Network Working Group                                         C. Lonvick
Internet-Draft                                                   D. Spak
Expires: June 19, 2008                                     Cisco Systems
                                                       December 17, 2007

             Security Best Practices Efforts and Documents
                    draft-ietf-opsec-efforts-07.txt

Status of this Memo

   By submitting this Internet-Draft, each author represents that any
   applicable patent or other IPR claims of which he or she is aware
   have been or will be disclosed, and any of which he or she becomes
   aware will be disclosed, in accordance with Section 6 of BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on June 19, 2008.

Copyright Notice

   Copyright (C) The IETF Trust (2007).

Abstract

   This document provides a snapshot of the current efforts to define or
   apply security requirements in various Standards Developing
   Organizations (SDO).

Table of Contents

   1.  Introduction
   2.  Format of this Document
   3.  Online Security Glossaries
     3.1.  ATIS Telecom Glossary 2000
     3.2.  Internet Security Glossary - RFC 2828
     3.3.  Compendium of Approved ITU-T Security Definitions
     3.4.  Microsoft Solutions for Security Glossary
     3.5.  SANS Glossary of Security Terms
     3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler
   4.  Standards Developing Organizations
     4.1.  3GPP - Third Generation Partnership Project
     4.2.  3GPP2 - Third Generation Partnership Project 2
     4.3.  ANSI - The American National Standards Institute
       4.3.1.  Accredited Standards Committee X9 (ASC X9)
     4.4.  ATIS - Alliance for Telecommunications Industry Solutions
       4.4.1.  ATIS NIPP - Network Interface, Power, and Protection
               Committee, formerly T1E1
       4.4.2.  ATIS NPRQ - Network Performance, Reliability, and
               Quality of Service Committee, formerly T1A1
       4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly
               regarding T1M1 O&B
       4.4.4.  ATIS OPTXS - Optical Transport and Synchronization
               Committee, formerly T1X1
       4.4.5.  ATIS TMOC - Telecom Management and Operations
               Committee, formerly T1M1 OAM&P
       4.4.6.  ATIS WTSC - Wireless Technologies and Systems
               Committee, formerly T1P1
       4.4.7.  ATIS PTSC - Packet Technologies and Systems
               Committee, formerly T1S1
       4.4.8.  ATIS Protocol Interworking Committee, regarding T1S1
     4.5.  CC - Common Criteria
     4.6.  DMTF - Distributed Management Task Force, Inc.
     4.7.  ETSI - The European Telecommunications Standard Institute
     4.8.  GGF - Global Grid Forum
     4.9.  IEEE - The Institute of Electrical and Electronics
           Engineers, Inc.
     4.10. IETF - The Internet Engineering Task Force
     4.11. INCITS - InterNational Committee for Information
           Technology Standards
       4.11.1. INCITS Technical Committee T11 - Fibre Channel
               Interfaces
     4.12. ISO - The International Organization for Standardization
     4.13. ITU - International Telecommunication Union
       4.13.1. ITU Telecommunication Standardization Sector - ITU-T
       4.13.2. ITU Radiocommunication Sector - ITU-R
       4.13.3. ITU Telecom Development - ITU-D
     4.14. OASIS - Organization for the Advancement of Structured
           Information Standards
     4.15. OIF - Optical Internetworking Forum
     4.16. NRIC - The Network Reliability and Interoperability
           Council
     4.17. National Security Telecommunications Advisory Committee
           (NSTAC)
     4.18. TIA - The Telecommunications Industry Association
     4.19. TTA - Telecommunications Technology Association
     4.20. The World Wide Web Consortium
     4.21. Web Services Interoperability Organization (WS-I)
   5.  Security Best Practices Efforts and Documents
     5.1.  3GPP - TSG SA WG3 (Security)
     5.2.  3GPP2 - TSG-S Working Group 4 (Security)
     5.3.  American National Standard T1.276-2003 - Baseline
           Security Requirements for the Management Plane
     5.4.  DMTF - Security Protection and Management (SPAM)
           Working Group
     5.5.  DMTF - User and Security Working Group
     5.6.  ATIS Work-Plan to Achieve Interoperable, Implementable,
           End-To-End Standards and Solutions
       5.6.1.  ATIS Work on Packet Filtering
     5.7.  ATIS Work on the NGN
     5.8.  Common Criteria
     5.9.  ETSI
     5.10. GGF Security Area (SEC)
     5.11. Information System Security Assurance Architecture
     5.12. Operational Security Requirements for IP Network
           Infrastructure : Advanced Requirements
     5.13. INCITS CS1 - Cyber Security
     5.14. ISO Guidelines for the Management of IT Security - GMITS
     5.15. ISO JTC 1/SC 27
     5.16. ITU-T Study Group 2
     5.17. ITU-T Recommendation M.3016
     5.18. ITU-T Recommendation X.805
     5.19. ITU-T Study Group 16
     5.20. ITU-T Study Group 17
     5.21. Catalogue of ITU-T Recommendations related to
           Communications System Security
     5.22. ITU-T Security Manual
     5.23. ITU-T NGN Effort
     5.24. NRIC VI Focus Groups
     5.25. OASIS Security Joint Committee
     5.26. OASIS Security Services (SAML) TC
     5.27. OIF Implementation Agreements
     5.28. TIA
     5.29. WS-I Basic Security Profile
   6.  Security Considerations
   7.  IANA Considerations
   8.  Acknowledgments
   9.  Changes from Prior Drafts
   Authors' Addresses
   Intellectual Property and Copyright Statements

1.  Introduction

   The Internet is being recognized as a critical infrastructure similar
   in nature to the power grid and a potable water supply.  Just like
   those infrastructures, means are needed to provide resiliency and
   adaptability to the Internet so that it remains consistently
   available to the public throughout the world even during times of
   duress or attack.  For this reason, many SDOs are developing
   standards with hopes of retaining an acceptable level, or even
   improving this availability, to its users.  These SDO efforts usually
   define themselves as "security" efforts.  It is the opinion of the
   authors that there are many different definitions of the term
   "security" and it may be applied in many diverse ways.  As such, we
   offer no assurance that the term is applied consistently throughout
   this document.

