Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Expires: December 16, 2006                                 Cisco Systems
                                                           June 14, 2006

              Security Best Practices Efforts and Documents
                     draft-ietf-opsec-efforts-04.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on December 16, 2006.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Table of Contents

   1. Introduction
   2. Conventions Used in This Document
   3. Format of this Document
   4. Online Security Glossaries
      4.1. ATIS Telecom Glossary 2000
      4.2. Internet Security Glossary - RFC 2828
      4.3. Compendium of Approved ITU-T Security Definitions
      4.4. Microsoft Solutions for Security Glossary
      4.5. SANS Glossary of Security Terms
      4.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler
   5. Standards Developing Organizations
      5.1. 3GPP - Third Generation Partnership Project
      5.2. 3GPP2 - Third Generation Partnership Project 2
      5.3. ANSI - The American National Standards Institute
         5.3.1. Accredited Standards Committee X9 (ASC X9)
      5.4. ATIS - Alliance for Telecommunications Industry Solutions
         5.4.1. ATIS NIPP - Network Interface, Power, and Protection
                Committee, formerly T1E1
         5.4.2. ATIS NPRQ - Network Performance, Reliability, and
                Quality of Service Committee, formerly T1A1
         5.4.3. ATIS OBF - Ordering and Billing Forum, formerly
                regarding T1M1 O&B
         5.4.4. ATIS OPTXS - Optical Transport and Synchronization
                Committee, formerly T1X1
         5.4.5. ATIS TMOC - Telecom Management and Operations
                Committee, formerly T1M1 OAM&P
         5.4.6. ATIS WTSC - Wireless Technologies and Systems
                Committee, formerly T1P1
         5.4.7. ATIS PTSC - Packet Technologies and Systems
                Committee, formerly T1S1
         5.4.8. ATIS Protocol Interworking Committee, regarding T1S1
      5.5. CC - Common Criteria
      5.6. DMTF - Distributed Management Task Force, Inc.
      5.7. ETSI - The European Telecommunications Standard Institute
      5.8. GGF - Global Grid Forum
      5.9. IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.
      5.10. IETF - The Internet Engineering Task Force
      5.11. INCITS - InterNational Committee for Information
            Technology Standards
         5.11.1. INCITS Technical Committee T11 - Fibre Channel
                 Interfaces
      5.12. ISO - The International Organization for Standardization
      5.13. ITU - International Telecommunication Union
         5.13.1. ITU Telecommunication Standardization Sector - ITU-T
         5.13.2. ITU Radiocommunication Sector - ITU-R
         5.13.3. ITU Telecom Development - ITU-D
      5.14. OASIS - Organization for the Advancement of Structured
            Information Standards
      5.15. OIF - Optical Internetworking Forum
      5.16. NRIC - The Network Reliability and Interoperability Council
      5.17. National Security Telecommunications Advisory Committee
            (NSTAC)
      5.18. TIA - The Telecommunications Industry Association
      5.19. TTA - Telecommunications Technology Association
      5.20. Web Services Interoperability Organization (WS-I)
   6. Security Best Practices Efforts and Documents
      6.1. 3GPP - TSG SA WG3 (Security)
      6.2. 3GPP2 - TSG-S Working Group 4 (Security)
      6.3. American National Standard T1.276-2003 - Baseline Security
           Requirements for the Management Plane
      6.4. DMTF - Security Protection and Management (SPAM) Working
           Group
      6.5. DMTF - User and Security Working Group
      6.6. ATIS Work-Plan to Achieve Interoperable, Implementable,
           End-To-End Standards and Solutions
         6.6.1. ATIS Work on Packet Filtering
      6.7. ATIS Work on the NGN
      6.8. Common Criteria
      6.9. ETSI
      6.10. GGF Security Area (SEC)
      6.11. Information System Security Assurance Architecture
      6.12. Operational Security Requirements for IP Network
            Infrastructure : Advanced Requirements
      6.13. INCITS CS1 - Cyber Security
      6.14. ISO Guidelines for the Management of IT Security - GMITS
      6.15. ISO JTC 1/SC 27
      6.16. ITU-T Study Group 2
      6.17. ITU-T Recommendation M.3016
      6.18. ITU-T Recommendation X.805
      6.19. ITU-T Study Group 16
      6.20. ITU-T Study Group 17
      6.21. Catalogue of ITU-T Recommendations related to
            Communications System Security
      6.22. ITU-T Security Manual
      6.23. ITU-T NGN Effort
      6.24. NRIC VI Focus Groups
      6.25. OASIS Security Joint Committee
      6.26. OASIS Security Services (SAML) TC
      6.27. OIF Implementation Agreements
      6.28. TIA
      6.29. WS-I Basic Security Profile
   7. Security Considerations
   8. IANA Considerations
   9. Acknowledgments
   10. Changes from Prior Drafts
   11. Normative References
   Authors' Addresses
   Intellectual Property and Copyright Statements

1. Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply. Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack. For this reason, many SDOs are developing
   standards with hopes of retaining an acceptable level, or even
   improving this availability, to its users. These SDO efforts usually
   define themselves as "security" efforts.
   It is the opinion of the authors that there are many different
   definitions of the term "security" and it may be applied in many
   diverse ways. As such, we offer no assurance that the term is
   applied consistently throughout this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works. If there are overlaps then there is a potential for conflicts
   and confusion. This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations. In many cases, the authors are aware that the SDOs
   are making good efforts along these lines. However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter. The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

2. Conventions Used in This Document

   This document shall use the keywords "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" to describe requirements. These keywords are to be
   interpreted as described in [1].

3. Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 4, contains a
   listing of online glossaries relating to networking and security. It
   is very important that the definitions of words relating to security
   and security events be consistent. Inconsistencies in the usage of
   words between standards are unacceptable, as they would prevent a
   reader of two standards from appropriately relating their
   recommendations. The authors of this document have not reviewed the
   definitions of the words in the listed glossaries and so can offer no
   assurance of their alignment.

   The second part, Section 5, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 6, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

4. Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

4.1. ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

   Under an approved T1 standards project (T1A1-20), an existing
   5800-entry, search-enabled hypertext telecommunications glossary
   titled Federal Standard 1037C, Glossary of Telecommunication Terms
   was updated and matured into this glossary, T1.523-2001, Telecom
   Glossary 2000. This updated glossary was posted on the Web as an
   American National Standard (ANS).

4.2. Internet Security Glossary - RFC 2828

   http://www.ietf.org/rfc/rfc2828.txt

   Created in May 2000, the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security." The glossary makes the
   distinction of the listed definitions throughout the document as
   being:

   o a recommended Internet definition

   o a recommended non-Internet definition

   o not recommended as the first choice for Internet documents but
     something that an author of an Internet document would need to
     know

   o a definition that shouldn't be used in Internet documents

   o additional commentary or usage guidance

4.3. Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.

4.4. Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary.mspx

   The Microsoft Solutions for Security Glossary was created to explain
   the concepts, technologies, and products associated with computer
   security. This glossary contains several definitions specific to
   Microsoft proprietary technologies and product solutions.

4.5. SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   Updated in May 2003, SANS cites the NSA for their help in creating
   the online glossary of security terms.
   The SANS Institute is also home to many other resources including
   the SANS Intrusion Detection FAQ and the SANS/FBI Top 20
   Vulnerabilities List.

4.6. Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

   Anne and Lynn Wheeler maintain a security taxonomy and glossary with
   terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
   FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel,
   JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37,
   800-53, 800-61, 800-77, 800-83 FIPS140, NASA, NCSC/TG004, NIAP, NSA
   Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
   RFC2647, RFC2828, TCSEC, TDI, and TNI.

5. Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards. These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions. This
   note will be removed before publication as an RFC.

5.1. 3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998. The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners". The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

5.2. 3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   Third Generation Partnership Project 2 (3GPP2) is a collaboration
   among Organizational Partners much like its sister project 3GPP. The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA, and TTC. In addition to the OPs, 3GPP2 also welcomes
   the CDMA Development Group and IPv6 Forum as Market Representation
   Partners for market advice.

5.3. ANSI - The American National Standards Institute

   http://www.ansi.org/

   ANSI is a private, non-profit organization that organizes and
   oversees the U.S. voluntary standardization and conformity assessment
   system. ANSI was founded October 19, 1918.

5.3.1. Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

   The Accredited Standards Committee X9 (ASC X9) has the mission to
   develop, establish, maintain, and promote standards for the Financial
   Services Industry in order to facilitate delivery of financial
   services and products.

5.4. ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS is a United States based body that is committed to rapidly
   developing and promoting technical and operations standards for the
   communications and related information technologies industry
   worldwide using a pragmatic, flexible and open approach. Committee
   T1 as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004. ATIS has restructured the former
   T1 technical subcommittees into full ATIS standards committees to
   easily identify and promote the nature of standards work each
   committee performs. Due to the reorganization, some groups may have
   a new mission and scope statement.

