specifically drawing our Person to App or App to App communications?  Or, given the nature of what ONAP addresses, are you trying to leave room for Communications are a more network level?  When I’m reading these, some of them seen either no-brainers or are standard use for out-of-the-box Client/Server solutions i.e. Java (HTTP/S) with TLS. 

 

Are we trying to codify  what might be stated more baldly “Use the security provided with valid CA structure and don’t disable it” and “Don’t hardcode credentials in Source, and realize that Containers ultimately compiled… you need to provide methods for changing creds”?

 

Here are more detailed questions that I’m hoping will draw out the intentions.

 

Verification

  1. When you are saying TLS verification, are you talking mostly about making sure TLS is running normally, default behavior?    What I mean is that

a.      In Java, for instance, the TLS connections validate all the Certificates in a Trust Chain against Trusted CAs in your Truststore.  You have to go to great pains to, for instance, turn off DNS checking, etc.

b.      In “curl” (do we use curl other than as a convenient Client?) you have to disable TLS Trust with “-k”…

  1. Are you talking about only using Certificates with a Trust Chain to an established CA (or public Trusted CAs)?

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

Verification

  1. This seems to be back to TLS focus, specifically Client.

a.      Are you saying that Client Software needs to first determine if the underyling connection (typically invisible to the top-level client code) is TLS? 

b.      Clients can only Communicate in the manner that the Service Side dictates.

c.       Given this is done at (to quote OSI Level), at a lower communication Layer, what is the practical way for an App to ensure this.

d.      Example: Is it enough to reject any URLs as a client that start with “http:” but not “https”?

 

 

 

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]


Re: next steps with CII -- focus on crypto_certificate_verification

Jonathan Gathman <jonathan.gathman@...>
 

Great Answers, Tony,

  If I could summarize, it is about validating that TLS is 1) used where possible 2) is not disabled (since it is easy in some mechanisms.

 

Appreciate it

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Wednesday, June 19, 2019 at 7:46 AM
To: "GATHMAN, JONATHAN C" <jonathan.gathman@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII -- focus on crypto_certificate_verification

 

Thank you all for your responses.

 

Jonathan, the answer to most of these questions SHOULD lie in the realm of no brainers / standard use. But let’s look at [crypto_certificate_verification] for a moment.

 

  • This is about machine-to-machine calls to remote services from within the project’s code to an external service, and not about calls INTO a project’s code (either machine-to-machine or user-to-machine).

 

  • Trust chain (aka CA Server Certificate Chain):
    • If the server on the other end is using a cert from a public trusted CA, then you need a trust chain for that CA.
    • If the server on the other end is using a cert from another CA, then you need a trust chain for that CA.
    • The key is that you need the right trust chain for whatever language you’re dealing with to reach the servers you’re going to.
    • This one should seriously be in the no-brainer category.
    • But what if they turned off verification because they didn’t have access to the remote site’s trust chain? Or didn’t know how to add support for it in the language that they are using?

 

  • Language issues:
    • If Java makes it hard to avoid verification, that’s a good thing.
      • The PTL should check their code base to see if they did it the right way or not.
    • With curl, it is SO easy to just toss the -k into your scripts and forget that you did it.
      • The PTL should check their code base to see if they did it the right way or not.
    • With the python requests library (which most people use these days), you can similarly use a -k-equivalent or do it the right way.
      • The PTL should check their code base to see if they did it the right way or not.
    • The same thing goes for other languages.
      • The PTL should check their code base to see if they did it the right way or not.
    • The PTL can also delegate the code checking.

 

It would be useful for the PTLs to know what to look for in the code. For example, guidance like this would be useful:

If you know your code uses shell scripts and invokes curl or wget, make certain that curl does not use the -k or --insecure option and that wget does not use the --no-check-certificate option.

 

The end result is that if they are NOT doing the right thing with their trust chain OR avoiding verification for any of a myriad of reasons, they need to write JIRA tickets to fix their code.

 

Bottom line: our job is to get them to improve their code. Getting the silver star or gold star from the CII badge is truly secondary.

 

I’ll address the other CII issues separately.

 

                Tony

 

From: "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Date: Wednesday, June 19, 2019 at 6:45 AM
To: "HANSEN, TONY L" <tony@...>, "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>
Subject: Re: next steps with CII

 

Question(s), Tony,

 

First, I’m curious as to context.  Are you specifically drawing our Person to App or App to App communications?  Or, given the nature of what ONAP addresses, are you trying to leave room for Communications are a more network level?  When I’m reading these, some of them seen either no-brainers or are standard use for out-of-the-box Client/Server solutions i.e. Java (HTTP/S) with TLS. 

 

Are we trying to codify  what might be stated more baldly “Use the security provided with valid CA structure and don’t disable it” and “Don’t hardcode credentials in Source, and realize that Containers ultimately compiled… you need to provide methods for changing creds”?

 

Here are more detailed questions that I’m hoping will draw out the intentions.