   Many of these SDOs have diverse charters and goals and will take
   entirely different directions in their efforts to provide standards.
   However, even with that, there will be overlaps in their produced
   works.  If there are overlaps then there is a potential for conflicts
   and confusion.  This may result in:

      Vendors of networking equipment who are unsure of which standard
      to follow.

      Purchasers of networking equipment who are unsure of which
      standard will best apply to the needs of their business or
      organization.

      Network Administrators and Operators unsure of which standard to
      follow to attain the best security for their network.

   For these reasons, the authors wish to encourage all SDOs who have an
   interest in producing or in consuming standards relating to good
   security practices to be consistent in their approach and their
   recommendations.  In many cases, the authors are aware that the SDOs
   are making good efforts along these lines.  However, the authors do
   not participate in all SDO efforts and cannot know everything that is
   happening.

   The OpSec Working Group met at the 61st IETF and agreed that this
   document could be a useful reference in producing the documents
   described in the Working Group Charter.  The authors have agreed to
   keep this document current and request that those who read it will
   submit corrections or comments.

   Comments on this document may be addressed to the OpSec Working Group
   or directly to the authors.

      opsec@ops.ietf.org

2.  Format of this Document

   The body of this document has three sections.

   The first part of the body of this document, Section 3, contains a
   listing of online glossaries relating to networking and security.  It
   is very important that the definitions of words relating to security
   and security events be consistent.  Inconsistencies between the
   usage of words in standards are unacceptable, as they would prevent
   a reader of two standards from appropriately relating their
   recommendations.  The authors of this document have not reviewed the
   definitions of the words in the listed glossaries so can offer no
   assurance of their alignment.

   The second part, Section 4, contains a listing of SDOs that appear to
   be working on security standards.

   The third part, Section 5, lists the documents which have been found
   to offer good practices or recommendations for securing networks and
   networking devices.

3.  Online Security Glossaries

   This section contains references to glossaries of network and
   computer security terms.

3.1.  ATIS Telecom Glossary 2000

   http://www.atis.org/tg2k/

   Under an approved T1 standards project (T1A1-20), an existing
   5800-entry, search-enabled hypertext telecommunications glossary
   titled Federal Standard 1037C, Glossary of Telecommunication Terms
   was updated and matured into this glossary, T1.523-2001, Telecom
   Glossary 2000.  This updated glossary was posted on the Web as an
   American National Standard (ANS).

3.2.  Internet Security Glossary - RFC 2828

   http://www.ietf.org/rfc/rfc2828.txt

   Created in May 2000, the document defines itself to be, "an
   internally consistent, complementary set of abbreviations,
   definitions, explanations, and recommendations for use of terminology
   related to information system security."  The glossary makes the
   distinction of the listed definitions throughout the document as
   being:

   o  a recommended Internet definition

   o  a recommended non-Internet definition

   o  not recommended as the first choice for Internet documents but
      something that an author of an Internet document would need to
      know

   o  a definition that shouldn't be used in Internet documents

   o  additional commentary or usage guidance

3.3.  Compendium of Approved ITU-T Security Definitions

   http://www.itu.int/itudoc/itu-t/com17/activity/def004.html

   Addendum to the Compendium of the Approved ITU-T Security-related
   Definitions
   http://www.itu.int/itudoc/itu-t/com17/activity/add002.html

   These extensive materials were created from approved ITU-T
   Recommendations with a view toward establishing a common
   understanding and use of security terms within ITU-T.

3.4.  Microsoft Solutions for Security Glossary

   http://www.microsoft.com/security/glossary.mspx

   The Microsoft Solutions for Security Glossary was created to explain
   the concepts, technologies, and products associated with computer
   security.  This glossary contains several definitions specific to
   Microsoft proprietary technologies and product solutions.

3.5.  SANS Glossary of Security Terms

   http://www.sans.org/resources/glossary.php

   The SANS Institute (SysAdmin, Audit, Network, Security) was created
   in 1989 as, "a cooperative research and education organization."
   Updated in May 2003, SANS cites the NSA for their help in creating
   the online glossary of security terms.  The SANS Institute is also
   home to many other resources including the SANS Intrusion Detection
   FAQ and the SANS/FBI Top 20 Vulnerabilities List.

3.6.  Security Taxonomy and Glossary - Anne & Lynn Wheeler

   http://www.garlic.com/~lynn/secure.htm

   Anne and Lynn Wheeler maintain a security taxonomy and glossary with
   terms merged from AFSEC, AJP, CC1, CC2, CC21 (CC site), CIAO, FCv1,
   FFIEC, FJC, FTC, IATF V3 (IATF site), IEEE610, ITSEC, Intel,
   JTC1/SC27 (SC27 site), KeyAll, MSC, NIST 800-30, 800-33, 800-37,
   800-53, 800-61, 800-77, 800-83, FIPS140, NASA, NCSC/TG004, NIAP, NSA
   Intrusion, CNSSI 4009, online security study, RFC1983, RFC2504,
   RFC2647, RFC2828, TCSEC, TDI, and TNI.

4.  Standards Developing Organizations

   This section of this document lists the SDOs, or organizations that
   appear to be developing security related standards.  These SDOs are
   listed in alphabetical order.

   Note: The authors would appreciate corrections and additions.  This
   note will be removed before publication as an RFC.