5.4.1. ATIS NIPP - Network Interface, Power, and Protection Committee,
       formerly T1E1

   http://www.atis.org/0050/index.asp

   ATIS Network Interface, Power, and Protection Committee develops and
   recommends standards and technical reports related to power systems,
   electrical and physical protection for the exchange and interexchange
   carrier networks, and interfaces associated with user access to
   telecommunications networks.

5.4.2. ATIS NPRQ - Network Performance, Reliability, and Quality of
       Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   ATIS Network Performance, Reliability and Quality of Service
   Committee develops and recommends standards, requirements, and
   technical reports related to the performance, reliability, and
   associated security aspects of communications networks, as well as
   the processing of voice, audio, data, image, and video signals, and
   their multimedia integration.

5.4.3. ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1
       O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.

   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
   for customers and providers in the telecommunications industry to
   identify, discuss and resolve national issues which affect ordering,
   billing, provisioning and exchange of information about access
   services, other connectivity and related matters.

5.4.4. ATIS OPTXS - Optical Transport and Synchronization Committee,
       formerly T1X1

   http://www.atis.org/0240/index.asp

   ATIS Optical Transport and Synchronization Committee develops and
   recommends standards and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces and hierarchical structures including
   optical technology.

5.4.5. ATIS TMOC - Telecom Management and Operations Committee,
       formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

   ATIS Telecom Management and Operations Committee develops
   internetwork operations, administration, maintenance and provisioning
   standards, and technical reports related to interfaces for
   telecommunications networks.

5.4.6. ATIS WTSC - Wireless Technologies and Systems Committee,
       formerly T1P1

   http://www.atis.org/0160/index.asp

   ATIS Wireless Technologies and Systems Committee develops and
   recommends standards and technical reports related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

5.4.7. ATIS PTSC - Packet Technologies and Systems Committee, formerly
       T1S1

   http://www.atis.org/0191/index.asp

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee. PTSC is responsible for producing standards to secure
   signalling.

   The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
   at this time. It is expected to move to an ANSI standard.

5.4.8. ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee. As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

5.5. CC - Common Criteria

   http://www.commoncriteriaportal.org/

   In June 1993, the sponsoring organizations of the existing US,
   Canadian, and European criteria (TCSEC, ITSEC, and similar) started
   the Common Criteria Project to align their separate criteria into a
   single set of IT security criteria.

5.6. DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the DMTF brings the technology industry's customers
   and top vendors together in a collaborative, working group approach
   that involves DMTF members in all aspects of specification
   development and refinement.

5.7. ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which produces
   telecommunications standards. ETSI is based in Sophia-Antipolis in
   the south of France and maintains a membership from 55 countries.

   Joint work between ETSI and ITU-T SG-17

   http://www.tta.or.kr/gsc/upload/GSC9_Joint_011_Security_Standardization_in_ITU.ppt

5.8. GGF - Global Grid Forum

   http://www.gridforum.org/

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing. GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

5.9. IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

   IEEE is a non-profit, professional association of more than 360,000
   individual members in approximately 175 countries. The IEEE produces
   30 percent of the world's published literature in electrical
   engineering, computers, and control technology through its technical
   publishing, conferences, and consensus-based standards activities.

5.10. IETF - The Internet Engineering Task Force

   http://www.ietf.org/

   IETF is a large, international community open to any interested
   individual concerned with the evolution of the Internet architecture
   and the smooth operation of the Internet.

5.11. INCITS - InterNational Committee for Information Technology
      Standards

   http://www.incits.org/

   INCITS focuses upon standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.

5.11.1. INCITS Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

   T11 is responsible for standards development in the areas of
   Intelligent Peripheral Interface (IPI), High-Performance Parallel
   Interface (HIPPI) and Fibre Channel (FC). T11 has a project called
   FC-SP to define Security Protocols for Fibre Channel.

   FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

5.12. ISO - The International Organization for Standardization

   http://www.iso.org/

   ISO is a network of the national standards institutes of 148
   countries, on the basis of one member per country, with a Central
   Secretariat in Geneva, Switzerland, that coordinates the system. ISO
   officially began operations on February 23, 1947.

5.13. ITU - International Telecommunication Union

   http://www.itu.int/

   The ITU is an international organization within the United Nations
   System headquartered in Geneva, Switzerland. The ITU is comprised of
   three sectors:

5.13.1. ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient and on-time production of
   high quality standards covering all fields of telecommunications.

