TAS³ How To



The handbook for understanding and installing the framework


The Architecture Explained


Understand the Contractual Framework

TAS3 Contractual Framework – Legal Concepts in Context and Practice

TAS³ provides a governance framework designed to enhance trust and facilitate the responsible exchange of information. TAS³’s approach co-ordinates the development of contract, policy, technology and business requirements from the inception of the project. In this section of the “how to” materials, we walk you through the use and operation of the Governance Infrastructure and Contractual Framework.

The first step in any TAS³ implementation is the creation of a TAS³ Consortium. A number of different models for forming consortia are highlighted, with the most likely initial adoption model being one based on a few strong founding entities (see Part III – section 2).

After an organizational model is determined, a governance model must be implemented. The end-to-end Trust Assurance of the TAS³ Ecosystem consists of three layers. Each layer is governed by an overarching set of rules, policies and procedures which must be complied with in order to render implementations of TAS³ trustworthy.
The following three layers can be distinguished:

  1. the TAS³ governance layer: the layer where the rules and policies of the TAS³ Trust Network are established;
  2. the TAS³ administration layer: the layer where the rules and policies established for the Trust Network are enforced;
  3. the TAS³ operational layer: the layer where transactions occur in accordance with the rules of the Trust Network.


Figure 1 – Layers and Actors of the TAS³ Ecosystem
(See Part IV – section 2)

The governance layer must be supported by a contractual framework that includes all users and service providers, so that obligations can be bound to, and enforced by and across, all participants.
The three layers of the TAS³ ecosystem are each covered by separate but interacting contractual elements. Together with the EULA, these elements both bind obligations across parties and define the lines of oversight and responsibility that constitute the governance framework of TAS³.

The Trust Network Agreement (TNA) is the contract among the founders that establishes the Trust Network and its organisational structure. The TNA further establishes, at a principal level, the operating rules for the Trust Network as a whole, as well as the roles, responsibilities and interactions among the top level administrative and governance bodies including: the (1) Governance Board, the (2) Trust Network Operator (and through it (3) the Accreditation Authority), (4) the Accountability and Oversight Committee, and (5) the Trust Network Advisory Board.
The TNA creates the overall governance infrastructure onto which the more operational elements of the system must be specified. The general specification of overall operating rules occurs in what we call the Ecosystem Contract. The Ecosystem Contract (EC) is the contract which binds all Service Providers joining the Trust Network to their general obligations as participants of the Trust Network.

The Ecosystem Contract (EC) builds upon and must always remain consistent with the Trust Network Agreement. The EC must be formally adopted and approved by the Governance Board (GB). Where the TNA has a more structural function (setting up the Trust Network, defining the roles and responsibilities of the major players in governance and administration, and the general rules of TN operation), the EC supports the structural elements of the TNA by binding all parties to a more detailed statement of obligations and to the implementation of TN Policies and the high-level rules of the TN; it is an operational document that implements TN requirements related to transactions.

Finally, TAS³ encompasses a number of different service providers that may have special requirements related to their functions. These requirements are specified as needed in Participant Contracts, which are specific to the service provider and to the context of the transaction and obligation.

End user rights and obligations are set forth in the End User Licensing Agreement (EULA).
(see Part IV – sections 3 through 8)

Four final and important elements of TAS³ that provide coverage from end to end and across the lifecycle of information are:

  • An intake process for service providers that requires them to demonstrate their ability to comply with TAS³ minimum requirements of technology, privacy and security, along with any relevant proof or certification of those abilities;
  • An intake/registration process for end users that credentials users to TAS³, provisions the dashboard and helps them set their personal privacy defaults and preferences (see Part III – section 7);
  • An audit and oversight committee, as well as audit tools, to help assure proper application of the rules within TAS³, together with a user-centric system that provides transparency into access and use of personal information;
  • Finally, a complaint and redress mechanism, supported in contracts by a liability and partial indemnity schema, to help assure that credible action can and will be taken in response to complaints.