4.1.  3GPP - Third Generation Partnership Project

   http://www.3gpp.org/

   The 3rd Generation Partnership Project (3GPP) is a collaboration
   agreement formed in December 1998.  The collaboration agreement is
   comprised of several telecommunications standards bodies which are
   known as "Organizational Partners".  The current Organizational
   Partners involved with 3GPP are ARIB, CCSA, ETSI, ATIS, TTA, and TTC.

4.2.  3GPP2 - Third Generation Partnership Project 2

   http://www.3gpp2.org/

   Third Generation Partnership Project 2 (3GPP2) is a collaboration
   among Organizational Partners much like its sister project 3GPP.  The
   Organizational Partners (OPs) currently involved with 3GPP2 are ARIB,
   CCSA, TIA, TTA, and TTC.  In addition to the OPs, 3GPP2 also welcomes
   the CDMA Development Group and IPv6 Forum as Market Representation
   Partners for market advice.

4.3.  ANSI - The American National Standards Institute

   http://www.ansi.org/

   ANSI is a private, non-profit organization that organizes and
   oversees the U.S. voluntary standardization and conformity assessment
   system.  ANSI was founded October 19, 1918.

4.3.1.  Accredited Standards Committee X9 (ASC X9)

   http://www.x9.org/

   The Accredited Standards Committee X9 (ASC X9) has the mission to
   develop, establish, maintain, and promote standards for the Financial
   Services Industry in order to facilitate delivery of financial
   services and products.

4.4.  ATIS - Alliance for Telecommunications Industry Solutions

   http://www.atis.org/

   ATIS is a United States based body that is committed to rapidly
   developing and promoting technical and operations standards for the
   communications and related information technologies industry
   worldwide using a pragmatic, flexible and open approach.  Committee
   T1 as a group no longer exists as a result of the recent ATIS
   reorganization on January 1, 2004.  ATIS has restructured the former
   T1 technical subcommittees into full ATIS standards committees to
   easily identify and promote the nature of standards work each
   committee performs.  Due to the reorganization, some groups may have
   a new mission and scope statement.

4.4.1.  ATIS NIPP - Network Interface, Power, and Protection Committee,
        formerly T1E1

   http://www.atis.org/0050/index.asp

   ATIS Network Interface, Power, and Protection Committee develops and
   recommends standards and technical reports related to power systems,
   electrical and physical protection for the exchange and interexchange
   carrier networks, and interfaces associated with user access to
   telecommunications networks.

4.4.2.  ATIS NPRQ - Network Performance, Reliability, and Quality of
        Service Committee, formerly T1A1

   http://www.atis.org/0010/index.asp

   ATIS Network Performance, Reliability and Quality of Service
   Committee develops and recommends standards, requirements, and
   technical reports related to the performance, reliability, and
   associated security aspects of communications networks, as well as
   the processing of voice, audio, data, image, and video signals, and
   their multimedia integration.

4.4.3.  ATIS OBF - Ordering and Billing Forum, formerly regarding T1M1
        O&B

   http://www.atis.org/obf/index.asp

   The T1M1 O&B subcommittee has become part of the ATIS Ordering and
   Billing Forum.

   The ATIS-sponsored Ordering and Billing Forum (OBF) provides a forum
   for customers and providers in the telecommunications industry to
   identify, discuss and resolve national issues which affect ordering,
   billing, provisioning and exchange of information about access
   services, other connectivity and related matters.

4.4.4.  ATIS OPTXS - Optical Transport and Synchronization Committee,
        formerly T1X1

   http://www.atis.org/0240/index.asp

   ATIS Optical Transport and Synchronization Committee develops and
   recommends standards and prepares technical reports related to
   telecommunications network technology pertaining to network
   synchronization interfaces and hierarchical structures including
   optical technology.

4.4.5.  ATIS TMOC - Telecom Management and Operations Committee,
        formerly T1M1 OAM&P

   http://www.atis.org/0130/index.asp

   ATIS Telecom Management and Operations Committee develops
   internetwork operations, administration, maintenance and provisioning
   standards, and technical reports related to interfaces for
   telecommunications networks.

4.4.6.  ATIS WTSC - Wireless Technologies and Systems Committee,
        formerly T1P1

   http://www.atis.org/0160/index.asp

   ATIS Wireless Technologies and Systems Committee develops and
   recommends standards and technical reports related to wireless and/or
   mobile services and systems, including service descriptions and
   wireless technologies.

4.4.7.  ATIS PTSC - Packet Technologies and Systems Committee, formerly
        T1S1

   http://www.atis.org/0191/index.asp

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  PTSC is responsible for producing standards to secure
   signalling.

   The basic document is PTSC-SEC-2005-059.doc which is in Letter Ballot
   at this time.  It is expected to move to an ANSI standard.

4.4.8.  ATIS Protocol Interworking Committee, regarding T1S1

   T1S1 was split into two separate ATIS committees: the ATIS Packet
   Technologies and Systems Committee and the ATIS Protocol Interworking
   Committee.  As a result of the reorganization of T1S1, these groups
   will also probably have a new mission and scope.

4.5.  CC - Common Criteria

   http://www.commoncriteriaportal.org/

   In June 1993, the sponsoring organizations of the existing US,
   Canadian, and European criteria (TCSEC, ITSEC, and similar) started
   the Common Criteria Project to align their separate criteria into a
   single set of IT security criteria.

4.6.  DMTF - Distributed Management Task Force, Inc.

   http://www.dmtf.org/

   Founded in 1992, the DMTF brings the technology industry's customers
   and top vendors together in a collaborative, working group approach
   that involves DMTF members in all aspects of specification
   development and refinement.

4.7.  ETSI - The European Telecommunications Standard Institute

   http://www.etsi.org/

   ETSI is an independent, non-profit organization which produces
   telecommunications standards.  ETSI is based in Sophia-Antipolis in
   the south of France and maintains a membership from 55 countries.