5.13.2. ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R plays a vital role in the management of the radio-frequency
   spectrum and satellite orbits.

5.13.3. ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The Telecommunication Development Bureau (BDT) is the executive arm
   of the Telecommunication Development Sector. Its duties and
   responsibilities cover a variety of functions ranging from programme
   supervision and technical advice to the collection, processing and
   publication of information relevant to telecommunication development.

5.14. OASIS - Organization for the Advancement of Structured
      Information Standards

   http://www.oasis-open.org/

   OASIS is a not-for-profit, international consortium that drives the
   development, convergence, and adoption of e-business standards.

5.15. OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998 Cisco Systems and Ciena Corporation announced an
   industry-wide initiative to create the Optical Internetworking Forum,
   an open forum focused on accelerating the deployment of optical
   internetworks.

5.16. NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to the FCC and to
   the industry that assure optimal reliability and interoperability of
   telecommunications networks. The Committee addresses topics in the
   area of Homeland Security, reliability, interoperability, and
   broadband deployment.

5.17. National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   President Ronald Reagan created the National Security
   Telecommunications Advisory Committee (NSTAC) by Executive Order
   12382 in September 1982. Since then, the NSTAC has served four
   presidents.
   Composed of up to 30 industry chief executives representing the
   major communications and network service providers and information
   technology, finance, and aerospace companies, the NSTAC provides
   industry-based advice and expertise to the President on issues and
   problems related to implementing national security and emergency
   preparedness (NS/EP) communications policy. Since its inception, the
   NSTAC has addressed a wide range of policy and technical issues
   regarding communications, information systems, information
   assurance, critical infrastructure protection, and other NS/EP
   communications concerns.

5.18. TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

   TIA is accredited by ANSI to develop voluntary industry standards for
   a wide variety of telecommunications products. TIA's Standards and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Network Equipment, Wireless Communications
   and Satellite Communications.

5.19. TTA - Telecommunications Technology Association

   http://www.tta.or.kr/Home2003/main/index.jsp
   http://www.tta.or.kr/English/new/main/index.htm (English)

   TTA (Telecommunications Technology Association) is an IT standards
   organization that develops new standards and provides one-stop
   services for the establishment of IT standards as well as providing
   testing and certification for IT products.

5.20. Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I is an open, industry organization chartered to promote Web
   services interoperability across platforms, operating systems, and
   programming languages. The organization works across the industry
   and standards organizations to respond to customer needs by providing
   guidance, best practices, and resources for developing Web services
   solutions.

6. Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

6.1. 3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

   Specifications:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm

   Work Items:
   http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm

   3GPP Confidentiality and Integrity algorithms:
   http://www.3gpp.org/TB/Other/algorithms.htm

6.2. 3GPP2 - TSG-S Working Group 4 (Security)

   http://www.3gpp2.org/Public_html/S/index.cfm

   The Services and Systems Aspects TSG (TSG-S) is responsible for the
   development of service capability requirements for systems based on
   3GPP2 specifications. Among its responsibilities TSG-S is addressing
   management, technical coordination, as well as architectural and
   requirements development associated with all end-to-end features,
   services and system capabilities including, but not limited to,
   security and QoS.

   TSG-S Specifications:
   http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs

6.3. American National Standard T1.276-2003 - Baseline Security
     Requirements for the Management Plane

   Abstract: This standard contains a set of baseline security
   requirements for the management plane. The President's National
   Security Telecommunications Advisory Committee Network Security
   Information Exchange (NSIE) and Government NSIE jointly established a
   Security Requirements Working Group (SRWG) to examine the security
   requirements for controlling access to the public switched network,
   in particular with respect to the emerging next generation network.

716 In the telecommunications industry, this access incorporates
717 operation, administration, maintenance, and provisioning for network
718 elements and various supporting systems and databases. Members of
719 the SRWG, from a cross-section of telecommunications carriers and
720 vendors, developed an initial list of security requirements that
721 would allow vendors, government departments and agencies, and service
722 providers to implement a secure telecommunications network management
723 infrastructure. This initial list of security requirements was
724 submitted as a contribution to Committee T1 - Telecommunications,
725 Working Group T1M1.5 for consideration as a standard. The
726 requirements outlined in this document will allow vendors, government
727 departments and agencies, and service providers to implement a secure
728 telecommunications network management infrastructure.

730 Documents:
731 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003

733 6.4. DMTF - Security Protection and Management (SPAM) Working Group

735 http://www.dmtf.org/about/committees/spamWGCharter.pdf

737 The Working Group will define a CIM Common Model that addresses
738 security protection and detection technologies, which may include
739 devices and services, and classifies security information, attacks,
740 and responses.

