Comparison of draft-ietf-opsec-efforts-17.txt and draft-ietf-opsec-efforts-18.txt

Text shown once below is common to both drafts; where the two drafts differ, each version is given under the labels [draft -17] and [draft -18].

Network Working Group                                          C. Lonvick
Internet-Draft                                                    D. Spak
Intended status: Informational                              Cisco Systems
Expires: March 26, 2012 (-17) / October 20, 2012 (-18)
Dated: September 23, 2011 (-17) / April 18, 2012 (-18)

               Security Best Practices Efforts and Documents
        draft-ietf-opsec-efforts-17.txt / draft-ietf-opsec-efforts-18.txt

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Status of this Memo

   [draft -17]

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 26, 2012.

   [draft -18]

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on October 20, 2012.

Copyright Notice

   Copyright (c) 2011 (-17) / 2012 (-18) IETF Trust and the persons
   identified as the document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the BSD License (-17) / the Simplified BSD License (-18).
Table of Contents

   Page numbers are given as "-17 / -18".  Entries present in only one
   draft are listed separately under that draft's label.

   1.  Introduction                                              4 / 4
   2.  Format of this Document                                   6 / 6
   3.  Online Security Glossaries                                7 / 7
     3.1.  ATIS Telecom Glossary 2007                            7 / 7
     3.2.  Internet Security Glossary - RFC 4949                 7 / 7
     3.3.  Compendium of Approved ITU-T Security Definitions     7 / 7
     3.4.  Microsoft Malware Protection Center                   8 / 8

   [unchanged entries omitted: -17 page 2, line 33; -18 page 2, line 29]

     4.2.  3GPP2 - Third Generation Partnership Project 2       10 / 10
     4.3.  ANSI - The American National Standards Institute     11 / 11
       4.3.1.  Accredited Standards Committee X9 (ASC X9)       11 / 11
     4.4.  ATIS - Alliance for Telecommunications Industry
           Solutions                                            11 / 11
       4.4.1.  ATIS NPRQ - Network Performance, Reliability, and
               Quality of Service Committee, formerly T1A1      12 / 12
       4.4.2.  ATIS TMOC - Telecom Management and Operations
               Committee, formerly T1M1 OAM&P                   13 / 13
     4.5.  CC - Common Criteria                                 13 / 13
     4.6.  DMTF - Distributed Management Task Force, Inc.       13 / 14
     4.7.  ETSI - The European Telecommunications Standard
           Institute                                            14 / 14
       4.7.1.  ETSI SEC                                         14 / 15
       4.7.2.  ETSI OCG SEC                                     14 / 15
     4.8.  GGF - Global Grid Forum                              15 / 16
       4.8.1.  Global Grid Forum Security Area                  15 / 16
     4.9.  IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.                                      15 / 16
       4.9.1.  IEEE Computer Society's Technical Committee on
               Security and Privacy                             16 / 17
     4.10. IETF - The Internet Engineering Task Force           16 / 17
       4.10.1. IETF Security Area                               16 / 17
     4.11. INCITS - InterNational Committee for Information
           Technology Standards                                 16 / 17
       4.11.1. Identification Cards and Related Devices (B10)   17 / 17
       4.11.2. Cyber Security (CS1)                             17 / 18
       4.11.3. Biometrics (M1)                                  17 / 18
     4.12. ISO - The International Organization for
           Standardization                                      17 / 18
     4.13. ITU - International Telecommunication Union          18 / 19
       4.13.1. ITU Telecommunication Standardization Sector -
               ITU-T                                            18 / 19
       4.13.2. ITU Radiocommunication Sector - ITU-R            19 / 19
       4.13.3. ITU Telecom Development - ITU-D                  19 / 20
     4.14. OASIS - Organization for the Advancement of
           Structured Information Standards                     20 / 20
     4.15. OIF - Optical Internetworking Forum                  20 / 21
       4.15.1. OAM&P Working Group                              21 / 21

   [draft -17 only]

     4.16. NRIC - The Network Reliability and Interoperability
           Council                                                   21
     4.17. National Security Telecommunications Advisory
           Committee (NSTAC)                                         21
     4.18. TIA - The Telecommunications Industry Association         22
       4.18.1. Critical Infrastructure Protection (CIP) and
               Homeland Security (HS)                                22
       4.18.2. Commercial Encryption Source Code and Related
               Information                                           23
     4.19. TTA - Telecommunications Technology Association           23
     4.20. The World Wide Web Consortium                             23
     4.21. TM Forum                                                  24
       4.21.1. Security Management                                   24
   5.  Security Best Practices Efforts and Documents                 26
     5.1.  3GPP - SA3 - Security                                     26
     5.2.  3GPP2 - TSG-S Working Group 4 (Security)                  26

   [draft -18 only]

     4.16. National Security Telecommunications Advisory
           Committee (NSTAC)                                         22
     4.17. TIA - The Telecommunications Industry Association         22
       4.17.1. APCO Project 25 Public Safety Standards               22
     4.18. TTA - Telecommunications Technology Association           23
     4.19. The World Wide Web Consortium                             23
     4.20. TM Forum                                                  24
       4.20.1. Security Management                                   24
   5.  Security Best Practices Efforts and Documents                 25
     5.1.  3GPP - SA3 - Security                                     25
     5.2.  3GPP2 - TSG-S Working Group 4 (Security)                  25

   [common to both drafts]

     5.3.  ATIS-0300276.2008 - Operations, Administration,
           Maintenance, and Provisioning Security Requirements
           for the Public Telecommunications Network: A Baseline
           of Security Requirements for the Management Plane    26 / 25
     5.4.  DMTF - Security Modeling Working Group               27 / 26
     5.5.  Common Criteria                                      27 / 26
     5.6.  ETSI                                                 28 / 27
     5.7.  Operational Security Requirements for IP Network
           Infrastructure : Advanced Requirements               29 / 28
     5.8.  ISO JTC 1/SC 27 - Information security Technology
           techniques                                           29 / 28
     5.9.  ITU-T Study Group 2                                  29 / 28
     5.10. ITU-T Study Group 17                                 29 / 28
     5.11. NRIC VII Focus Groups                                31 / 30
     5.12. OASIS Security Technical Committees                  32 / 31
     5.13. OIF Implementation Agreements                        32 / 31
     5.14. TIA - Critical Infrastructure Protection (CIP) and
           Homeland Security (HS)                               32 / 31
     5.15. NIST Special Publications (800 Series)               33 / 32
     5.16. NIST Interagency or Internal Reports (NISTIRs)       33 / 32
     5.17. NIST ITL Security Bulletins                          33 / 32
     5.18. SANS Information Security Reading Room               33 / 33
   6.  Security Considerations                                  35 / 34
   7.  IANA Considerations                                      36 / 35
   8.  Acknowledgments                                          37 / 36
   9.  Changes from Prior Drafts                                38 / 37
   Authors' Addresses                                           42 / 41
1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards with hopes of retaining an acceptable level, or even

   [unchanged text omitted: -17 page 6, line 8; -18 page 5, line 8]

   described in the Working Group Charter.  The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

   This document will be updated in sections.  The most recently updated
   part of this document is Section 5 (-17) / Section 4 (-18).
2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.  Inconsistencies between the
   usage of words in standards are unacceptable, as they would prevent a

   [unchanged text omitted: -17 page 11, line 18; -18 page 10, line 18]

   appear to be developing security related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.
4.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   [draft -17]

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

   [draft -18]

   The 3rd Generation Partnership Project (3GPP) unites [Six]
   telecommunications standards bodies, known as "Organizational
   Partners" and provides their members with a stable environment to
   produce the highly successful Reports and Specifications that define
   3GPP technologies.

4.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   The Third Generation Partnership Project 2 (3GPP2) is:

      a collaborative third generation (3G) telecommunications
      specifications-setting project

   [unchanged text omitted: -17 page 12, line 45; -18 page 11, line 45]

   standards affecting the Financial Services Industry; (4) Focusing on
   current and future standards needs of the Financial Services
   Industry; (5) Promoting use of Financial Services Industry standards;
   and (6) Participating and promoting the development of international
   standards.
4.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   [draft -17]

   ATIS prioritizes the industry's most pressing, technical and
   operational issues, and creates interoperable, implementable, end to
   end solutions -- standards when the industry needs them and where
   they need them.

   Over 600 industry professionals from more than 250 communications
   companies actively participate in ATIS committees and incubator
   solutions programs.

   ATIS develops standards and solutions addressing a wide range of
   industry issues in a manner that allocates and coordinates industry
   resources and produces the greatest return for communications
   companies.

   [draft -18]

   ATIS member companies develop the standards and solutions that are
   creating the future of the information and communications technology
   (ICT) industry.  From efforts to realize the cost benefits of cloud
   services, to standards underpinning the nation's emergency
   communications system, to improvements in data access to support
   health care delivery, or developing new avenues to interactive
   sources of entertainment, ATIS' work makes ICT innovation possible.

   Through involvement in our committees and forums, ATIS member
   companies achieve their technical potential and business objectives.
   They also get a strategic view of the future of technology to help
   them better position their products and services.  ATIS members
   further benefit from valuable networking opportunities with other
   companies leading change in our industry, as well as the insights of
   leading CIOs, CTOs and other thought leaders.

   ATIS gives our members a place at the table where today's ICT
   standards decisions are being made.  Our work helps members prepare
   for when the future becomes today.  And, with the fast pace of
   innovation, the gap between today's technologies and tomorrow's
   networks is all but disappearing.

   [common to both drafts]

   ATIS creates solutions that support the rollout of new products and
   services into the information, entertainment and communications
   marketplace.  Its activities provide the basis for the industry's
   delivery of:

      Existing and next generation IP-based infrastructures;

      Reliable converged multimedia services, including IPTV;

   [unchanged text omitted: -17 page 14, line 35; -18 page 13, line 46]

   Representation, Common/Underlying Management Functionality/
   Technology, and Ancillary Functions (such as network tones and
   announcements).  This work requires close and coordinated working
   relationships with other domestic and international standards
   development organizations and industry forums.
4.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   [draft -17]

   Common Criteria is a framework in which computer system users can
   specify their security functional and assurance requirements, vendors
   can then implement and/or make claims about the security attributes
   of their products, and testing laboratories can evaluate the products
   to determine if they actually meet the claims.  In other words,
   Common Criteria provides assurance that the process of specification,
   implementation and evaluation of a computer security product has been
   conducted in a rigorous and standard manner.  [attribute wikipedia]

   [draft -18]

   The Common Criteria for Information Technology Security Evaluation
   (CC), and the companion Common Methodology for Information Technology
   Security Evaluation (CEM) are the technical basis for an
   international agreement, the Common Criteria Recognition Arrangement
   (CCRA), which ensures that:

      Products can be evaluated by competent and independent licensed
      laboratories so as to determine the fulfilment of particular
      security properties, to a certain extent or assurance;

      Supporting documents are used within the Common Criteria
      certification process to define how the criteria and evaluation
      methods are applied when certifying specific technologies;

      The certification of the security properties of an evaluated
      product can be issued by a number of Certificate Authorizing
      Schemes, with this certification being based on the result of
      their evaluation;

      These certificates are recognized by all the signatories of the
      CCRA.

   The CC is the driving force for the widest available mutual
   recognition of secure IT products.  This web portal is available to
   support the information on the status of the CCRA, the CC and the
   certification schemes, licensed laboratories, certified products and
   related information, news and events.
4.6.  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   DMTF enables more effective management of millions of IT systems
   worldwide by bringing the IT industry together to collaborate on the
   development, validation and promotion of systems management
   standards.

   [draft -17]

   DMTF management standards are critical to enabling management
   interoperability among multi-vendor systems, tools and solutions
   within the enterprise.  We are committed to protecting companies' IT
   investments by creating standards that promote multi-vendor
   interoperability.  Our dedication to fostering collaboration within
   the industry provides a win-win situation for vendors and IT
   personnel alike.

   [draft -18]

   The group spans the industry with 160 member companies and
   organizations, and more than 4,000 active participants crossing 43
   countries.  The DMTF board of directors is led by 15 innovative,
   industry-leading technology companies.  They include Advanced Micro
   Devices (AMD); Broadcom Corporation; CA, Inc.; Cisco; Citrix Systems,
   Inc.; EMC; Fujitsu; HP; Huawei; IBM; Intel Corporation; Microsoft
   Corporation; Oracle; RedHat and VMware, Inc.

   With this deep and broad reach, DMTF creates standards that enable
   interoperable IT management.  DMTF management standards are critical
   to enabling management interoperability among multi-vendor systems,
   tools and solutions within the enterprise.
4.7.  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   The European Telecommunications Standards Institute (ETSI) produces
   globally-applicable standards for Information and Communications
   Technologies (ICT), including fixed, mobile, radio, converged,
   broadcast and internet technologies.

   [draft -17]

   ETSI is officially recognized by the European Union as a European
   Standards Organization.

   [draft -18]

   We are officially recognized by the European Union as a European
   Standards Organization.  The high quality of our work and our open
   approach to standardization has helped us evolve into a European
   roots - global branches operation with a solid reputation for
   technical excellence.

4.7.1.  ETSI SEC

   http://portal.etsi.org/portal/server.pt/gateway/PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp

   Board#38 confirmed the closure of TC SEC.

   At the same time it approved the creation of an OCG Ad Hoc group OCG
   Security

   [unchanged text omitted: -17 page 15, line 45; -18 page 15, line 37]

   The SEC Working groups (ESI and LI) were closed and TC ESI and a TC
   LI were created to continue the work.

   All documents and information relevant to ESI and LI are available
   from the TC ESI and TC LI sites
4.7.2.  ETSI OCG SEC

   http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp

   [draft -17]

   The group's primary role is to provide a light-weight horizontal co-
   ordination structure for security issues that will ensure this work
   is seriously considered in each ETSI TB and that any duplicate or
   conflicting work is detected.

   [draft -18]

   The creation of the OCG SEC was decided at the Board #38 on 30 May
   2002.  The group's primary role is to provide a horizontal co-
   ordination structure for security issues that will ensure this work
   is seriously considered in each ETSI TB and that any duplicate or
   conflicting work is detected.

   [common to both drafts]

   To achieve this aim the group should mainly conduct its work via
   email and, where appropriate, co-sited "joint security" technical
   working meetings.

   When scheduled, appropriate time at each "joint SEC" meeting should
   be allocated during the meetings to allow for:

      Individual committee activities as well as common work;

      Coordination between the committees; and

      Experts to contribute to more than one committee.
4.8. GGF - Global Grid Forum 4.8. GGF - Global Grid Forum
http://www.gridforum.org/ http://www.gridforum.org/
The Global Grid Forum (GGF) is a community-initiated forum of OGF is an open community committed to driving the rapid evolution and
thousands of individuals from industry and research leading the adoption of applied distributed computing. Applied Distributed
global standardization effort for grid computing. GGF's primary Computing is critical to developing new, innovative and scalable
objectives are to promote and support the development, deployment, applications and infrastructures that are essential to productivity
and implementation of grid technologies and applications via the in the enterprise and within the science community. OGF accomplishes
creation and documentation of "best practices" - technical its work through open forums that build the community, explore
specifications, user experiences, and implementation guidelines. trends, share best practices and consolidate these best practices
into standards.
4.8.1. Global Grid Forum Security Area 4.8.1. Global Grid Forum Security Area
http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7 http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7
The Security Area is concerned with technical and operational The Security Area is concerned with technical and operational
security issues in Grid environments, including authentication, security issues in Grid environments, including authentication,
authorization, privacy, confidentiality, auditing, firewalls, trust authorization, privacy, confidentiality, auditing, firewalls, trust
establishment, policy establishment, and dynamics, scalability and establishment, policy establishment, and dynamics, scalability and
management aspects of all of the above. management aspects of all of the above.
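Review bot: the replacement text in 4.8 switches to the acronym OGF ("OGF is an open community committed to driving the rapid evolution and adoption of applied distributed computing") while the section heading, the http://www.gridforum.org/ URL and the 4.8.1 title "Global Grid Forum Security Area" still name the Global Grid Forum, so the reader is never told how GGF and OGF relate. Suggest retitling 4.8 and 4.8.1 for the Open Grid Forum (or adding one sentence noting the rename) and pointing the section URL at the ogf.org site that 4.8.1 already uses.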
skipping to change at page 18, line 46 skipping to change at page 18, line 38
testing and reporting. The goal of M1's work is to accelerate the testing and reporting. The goal of M1's work is to accelerate the
deployment of significantly better, standards-based security deployment of significantly better, standards-based security
solutions for purposes, such as, homeland defense and the prevention solutions for purposes, such as, homeland defense and the prevention
of identity theft as well as other government and commercial of identity theft as well as other government and commercial
applications based on biometric personal authentication. applications based on biometric personal authentication.
4.12. ISO - The International Organization for Standardization 4.12. ISO - The International Organization for Standardization
http://www.iso.org/ http://www.iso.org/
SO (International Organization for Standardization) is the world's ISO (International Organization for Standardization) is the world's
largest developer and publisher of International Standards. largest developer and publisher of International Standards.
ISO is a network of the national standards institutes of 160 ISO is a network of the national standards institutes of 163
countries, one member per country, with a Central Secretariat in countries, one member per country, with a Central Secretariat in
Geneva, Switzerland, that coordinates the system. Geneva, Switzerland, that coordinates the system.
ISO is a non-governmental organization that forms a bridge between ISO is a non-governmental organization that forms a bridge between
the public and private sectors. On the one hand, many of its member the public and private sectors. On the one hand, many of its member
institutes are part of the governmental structure of their countries, institutes are part of the governmental structure of their countries,
or are mandated by their government. On the other hand, other or are mandated by their government. On the other hand, other
members have their roots uniquely in the private sector, having been members have their roots uniquely in the private sector, having been
set up by national partnerships of industry associations. set up by national partnerships of industry associations.
Therefore, ISO enables a consensus to be reached on solutions that Therefore, ISO enables a consensus to be reached on solutions that
meet both the requirements of business and the broader needs of meet both the requirements of business and the broader needs of
society. society.
4.13. ITU - International Telecommunication Union 4.13. ITU - International Telecommunication Union
http://www.itu.int/ http://www.itu.int/
ITU is the leading United Nations agency for information and ITU (International Telecommunication Union) is the United Nations
communication technology issues, and the global focal point for specialized agency for information and communication technologies -
governments and the private sector in developing networks and ICTs.
services. For 145 years, ITU has coordinated the shared global use
of the radio spectrum, promoted international cooperation in
assigning satellite orbits, worked to improve telecommunication
infrastructure in the developing world, established the worldwide
standards that foster seamless interconnection of a vast range of
communications systems and addressed the global challenges of our
times, such as mitigating climate change and strengthening
cybersecurity.
ITU also organizes worldwide and regional exhibitions and forums, We allocate global radio spectrum and satellite orbits, develop the
such as ITU TELECOM WORLD, bringing together the most influential technical standards that ensure networks and technologies seamlessly
representatives of government and the telecommunications and ICT interconnect, and strive to improve access to ICTs to underserved
industry to exchange ideas, knowledge and technology for the benefit communities worldwide.
of the global community, and in particular the developing world.
From broadband Internet to latest-generation wireless technologies, ITU is committed to connecting all the world's people - wherever they
from aeronautical and maritime navigation to radio astronomy and live and whatever their means. Through our work, we protect and
satellite-based meteorology, from convergence in fixed-mobile phone, support everyone's fundamental right to communicate.
Internet access, data, voice and TV broadcasting to next-generation
networks, ITU is committed to connecting the world.
The ITU is comprised of three sectors: The ITU is comprised of three sectors:
4.13.1. ITU Telecommunication Standardization Sector - ITU-T 4.13.1. ITU Telecommunication Standardization Sector - ITU-T
http://www.itu.int/ITU-T/ http://www.itu.int/ITU-T/
ITU-T Recommendations are defining elements in information and ITU-T Recommendations are defining elements in information and
communication technologies (ICTs) infrastructure. Whether we communication technologies (ICTs) infrastructure. Whether we
exchange voice, data or video messages, communications cannot take exchange voice, data or video messages, communications cannot take
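Review bot: the new ITU description in 4.13 is written in ITU's own first-person voice ("We allocate global radio spectrum and satellite orbits", "Through our work, we protect and support everyone's fundamental right to communicate"), which in this draft reads as the authors speaking for ITU. Either put the passage in quotation marks, as 4.15 does for the OIF text, or recast it in the third person ("ITU allocates ..."). Also, "The ITU is comprised of three sectors" should read "The ITU comprises three sectors" or "is composed of". The correction of "SO" to "ISO" in 4.12 is good.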
skipping to change at page 21, line 21 skipping to change at page 20, line 52
OASIS (Organization for the Advancement of Structured Information OASIS (Organization for the Advancement of Structured Information
Standards) is a not-for-profit consortium that drives the Standards) is a not-for-profit consortium that drives the
development, convergence and adoption of open standards for the development, convergence and adoption of open standards for the
global information society. The consortium produces more Web global information society. The consortium produces more Web
services standards than any other organization along with standards services standards than any other organization along with standards
for security, e-business, and standardization efforts in the public for security, e-business, and standardization efforts in the public
sector and for application-specific markets. Founded in 1993, OASIS sector and for application-specific markets. Founded in 1993, OASIS
has more than 5,000 participants representing over 600 organizations has more than 5,000 participants representing over 600 organizations
and individual members in 100 countries. and individual members in 100 countries.
OASIS is distinguished by its transparent governance and operating OASIS promotes industry consensus and produces worldwide standards
procedures. Members themselves set the OASIS technical agenda, using for security, Cloud computing, SOA, Web services, the Smart Grid,
a lightweight process expressly designed to promote industry electronic publishing, emergency management, and other areas. OASIS
consensus and unite disparate efforts. Completed work is ratified by open standards offer the potential to lower cost, stimulate
open ballot. Governance is accountable and unrestricted. Officers innovation, grow global markets, and protect the right of free choice
of both the OASIS Board of Directors and Technical Advisory Board are of technology.
chosen by democratic election to serve two-year terms. Consortium
leadership is based on individual merit and is not tied to financial
contribution, corporate standing, or special appointment.
OASIS has several Technical Committees in the Security Category. OASIS has several Technical Committees in the Security Category.
http://www.oasis-open.org/committees/tc_cat.php?cat=security http://www.oasis-open.org/committees/tc_cat.php?cat=security
4.15. OIF - Optical Internetworking Forum 4.15. OIF - Optical Internetworking Forum
http://www.oiforum.com/ http://www.oiforum.com/
"The Optical Internetworking Forum (OIF) promotes the development and "The Optical Internetworking Forum (OIF) promotes the development and
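Review bot: the new second paragraph of 4.14 is promotional copy ("OASIS open standards offer the potential to lower cost, stimulate innovation, grow global markets, and protect the right of free choice of technology") that says nothing about how OASIS produces security standards, which is this document's subject; suggest keeping only the first sentence listing the areas (security, Cloud computing, SOA, Web services, ...) and attaching the http://www.oasis-open.org/committees/tc_cat.php?cat=security link directly to the sentence "OASIS has several Technical Committees in the Security Category" rather than leaving the URL on a line of its own.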
skipping to change at page 22, line 33 skipping to change at page 22, line 12
The scope includes but is not limited to a) planning, engineering and The scope includes but is not limited to a) planning, engineering and
provisioning of network resources; b) operations, maintenance or provisioning of network resources; b) operations, maintenance or
administration use cases and processes; and c) management administration use cases and processes; and c) management
functionality and interfaces for operations support systems and functionality and interfaces for operations support systems and
interoperable network equipment. Within its scope are Fault, interoperable network equipment. Within its scope are Fault,
Configuration, Accounting, Performance and Security Management Configuration, Accounting, Performance and Security Management
(FCAPS) and Security. The OAM&P working group will also account for (FCAPS) and Security. The OAM&P working group will also account for
work by related standards development organizations (SDOs), identify work by related standards development organizations (SDOs), identify
gaps and formulate OIF input to other SDOs as may be appropriate. gaps and formulate OIF input to other SDOs as may be appropriate.
4.16. NRIC - The Network Reliability and Interoperability Council 4.16. National Security Telecommunications Advisory Committee (NSTAC)
http://www.nric.org/
The mission of the NRIC is partner with the Federal Communications
Commission, the communications industry and public safety to
facilitate enhancement of emergency communications networks, homeland
security, and best practices across the burgeoning telecommunications
industry.
It appears that the last NRIC Council concluded in 2005.
4.17. National Security Telecommunications Advisory Committee (NSTAC)
http://www.ncs.gov/nstac/nstac.html http://www.ncs.gov/nstac/nstac.html
President Ronald Reagan created the National Security Meeting our Nation's critical national security and emergency
Telecommunications Advisory Committee (NSTAC) by Executive Order preparedness (NS/EP) challenges demands attention to many issues.
12382 in September 1982. Composed of up to 30 industry chief Among these, none could be more important than the availability and
executives representing the major communications and network service reliability of telecommunication services. The President's National
providers and information technology, finance, and aerospace Security Telecommunications Advisory Committee (NSTAC) mission is to
companies, the NSTAC provides industry-based advice and expertise to provide the U.S. Government the best possible industry advice in
the President on issues and problems related to implementing national these areas.
security and emergency preparedness (NS/EP) communications policy.
Since its inception, the NSTAC has addressed a wide range of policy
and technical issues regarding communications, information systems,
information assurance, critical infrastructure protection, and other
NS/EP communications concerns.
The mission of the NSTAC: Meeting our Nation's critical national
security and emergency preparedness (NS/EP) challenges demands
attention to many issues. Among these, none could be more important
than the availability and reliability of telecommunication services.
The President's National Security Telecommunications Advisory
Committee (NSTAC) mission is to provide the U.S. Government the best
possible industry advice in these areas.
4.18. TIA - The Telecommunications Industry Association 4.17. TIA - The Telecommunications Industry Association
http://www.tiaonline.org/ http://www.tiaonline.org/
The Telecommunications Industry Association (TIA) is the leading The Telecommunications Industry Association (TIA) is the leading
trade association representing the global information and trade association representing the global information and
communications technology (ICT) industries through standards communications technology (ICT) industries through standards
development, government affairs, business opportunities, market development, government affairs, business opportunities, market
intelligence, certification and world-wide environmental regulatory intelligence, certification and world-wide environmental regulatory
compliance. With support from its 600 members, TIA enhances the compliance. With support from its 600 members, TIA enhances the
business environment for companies involved in telecommunications, business environment for companies involved in telecommunications,
broadband, mobile wireless, information technology, networks, cable, broadband, mobile wireless, information technology, networks, cable,
satellite, unified communications, emergency communications and the satellite, unified communications, emergency communications and the
greening of technology. TIA is accredited by ANSI. greening of technology. TIA is accredited by ANSI.
4.18.1. Critical Infrastructure Protection (CIP) and Homeland Security 4.17.1. APCO Project 25 Public Safety Standards
(HS)
http://www.tiaonline.org/standards/technology/ciphs/
This TIA webpage identifies and links to many standards, other
technical documents and ongoing activity involving or supporting
TIA's role in Public Safety and Homeland Security, Network Security,
Critical Infrastructure Protection and Assurance, National Security/
Emergency Preparedness, Emergency Communications Services, Emergency
Calling and Location Identification Services, and the Needs of First
Responders. For the purpose of this webpage, national/international
terms relating to public safety and disaster response can be
considered synonymous (and interchangeable) with terms relating to
public protection and disaster relief.
4.18.2. Commercial Encryption Source Code and Related Information http://www.tiaonline.org/all-standards/committees/tr-8
http://www.tiaonline.org/standards/technology/ahag/index.cfm Recognizing the need for common standards for first responders and
homeland security/emergency response professionals, representatives
from the Association of Public Safety Communications Officials
International (APCO), the National Association of State
Telecommunications Directors (NASTD), selected federal agencies and
the National Communications System (NCS) established Project 25
(PDF), a steering committee for selecting voluntary common system
standards for digital public safety radio communications. TIA TR-8
facilitates such work through its role as an ANSI-accredited
Standards Development Organization (SDO) and has developed in TR-8
the 102 series of technical documents. These standards directly
address the guidelines of the Communications Assistance for Law
Enforcement Act (CALEA).
This section seems to link to commercial encryption source code. 4.18. TTA - Telecommunications Technology Association
Access requires agreement to terms and conditions and then
registration.
4.19. TTA - Telecommunications Technology Association http://www.tta.or.kr/
http://www.tta.or.kr/ http://www.tta.or.kr/English/index.jsp http://www.tta.or.kr/English/index.jsp (English)
(English)
The purpose of TTA is to contribute to the advancement of technology The purpose of TTA is to contribute to the advancement of technology
and the promotion of information and telecommunications services and and the promotion of information and telecommunications services and
industry as well as the development of national economy, by industry as well as the development of national economy, by
effectively stablishing and providing technical standards that effectively stablishing and providing technical standards that
reflect the latest domestic and international technological advances, reflect the latest domestic and international technological advances,
needed for the planning, design and operation of global end-to-end needed for the planning, design and operation of global end-to-end
telecommunications and related information services, in close telecommunications and related information services, in close
collaboration with companies, organizations and groups concerned with collaboration with companies, organizations and groups concerned with
information and telecommunications such as network operators, service information and telecommunications such as network operators, service
providers, equipment manufacturers, academia, R&D institutes, etc. providers, equipment manufacturers, academia, R&D institutes, etc.
4.20. The World Wide Web Consortium 4.19. The World Wide Web Consortium
http://www.w3.org/Consortium/ http://www.w3.org/Consortium/
The World Wide Web Consortium (W3C) is an international community The World Wide Web Consortium (W3C) is an international community
where Member organizations, a full-time staff, and the public work where Member organizations, a full-time staff, and the public work
together to develop Web standards. Led by Web inventor Tim Berners- together to develop Web standards. Led by Web inventor Tim Berners-
Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its
full potential. full potential.
http://www.w3.org/Security/Activity http://www.w3.org/Security/
The work in the W3C Security Activity currently comprises two Working Security online is a vast field that is being worked on by a number
Groups, the Web Security Context Working Group and the XML Security of organizations, including W3C. Mapping the entire field would be a
Working Group. huge endeavor; hence, this page focuses on work that W3C is involved
in.
The Web Security Context Working Group focuses on the challenges that The traditional W3C Security Resources page is no longer maintained,
arise when users encounter currently deployed security technology, but remains online for archival purposes.
such as TLS: While this technology achieves its goals on a technical
level, attackers' strategies shift towards bypassing the security
technology instead of breaking it. When users do not understand the
security context in which they operate, then it becomes easy to
deceive and defraud them. This Working Group is planning to see its
main deliverable, the User Interface Guidelines, through to
Recommendation, but will not engage in additional recommendation
track work beyond this deliverable. The Working Group is currently
operating at reduced Team effort (compared to the initial effort
reserved to this Working Group). Initial (and informal)
conversations about forming an Interest Group that could serve as a
place for community-building and specification review have not led as
far as we had hoped at the previous Advisory Committee Meeting, but
are still on the Team's agenda.
The XML Security Working Group started up in summer 2008, and has The Web Security Wiki serves as a place for interested parties in the
decided to publish an interim set of 1.1 specifications as it works Web security community to collect information about security aspects
towards producing a more radical change to XML Signature. The XML of specifications and implementations of Web technologies.
Signature 1.1 and XML Encryption 1.1 specifications clarify and
enhance the previous specifications without introducing breaking
changes, although they do introduce new algorithms.
4.21. TM Forum 4.20. TM Forum
http://www.tmforum.org/ http://www.tmforum.org/
With more than 700 corporate members in 195 countries, TM Forum is TM Forum is a global, non-profit industry association focused on
the world's leading industry association focused on enabling best-in- simplifying the complexity of running a service provider's business.
class IT for service providers in the communications, media and cloud As an established industry thought-leader, the Forum serves as a
service markets. The Forum provides business-critical industry unifying force, enabling more than 850 companies across 195 countries
standards and expertise to enable the creation, delivery and to solve critical business issues through access to a wealth of
monetization of digital services. knowledge, intellectual capital and standards.
TM Forum brings together the world's largest communications,
technology and media companies, providing an innovative, industry-
leading approach to collaborative R&D, along with wide range of
support services including benchmarking, training and certification.
The Forum produces the renowned international Management World
conference series, as well as thought-leading industry research and
publications.
4.21.1. Security Management 4.20.1. Security Management
http://www.tmforum.org/SecurityManagement/9152/home.html http://www.tmforum.org/SecurityManagement/9152/home.html
Securing networks, cyber, clouds, and identity against evolving and Securing networks, cyber, clouds, and identity against evolving and
ever present threats has emerged as a top priority for TM Forum ever present threats has emerged as a top priority for TM Forum
members. In response, the TM Forum's Security Management Initiative members. In response, the TM Forum's Security Management Initiative
was formally launched in 2009. While some of our Security Management was formally launched in 2009. While some of our Security Management
efforts, such as Identity Management, are well established and boast efforts, such as Identity Management, are well established and boast
mature Business Agreements and Interfaces, a series of presentations, mature Business Agreements and Interfaces, a series of presentations,
contributions, and multi-vendor technology demonstrations have jumped contributions, and multi-vendor technology demonstrations have jumped
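Review bot: deleting 4.16 (NRIC) removes the only place that expands the acronym and records that the last Council concluded in 2005, yet Section 5.11 "NRIC VII Focus Groups" is kept, so a reader who reaches 5.11 is no longer told what NRIC is; either keep a one-line entry in Section 4 pointing to 5.11 or move the expansion and the 2005 note into 5.11. In the new 4.17.1 text, "(PDF)" after "established Project 25" is a leftover link label from the TIA web page and should be dropped, and "stablishing" in the TTA paragraph (unchanged from -17) is a typo for "establishing". The renumbering of 4.17 through 4.20 also calls for a check of any cross-references elsewhere in the document.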
skipping to change at page 32, line 51 skipping to change at page 30, line 51
the Roadmap. This will enable more timely updating of the the Roadmap. This will enable more timely updating of the
information and will also reduce the overhead in maintaining the information and will also reduce the overhead in maintaining the
information. information.
http://www.itu.int/ITU-T/security/main_table.aspx http://www.itu.int/ITU-T/security/main_table.aspx
5.11. NRIC VII Focus Groups 5.11. NRIC VII Focus Groups
http://www.nric.org/fg/index.html http://www.nric.org/fg/index.html
The mission of the NRIC is partner with the Federal Communications
Commission, the communications industry and public safety to
facilitate enhancement of emergency communications networks, homeland
security, and best practices across the burgeoning telecommunications
industry.
By December 16, 2005, the Council shall present a final report that By December 16, 2005, the Council shall present a final report that
describes, in detail, any additions, deletions, or modifications that describes, in detail, any additions, deletions, or modifications that
should be made to the Homeland Security Best Practices that were should be made to the Homeland Security Best Practices that were
adopted by the preceding Council. adopted by the preceding Council.
Documents in Focus Group 2: Homeland Security, Subcommittee 2.B: Documents in Focus Group 2: Homeland Security, Subcommittee 2.B:
Cyber Security: Cyber Security:
Focus Group 2B Report - Homeland Security Cyber Security Best Focus Group 2B Report - Homeland Security Cyber Security Best
Practices Published 06-Dec-2004 Practices Published 06-Dec-2004
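Review bot: with the mission paragraph removed, 5.11 now opens with "By December 16, 2005, the Council shall present a final report ..." and "the Council" has no antecedent in the section; add a sentence naming the Network Reliability and Interoperability Council before that text. The "shall present" wording is also a charter obligation carried over as if still pending for a body that, according to the deleted -17 text, concluded in 2005, so it should be reported in the past tense or marked as a quotation.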
skipping to change at page 42, line 17 skipping to change at page 40, line 17
-16 : Sixteenth revision of the WG ID. -16 : Sixteenth revision of the WG ID.
Updated the date and reviewed the accuracy of Section 5. Several Updated the date and reviewed the accuracy of Section 5. Several
changes made. changes made.
-17 : Seventeenth revision of the WG ID. -17 : Seventeenth revision of the WG ID.
Updated the date and reviewed the accuracy of Section 3. A couple Updated the date and reviewed the accuracy of Section 3. A couple
of changes made. of changes made.
-18 : Eighteenth revision of the WG ID.
Updated the date and reviewed the accuracy of Section 4. Some
changes made.
Note: This section will be removed before publication as an RFC. Note: This section will be removed before publication as an RFC.
Authors' Addresses Authors' Addresses
Chris Lonvick Chris Lonvick
Cisco Systems Cisco Systems
12515 Research Blvd. 12515 Research Blvd.
Austin, Texas 78759 Austin, Texas 78759
US US
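Review bot: the -18 changelog entry ("reviewed the accuracy of Section 4. Some changes made.") does not mention that section 4.16 (NRIC) and subsections 4.18.1 and 4.18.2 (TIA) were removed and that 4.17 through 4.21 were renumbered; since renumbering can break cross-references and citations of the previous draft, list those structural changes explicitly in the entry.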
 End of changes. 60 change blocks. 
245 lines changed or deleted 213 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/