   Joint work between ETSI and ITU-T SG-17

   http://www.tta.or.kr/gsc/upload/GSC9_Joint_011_Security_Standardization_in_ITU.ppt

4.8.  GGF - Global Grid Forum

   http://www.gridforum.org/

   The Global Grid Forum (GGF) is a community-initiated forum of
   thousands of individuals from industry and research leading the
   global standardization effort for grid computing.  GGF's primary
   objectives are to promote and support the development, deployment,
   and implementation of grid technologies and applications via the
   creation and documentation of "best practices" - technical
   specifications, user experiences, and implementation guidelines.

4.9.  IEEE - The Institute of Electrical and Electronics Engineers, Inc.

   http://www.ieee.org/

   IEEE is a non-profit, professional association of more than 360,000
   individual members in approximately 175 countries.  The IEEE produces
   30 percent of the world's published literature in electrical
   engineering, computers, and control technology through its technical
   publishing, conferences, and consensus-based standards activities.

4.10.  IETF - The Internet Engineering Task Force

   http://www.ietf.org/

   IETF is a large, international community open to any interested
   individual concerned with the evolution of the Internet architecture
   and the smooth operation of the Internet.

4.11.  INCITS - InterNational Committee for Information Technology
       Standards

   http://www.incits.org/

   INCITS focuses upon standardization in the field of Information and
   Communications Technologies (ICT), encompassing storage, processing,
   transfer, display, management, organization, and retrieval of
   information.

4.11.1.  INCITS Technical Committee T11 - Fibre Channel Interfaces

   http://www.t11.org/index.htm

   T11 is responsible for standards development in the areas of
   Intelligent Peripheral Interface (IPI), High-Performance Parallel
   Interface (HIPPI) and Fibre Channel (FC).  T11 has a project called
   FC-SP to define Security Protocols for Fibre Channel.

   FC-SP Project Proposal:
   ftp://ftp.t11.org/t11/admin/project_proposals/02-036v2.pdf

4.12.  ISO - The International Organization for Standardization

   http://www.iso.org/

   ISO is a network of the national standards institutes of 148
   countries, on the basis of one member per country, with a Central
   Secretariat in Geneva, Switzerland, that coordinates the system.  ISO
   officially began operations on February 23, 1947.

4.13.  ITU - International Telecommunication Union

   http://www.itu.int/

   The ITU is an international organization within the United Nations
   System headquartered in Geneva, Switzerland.  The ITU is comprised of
   three sectors:

4.13.1.  ITU Telecommunication Standardization Sector - ITU-T

   http://www.itu.int/ITU-T/

   ITU-T's mission is to ensure an efficient and on-time production of
   high quality standards covering all fields of telecommunications.

4.13.2.  ITU Radiocommunication Sector - ITU-R

   http://www.itu.int/ITU-R/

   The ITU-R plays a vital role in the management of the radio-frequency
   spectrum and satellite orbits.

4.13.3.  ITU Telecom Development - ITU-D

   (also referred to as ITU Telecommunication Development Bureau - BDT)

   http://www.itu.int/ITU-D/

   The Telecommunication Development Bureau (BDT) is the executive arm
   of the Telecommunication Development Sector.  Its duties and
   responsibilities cover a variety of functions ranging from programme
   supervision and technical advice to the collection, processing and
   publication of information relevant to telecommunication development.

4.14.  OASIS - Organization for the Advancement of Structured
       Information Standards

   http://www.oasis-open.org/

   OASIS is a not-for-profit, international consortium that drives the
   development, convergence, and adoption of e-business standards.

4.15.  OIF - Optical Internetworking Forum

   http://www.oiforum.com/

   On April 20, 1998 Cisco Systems and Ciena Corporation announced an
   industry-wide initiative to create the Optical Internetworking Forum,
   an open forum focused on accelerating the deployment of optical
   internetworks.

4.16.  NRIC - The Network Reliability and Interoperability Council

   http://www.nric.org/

   The purposes of the Committee are to give telecommunications industry
   leaders the opportunity to provide recommendations to the FCC and to
   the industry that assure optimal reliability and interoperability of
   telecommunications networks.  The Committee addresses topics in the
   area of Homeland Security, reliability, interoperability, and
   broadband deployment.

4.17.  National Security Telecommunications Advisory Committee (NSTAC)

   http://www.ncs.gov/nstac/nstac.html

   President Ronald Reagan created the National Security
   Telecommunications Advisory Committee (NSTAC) by Executive Order
   12382 in September 1982.  Since then, the NSTAC has served four
   presidents.  Composed of up to 30 industry chief executives
   representing the major communications and network service providers
   and information technology, finance, and aerospace companies, the
   NSTAC provides industry-based advice and expertise to the President
   on issues and problems related to implementing national security and
   emergency preparedness (NS/EP) communications policy.  Since its
   inception, the NSTAC has addressed a wide range of policy and
   technical issues regarding communications, information systems,
   information assurance, critical infrastructure protection, and other
   NS/EP communications concerns.

4.18.  TIA - The Telecommunications Industry Association

   http://www.tiaonline.org/

   TIA is accredited by ANSI to develop voluntary industry standards for
   a wide variety of telecommunications products.  TIA's Standards and
   Technology Department is composed of five divisions: Fiber Optics,
   User Premises Equipment, Network Equipment, Wireless Communications
   and Satellite Communications.

4.19.  TTA - Telecommunications Technology Association

   http://www.tta.or.kr/Home2003/main/index.jsp
   http://www.tta.or.kr/English/new/main/index.htm (English)

   TTA (Telecommunications Technology Association) is an IT standards
   organization that develops new standards and provides one-stop
   services for the establishment of IT standards as well as providing
   testing and certification for IT products.