742 6.5. DMTF - User and Security Working Group

744 http://www.dmtf.org/about/committees/userWGCharter.pdf

746 The User and Security Working Group defines objects and access
747 methods required for principals - where principals include users,
748 groups, software agents, systems, and organizations.

750 6.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End
751 Standards and Solutions

753 ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf

755 The ATIS TOPS Security Focus Group has made recommendations on work
756 items needed to be performed by other SDOs.

758 6.6.1. ATIS Work on Packet Filtering

760 A part of the ATIS Work Plan was to define how disruptions may be
761 prevented by filtering unwanted traffic at the edges of the network.
762 ATIS is developing this work in a document titled, "Traffic Filtering
763 for the Prevention of Unwanted Traffic".

765 6.7. ATIS Work on the NGN

767 http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/
768 Part%20I/ATIS_NGN_Part_1_Issue1.pdf

770 In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
771 entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
772 Definitions, Requirements, and Architecture, Issue 1.0, November
773 2004."

775 6.8. Common Criteria

777 http://www.commoncriteriaportal.org/

779 Version 1.0 of the CC was completed in January 1996. Based on a
780 number of trial evaluations and an extensive public review, Version
781 1.0 was extensively revised and CC Version 2.0 was produced in April
782 of 1998. This became ISO International Standard 15408 in 1999. The
783 CC Project subsequently incorporated the minor changes that had
784 resulted in the ISO process, producing CC version 2.1 in August 1999.
785 Version 3.0 was published in June 2005 and is available for comment.

787 The official version of the Common Criteria and of the Common
788 Evaluation Methodology is v2.3 which was published in August 2005.

790 All Common Criteria publications contain:

792 Part 1: Introduction and general model

794 Part 2: Security functional components

796 Part 3: Security assurance components

798 Documents: Common Criteria V2.3
799 http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

801 6.9. ETSI

803 http://www.etsi.org/

805 The ETSI hosted the ETSI Global Security Conference in late November,
806 2003, which could lead to a standard.

808 Groups related to security located from the ETSI Groups Portal:

810 OCG Security
811 3GPP SA3

813 TISPAN WG7

815 6.10. GGF Security Area (SEC)

817 https://forge.gridforum.org/projects/sec/

819 The Security Area (SEC) is concerned with various issues relating to
820 authentication and authorization in Grid environments.

822 Working groups:

824 Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
825 https://forge.gridforum.org/projects/authz-wg

827 Certificate Authority Operations Working Group (CAOPS-WG) -
828 https://forge.gridforum.org/projects/caops-wg

830 OGSA Authorization Working Group (OGSA-AUTHZ) -
831 https://forge.gridforum.org/projects/ogsa-authz

833 Grid Security Infrastructure (GSI-WG) -
834 https://forge.gridforum.org/projects/gsi-wg

836 6.11. Information System Security Assurance Architecture

838 IEEE Working Group - http://issaa.org/

840 Formerly the Security Certification and Accreditation of Information
841 Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
842 Standard for Information System Security Assurance Architecture for
843 ballot and during the process begin development of a suite of
844 associated standards for components of that architecture.

846 Documents: http://issaa.org/documents/index.html

848 6.12. Operational Security Requirements for IP Network Infrastructure :
849 Advanced Requirements

851 IETF RFC 3871

853 Abstract: This document defines a list of operational security
854 requirements for the infrastructure of large ISP IP networks (routers
855 and switches). A framework is defined for specifying "profiles",
856 which are collections of requirements applicable to certain network
857 topology contexts (all, core-only, edge-only...). The goal is to
858 provide network operators a clear, concise way of communicating their
859 security requirements to vendors.

861 Documents:

863 ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

865 6.13. INCITS CS1 - Cyber Security

867 http://cs1.incits.org/

869 INCITS/CS1 was established in April 2005 to serve as the US TAG for
870 ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
871 (INCITS/T4 serves as the US TAG to SC 27/WG 2).

873 The scope of CS1 explicitly excludes the areas of work on cyber
874 security standardization presently underway in INCITS B10, M1 and T3;
875 as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
876 X9. INCITS T4's area of work would be narrowed to cryptography
877 projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
878 mechanisms).

