xAPI Security Policy

xAPIsec: a Proposal for an Industry-led xAPI Information Security Standard

Rationale and Objective

OMB Memorandum M-15-13 mandates the exclusive use of HTTPS with HSTS across all Federal government web services. It stands to reason that xAPI, as a DoD initiative, should hold itself to that standard at a minimum.

This document intends to establish a set of best practices for secure xAPI usage, hopefully leading to a standard extending xAPI, provisionally termed xAPIsec.

Initial suggestions

The following have been identified as items that should be established as best practices for secure xAPI usage with regard to transport-level security, i.e. the security of the external interface of an LRS:

These mitigate or prevent:

Second Tier: What to Consider

Third Tier: What to Consider

The xAPIsec Effort

It is our desire to establish an industry-driven protocol and standard for xAPI information security.

We would like input from the broad xAPI community and would ask ADL to assist in pushing out the call for feedback. We will be discussing this at the xAPI Bootcamp in July, as the effort came out of the work we’ve done in building and testing scalability and security matters throughout the build of our learning record store and visualization layer.

This document should be considered a general draft outline.