4.20.  The World Wide Web Consortium

   http://www.w3.org/Consortium/

   The World Wide Web Consortium (W3C) is an international consortium
   where Member organizations, a full-time staff, and the public work
   together to develop Web standards.  W3C's mission is: To lead the
   World Wide Web to its full potential by developing protocols and
   guidelines that ensure long-term growth for the Web.

   The security work within the W3C

   http://www.w3.org/Security/Activity

4.21.  Web Services Interoperability Organization (WS-I)

   http://www.ws-i.org/

   WS-I is an open, industry organization chartered to promote Web
   services interoperability across platforms, operating systems, and
   programming languages.  The organization works across the industry
   and standards organizations to respond to customer needs by providing
   guidance, best practices, and resources for developing Web services
   solutions.

5.  Security Best Practices Efforts and Documents

   This section lists the works produced by the SDOs.

5.1.  3GPP - TSG SA WG3 (Security)

   http://www.3gpp.org/TB/SA/SA3/SA3.htm

   TSG SA WG3 Security is responsible for the security of the 3GPP
   system, performing analyses of potential security threats to the
   system, considering the new threats introduced by the IP based
   services and systems and setting the security requirements for the
   overall 3GPP system.

690 Specifications: 691 http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--S3.htm 693 Work Items: 694 http://www.3gpp.org/ftp/Specs/html-info/TSG-WG--s3--wis.htm 696 3GPP Confidentiality and Integrity algorithms: 697 http://www.3gpp.org/TB/Other/algorithms.htm 699 5.2. 3GPP2 - TSG-S Working Group 4 (Security) 701 http://www.3gpp2.org/Public_html/S/index.cfm 703 The Services and Systems Aspects TSG (TSG-S) is responsible for the 704 development of service capability requirements for systems based on 705 3GPP2 specifications. Among its responsibilities TSG-S is addressing 706 management, technical coordination, as well as architectural and 707 requirements development associated with all end-to-end features, 708 services and system capabilities including, but not limited to, 709 security and QoS. 711 TSG-S Specifications: 712 http://www.3gpp2.org/Public_html/specs/index.cfm#tsgs 714 5.3. American National Standard T1.276-2003 - Baseline Security 715 Requirements for the Management Plane 717 Abstract: This standard contains a set of baseline security 718 requirements for the management plane. The President's National 719 Security Telecommunications Advisory Committee Network Security 720 Information Exchange (NSIE) and Government NSIE jointly established a 721 Security Requirements Working Group (SRWG) to examine the security 722 requirements for controlling access to the public switched network, 723 in particular with respect to the emerging next generation network. 725 In the telecommunications industry, this access incorporates 726 operation, administration, maintenance, and provisioning for network 727 elements and various supporting systems and databases. 
Members of 728 the SRWG, from a cross-section of telecommunications carriers and 729 vendors, developed an initial list of security requirements that 730 would allow vendors, government departments and agencies, and service 731 providers to implement a secure telecommunications network management 732 infrastructure. This initial list of security requirements was 733 submitted as a contribution to Committee T1 - Telecommunications, 734 Working Group T1M1.5 for consideration as a standard. The 735 requirements outlined in this document will allow vendors, government 736 departments and agencies, and service providers to implement a secure 737 telecommunications network management infrastructure. 739 Documents: 740 http://webstore.ansi.org/ansidocstore/product.asp?sku=T1%2E276%2D2003 742 5.4. DMTF - Security Protection and Management (SPAM) Working Group 744 http://www.dmtf.org/about/committees/spamWGCharter.pdf 746 The Working Group will define a CIM Common Model that addresses 747 security protection and detection technologies, which may include 748 devices and services, and classifies security information, attacks, 749 and responses. 751 5.5. DMTF - User and Security Working Group 753 http://www.dmtf.org/about/committees/userWGCharter.pdf 755 The User and Security Working Group defines objects and access 756 methods required for principals - where principals include users, 757 groups, software agents, systems, and organizations. 759 5.6. ATIS Work-Plan to Achieve Interoperable, Implementable, End-To-End 760 Standards and Solutions 762 ftp://ftp.t1.org/T1M1/NEW-T1M1.0/3M101940.pdf 764 The ATIS TOPS Security Focus Group has made recommendations on work 765 items needed to be performed by other SDOs. 767 5.6.1. ATIS Work on Packet Filtering 769 A part of the ATIS Work Plan was to define how disruptions may be 770 prevented by filtering unwanted traffic at the edges of the network. 
771 ATIS is developing this work in a document titled, "Traffic Filtering
772 for the Prevention of Unwanted Traffic".

774 5.7. ATIS Work on the NGN

776 http://www.atis.org/tops/WebsiteDocuments/NGN/Working%20Docs/
777 Part%20I/ATIS_NGN_Part_1_Issue1.pdf

779 In November 2004, ATIS released Part I of the ATIS NGN-FG efforts
780 entitled, "ATIS Next Generation Network (NGN) Framework Part I: NGN
781 Definitions, Requirements, and Architecture, Issue 1.0, November
782 2004."

784 5.8. Common Criteria

786 http://www.commoncriteriaportal.org/

788 Version 1.0 of the CC was completed in January 1996. Based on a
789 number of trial evaluations and an extensive public review, Version
790 1.0 was extensively revised and CC Version 2.0 was produced in April
791 of 1998. This became ISO International Standard 15408 in 1999. The
792 CC Project subsequently incorporated the minor changes that had
793 resulted in the ISO process, producing CC version 2.1 in August 1999.
794 Version 3.0 was published in June 2005 and is available for comment.

796 The official version of the Common Criteria and of the Common
797 Evaluation Methodology is v2.3 which was published in August 2005.