 

Verification

  1. When you are saying TLS verification, are you talking mostly about making sure TLS is running normally, default behavior?    What I mean is that

a.      In Java, for instance, the TLS connections validate all the Certificates in a Trust Chain against Trusted CAs in your Truststore.  You have to go to great pains to, for instance, turn off DNS checking, etc.

b.      In “curl” (do we use curl other than as a convenient Client?) you have to disable TLS Trust with “-k”…

  1. Are you talking about only using Certificates with a Trust Chain to an established CA (or public Trusted CAs)?

 

Agility

  1. Are you talking about storing Credentials, etc, of the App itself, or Clients

a.      By “Compile” are you talking about not Hard Coding Passwords in Source (i.e. .js, java, .c, .cpp, whatever) files.

b.      Or are we realizing that Containers essentially Freeze what used to be dynamic configs, so you have to plan for updates.

                                                      i.      Does “Use docker/kubectl Container Copy instructions” meet this goal?

                                                    ii.      The constant Top priority of “Start from Scratch” makes this difficult, of course.

    1. If Client Creds, it should be pointed out that Apps can use Externalization of Client Creds, which is, of course, the point of AAF (sorry for the plug)

 

Verification

  1. This seems to be back to TLS focus, specifically Client.

a.      Are you saying that Client Software needs to first determine if the underyling connection (typically invisible to the top-level client code) is TLS? 

b.      Clients can only Communicate in the manner that the Service Side dictates.

c.       Given this is done at (to quote OSI Level), at a lower communication Layer, what is the practical way for an App to ensure this.

d.      Example: Is it enough to reject any URLs as a client that start with “http:” but not “https”?

 

 

 

     

 

-- 

Jonathan Gathman

Principled-System Architect

ATO Tech Dev/SEAT/Platform Architecture and Technology Management

 

AT&T Services, Inc.

m  314-550-3312  |  jonathan.gathman@...

 

 

From: "HANSEN, TONY L" <tony@...>
Date: Tuesday, June 18, 2019 at 11:49 AM
To: "onap-seccom@..." <onap-seccom@...>
Cc: Pawlak Paweł 3 - Korpo <pawel.pawlak3@...>, "ZWARICO, AMY" <az9121@...>, "CLOSE, PIERRE" <pierre.close@...>, "GATHMAN, JONATHAN C" <jonathan.gathman@...>
Subject: next steps with CII

 

Here are the next few items that I think we need to work on with respect to moving forward with CII badging. These three have lots of projects marked [?] under the Silver level.

 

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

 

[crypto_credential_agility]

The project MUST support storing authentication credentials (such as passwords and dynamic tokens) and private cryptographic keys in files that are separate from other information (such as configuration files, databases, and logs), and permit users to update and replacement them without code recompilation. If the project never processes authentication credentials and private cryptographic keys, select 'not applicable' (N/A).

 

[crypto_verification_private]

The software produced by the project MUST, if it supports TLS, perform certificate verification before sending HTTP headers with private information (such as secure cookies). If the software does not use TLS, select 'not applicable' (N/A).

 

As discussed at DDF, the idea is that we would

 

Week 1

Introduce a topic at the PTL meeting with instructions.

We give stats on how many projects that have answered this question already.

Week 2

One week later, we check to see what progress there is.

Give kudos to those who have made progress.

We file JIRA tickets on those projects that have not given any answer.

Introduce the next topic, etc

Week 3

We bump up the priority on those tickets.

 

So, for next week’s meeting, here are instructions for [crypto certificate verification]. Comments are welcome.

 

  • This week’s CII issue is

[crypto_certificate_verification]

The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS, including on subresources. If the software does not use TLS, select 'not applicable' (N/A).

  • Visit your project page, and login. (If necessary, go to bestpractices.coreinfrastructure.org and do a search.)
  • Click on the silver button near the top where it says “You can also view your [silver] or [gold] level criteria.”
  • Click the [Edit] button at the top.
  • Scroll to the bottom and click on the v Security banner. Search for “The software produced by the project MUST, if it supports TLS, perform TLS certificate verification by default when using TLS”
  • This question is about places in your software where you invoke external APIs, such as HTTP REST calls or database queries or LDAP.
    • If your project software does not make any external API calls, then select “not applicable”
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes its architecture.
    • If your project software does NOT use TLS for ANY of your external API calls, then select “not applicable”.
      • Click the [N/A] button
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, and its default mode is to do certification verification against a locally maintained list of Certificate Authority certificates.
      • Click [Met]
      • In the description, explain that you do not have any external API calls.
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
    • If your project software uses TLS, but its default mode is NOT to do certificate verification against a locally maintained list of Certificate Authority certificates.
      • Click [Unmet]
      • FILE A JIRA against your project
      • In the description, explain what you don’t do
      • Include the current date at the end of your explanation, as in [2019/06/24]
      • Include a URL to your project’s onap.readthedocs.io page that describes how it uses external APIs.
      • Include the JIRA ticket number(s) in your answer.
    • If some of your software meets the above but other parts do not:
      • Select [Unmet]
      • Include an explanation in the description for each part, following the above instructions.
    • If some of your software meets the above, but other parts do not use TLS,
      • Select [Met]
      • Include an explanation in the description for each part, following the aboe instructions.
  • VERY IMPORTANT: Click one of the green buttons that say [Save (and exit)] or [Save (and continue)]