xAPI Security Policy
Latest commit c2eb3b0 Sep 20, 2016
xAPIsec: a Proposal for an Industry-led xAPI Information Security Standard

Rationale and Objective

In accordance with OMB Memorandum M-15-13, which mandates the exclusive use of HTTPS with HSTS across all Federal government web services, it stands to reason that, as a DoD initiative, xAPI should hold itself, at a minimum, to that standard.

This document intends to establish a set of best practices for secure xAPI usage, hopefully leading to a standard extending xAPI, provisionally termed xAPIsec.

Community Resources

Initial suggestions

The following have been identified as items that should be established as best practices for secure xAPI usage with regards to transport-level security, i.e. the security of the external interface of an LRS:

  • Strong signing algorithm (SHA-256)
  • Strong key exchange (Elliptic-Curve Diffie-Hellman)
  • HSTS with a long max-age, including subdomains, and the preload directive

These mitigate or prevent:

  • message interception
  • MITM attacks
  • message/statement alteration between the Activity Provider (AP) and the LRS
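
As an added illustration (not part of the original proposal), the following checker turns the three transport-level items above into concrete tests against what an LRS actually serves: it parses the Strict-Transport-Security header and inspects the negotiated cipher suite name (as Python's ssl module reports it). The one-year max-age floor and the decision to accept SHA-384 as meeting the SHA-256 minimum are assumptions, not requirements stated by the proposal.

```python
"""Hypothetical xAPIsec transport checker (added example, not project code)."""

# Assumption: one year, the minimum the HSTS preload list accepts.
MIN_HSTS_MAX_AGE = 31536000


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains, preload)."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                max_age = int(value.strip().strip('"'))
            except ValueError:
                max_age = None          # malformed value is treated as absent
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return max_age, include_subdomains, preload


def hsts_findings(header):
    """Return the list of gaps between the header and the proposal; [] means compliant."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    findings = []
    max_age, subs, preload = parse_hsts(header)
    if max_age is None:
        findings.append("max-age missing or unparseable")
    elif max_age < MIN_HSTS_MAX_AGE:
        findings.append("max-age shorter than %d seconds" % MIN_HSTS_MAX_AGE)
    if not subs:
        findings.append("includeSubDomains missing")
    if not preload:
        findings.append("preload missing")
    return findings


def cipher_findings(cipher_name):
    """Check a negotiated suite name (OpenSSL style) for ECDHE key exchange and SHA-256+."""
    findings = []
    # TLS 1.3 suites ("TLS_...") always use ephemeral (EC)DHE, so they pass the first check.
    if not cipher_name.startswith(("ECDHE", "TLS_")):
        findings.append("key exchange is not ECDHE")
    # Assumption: SHA-384 is accepted as meeting the SHA-256 floor.
    if "SHA256" not in cipher_name and "SHA384" not in cipher_name:
        findings.append("hash weaker than SHA-256")
    return findings
```

In a live check the header comes from the LRS's HTTPS response and the suite name from `ssl.SSLSocket.cipher()[0]` after connecting.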

Second Tier: What to Consider

  • Infosec standards for Activity Providers considered in isolation from LRS
  • Internals
  • Information architecture
  • Secure network hierarchy for SaaS
  • Data persistence mechanism reliability

Third Tier: What to Consider

  • Full-stack
  • Best practices for intrusion detection systems
  • Alarm response times
  • Auditing
  • Response to zero-day vulnerabilities
  • CVE response time standards

The xAPIsec Effort

It is our desire to establish an industry-driven protocol and standard for xAPI information security.

We would like input from the broad xAPI community and would ask ADL to assist in circulating the call for feedback. We will be discussing this at the xAPI Bootcamp in July; the effort came out of the scalability and security work we’ve done while building and testing our learning record store and visualization layer.

This document should be considered a general draft outline.