880 6.14. ISO Guidelines for the Management of IT Security - GMITS

882 Guidelines for the Management of IT Security -- Part 1: Concepts and
883 models for IT Security

885 http://www.iso.ch/iso/en/
886 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

888 Guidelines for the Management of IT Security -- Part 2: Managing and
889 planning IT Security

891 http://www.iso.org/iso/en/
892 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
893 ICS3=

895 Guidelines for the Management of IT Security -- Part 3: Techniques
896 for the management of IT Security

898 http://www.iso.org/iso/en/
899 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
900 ICS3=

902 Guidelines for the Management of IT Security -- Part 4: Selection of
903 safeguards

905 http://www.iso.org/iso/en/
906 CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
907 ICS3=

909 Guidelines for the Management of IT Security - Part 5: Management
910 guidance on network security

912 http://www.iso.org/iso/en/
913 CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
914 ICS3=

916 Open Systems Interconnection -- Network layer security protocol

918 http://www.iso.org/iso/en/
919 CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
920 ICS3=30

922 6.15. ISO JTC 1/SC 27

924 http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
925 TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

927 Several security related ISO projects under JTC 1/SC 27 are listed
928 here such as:

930 IT security techniques -- Entity authentication

932 Security techniques -- Key management

934 Security techniques -- Evaluation criteria for IT security

936 Security techniques -- A framework for IT security assurance

938 IT Security techniques -- Code of practice for information
939 security management

941 Security techniques -- IT network security

943 Guidelines for the implementation, operation and management of
944 Intrusion Detection Systems (IDS)

946 International Security, Trust, and Privacy Alliance -- Privacy
947 Framework

949 6.16. ITU-T Study Group 2

951 http://www.itu.int/ITU-T/studygroups/com02/index.asp

953 Security related recommendations currently under study:

955 E.408 Telecommunication networks security requirements Q.5/2 (was
956 E.sec1)

958 E.409 Incident Organisation and Security Incident Handling Q.5/2
959 (was E.sec2)

961 Note: Access requires TIES account.

963 6.17. ITU-T Recommendation M.3016

965 http://www.itu.int/itudoc/itu-t/com4/contr/068.html

967 This recommendation provides an overview and framework that
968 identifies the security requirements of a TMN and outlines how
969 available security services and mechanisms can be applied within the
970 context of the TMN functional architecture.

972 Question 18 of Study Group 3 is revising Recommendation M.3016. They
973 have taken the original document and are incorporating thoughts from
974 ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
975 produced a new series of documents.

977 M.3016.0 - Overview

979 M.3016.1 - Requirements

981 M.3016.2 - Services

983 M.3016.3 - Mechanisms

985 M.3016.4 - Profiles

987 6.18. ITU-T Recommendation X.805

989 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

991 This Recommendation defines the general security-related
992 architectural elements that, when appropriately applied, can provide
993 end-to-end network security.

995 6.19. ITU-T Study Group 16

997 http://www.itu.int/ITU-T/studygroups/com16/index.asp

999 Multimedia Security in Next-Generation Networks (NGN-MM-SEC)

1001 http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html

1003 6.20. ITU-T Study Group 17

1005 http://www.itu.int/ITU-T/studygroups/com17/index.asp

1007 ITU-T Study Group 17 is the Lead Study Group on Communication System
1008 Security

1010 http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

1012 Study Group 17 Security Project:

1014 http://www.itu.int/ITU-T/studygroups/com17/security/index.html

1016 During its November 2002 meeting, Study Group 17 agreed to establish
1017 a new project entitled "Security Project" under the leadership of
1018 Q.10/17 to coordinate the ITU-T standardization effort on security.
1019 An analysis of the status on ITU-T Study Group action on information
1020 and communication network security may be found in TSB Circular 147
1021 of 14 February 2003.

1023 6.21. Catalogue of ITU-T Recommendations related to Communications
1024 System Security

1026 http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

1028 The Catalogue of the approved security Recommendations includes those
1029 designed for security purposes and those which describe or use
1030 functions of security interest and need. Although some of the
1031 security related Recommendations include the phrase "Open Systems
1032 Interconnection", much of the information contained in them is
1033 pertinent to the establishment of security functionality in any
1034 communicating system.

1036 6.22. ITU-T Security Manual

1038 http://www.itu.int/ITU-T/edh/files/security-manual.pdf

1040 TSB is preparing an "ITU-T Security Manual" to provide an overview on
1041 security in telecommunications and information technologies, describe
1042 practical issues, and indicate how the different aspects of security
1043 in today's applications are addressed by ITU-T Recommendations. This
1044 manual has a tutorial character: it collects security related
1045 material from ITU-T Recommendations into one place and explains the
1046 respective relationships. The intended audience for this manual are
1047 engineers and product managers, students and academia, as well as
1048 regulators who want to better understand security aspects in
1049 practical applications.

