D9.7 Standards activity report

Contributing Partners

UNIL, UNI PASSAU, AIT

Executive Summary

The standardisation activity, which spanned over the entire duration of the project, started with one year of analysis, planning, and preparation. A standardisation plan was developed (D9.5, M12) and its implementation decided by the project plenary. In course of the imple-mentation, we established liaisons with two working groups of the ISO/IEC JTC1 SC 27 “IT Security”1: WG2 "Cryptography and Security Mechanisms" for activities concerning low level cryptographic primitives, and WG4 "Security Controls and Services” for activities on a service level; and participated for one year (March 2017 – Feb. 2018) in the specialist task force ETSI TC CYBER STF5292 which produced a Technical Specification in the field of attribute based credentials.
In the ISO, we attended four of ISO/IEC’s semi-annual meetings around the world and also participated in standardisation work between the meetings. Detailed intermediate reporting can be found in D9.6 (M24) and D9.3 (M30). To secure our impact, three project partners also sought accreditation through the mirror committees of SC27 of two European national bodies (of Germany and Austria). Through the national bodies we were able to contribute about 90 comments for the standard ISO/IEC 19086-4 “Cloud computing Service Level Agreement (SLA) framework - Part 4: Security and privacy” of WG4, which defines objec-tives to be negotiated between cloud providers and customers in a cloud SLA. Through the leverage of our national bodies’ voting rights, we were able to add several objectives to the standard for the kinds of services and tools that we developed in the project. In more detail: objectives for integrity protection of data in motion, for anonymous and pseudonymous au-thentication support and for data minimisation cryptographic controls. We also contributed a complete overhaul of a “Cryptography Component”, which is central to the standard, by systematically extending its scope to confidentiality and integrity protection not only “in motion” (as previously proposed), but also “at rest” and “during computation”.
In WG2 we carried out an operation through three of the ISO meetings: We proposed and organized a “study period” on the potential instantiation of a new standard for redactable signatures, being one of the core technologies proposed in PRISMACLOUD. Based on positive evaluation and feedback, we proposed a new “work item” (i.e. to develop a new stand-ard) and finally found the support of five other national bodies to officially start the new standard ISO/IEC 23264 “Information technology – Security techniques – Redaction of au-thentic data”. ISO/IEC 23264 will be a standard, proposed and shaped by a H2020 project3. A first “working draft” version (of 15 pages) was prepared by project partners UNI PAS-SAU, AIT—and was just by the time of this writing (19 June, 2018) sent out by ISO on its world-wide list with a call for contribution (See Appendix for this version).
A critical assessment of our activities confirms that we could achieve actual dissemination of project results into standards even during the relatively short (for standardisation processes) project duration of 3.5 years. We were certainly also lucky to encounter standards in project stages suitable for our contribution—and to receive within the ISO context the support of colleagues from research, industry, and administration for our plans. But we also could se-cure the continuation of the standardisation activity beyond project end—with AIT and UNI PASSAU having declared to remain active in cloud security and privacy standardisation in ISO SC27 and to continue to drive the standardisation activities that sprung off the PRISMACLOUD project.