DIGITAL SECURITY CERTIFICATE PROFILES

DSC Profile Semantic Rules

Template Vocabulary

Figure 6.7: Digital Security Certificate Profile Structure

6.7.1 Conceptual Model of Digital Security Certificate Pro-file

In the following, we will introduce the profile structure [116]. ACRT P is composed of three parts:

(i) Certificate Template: specification of the common structure and the values of specific fields mandatory for a given certificate class

(ii) Semantic Rules: specification of the semantics of the certificate class in the form of semantic rules

(iii) Vocabulary: specification of vocabulary terms (ideally ontology-referenced terms) providing restrictions on use of vocabulary for language arte-facts of security certificates of the given certificate class.

Figure 6.7 shows the abstract structure of the CRT P. The three pro-file components provide certificates content uniformity in three different dimensions:

(i) certificate template ensures structural uniformity

(ii) semantic rules ensure integrity of intended semantics of certification (iii) certificate vocabulary ensures common ontology-based ground of terms

and ranges of possible values of certification (in a given domain).

Each of these different profile components are explained in detail in the following sections.

Certificate Template

The certificate template is a partially filled certificate that establishes the common structure and content of all certificates created based on a certificate profile. Therefore, any certificate conforming to a CRT P must include the fields, structure and values defined in the template of the pro-file. A certificate template specifies an incomplete realization of a CRT

105

structure with respect to a given certificate syntax (e.g., XML schema). It is used as baseline for creating new certificates.

Alternatively, a certificate template can be considered as a set of implicit (semantic) rules. These rules are simple and easy to understand. For this reason, it is not required to represent a template as a set of rules, but used as a certificate template – a more intuitive notion for expressing predefined structure and values of profile elements.

Semantic Rules

The Semantic Rules define semantic constraints and dependencies be-tween content of certificate artefacts within a given class ofCRTs. While the implicit rules defined by the certificate template are enough for structure-wise restrictions (requiring an optional element be mandatory, constrain specific structure or content of certificate artefacts, etc.), there are cases where more complex restrictions are needed such as to express artefact dependencies or artefact content constraints.

Semantic rules represent a solution allowing to formulate rules to en-sure integrity of the intended semantics of a given certificate class, i.e., preserving specific semantics of certification artefacts. Semantic rules can be formulated in rule based languages (such as Schematron [156] or vari-ants of OCL [131]) or imperative languages (such as Java or JavaScript) in function of the underlying certificate language and supported implemen-tation. The choice of a language for expressing semantic rules has an im-portant implication to achieve machine processability and reasoning of the rules. The language should allow rich fine-grained expression of patterns over certificates’ content and structure.

Certificate Vocabulary

The certificate vocabulary part of the profile provides a means to define and restrict use of vocabularies on different certificate artefacts. One of the goals of the vocabulary part is to enable specific per profile (i.e., per a class of certificates) integration of the underlying certificate language with different ontology terms coming from different domains of knowledge.

The ontology integration will enhance the semantic robustness among all certificates conforming to a given profile, which have been diminished by flexibility and openness of security certificate languages (models).

Ontologies provide not only a suitable source of semantically defined terms but also provide means to define relations between terms, and equiv-alences between different terms. That gives us a powerful way to query

6.7. DIGITAL SECURITY CERTIFICATE PROFILES

ontologies for different aspects of certification and related semantics.

Restricting the range of values of certificate artefacts to terms defined in ontology will make all certificates, stating conformance to the given profile, processable and comparable on those artefacts as their values are ontology terms with defined semantics and relations among them.

Similarly to the certificate template and semantic rules, one can see the certificate vocabulary section of the profile as a set of implicit rules each one restricting use of vocabulary for certificate artefacts. However, by defining explicit vocabulary section we have, first a more intuitive no-tion for expressing vocabulary restricno-tions and, second enable the use of dynamic values based on queries over ontologies, which otherwise would be difficult to achieve as semantic rules.

The certificate vocabulary section enables the use of static or dynamic vocabularies. A static vocabulary defines actual terms inside a profile. It is suitable for offline processing, but could be out-dated by an ontology evolution/ update. In contrast, a dynamic vocabulary defines actual terms by means of a query over ontology, which requires Internet connection for online processing. Ontology queries will be executed at the time of use of a given profile, i.e., the actual terms (values) will be dynamically retrieved from ontology when the profile is used.

An issuer of a profile may decide to enforce or not the use of vocabular-ies. When a vocabulary specification is defined mandatory the referenced language artefact must have a value from the vocabulary. If a vocabulary is optional the referenced language artefact should have a value from the vocabulary.

6.7.2 Representation of Digital Security Certificate Profile

We have realized a CRT P structure tailored to the ASSERT represen-tation, which we will refer to as ASSERT PROFILE henceforth. Figure 6.8 shows the ASSERT PROFILE structure corresponding to the defined XML schema. For the sake of presentation, we show the profile structure as snippets abstracting away some irrelevant XML schema details to better focus on the actual data elements. We refer to the Appendix B for more details on the actual profile schema.

We will go through each of the main elements. The Issuer field identifies the entity issued (created) the ASSERT profile. The certificate template is called ASSERTTemplate. An ASSERTTemplate contains one element of type ASSERT certificate. Thus, anASSERTTemplate contains an incomplete XML instance of an ASSERT (according to the ASSERT language schema).

The semantic rules are implemented in Schematron [156]. The semantic 107

ASSERTProfile  

Seman9cRules   SchematronRule  

ASSERTVocabulary  

DynamicValue   OntologyURL   QueryType  

Figure 6.8:ASSERT PROFILE Structure

rules section contains a set ofSchematronRuleelements. Schematron is an ISO standard of rule-based validation language expressed in XML. Using Schematron, it is possible to make assertions about the presence or absence of patterns in XML trees.