1051 6.23. ITU-T NGN Effort

1053 http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

1055 During its January 2002 meeting, SG13 decided to undertake the
1056 preparation of a new ITU-T Project entitled "NGN 2004 Project". At
1057 the November 2002 SG13 meeting, a preliminary description of the
1058 Project was achieved and endorsed by SG13 with the goal to launch the
1059 Project. It has been regularly updated since then.

1061 The role of the NGN 2004 Project is to organize and to coordinate
1062 ITU-T activities on Next Generation Networks. Its target is to
1063 produce a first set of Recommendations on NGN by the end of this
1064 study period, i.e. mid-2004.

1066 6.24. NRIC VI Focus Groups

1068 http://www.nric.org/fg/index.html

1070 The Network Reliability and Interoperability Council (NRIC) was
1071 formed with the purpose to provide recommendations to the FCC and to
1072 the industry to assure the reliability and interoperability of
1073 wireless, wireline, satellite, and cable public telecommunications
1074 networks. These documents provide general information and guidance
1075 on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
1076 prevention of cyberattack and for restoration following a
1077 cyberattack.

1079 Documents:

1081 Homeland Defense - Recommendations Published 14-Mar-03

1083 Preventative Best Practices - Recommendations Published 14-Mar-03

1085 Recovery Best Practices - Recommendations Published 14-Mar-03

1087 Best Practice Appendices - Recommendations Published 14-Mar-03

1089 6.25. OASIS Security Joint Committee

1091 http://www.oasis-open.org/committees/
1092 tc_home.php?wg_abbrev=security-jc

1094 The purpose of the Security JC is to coordinate the technical
1095 activities of multiple security related TCs. The SJC is advisory
1096 only, and has no deliverables. The Security JC will promote the use
1097 of consistent terms, promote re-use, champion an OASIS security
1098 standards model, provide consistent PR, and promote mutuality,
1099 operational independence and ethics.

1101 6.26. OASIS Security Services (SAML) TC

1103 http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

1105 The Security Services TC is working to advance the Security Assertion
1106 Markup Language (SAML) as an OASIS standard. SAML is an XML
1107 framework for exchanging authentication and authorization
1108 information.

1110 6.27. OIF Implementation Agreements

1112 The OIF has 2 approved Implementation Agreements (IAs) relating to
1113 security. They are:

1115 OIF-SMI-01.0 - Security Management Interfaces to Network Elements

1117 This Implementation Agreement lists objectives for securing OAM&P
1118 interfaces to a Network Element and then specifies ways of using
1119 security systems (e.g., IPsec or TLS) for securing these interfaces.
1120 It summarizes how well each of the systems, used as specified,
1121 satisfies the objectives.

1123 OIF - SEP - 01.1 - Security Extension for UNI and NNI

1125 This Implementation Agreement defines a common Security Extension for
1126 securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

1128 Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

1130 6.28. TIA

1132 The TIA has produced the "Compendium of Emergency Communications and
1133 Communications Network Security-related Work Activities". This
1134 document identifies standards, or other technical documents and
1135 ongoing Emergency/Public Safety Communications and Communications
1136 Network Security-related work activities within TIA and its
1137 Engineering Committees. Many P25 documents are specifically
1138 detailed. This "living document" is presented for information,
1139 coordination and reference.

1141 Documents: http://www.tiaonline.org/standards/technology/ciphs/
1142 documents/EMTEL_sec.pdf

1144 6.29. WS-I Basic Security Profile

1146 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html
1147 The WS-I Basic Security Profile 1.0 consists of a set of non-
1148 proprietary Web services specifications, along with clarifications
1149 and amendments to those specifications which promote
1150 interoperability.

1152 7. Security Considerations

1154 This document describes efforts to standardize security practices and
1155 documents. As such this document offers no security guidance
1156 whatsoever.

1158 Readers of this document should be aware of the date of publication
1159 of this document. It is feared that they may assume that the
1160 efforts, on-line material, and documents are current whereas they may
1161 not be. Please consider this when reading this document.

1163 8. IANA Considerations

1165 This document does not propose a standard and does not require the
1166 IANA to do anything.

1168 9. Acknowledgments

1170 The following people have contributed to this document. Listing
1171 their names here does not mean that they endorse the document, but
1172 that they have contributed to its substance.

1174 David Black, Mark Ellison, George Jones, Keith McCloghrie, John
1175 McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
1176 Moon.