799 All Common Criteria publications contain:

801 Part 1: Introduction and general model

803 Part 2: Security functional components

805 Part 3: Security assurance components

807 Documents: Common Criteria V2.3
808 http://www.commoncriteriaportal.org/public/expert/index.php?menu=2

810 5.9. ETSI

812 http://www.etsi.org/

814 The ETSI hosted the ETSI Global Security Conference in late November,
815 2003, which could lead to a standard.

817 Groups related to security located from the ETSI Groups Portal:

819 OCG Security
820 3GPP SA3

822 TISPAN WG7

824 5.10. GGF Security Area (SEC)

826 https://forge.gridforum.org/projects/sec/

828 The Security Area (SEC) is concerned with various issues relating to
829 authentication and authorization in Grid environments.
831 Working groups:

833 Authorization Frameworks and Mechanisms WG (AuthZ-WG) -
834 https://forge.gridforum.org/projects/authz-wg

836 Certificate Authority Operations Working Group (CAOPS-WG) -
837 https://forge.gridforum.org/projects/caops-wg

839 OGSA Authorization Working Group (OGSA-AUTHZ) -
840 https://forge.gridforum.org/projects/ogsa-authz

842 Grid Security Infrastructure (GSI-WG) -
843 https://forge.gridforum.org/projects/gsi-wg

845 5.11. Information System Security Assurance Architecture

847 IEEE Working Group - http://issaa.org/

849 Formerly the Security Certification and Accreditation of Information
850 Systems (SCAISWG), IEEE Project 1700's purpose is to develop a draft
851 Standard for Information System Security Assurance Architecture for
852 ballot and during the process begin development of a suite of
853 associated standards for components of that architecture.

855 Documents: http://issaa.org/documents/index.html

857 5.12. Operational Security Requirements for IP Network Infrastructure :
858 Advanced Requirements

860 IETF RFC 3871

862 Abstract: This document defines a list of operational security
863 requirements for the infrastructure of large ISP IP networks (routers
864 and switches). A framework is defined for specifying "profiles",
865 which are collections of requirements applicable to certain network
866 topology contexts (all, core-only, edge-only...). The goal is to
867 provide network operators a clear, concise way of communicating their
868 security requirements to vendors.

870 Documents:

872 ftp://ftp.rfc-editor.org/in-notes/rfc3871.txt

874 5.13. INCITS CS1 - Cyber Security

876 http://cs1.incits.org/

878 INCITS/CS1 was established in April 2005 to serve as the US TAG for
879 ISO/IEC JTC 1/SC 27 and all SC 27 Working Groups except WG 2
880 (INCITS/T4 serves as the US TAG to SC 27/WG 2).
882 The scope of CS1 explicitly excludes the areas of work on cyber
883 security standardization presently underway in INCITS B10, M1 and T3;
884 as well as other standard groups, such as ATIS, IEEE, IETF, TIA, and
885 X9. INCITS T4's area of work would be narrowed to cryptography
886 projects in ISO/IEC JTC 1/SC 27 WG 2 (Security techniques and
887 mechanisms).

889 5.14. ISO Guidelines for the Management of IT Security - GMITS

891 Guidelines for the Management of IT Security -- Part 1: Concepts and
892 models for IT Security

894 http://www.iso.ch/iso/en/
895 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21733&ICS1=35

897 Guidelines for the Management of IT Security -- Part 2: Managing and
898 planning IT Security

900 http://www.iso.org/iso/en/
901 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21755&ICS1=35&ICS2=40&
902 ICS3=

904 Guidelines for the Management of IT Security -- Part 3: Techniques
905 for the management of IT Security

907 http://www.iso.org/iso/en/
908 CatalogueDetailPage.CatalogueDetail?CSNUMBER=21756&ICS1=35&ICS2=40&
909 ICS3=

911 Guidelines for the Management of IT Security -- Part 4: Selection of
912 safeguards

914 http://www.iso.org/iso/en/
915 CatalogueDetailPage.CatalogueDetail?CSNUMBER=29240&ICS1=35&ICS2=40&
916 ICS3=

918 Guidelines for the Management of IT Security - Part 5: Management
919 guidance on network security

921 http://www.iso.org/iso/en/
922 CatalogueDetailPage.CatalogueDetail?CSNUMBER=31142&ICS1=35&ICS2=40&
923 ICS3=

925 Open Systems Interconnection -- Network layer security protocol

927 http://www.iso.org/iso/en/
928 CatalogueDetailPage.CatalogueDetail?CSNUMBER=22084&ICS1=35&ICS2=100&
929 ICS3=30

931 5.15. ISO JTC 1/SC 27

933 http://www.iso.ch/iso/en/stdsdevelopment/techprog/workprog/
934 TechnicalProgrammeSCDetailPage.TechnicalProgrammeSCDetail?COMMID=143

936 Several security related ISO projects under JTC 1/SC 27 are listed
937 here such as:

939 IT security techniques -- Entity authentication

941 Security techniques -- Key management

943 Security techniques -- Evaluation criteria for IT security

945 Security techniques -- A framework for IT security assurance

947 IT Security techniques -- Code of practice for information
948 security management

950 Security techniques -- IT network security

952 Guidelines for the implementation, operation and management of
953 Intrusion Detection Systems (IDS)

955 International Security, Trust, and Privacy Alliance -- Privacy
956 Framework

958 5.16. ITU-T Study Group 2

960 http://www.itu.int/ITU-T/studygroups/com02/index.asp

962 Security related recommendations currently under study:

964 E.408 Telecommunication networks security requirements Q.5/2 (was
965 E.sec1)

967 E.409 Incident Organisation and Security Incident Handling Q.5/2
968 (was E.sec2)

970 Note: Access requires TIES account.

972 5.17. ITU-T Recommendation M.3016

974 http://www.itu.int/itudoc/itu-t/com4/contr/068.html

976 This recommendation provides an overview and framework that
977 identifies the security requirements of a TMN and outlines how
978 available security services and mechanisms can be applied within the
979 context of the TMN functional architecture.