The certificate vocabulary is calledASSERTVocabulary, which contains a set ofVocabulary elements, each one defining a specific vocabulary per an artefact (or set of artefacts) of an ASSERT. AnASSERTElement, part of the Vocabulary, identifies theASSERTfield(s) where specific vocabulary will be applied. Currently, we support the use of XPath [179] as a query language to identify nodes ofASSERTSwhere the vocabulary is to be applied. There is a choice ofEnumerationorRangetype of a Vocabulary. The former defines an explicit set of values, while the latter instead defines a range of values in the form ofFromandToboundaries, such as integer range, double range (e.g. , percentage), date range, etc. Each of the Enumeration and Range types are further defined as a choice ofDynamicValuesorStaticValueswith an attribute field Mandatory indicating mandatory or optional use of the vocabulary data.

TheDynamicValues artefact defines an OntologyURI of how to retrieve the ontology. TheOntologySyntaxspecifies the ontology syntax. The Query-Typeidentifies the query language used to encode the query, and the actual query value. We currently support the use of SPARQL [165] as an RDF query language to retrieve information and manipulate data stored in RDF format. The StaticValues artefact defines a set of vocabulary terms as a simple list of values, or in case of aRangetype a single vocabulary term.

6.7. DIGITAL SECURITY CERTIFICATE PROFILES

6.7.3 ASSERT Profile Usage

Listing 6.15: Assert Profile Example

1 <ASSERTProfile>

21 [Property integrity check] ASSERT.ASSERTCore.SecurityProperty.

22 PropertyAbstractCategory has to match the same value of ASSERT.

23 ASSERTTypeSpecific.ASSERT-E.Property.PropertyName

We present an example of the usage of the ASSERT PROFILE by a certi-fication authority. We show the ability to express realistic constraints that must be enforced during the certification process.

Let us assume that there a certification authority, AmazingTrust, is au-thorized by national regulators to issue CC certifications. AmazingTrust is authorized to certify services that are offered as SaaS offerings and can issue certifications up to EAL4. Considering that AmazingTrust wants to issue digital security certificates (ASSERTS), they might want to ensure that all theASSERTSproduced must meet certain common guidelines such as:

109

1. Should only certify services that are offered as Software as a Service.

2. All ASSERTS produced must use the vocabulary that is based on an authorized ontology from the CC body contained as static values in the template

3. AllASSERTSproduced at EAL4, must be produced by test-based certi-fication process.

4. AllASSERTSissued must have the issuer field filled correctly

These constraints can be captured in anASSERTprofile as shown in List-ing 6.15. The profile defines followList-ing constraints on ASSERTS issued by AmazingTrust. TheASSERTTemplatedefines that allASSERTSconforming to this profile must:

• be for software-as-a-service (SaaS) model services, i.e., all ASSERTS must have TargetOfCertification element with an attribute Type qual-ified as “http://example.org/cc/ontology/cc-language#Software-as-a-service”

• be issued by theAmazingTrustas issuer, i.e., allASSERTSmust have an ASSERTIssuer element with the defined value structure (conforming to X.509 subject structure) “O=AmazingTrust, OU=ASSERT ISSUER, C=FR”

• be produced by a test-based certification process, i.e. must contain ASSERT-E type-specific structure, but without defining any particular content for the structure. This means that ASSERTS stating confor-mance to the profile can contain any specificASSERT-Econtent The SemanticRules section defines one Schematron rule, which forces the security property abstract category value as defined in the SecurityProp-erty element in the ASSERTCore match the value of the PropertyName of Property definition ofASSERT-E. Such an integrity constraint is difficult to enforce without a semantic rule.

The ASSERTVocabulary defines two vocabularies – one for the Prop-ertyAbstractCategoryattribute of theSecurityPropertyelement, and another one for thePropertyContextattribute of the same SecurityProperty element based on an ontology that is approved by CC bodies. The first vocabulary defines static values of the CIA triad – Confidentiality, Integrity and Avail-ability – as terms from an ontology specific definition, and marks those as mandatory. The second vocabulary defines optional values for the arte-factPropertyContext, such asStorage, Transit and Usage, as terms from an ontology-specific definition.

6.7. DIGITAL SECURITY CERTIFICATE PROFILES

Conclusion

In this chapter, we presented the concept of Digital Security Certifi-cate CRT, which is designed to be a certification scheme independent, machine processable, descriptive security certificate. We have presented an XML based language (ASSERT language) to represent the contents of the CRT and explained the integration of external vocabularies into the ASSERT. In addition, we presented the concept of a Digital Security Cer-tificate Profile, that helps in the generation of uniform CRTs. We believe that a wider adoption of these concepts will provide security assurance in business-critical domains such as financial, defence and healthcare [72].

Publications

The contents of this chapter have been discussed in the following pub-lications:

? S. P. Kaluvuri, H. Koshutanski, F. D. Cerbo, and A. Ma˜na. Secu-rity assurance of services through digital secuSecu-rity certificates. In Web Services (ICWS), 2013 IEEE 20th International Conference on, pages 539–546. IEEE, 2013.

? S. P. Kaluvuri, H. Koshutanski, F. Di Cerbo, R. Menicocci, and A.

Ma˜na.A digital security certificate framework for services. International Journal of Services Computing, 1(1), 2013.

? V. Lotz, F. Di Cerbo, M. Bezzi, S. P. Kaluvuri, A. Sabetta, and S. Tra-belsi. Security certification for service-based business ecosystems. The Computer Journal, page 101, 2013