--- 1/draft-ietf-opsec-efforts-17.txt 2012-04-18 23:13:57.546671058 +0200 +++ 2/draft-ietf-opsec-efforts-18.txt 2012-04-18 23:13:57.602671158 +0200 
@@ -1,62 +1,56 @@ Network Working Group C. Lonvick Internet-Draft D. Spak Intended status: Informational Cisco Systems -Expires: March 26, 2012 September 23, 2011 +Expires: October 20, 2012 April 18, 2012 Security Best Practices Efforts and Documents - draft-ietf-opsec-efforts-17.txt + draft-ietf-opsec-efforts-18.txt Abstract This document provides a snapshot of the current efforts to define or apply security requirements in various Standards Developing Organizations (SDO). Status of this Memo - This Internet-Draft is submitted to IETF in full conformance with the + This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering - Task Force (IETF), its areas, and its working groups. Note that - other groups may also distribute working documents as Internet- - Drafts. + Task Force (IETF). Note that other groups may also distribute + working documents as Internet-Drafts. The list of current Internet- + Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - The list of current Internet-Drafts can be accessed at - http://www.ietf.org/ietf/1id-abstracts.txt. - - The list of Internet-Draft Shadow Directories can be accessed at - http://www.ietf.org/shadow.html. - - This Internet-Draft will expire on March 26, 2012. + This Internet-Draft will expire on October 20, 2012. Copyright Notice - Copyright (c) 2011 IETF Trust and the persons identified as the + Copyright (c) 2012 IETF Trust and the persons identified as the document authors. All rights reserved. 
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as - described in the BSD License. + described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Format of this Document . . . . . . . . . . . . . . . . . . . 6 3. Online Security Glossaries . . . . . . . . . . . . . . . . . . 7 3.1. ATIS Telecom Glossary 2007 . . . . . . . . . . . . . . . . 7 3.2. Internet Security Glossary - RFC 4949 . . . . . . . . . . 7 3.3. Compendium of Approved ITU-T Security Definitions . . . . 7 3.4. Microsoft Malware Protection Center . . . . . . . . . . . 8 
@@ -68,93 +62,87 @@ 4.2. 3GPP2 - Third Generation Partnership Project 2 . . . . . . 10 4.3. ANSI - The American National Standards Institute . . . . . 11 4.3.1. Accredited Standards Committee X9 (ASC X9) . . . . . . 11 4.4. ATIS - Alliance for Telecommunications Industry Solutions . . . . . . . . . . . . . . . . . . . . . . . . 11 4.4.1. ATIS NPRQ - Network Performance, Reliability, and Quality of Service Committee, formerly T1A1 . . . . . 12 4.4.2. ATIS TMOC - Telecom Management and Operations Committee, formerly T1M1 OAM&P . . . . . . . . . . . . 13 4.5. CC - Common Criteria . . . . . . . . . . . . . . . . . . . 13 - 4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 13 + 4.6. DMTF - Distributed Management Task Force, Inc. . . . . . . 14 4.7. ETSI - The European Telecommunications Standard Institute . . . . . . . . . . . . . . . . . . . . . . . . 14 - 4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 14 - 4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 14 - 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 15 - 4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 15 + 4.7.1. ETSI SEC . . . . . . . . . . . . . . . . . . . . . . . 15 + 4.7.2. ETSI OCG SEC . . . . . . . . . . . . . . . . . . . . . 15 + 4.8. GGF - Global Grid Forum . . . . . . . . . . . . . . . . . 16 + 4.8.1. Global Grid Forum Security Area . . . . . . . . . . . 16 4.9. IEEE - The Institute of Electrical and Electronics - Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 15 + Engineers, Inc. . . . . . . . . . . . . . . . . . . . . . 16 4.9.1. IEEE Computer Society's Technical Committee on - Security and Privacy . . . . . . . . . . . . . . . . . 16 - 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 16 - 4.10.1. IETF Security Area . . . . . . . . . . . . . . . . . . 16 + Security and Privacy . . . . . . . . . . . . . . . . . 17 + 4.10. IETF - The Internet Engineering Task Force . . . . . . . . 17 + 4.10.1. 
IETF Security Area . . . . . . . . . . . . . . . . . . 17 4.11. INCITS - InterNational Committee for Information - Technology Standards . . . . . . . . . . . . . . . . . . . 16 + Technology Standards . . . . . . . . . . . . . . . . . . . 17 4.11.1. Identification Cards and Related Devices (B10) . . . . 17 - 4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 17 - 4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 17 - + 4.11.2. Cyber Security (CS1) . . . . . . . . . . . . . . . . . 18 + 4.11.3. Biometrics (M1) . . . . . . . . . . . . . . . . . . . 18 4.12. ISO - The International Organization for - Standardization . . . . . . . . . . . . . . . . . . . . . 17 - 4.13. ITU - International Telecommunication Union . . . . . . . 18 + Standardization . . . . . . . . . . . . . . . . . . . . . 18 + 4.13. ITU - International Telecommunication Union . . . . . . . 19 4.13.1. ITU Telecommunication Standardization Sector - - ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 18 + ITU-T . . . . . . . . . . . . . . . . . . . . . . . . 19 4.13.2. ITU Radiocommunication Sector - ITU-R . . . . . . . . 19 - 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 19 + 4.13.3. ITU Telecom Development - ITU-D . . . . . . . . . . . 20 4.14. OASIS - Organization for the Advancement of Structured Information Standards . . . . . . . . . . . . . 20 - 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 20 + 4.15. OIF - Optical Internetworking Forum . . . . . . . . . . . 21 4.15.1. OAM&P Working Group . . . . . . . . . . . . . . . . . 21 - 4.16. NRIC - The Network Reliability and Interoperability - Council . . . . . . . . . . . . . . . . . . . . . . . . . 21 - 4.17. National Security Telecommunications Advisory - Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 21 - 4.18. TIA - The Telecommunications Industry Association . . . . 22 - 4.18.1. Critical Infrastructure Protection (CIP) and - Homeland Security (HS) . . . . . . . . . . . . . . . . 
22 - 4.18.2. Commercial Encryption Source Code and Related - Information . . . . . . . . . . . . . . . . . . . . . 23 - 4.19. TTA - Telecommunications Technology Association . . . . . 23 - 4.20. The World Wide Web Consortium . . . . . . . . . . . . . . 23 - 4.21. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 24 - 4.21.1. Security Management . . . . . . . . . . . . . . . . . 24 - 5. Security Best Practices Efforts and Documents . . . . . . . . 26 - 5.1. 3GPP - SA3 - Security . . . . . . . . . . . . . . . . . . 26 - 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 26 + 4.16. National Security Telecommunications Advisory + Committee (NSTAC) . . . . . . . . . . . . . . . . . . . . 22 + 4.17. TIA - The Telecommunications Industry Association . . . . 22 + 4.17.1. APCO Project 25 Public Safety Standards . . . . . . . 22 + 4.18. TTA - Telecommunications Technology Association . . . . . 23 + 4.19. The World Wide Web Consortium . . . . . . . . . . . . . . 23 + 4.20. TM Forum . . . . . . . . . . . . . . . . . . . . . . . . . 24 + 4.20.1. Security Management . . . . . . . . . . . . . . . . . 24 + 5. Security Best Practices Efforts and Documents . . . . . . . . 25 + 5.1. 3GPP - SA3 - Security . . . . . . . . . . . . . . . . . . 25 + 5.2. 3GPP2 - TSG-S Working Group 4 (Security) . . . . . . . . . 25 5.3. ATIS-0300276.2008 - Operations, Administration, Maintenance, and Provisioning Security Requirements for the Public Telecommunications Network: A Baseline - of Security Requirements for the Management Plane . . . . 26 - 5.4. DMTF - Security Modeling Working Group . . . . . . . . . . 27 - 5.5. Common Criteria . . . . . . . . . . . . . . . . . . . . . 27 - 5.6. ETSI . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 + of Security Requirements for the Management Plane . . . . 25 + 5.4. DMTF - Security Modeling Working Group . . . . . . . . . . 26 + 5.5. Common Criteria . . . . . . . . . . . . . . . . . . . . . 26 + 5.6. ETSI . . . . . . . . . . . . 
. . . . . . . . . . . . . . . 27 5.7. Operational Security Requirements for IP Network - Infrastructure : Advanced Requirements . . . . . . . . . . 29 + Infrastructure : Advanced Requirements . . . . . . . . . . 28 5.8. ISO JTC 1/SC 27 - Information security Technology - techniques . . . . . . . . . . . . . . . . . . . . . . . . 29 - 5.9. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 29 - 5.10. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 29 - 5.11. NRIC VII Focus Groups . . . . . . . . . . . . . . . . . . 31 - 5.12. OASIS Security Technical Committees . . . . . . . . . . . 32 - 5.13. OIF Implementation Agreements . . . . . . . . . . . . . . 32 + techniques . . . . . . . . . . . . . . . . . . . . . . . . 28 + 5.9. ITU-T Study Group 2 . . . . . . . . . . . . . . . . . . . 28 + 5.10. ITU-T Study Group 17 . . . . . . . . . . . . . . . . . . . 28 + 5.11. NRIC VII Focus Groups . . . . . . . . . . . . . . . . . . 30 + 5.12. OASIS Security Technical Committees . . . . . . . . . . . 31 + 5.13. OIF Implementation Agreements . . . . . . . . . . . . . . 31 5.14. TIA - Critical Infrastructure Protection (CIP) and - Homeland Security (HS) . . . . . . . . . . . . . . . . . . 32 - 5.15. NIST Special Publications (800 Series) . . . . . . . . . . 33 - 5.16. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 33 - 5.17. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 33 + Homeland Security (HS) . . . . . . . . . . . . . . . . . . 31 + 5.15. NIST Special Publications (800 Series) . . . . . . . . . . 32 + 5.16. NIST Interagency or Internal Reports (NISTIRs) . . . . . . 32 + 5.17. NIST ITL Security Bulletins . . . . . . . . . . . . . . . 32 5.18. SANS Information Security Reading Room . . . . . . . . . . 33 - 6. Security Considerations . . . . . . . . . . . . . . . . . . . 35 - 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 36 - 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 - 9. 
Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 38 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 42 + 6. Security Considerations . . . . . . . . . . . . . . . . . . . 34 + 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 35 + 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 36 + 9. Changes from Prior Drafts . . . . . . . . . . . . . . . . . . 37 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 41 1. Introduction The Internet is being recognized as a critical infrastructure similar in nature to the power grid and a potable water supply. Just like those infrastructures, means are needed to provide resiliency and adaptability to the Internet so that it remains consistently available to the public throughout the world even during times of duress or attack. For this reason, many SDOs are developing standards with hopes of retaining an acceptable level, or even @@ -194,21 +182,21 @@ described in the Working Group Charter. The authors have agreed to keep this document current and request that those who read it will submit corrections or comments. Comments on this document may be addressed to the OpSec Working Group or directly to the authors. opsec@ops.ietf.org This document will be updated in sections. The most recently updated - part of this document is Section 5. + part of this document is Section 4. 2. Format of this Document The body of this document has three sections. The first part of the body of this document, Section 3, contains a listing of online glossaries relating to networking and security. It is very important that the definitions of words relating to security and security events be consistent. Inconsistencies between the useage of words on standards is unacceptable as it would prevent a 
@@ -334,25 +322,25 @@ appear to be developing security related standards. These SDOs are listed in alphabetical order. Note: The authors would appreciate corrections and additions. This note will be removed before publication as an RFC. 4.1. 3GPP - Third Generation Partnership Project http://www.3gpp.org/ - The 3rd Generation Partnership Project (3GPP) is a collaboration - agreement formed in December 1998. The collaboration agreement is - comprised of several telecommunications standards bodies which are - known as "Organizational Partners". The current Organizational - Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC. + The 3rd Generation Partnership Project (3GPP) unites [Six] + telecommunications standards bodies, known as "Organizational + Partners" and provides their members with a stable environment to + produce the highly successful Reports and Specifications that define + 3GPP technologies. 4.2. 3GPP2 - Third Generation Partnership Project 2 http://www.3gpp2.org/ The Third Generation Partnership Project 2 (3GPP2) is: a collaborative third generation (3G) telecommunications specifications-setting project 
@@ -408,33 +396,41 @@ standards affecting the Financial Services Industry; (4) Focusing on current and future standards needs of the Financial Services Industry; (5) Promoting use of Financial Services Industry standards; and (6) Participating and promoting the development of international standards. 4.4. ATIS - Alliance for Telecommunications Industry Solutions http://www.atis.org/ - ATIS prioritizes the industry's most pressing, technical and - operational issues, and creates interoperable, implementable, end to - end solutions -- standards when the industry needs them and where - they need them. + ATIS member companies develop the standards and solutions that are + creating the future of the information and communications technology + (ICT) industry. From efforts to realize the cost benefits of cloud + services, to standards underpinning the nation's emergency + communications system, to improvements in data access to support + health care delivery, or developing new avenues to interactive + sources of entertainment, ATIS' work makes ICT innovation possible. - Over 600 industry professionals from more than 250 communications - companies actively participate in ATIS committees and incubator - solutions programs. + Through involvement in our committees and forums, ATIS member + companies achieve their technical potential and business objectives. + They also get a strategic view of the future of technology to help + them better position their products and services. ATIS members + further benefit from valuable networking opportunities with other + companies leading change in our industry, as well as the insights of + leading CIOs, CTOs and other thought leaders. - ATIS develops standards and solutions addressing a wide range of - industry issues in a manner that allocates and coordinates industry - resources and produces the greatest return for communications - companies. 
+ ATIS gives our members a place at the table where today's ICT + standards decisions are being made. Our work helps members prepare + for when the future becomes today. And, with the fast pace of + innovation, the gap between today's technologies and tomorrow's + networks is all but disappearing. ATIS creates solutions that support the rollout of new products and services into the information, entertainment and communications marketplace. Its activities provide the basis for the industry's delivery of: Existing and next generation IP-based infrastructures; Reliable converged multimedia services, including IPTV; 
@@ -496,55 +492,83 @@ Representation, Common/Underlying Management Functionality/ Technology, and Ancillary Functions (such as network tones and announcements). This work requires close and coordinated working relationships with other domestic and international standards development organizations and industry forums. 4.5. CC - Common Criteria http://www.commoncriteriaportal.org/ - Common Criteria is a framework in which computer system users can - specify their security functional and assurance requirements, vendors - can then implement and/or make claims about the security attributes - of their products, and testing laboratories can evaluate the products - to determine if they actually meet the claims. In other words, - Common Criteria provides assurance that the process of specification, - implementation and evaluation of a computer security product has been - conducted in a rigorous and standard manner. [attribute wikipedia] + The Common Criteria for Information Technology Security Evaluation + (CC), and the companion Common Methodology for Information Technology + Security Evaluation (CEM) are the technical basis for an + international agreement, the Common Criteria Recognition Arrangement + (CCRA), which ensures that: + + Products can be evaluated by competent and independent licensed + laboratories so as to determine the fulfilment of particular + security properties, to a certain extent or assurance; + + Supporting documents, are used within the Common Criteria + certification process to define how the criteria and evaluation + methods are applied when certifying specific technologies; + + The certification of the security properties of an evaluated + product can be issued by a number of Certificate Authorizing + Schemes, with this certification being based on the result of + their evaluation; + + These certificates are recognized by all the signatories of the + CCRA. 
+ + The CC is the driving force for the widest available mutual + recognition of secure IT products. This web portal is available to + support the information on the status of the CCRA, the CC and the + certification schemes, licensed laboratories, certified products and + related information, news and events. 4.6. DMTF - Distributed Management Task Force, Inc. http://www.dmtf.org/ DMTF enables more effective management of millions of IT systems worldwide by bringing the IT industry together to collaborate on the development, validation and promotion of systems management - standards. DMTF management standards are critical to enabling - management interoperability among multi-vendor systems, tools and - solutions within the enterprise. We are committed to protecting - companies' IT investments by creating standards that promote multi- - vendor interoperability. Our dedication to fostering collaboration - within the industry provides a win-win situation for vendors and IT - personnel alike. + standards. + + The group spans the industry with 160 member companies and + organizations, and more than 4,000 active participants crossing 43 + countries. The DMTF board of directors is led by 15 innovative, + industry-leading technology companies. They include Advanced Micro + Devices (AMD); Broadcom Corporation; CA, Inc.; Cisco; Citrix Systems, + Inc.; EMC; Fujitsu; HP; Huawei; IBM; Intel Corporation; Microsoft + Corporation; Oracle; RedHat and VMware, Inc. + + With this deep and broad reach, DMTF creates standards that enable + interoperable IT management. DMTF management standards are critical + to enabling management interoperability among multi-vendor systems, + tools and solutions within the enterprise. 4.7. 
ETSI - The European Telecommunications Standard Institute http://www.etsi.org/ - The European Telecommunications Standards Institute (ETSI) produces globally-applicable standards for Information and Communications Technologies (ICT), including fixed, mobile, radio, converged, broadcast and internet technologies. - ETSI is officially recognized by the European Union as a European - Standards Organization. + We are officially recognized by the European Union as a European + Standards Organization. The high quality of our work and our open + approach to standardization has helped us evolve into a European + roots - global branches operation with a solid reputation for + technical excellence. 4.7.1. ETSI SEC http://portal.etsi.org/portal/server.pt/gateway/ PTARGS_0_13938_491_312_425_43/tb/closed_tb/sec.asp Board#38 confirmed the closure of TC SEC. At the same time it approved the creation of an OCG Ad Hoc group OCG Security @@ -554,21 +578,22 @@ The SEC Working groups (ESI and LI) were closed and TC ESI and a TC LI were created to continue the work. All documents and information relevant to ESI and LI are available from the TC ESI and TC LI sites 4.7.2. ETSI OCG SEC http://portal.etsi.org/ocgsecurity/OCG_security_ToR.asp - The group's primary role is to provide a light-weight horizontal co- + The creation of the OCG SEC was decided at the Board #38 on 30 May + 2002. The group's primary role is to provide a horizontal co- ordination structure for security issues that will ensure this work is seriously considered in each ETSI TB and that any duplicate or conflicting work is detected. To achieve this aim the group should mainly conduct its work via email and, where appropriate, co-sited "joint security" technical working meetings. When scheduled, appropriate time at each "joint SEC" meeting should be allocated during the meetings to allow for: Individual committee activities as well as common work; 
@@ -567,34 +592,34 @@ conflicting work is detected. To achieve this aim the group should mainly conduct its work via email and, where appropriate, co-sited "joint security" technical working meetings. When scheduled, appropriate time at each "joint SEC" meeting should be allocated during the meetings to allow for: Individual committee activities as well as common work; Coordination between the committees; and - Experts to contribute to more than one committee. 4.8. GGF - Global Grid Forum http://www.gridforum.org/ - The Global Grid Forum (GGF) is a community-initiated forum of - thousands of individuals from industry and research leading the - global standardization effort for grid computing. GGF's primary - objectives are to promote and support the development, deployment, - and implementation of grid technologies and applications via the - creation and documentation of "best practices" - technical - specifications, user experiences, and implementation guidelines. + OGF is an open community committed to driving the rapid evolution and + adoption of applied distributed computing. Applied Distributed + Computing is critical to developing new, innovative and scalable + applications and infrastructures that are essential to productivity + in the enterprise and within the science community. OGF accomplishes + its work through open forums that build the community, explore + trends, share best practices and consolidate these best practices + into standards. 4.8.1. Global Grid Forum Security Area http://www.ogf.org/gf/group_info/areasgroups.php?area_id=7 The Security Area is concerned with technical and operational security issues in Grid environments, including authentication, authorization, privacy, confidentiality, auditing, firewalls, trust establishment, policy establishment, and dynamics, scalability and management aspects of all of the above. 
@@ -695,65 +720,54 @@ testing and reporting. The goal of M1's work is to accelerate the deployment of significantly better, standards-based security solutions for purposes, such as, homeland defense and the prevention of identity theft as well as other government and commercial applications based on biometric personal authentication. 4.12. ISO - The International Organization for Standardization http://www.iso.org/ - SO (International Organization for Standardization) is the world's + ISO (International Organization for Standardization) is the world's largest developer and publisher of International Standards. - ISO is a network of the national standards institutes of 160 + ISO is a network of the national standards institutes of 163 countries, one member per country, with a Central Secretariat in Geneva, Switzerland, that coordinates the system. ISO is a non-governmental organization that forms a bridge between the public and private sectors. On the one hand, many of its member institutes are part of the governmental structure of their countries, or are mandated by their government. On the other hand, other members have their roots uniquely in the private sector, having been set up by national partnerships of industry associations. Therefore, ISO enables a consensus to be reached on solutions that meet both the requirements of business and the broader needs of society. 4.13. ITU - International Telecommunication Union http://www.itu.int/ - ITU is the leading United Nations agency for information and - communication technology issues, and the global focal point for - governments and the private sector in developing networks and - services. 
For 145 years, ITU has coordinated the shared global use - of the radio spectrum, promoted international cooperation in - assigning satellite orbits, worked to improve telecommunication - infrastructure in the developing world, established the worldwide - standards that foster seamless interconnection of a vast range of - communications systems and addressed the global challenges of our - times, such as mitigating climate change and strengthening - cybersecurity. + ITU (International Telecommunication Union) is the United Nations + specialized agency for information and communication technologies - + ICTs. - ITU also organizes worldwide and regional exhibitions and forums, - such as ITU TELECOM WORLD, bringing together the most influential - representatives of government and the telecommunications and ICT - industry to exchange ideas, knowledge and technology for the benefit - of the global community, and in particular the developing world. + We allocate global radio spectrum and satellite orbits, develop the + technical standards that ensure networks and technologies seamlessly + interconnect, and strive to improve access to ICTs to underserved + communities worldwide. - From broadband Internet to latest-generation wireless technologies, - from aeronautical and maritime navigation to radio astronomy and - satellite-based meteorology, from convergence in fixed-mobile phone, - Internet access, data, voice and TV broadcasting to next-generation - networks, ITU is committed to connecting the world. + ITU is committed to connecting all the world's people - wherever they + live and whatever their means. Through our work, we protect and + support everyone's fundamental right to communicate. The ITU is comprised of three sectors: 4.13.1. ITU Telecommunication Standardization Sector - ITU-T http://www.itu.int/ITU-T/ ITU-T Recommendations are defining elements in information and communication technologies (ICTs) infrastructure. 
Whether we exchange voice, data or video messages, communications cannot take @@ -815,29 +829,26 @@ OASIS (Organization for the Advancement of Structured Information Standards) is a not-for-profit consortium that drives the development, convergence and adoption of open standards for the global information society. The consortium produces more Web services standards than any other organization along with standards for security, e-business, and standardization efforts in the public sector and for application-specific markets. Founded in 1993, OASIS has more than 5,000 participants representing over 600 organizations and individual members in 100 countries. - OASIS is distinguished by its transparent governance and operating - procedures. Members themselves set the OASIS technical agenda, using - a lightweight process expressly designed to promote industry - consensus and unite disparate efforts. Completed work is ratified by - open ballot. Governance is accountable and unrestricted. Officers - of both the OASIS Board of Directors and Technical Advisory Board are - chosen by democratic election to serve two-year terms. Consortium - leadership is based on individual merit and is not tied to financial - contribution, corporate standing, or special appointment. + OASIS promotes industry consensus and produces worldwide standards + for security, Cloud computing, SOA, Web services, the Smart Grid, + electronic publishing, emergency management, and other areas. OASIS + open standards offer the potential to lower cost, stimulate + innovation, grow global markets, and protect the right of free choice + of technology. OASIS has several Technical Committees in the Security Category. http://www.oasis-open.org/committees/tc_cat.php?cat=security 4.15. OIF - Optical Internetworking Forum http://www.oiforum.com/ "The Optical Internetworking Forum (OIF) promotes the development and 
@@ -874,172 +886,118 @@ The scope includes but is not limited to a) planning, engineering and provisioning of network resources; b) operations, maintenance or administration use cases and processes; and c) management functionality and interfaces for operations support systems and interoperable network equipment. Within its scope are Fault, Configuration, Accounting, Performance and Security Management (FCAPS) and Security. The OAM&P working group will also account for work by related standards development organizations (SDOs), identify gaps and formulate OIF input to other SDOs as may be appropriate. -4.16. NRIC - The Network Reliability and Interoperability Council - - http://www.nric.org/ - - The mission of the NRIC is partner with the Federal Communications - Commission, the communications industry and public safety to - facilitate enhancement of emergency communications networks, homeland - security, and best practices across the burgeoning telecommunications - industry. - - It appears that the last NRIC Council concluded in 2005. - -4.17. National Security Telecommunications Advisory Committee (NSTAC) +4.16. National Security Telecommunications Advisory Committee (NSTAC) http://www.ncs.gov/nstac/nstac.html - President Ronald Reagan created the National Security - Telecommunications Advisory Committee (NSTAC) by Executive Order - 12382 in September 1982. Composed of up to 30 industry chief - executives representing the major communications and network service - providers and information technology, finance, and aerospace - companies, the NSTAC provides industry-based advice and expertise to - the President on issues and problems related to implementing national - security and emergency preparedness (NS/EP) communications policy. 
- Since its inception, the NSTAC has addressed a wide range of policy - and technical issues regarding communications, information systems, - information assurance, critical infrastructure protection, and other - NS/EP communications concerns. - - The mission of the NSTAC: Meeting our Nation's critical national - security and emergency preparedness (NS/EP) challenges demands - attention to many issues. Among these, none could be more important - than the availability and reliability of telecommunication services. - The President's National Security Telecommunications Advisory - Committee (NSTAC) mission is to provide the U.S. Government the best - possible industry advice in these areas. + Meeting our Nation's critical national security and emergency + preparedness (NS/EP) challenges demands attention to many issues. + Among these, none could be more important than the availability and + reliability of telecommunication services. The President's National + Security Telecommunications Advisory Committee (NSTAC) mission is to + provide the U.S. Government the best possible industry advice in + these areas. -4.18. TIA - The Telecommunications Industry Association +4.17. TIA - The Telecommunications Industry Association http://www.tiaonline.org/ The Telecommunications Industry Association (TIA) is the leading trade association representing the global information and communications technology (ICT) industries through standards development, government affairs, business opportunities, market intelligence, certification and world-wide environmental regulatory compliance. With support from its 600 members, TIA enhances the business environment for companies involved in telecommunications, broadband, mobile wireless, information technology, networks, cable, satellite, unified communications, emergency communications and the greening of technology. TIA is accredited by ANSI. -4.18.1. 
Critical Infrastructure Protection (CIP) and Homeland Security - (HS) - - http://www.tiaonline.org/standards/technology/ciphs/ - - This TIA webpage identifies and links to many standards, other - technical documents and ongoing activity involving or supporting - TIA's role in Public Safety and Homeland Security, Network Security, - Critical Infrastructure Protection and Assurance, National Security/ - Emergency Preparedness, Emergency Communications Services, Emergency - Calling and Location Identification Services, and the Needs of First - Responders. For the purpose of this webpage, national/international - terms relating to public safety and disaster response can be - considered synonymous (and interchangeable) with terms relating to - public protection and disaster relief. +4.17.1. APCO Project 25 Public Safety Standards -4.18.2. Commercial Encryption Source Code and Related Information + http://www.tiaonline.org/all-standards/committees/tr-8 - http://www.tiaonline.org/standards/technology/ahag/index.cfm + Recognizing the need for common standards for first responders and + homeland security/emergency response professionals, representatives + from the Association of Public Safety Communications Officials + International (APCO), the National Association of State + Telecommunications Directors (NASTD), selected federal agencies and + the National Communications System (NCS) established Project 25 + (PDF), a steering committee for selecting voluntary common system + standards for digital public safety radio communications. TIA TR-8 + facilitates such work through its role as an ANSI-accredited + Standards Development Organization (SDO) and has developed in TR-8 + the 102 series of technical documents. These standards directly + address the guidelines of the Communications Assistance for Law + Enforcement Act (CALEA). - This section seems to link to commercial encryption source code. - Access requires agreement to terms and conditions and then - registration. 
+4.18. TTA - Telecommunications Technology Association -4.19. TTA - Telecommunications Technology Association + http://www.tta.or.kr/ - http://www.tta.or.kr/ http://www.tta.or.kr/English/index.jsp - (English) + http://www.tta.or.kr/English/index.jsp (English) The purpose of TTA is to contribute to the advancement of technology and the promotion of information and telecommunications services and industry as well as the development of national economy, by effectively stablishing and providing technical standards that reflect the latest domestic and international technological advances, needed for the planning, design and operation of global end-to-end telecommunications and related information services, in close collaboration with companies, organizations and groups concerned with information and telecommunications such as network operators, service providers, equipment manufacturers, academia, R&D institutes, etc. -4.20. The World Wide Web Consortium +4.19. The World Wide Web Consortium http://www.w3.org/Consortium/ The World Wide Web Consortium (W3C) is an international community where Member organizations, a full-time staff, and the public work together to develop Web standards. Led by Web inventor Tim Berners- Lee and CEO Jeffrey Jaffe, W3C's mission is to lead the Web to its full potential. - http://www.w3.org/Security/Activity + http://www.w3.org/Security/ - The work in the W3C Security Activity currently comprises two Working - Groups, the Web Security Context Working Group and the XML Security - Working Group. + Security online is a vast field that is being worked on by a number + of organizations, including W3C. Mapping the entire field would be a + huge endeavor; hence, this page focuses on work that W3C is involved + in. 
- The Web Security Context Working Group focuses on the challenges that - arise when users encounter currently deployed security technology, - such as TLS: While this technology achieves its goals on a technical - level, attackers' strategies shift towards bypassing the security - technology instead of breaking it. When users do not understand the - security context in which they operate, then it becomes easy to - deceive and defraud them. This Working Group is planning to see its - main deliverable, the User Interface Guidelines, through to - Recommendation, but will not engage in additional recommendation - track work beyond this deliverable. The Working Group is currently - operating at reduced Team effort (compared to the initial effort - reserved to this Working Group). Initial (and informal) - conversations about forming an Interest Group that could serve as a - place for community-building and specification review have not led as - far as we had hoped at the previous Advisory Committee Meeting, but - are still on the Team's agenda. + The traditional W3C Security Resources page is no longer maintained, + but remains online for archival purposes. - The XML Security Working Group started up in summer 2008, and has - decided to publish an interim set of 1.1 specifications as it works - towards producing a more radical change to XML Signature. The XML - Signature 1.1 and XML Encryption 1.1 specifications clarify and - enhance the previous specifications without introducing breaking - changes, although they do introduce new algorithms. + The Web Security Wiki serves as a place for interested parties in the + Web security community to collect information about security aspects + of specifications and implementations of Web technologies. -4.21. TM Forum +4.20. 
TM Forum http://www.tmforum.org/ - With more than 700 corporate members in 195 countries, TM Forum is - the world's leading industry association focused on enabling best-in- - class IT for service providers in the communications, media and cloud - service markets. The Forum provides business-critical industry - standards and expertise to enable the creation, delivery and - monetization of digital services. - - TM Forum brings together the world's largest communications, - technology and media companies, providing an innovative, industry- - leading approach to collaborative R&D, along with wide range of - support services including benchmarking, training and certification. - The Forum produces the renowned international Management World - conference series, as well as thought-leading industry research and - publications. + TM Forum is a global, non-profit industry association focused on + simplifying the complexity of running a service provider's business. + As an established industry thought-leader, the Forum serves as a + unifying force, enabling more than 850 companies across 195 countries + to solve critical business issues through access to a wealth of + knowledge, intellectual capital and standards. -4.21.1. Security Management +4.20.1. Security Management http://www.tmforum.org/SecurityManagement/9152/home.html Securing networks, cyber, clouds, and identity against evolving and ever present threats has emerged as a top priority for TM Forum members. In response, the TM Forum's Security Management Initiative was formally launched in 2009. While some of our Security Management efforts, such as Identity Management, are well established and boast mature Business Agreements and Interfaces, a series of presentations, contributions, and multi-vendor technology demonstrations have jumped 
@@ -1323,20 +1281,26 @@ the Roadmap. This will enable more timely updating of the information and will also reduce the overhead in maintaining the information. http://www.itu.int/ITU-T/security/main_table.aspx 5.11. NRIC VII Focus Groups http://www.nric.org/fg/index.html + The mission of the NRIC is partner with the Federal Communications + Commission, the communications industry and public safety to + facilitate enhancement of emergency communications networks, homeland + security, and best practices across the burgeoning telecommunications + industry. + By December 16, 2005, the Council shall present a final report that describes, in detail, any additions, deletions, or modifications that should be made to the Homeland Security Best Practices that were adopted by the preceding Council. Documents in Focus Group 2: Homeland Security, Subcommittee 2.B: Cyber Security: Focus Group 2B Report - Homeland Security Cyber Security Best Practices Published 06-Dec-2004 @@ -1609,20 +1573,25 @@ -16 : Sixteenth revision of the WG ID. Updated the date and reviewed the accuracy of Section 5. Several changes made. -17 : Seventeenth revision of the WG ID. Updated the date and reviewed the accuracy of Section 3. A couple of changes made. + -18 : Eighteenth revision of the WG ID. + + Updated the date and reviewed the accuracy of Section 4. Some + changes made. + Note: This section will be removed before publication as an RFC. Authors' Addresses Chris Lonvick Cisco Systems 12515 Research Blvd. Austin, Texas 78759 US
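Review bot: in the first hunk (@@ -874), the NSTAC section now opens directly with "Meeting our Nation's critical national security and emergency preparedness (NS/EP) challenges demands attention to many issues", which is the committee's own mission statement in its own voice; with the Executive Order 12382 introduction deleted there is nothing left that says what NSTAC is or that this text is quoted. Keep one introductory sentence (for example the first sentence of the removed paragraph, "President Ronald Reagan created the National Security Telecommunications Advisory Committee (NSTAC) by Executive Order 12382 in September 1982.") or mark the paragraph as quoted from the NSTAC site. Two smaller copy-paste artefacts in the same hunk: the new 4.17.1 text has a stray "(PDF)" after "established Project 25", a link label carried over from the TIA web page, and the new W3C paragraph says "hence, this page focuses on work that W3C is involved in", where "this page" is the W3C security page, not this document; "that page" or an explicit "The W3C security page states that ..." would read correctly here. The new W3C text also names "The Web Security Wiki" without giving its URL, unlike every other resource in Section 4. The pre-existing typo "stablishing" in the unchanged TTA paragraph could be fixed while this section is being touched.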
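Review bot: in the second hunk (@@ -1323), the NRIC mission paragraph moved into 5.11 still reads "The mission of the NRIC is partner with the Federal Communications Commission", missing "to" before "partner"; since the text is being relocated anyway, fix it to "is to partner with". The move also drops the one sentence from the deleted 4.16 that justified it, "It appears that the last NRIC Council concluded in 2005."; without it, a reader of 5.11 sees only the mission statement followed by "By December 16, 2005, the Council shall present a final report" and has no indication that the Council is no longer active, which is the reason for listing it under the concluded efforts rather than in Section 4. Suggest carrying that sentence over as well.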
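Review bot: in the third hunk (@@ -1609), the -18 change-log entry ("Updated the date and reviewed the accuracy of Section 4. Some changes made.") does not record the structural change this revision makes: NRIC was removed from Section 4 and its mission text moved to 5.11, and sections 4.17 through 4.21 were renumbered to 4.16 through 4.20. Renumbering invalidates any external pointer to the old section numbers (for example a comment citing "4.20, the W3C entry" now lands on TM Forum), so the entry should say so explicitly, e.g. "Removed NRIC from Section 4 (moved to Section 5.11) and renumbered the remaining subsections of Section 4." It should also prompt a check that every reference to the old numbers elsewhere in the document was updated along with the headings.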