(see Part IV – section 9; annex 7)

All legal and policy documents for this handbook:
Part I
Part II
Part III
Part IV
Part V
Epilogue


Install and configure the reference Architecture

Per the decision of the TAS³ General Assembly of 2010-09-13, the following declaration was made:

“TAS³ architecture and specifications, as described in public deliverables D2.1, D2.4, and D7.1, are licensed free for implementation and use by anyone. Up to June 2010, TAS³ consortium partners do not hold patents nor will exercise patents that cover implementation and use of the TAS³ architecture and specifications of those deliverables. This license is only granted for the specific purpose of correct implementations of TAS³ specifications.”

Software Installation

The installation procedures for all the components making up the TAS³ architecture can be found in the annex of deliverable D12.4. All the specific details required to install the components have been documented and tested for completeness. Attention should be paid to the dependency order of the TAS³ components and to their specific prerequisites.

Generally, the TAS³ architecture can be installed in both Linux and Windows environments. Ubuntu 11.04 (Natty Narwhal) and Windows 7 have been tested. The installation procedures have been validated with the components released on September 9th, 2011.

These can all be downloaded from the following link: TAS³ Components

Additional support for Installation

The following components are actively supported for installation, configuration and bug reports.

Reference Implementation of the Core-Sec Architecture

ZXID.org is the Reference Implementation of the TAS³ Core Security Architecture (task T2.14). Download sources from http://www.zxid.org/
Support mailing list: ZXID mailing list zxid.user@lists.unh.edu (archives)

TAS³ Authorization Infrastructure

The PERMIS standalone authorisation server is the reference implementation of the TAS³ authorisation infrastructure.
Open source code can be obtained here: www.openpermis.org
Ready to run binary packages can be obtained here: sec.cs.kent.ac.uk/permis

TAS³ Reference Implementation of the OCT Component

The OCT Component in TAS³ implements the idea of on-line compliance testing of access policies within an instantiation of the TAS³ Architecture.
(role)CAST (ROLE CompliAnce Service on-line Testing) is the reference implementation of the OCT component. It supports the on-line testing of access policies of SOAP services when the roles within the choreography are expressed by means of SAML assertions.
For more information, sources, binaries, and support, please visit: http://labse.isti.cnr.it/tools/rolecast/

TAS³ Compatibility Testing Process

For Service Providers (SPs)

In order to join the TAS³ circle of trust, you need to demonstrate that your installation complies with the TAS³ technical interfaces and protocols, and that your configuration meets the standards of established practice.

Your system integrator (perhaps your IT department) should install and integrate the desired TAS³ modules, see downloads.

Next, you can test your installation against publicly available TAS³ IdPs (Identity Providers).

Testing integration with the ZXIDP.org TAS³-supporting IdP:

  • Self-provisioning here.
  • Join the circle of trust here.
  • (Optional) Register web services endpoint here.
  • Create test users here.

Configuration advice here.

For software vendors

As a software vendor of TAS³-compliant software, you need to ensure that your modules interoperate with our reference implementation. That is, your modules must adhere to the specifications laid down in D2.1 and D2.4.

Example protocol messages are documented here (please request an account to access the documentation). Alternative location for example messages: here (no login required).

The following links provide compliance testing facilities.
Depending on which module(s) you are developing, you may need to run one or more of the following tests.

  • Identity Provider Components: ZXID test suite here.
  • Webservice components: SSO test here.
  • Webservice components: Web service call test here.

Extend TAS³ functionalities

TAS³ has been collaborating with two related projects, PrimeLife and MASTER:

In their daily interaction over the Internet, individuals contribute throughout their life leaving a life-long trail of personal data. Technological advances facilitate extensive data collection, unlimited storage and reuse of the individual’s digital interactions. Today, individuals cannot protect their autonomy and cannot retain control over personal information, irrespective of their activities, as present information technologies hardly consider these requirements. This raises substantial new privacy challenges: how to protect privacy in emerging Internet applications such as collaborative scenarios and virtual communities; and how to maintain life-long privacy. PrimeLife addresses the core privacy and trust issues pertaining to the aforementioned challenges.

MASTER provides methodologies and infrastructure that facilitate monitoring, enforcement, and auditing of security compliance, especially where highly dynamic service oriented architectures are used to support business process enactment in single, multi-domain, and iterated contexts.

The outputs of these two projects are supported and can be integrated into the TAS³ Architecture to provide extended functionality in privacy and compliance.