981 Question 18 of Study Group 3 is revising Recommendation M.3016. They
982 have taken the original document and are incorporating thoughts from
983 ITU-T Recommendation X.805 and from ANSI T1.276-2003. The group has
984 produced a new series of documents.

986 M.3016.0 - Overview

988 M.3016.1 - Requirements

990 M.3016.2 - Services

992 M.3016.3 - Mechanisms

994 M.3016.4 - Profiles

996 5.18. ITU-T Recommendation X.805

998 http://www.itu.int/itudoc/itu-t/aap/sg17aap/history/x805/x805.html

1000 This Recommendation defines the general security-related
1001 architectural elements that, when appropriately applied, can provide
1002 end-to-end network security.

1004 5.19. ITU-T Study Group 16

1006 http://www.itu.int/ITU-T/studygroups/com16/index.asp

1008 Multimedia Security in Next-Generation Networks (NGN-MM-SEC)

1010 http://www.itu.int/ITU-T/studygroups/com16/sg16-q25.html

1012 5.20. ITU-T Study Group 17

1014 http://www.itu.int/ITU-T/studygroups/com17/index.asp

1016 ITU-T Study Group 17 is the Lead Study Group on Communication System
1017 Security

1019 http://www.itu.int/ITU-T/studygroups/com17/cssecurity.html

1021 Study Group 17 Security Project:

1023 http://www.itu.int/ITU-T/studygroups/com17/security/index.html

1025 During its November 2002 meeting, Study Group 17 agreed to establish
1026 a new project entitled "Security Project" under the leadership of
1027 Q.10/17 to coordinate the ITU-T standardization effort on security.
1028 An analysis of the status on ITU-T Study Group action on information
1029 and communication network security may be found in TSB Circular 147
1030 of 14 February 2003.

1032 5.21. Catalogue of ITU-T Recommendations related to Communications
1033 System Security

1035 http://www.itu.int/itudoc/itu-t/com17/activity/cat004.html

1037 The Catalogue of the approved security Recommendations includes those
1038 designed for security purposes and those which describe or make use of
1039 functions of security interest and need. Although some of the
1040 security-related Recommendations include the phrase "Open Systems
1041 Interconnection", much of the information contained in them is
1042 pertinent to the establishment of security functionality in any
1043 communicating system.

1045 5.22. ITU-T Security Manual

1047 http://www.itu.int/ITU-T/edh/files/security-manual.pdf

1049 TSB is preparing an "ITU-T Security Manual" to provide an overview on
1050 security in telecommunications and information technologies, describe
1051 practical issues, and indicate how the different aspects of security
1052 in today's applications are addressed by ITU-T Recommendations. This
1053 manual has a tutorial character: it collects security related
1054 material from ITU-T Recommendations into one place and explains the
1055 respective relationships. The intended audience for this manual are
1056 engineers and product managers, students and academia, as well as
1057 regulators who want to better understand security aspects in
1058 practical applications.

1060 5.23. ITU-T NGN Effort

1062 http://www.itu.int/ITU-T/2001-2004/com13/ngn2004/index.html

1064 During its January 2002 meeting, SG13 decided to undertake the
1065 preparation of a new ITU-T Project entitled "NGN 2004 Project". At
1066 the November 2002 SG13 meeting, a preliminary description of the
1067 Project was achieved and endorsed by SG13 with the goal to launch the
1068 Project. It has been regularly updated since then.

1070 The role of the NGN 2004 Project is to organize and to coordinate
1071 ITU-T activities on Next Generation Networks. Its target is to
1072 produce a first set of Recommendations on NGN by the end of this
1073 study period, i.e. mid-2004.

1075 5.24. NRIC VI Focus Groups

1077 http://www.nric.org/fg/index.html

1079 The Network Reliability and Interoperability Council (NRIC) was
1080 formed with the purpose to provide recommendations to the FCC and to
1081 the industry to assure the reliability and interoperability of
1082 wireless, wireline, satellite, and cable public telecommunications
1083 networks. These documents provide general information and guidance
1084 on NRIC Focus Group 1B (Cybersecurity) Best Practices for the
1085 prevention of cyberattack and for restoration following a
1086 cyberattack.

1088 Documents:

1090 Homeland Defense - Recommendations Published 14-Mar-03

1092 Preventative Best Practices - Recommendations Published 14-Mar-03

1094 Recovery Best Practices - Recommendations Published 14-Mar-03

1096 Best Practice Appendices - Recommendations Published 14-Mar-03

1098 5.25. OASIS Security Joint Committee

1100 http://www.oasis-open.org/committees/
1101 tc_home.php?wg_abbrev=security-jc

1103 The purpose of the Security JC is to coordinate the technical
1104 activities of multiple security related TCs. The SJC is advisory
1105 only, and has no deliverables. The Security JC will promote the use
1106 of consistent terms, promote re-use, champion an OASIS security
1107 standards model, provide consistent PR, and promote mutuality,
1108 operational independence and ethics.

1110 5.26. OASIS Security Services (SAML) TC

1112 http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

1114 The Security Services TC is working to advance the Security Assertion
1115 Markup Language (SAML) as an OASIS standard. SAML is an XML
1116 framework for exchanging authentication and authorization
1117 information.

1119 5.27. OIF Implementation Agreements

1121 The OIF has 2 approved Implementation Agreements (IAs) relating to
1122 security. They are:

1124 OIF-SMI-01.0 - Security Management Interfaces to Network Elements

1126 This Implementation Agreement lists objectives for securing OAM&P
1127 interfaces to a Network Element and then specifies ways of using
1128 security systems (e.g., IPsec or TLS) for securing these interfaces.
1129 It summarizes how well each of the systems, used as specified,
1130 satisfies the objectives.
1132 OIF - SEP - 01.1 - Security Extension for UNI and NNI

1134 This Implementation Agreement defines a common Security Extension for
1135 securing the protocols used in UNI 1.0, UNI 2.0, and NNI.

