View Issue Details

ID: 0002208
Project: 10000-007: Profiles
Category:
View Status: public
Last Update: 2013-03-19 17:06
Reporter: Jim Luth
Assigned To: Paul Hunkar
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Fixed in Version: 1.02
Summary: 0002208: Security Profiles should list the NIST expiration date
Description

Security Profiles should list the NIST expiration date

Tags: No tags attached.
Commit Version
Fix Due Date

Relationships

related to 0002318 closed Matthias Damm 10000-004: Services EndpointDescription.securityLevel

Activities

Jim Luth

2012-09-20 15:15

administrator   ~0004101

Since these are released Profiles, Paul will paste proposed wording for the updates for review into Mantis and only transfer them to the database after w.g. approval.

Paul Hunkar

2012-11-13 07:59

developer   ~0004225

Last edited: 2012-11-14 15:12

SecurityPolicy - Basic128Rsa15
This security Facet defines a Security Policy for configurations with medium secure. It requires a PKI infrastructure.

As computing power increases, SecurityPolicies are expected to expire. NIST provides guidelines for expected expiration dates for individual algorithms. These guidelines provide recommended dates at which the algorithm should be replaced or upgraded to a more secure algorithm. They do not indicate a failure of the algorithm. NIST recommends users of this SecurityPolicy should consider upgrading it in 2012. NIST also recommends that this SecurityPolicy should be deprecated in 2013. OPC recommends that Servers and Clients support all security profiles and that developers provide the recommended profile as a default. It is up to an administrator to configure the actual exposed SecurityPolicies.

Other Policies will have same text just different dates

From UA call 11/13/2012 - Reviewed reworded text, but still needs work. - Could use separate conformance units to describe the actions. Other suggestion was to include a “securitylevel” that describes the relative level of security provided by this policy - 0 indicates that it should not be used (i.e. it has been broken).

Paul Hunkar

2012-11-20 05:41

developer   ~0004247

Last edited: 2012-11-20 05:46

SecurityPolicy - Basic128Rsa15
This security Facet defines a Security Policy for configurations with medium secure. It requires a PKI infrastructure.

As computing power increases, SecurityPolicies are expected to expire. NIST provides guidelines for expected expiration dates for individual algorithms. These guidelines provide recommended dates at which the algorithm should be replaced or upgraded to a more secure algorithm. They do not indicate a failure of the algorithm. NIST recommends users of this SecurityPolicy should consider upgrading it in 2012. NIST also recommends that this SecurityPolicy should be deprecated in 2013. OPC recommends that Servers and Clients support all security profiles and that developers provide the recommended profile as a default. It is up to an administrator to configure the actual exposed SecurityPolicies.

Propose to also add a conformance unit to each security policy that includes an indication of the security level of the profile. 0 being broken, 1 is less secure than 2 etc. New security profile would just add a new conformance unit with the next number. The conformance unit will indicate that as a default the highest level security policy should be used, but an administrator can enable any security policies that they feel are required. An application can also be configured to use a less secure SecurityPolicy, but without any configuration it should use the most secure available security policy. If an application does not, it should receive a warning.

A conformance Unit will be added for Level 0 which indicates that this security policy has been compromised and should no longer be used if any alternate is available. The test results for this conformance unit if it is added to a security policy will include any possible workaround or other changes that could minimize any exploits.
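
The selection behaviour proposed in the note above, sketched as an added example that is not part of the tracker notes or of any OPC UA stack: with no configuration the highest-level policy is used, a configured lower-level policy produces a warning, and level 0 always produces one. The Endpoint type, the select_endpoint function, the level numbers and the "BrokenPolicy" name are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Endpoint:
    policy: str          # SecurityPolicy name advertised by the server
    security_level: int  # 0 = compromised; a higher number is more secure


# Constructed sample: the level numbers and "BrokenPolicy" are illustrative only.
SAMPLE = [
    Endpoint("BrokenPolicy", 0),
    Endpoint("Basic128Rsa15", 1),
    Endpoint("Basic256", 2),
]


def select_endpoint(endpoints: List[Endpoint],
                    configured: Optional[str] = None) -> Tuple[Endpoint, List[str]]:
    """Pick an endpoint and collect the warnings the proposal calls for."""
    if not endpoints:
        raise ValueError("server offered no endpoints")
    best = max(endpoints, key=lambda e: e.security_level)
    warnings: List[str] = []
    if configured is None:
        chosen = best  # no configuration: use the most secure policy offered
    else:
        matches = [e for e in endpoints if e.policy == configured]
        if not matches:
            raise LookupError(f"{configured} is not offered by the server")
        chosen = max(matches, key=lambda e: e.security_level)
        if chosen.security_level < best.security_level:
            warnings.append(f"{chosen.policy} (level {chosen.security_level}) is less "
                            f"secure than {best.policy} (level {best.security_level})")
    if chosen.security_level == 0:
        # Level 0 means compromised: always warn, and say whether an alternative exists.
        alt = "an alternative is available" if best.security_level > 0 else "no alternative offered"
        warnings.append(f"{chosen.policy} is level 0 (compromised); {alt}")
    return chosen, warnings


if __name__ == "__main__":
    for cfg in (None, "Basic128Rsa15", "BrokenPolicy"):
        ep, warns = select_endpoint(SAMPLE, cfg)
        print(cfg, "->", ep.policy, warns)
```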

Paul Hunkar

2013-01-07 08:48

developer   ~0004399

Updated text in security policies as described

Jim Luth

2013-03-19 17:06

administrator   ~0004592

verified text in doc

Issue History

Date Modified Username Field Change
2012-09-20 15:07 Jim Luth New Issue
2012-09-20 15:07 Jim Luth Status new => assigned
2012-09-20 15:07 Jim Luth Assigned To => Paul Hunkar
2012-09-20 15:15 Jim Luth Note Added: 0004101
2012-11-13 07:59 Paul Hunkar Note Added: 0004225
2012-11-13 17:30 Paul Hunkar Note Edited: 0004225
2012-11-13 17:34 Paul Hunkar Note Edited: 0004225
2012-11-13 17:41 Paul Hunkar Note Edited: 0004225
2012-11-13 18:37 Paul Hunkar Note Edited: 0004225
2012-11-14 15:12 Jim Luth Note Edited: 0004225
2012-11-20 05:41 Paul Hunkar Note Added: 0004247
2012-11-20 05:46 Paul Hunkar Note Edited: 0004247
2013-01-07 08:48 Paul Hunkar Status assigned => resolved
2013-01-07 08:48 Paul Hunkar Resolution open => fixed
2013-01-07 08:48 Paul Hunkar Note Added: 0004399
2013-01-10 19:55 Karl Deiretsbacher Relationship added related to 0002318
2013-03-19 17:06 Jim Luth Status resolved => closed
2013-03-19 17:06 Jim Luth Note Added: 0004592
2013-03-19 17:06 Jim Luth Fixed in Version => 1.02