1178 10. Changes from Prior Drafts

1180 -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

1182 -01 : Security Glossaries:

1184 Added ATIS Telecom Glossary 2000, Critical Infrastructure
1185 Glossary of Terms and Acronyms, Microsoft Solutions for
1186 Security Glossary, and USC InfoSec Glossary.

1188 Standards Developing Organizations:

1190 Added DMTF, GGF, INCITS, OASIS, and WS-I

1192 Removal of Committee T1 and modifications to ATIS and former T1
1193 technical subcommittees due to the recent ATIS reorganization.

1195 Efforts and Documents:

1197 Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
1198 Area (SEC), INCITS Technical Committee T4 - Security
1199 Techniques, INCITS Technical Committee T11 - Fibre Channel
1200 Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
1201 Committee, OASIS Security Services TC, and WS-I Basic Security
1202 Profile.

1204 Updated Operational Security Requirements for IP Network
1205 Infrastructure : Advanced Requirements.

1207 -00 : as the WG ID

1209 Added more information about the ITU-T SG3 Q18 effort to modify
1210 ITU-T Recommendation M.3016.

1212 -01 : First revision as the WG ID.

1214 Added information about the NGN in the sections about ATIS, the
1215 NSTAC, and ITU-T.

1217 -02 : Second revision as the WG ID.

1219 Updated the date.

1221 Corrected some URLs and the reference to George's RFC.

1223 -03 : Third revision of the WG ID.

1225 Updated the date.

1227 Updated the information about the CC

1229 Added a Conventions section (not sure how this document got to
1230 where it is without that)

1232 -04 : Fourth revision of the WG ID.

1234 Updated the date.

1236 Added Anne & Lynn Wheeler Taxonomy & Security Glossary

1238 CIAO glossary removed. CIAO has been absorbed by DHS and the
1239 glossary is no longer available.

1241 USC glossary removed, could not find it on the site or a reference
1242 to it elsewhere.

1244 Added TTA - Telecommunications Technology Association to SDO
1245 section.

1247 Removed ATIS Security & Emergency Preparedness Activities from
1248 Documents section. Could not find it or a reference to it.

1250 INCITS T4 incorporated into CS1 - T4 section removed

1252 X9 Added to SDO list under ANSI

1254 Various link or grammar fixes.

1256 Note: This section will be removed before publication as an RFC.

1258 11. Normative References

1260 [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
1261 Levels", RFC 2119, STD 14, March 1997.

1263 Authors' Addresses

1265 Chris Lonvick
1266 Cisco Systems
1267 12515 Research Blvd.
1268 Austin, Texas 78759
1269 US

1271 Phone: +1 512 378 1182
1272 Email: clonvick@cisco.com

1274 David Spak
1275 Cisco Systems
1276 12515 Research Blvd.
1277 Austin, Texas 78759
1278 US

1280 Phone: +1 512 378 1720
1281 Email: dspak@cisco.com

1283 Intellectual Property Statement

1285 The IETF takes no position regarding the validity or scope of any
1286 Intellectual Property Rights or other rights that might be claimed to
1287 pertain to the implementation or use of the technology described in
1288 this document or the extent to which any license under such rights
1289 might or might not be available; nor does it represent that it has
1290 made any independent effort to identify any such rights. Information
1291 on the procedures with respect to rights in RFC documents can be
1292 found in BCP 78 and BCP 79.

1294 Copies of IPR disclosures made to the IETF Secretariat and any
1295 assurances of licenses to be made available, or the result of an
1296 attempt made to obtain a general license or permission for the use of
1297 such proprietary rights by implementers or users of this
1298 specification can be obtained from the IETF on-line IPR repository at
1299 http://www.ietf.org/ipr.

1301 The IETF invites any interested party to bring to its attention any
1302 copyrights, patents or patent applications, or other proprietary
1303 rights that may cover technology that may be required to implement
1304 this standard. Please address the information to the IETF at
1305 ietf-ipr@ietf.org.

1307 Disclaimer of Validity

1309 This document and the information contained herein are provided on an
1310 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1311 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE INTERNET
1312 ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED,
1313 INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE
1314 INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1315 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

1317 Copyright Statement

1319 Copyright (C) The Internet Society (2006). This document is subject
1320 to the rights, licenses and restrictions contained in BCP 78, and
1321 except as set forth therein, the authors retain all their rights.

1323 Acknowledgment

1325 Funding for the RFC Editor function is currently provided by the
1326 Internet Society.