1137 Documents: http://www.oiforum.com/public/documents/Security-IA.pdf

1139 5.28. TIA

1141 The TIA has produced the "Compendium of Emergency Communications and
1142 Communications Network Security-related Work Activities". This
1143 document identifies standards, or other technical documents and
1144 ongoing Emergency/Public Safety Communications and Communications
1145 Network Security-related work activities within TIA and its
1146 Engineering Committees. Many P25 documents are specifically
1147 detailed. This "living document" is presented for information,
1148 coordination and reference.

1150 Documents: http://www.tiaonline.org/standards/technology/ciphs/
1151 documents/EMTEL_sec.pdf

1153 5.29. WS-I Basic Security Profile

1155 http://www.ws-i.org/Profiles/BasicSecurityProfile-1.0.html

1157 The WS-I Basic Security Profile 1.0 consists of a set of non-
1158 proprietary Web services specifications, along with clarifications
1159 and amendments to those specifications which promote
1160 interoperability.

1162 6. Security Considerations

1164 This document describes efforts to standardize security practices and
1165 documents. As such this document offers no security guidance
1166 whatsoever.

1168 Readers of this document should be aware of the date of publication
1169 of this document. It is feared that they may assume that the
1170 efforts, on-line material, and documents are current whereas they may
1171 not be. Please consider this when reading this document.

1173 7. IANA Considerations

1175 This document does not propose a standard and does not require the
1176 IANA to do anything.

1178 8. Acknowledgments

1180 The following people have contributed to this document. Listing
1181 their names here does not mean that they endorse the document, but
1182 that they have contributed to its substance.

1184 David Black, Mark Ellison, George Jones, Keith McCloghrie, John
1185 McDonough, Art Reilly, Chip Sharp, Dane Skow, Michael Hammer, Bruce
1186 Moon.

1188 9. Changes from Prior Drafts

1190 -00 : Initial draft published as draft-lonvick-sec-efforts-01.txt

1192 -01 : Security Glossaries:

1194 Added ATIS Telecom Glossary 2000, Critical Infrastructure
1195 Glossary of Terms and Acronyms, Microsoft Solutions for
1196 Security Glossary, and USC InfoSec Glossary.

1198 Standards Developing Organizations:

1200 Added DMTF, GGF, INCITS, OASIS, and WS-I

1202 Removal of Committee T1 and modifications to ATIS and former T1
1203 technical subcommittees due to the recent ATIS reorganization.

1205 Efforts and Documents:

1207 Added DMTF User and Security WG, DMTF SPAM WG, GGF Security
1208 Area (SEC), INCITS Technical Committee T4 - Security
1209 Techniques, INCITS Technical Committee T11 - Fibre Channel
1210 Interfaces, ISO JTC 1/SC 27 projects, OASIS Security Joint
1211 Committee, OASIS Security Services TC, and WS-I Basic Security
1212 Profile.

1214 Updated Operational Security Requirements for IP Network
1215 Infrastructure : Advanced Requirements.

1217 -00 : as the WG ID

1219 Added more information about the ITU-T SG3 Q18 effort to modify
1220 ITU-T Recommendation M.3016.

1222 -01 : First revision as the WG ID.

1224 Added information about the NGN in the sections about ATIS, the
1225 NSTAC, and ITU-T.

1227 -02 : Second revision as the WG ID.

1229 Updated the date.

1231 Corrected some URLs and the reference to George's RFC.

1233 -03 : Third revision of the WG ID.

1235 Updated the date.

1237 Updated the information about the CC

1239 Added a Conventions section (not sure how this document got to
1240 where it is without that)

1242 -04 : Fourth revision of the WG ID.

1244 Updated the date.
1246 Added Anne & Lynn Wheeler Taxonomy & Security Glossary

1248 CIAO glossary removed. CIAO has been absorbed by DHS and the
1249 glossary is no longer available.

1251 USC glossary removed, could not find it on the site or a reference
1252 to it elsewhere.

1254 Added TTA - Telecommunications Technology Association to SDO
1255 section.

1257 Removed ATIS Security & Emergency Preparedness Activities from
1258 Documents section. Could not find it or a reference to it.

1260 INCITS T4 incorporated into CS1 - T4 section removed

1262 X9 Added to SDO list under ANSI

1264 Various link or grammar fixes.

1266 -05 : Fifth revision of the WG ID.

1268 Updated the date.

1270 Removed the 2119 definitions; this is an informational document.

1272 -06 : Sixth revision of the WG ID.

1274 Updated the date.

1276 Added W3C information.

1278 Note: This section will be removed before publication as an RFC.

1280 Authors' Addresses

1282 Chris Lonvick
1283 Cisco Systems
1284 12515 Research Blvd.
1285 Austin, Texas 78759
1286 US

1288 Phone: +1 512 378 1182
1289 Email: clonvick@cisco.com

1291 David Spak
1292 Cisco Systems
1293 12515 Research Blvd.
1294 Austin, Texas 78759
1295 US

1297 Phone: +1 512 378 1720
1298 Email: dspak@cisco.com

1300 Full Copyright Statement

1302 Copyright (C) The IETF Trust (2007).

1304 This document is subject to the rights, licenses and restrictions
1305 contained in BCP 78, and except as set forth therein, the authors
1306 retain all their rights.

1308 This document and the information contained herein are provided on an
1309 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1310 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1311 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1312 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1313 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1314 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1316 Intellectual Property

1318 The IETF takes no position regarding the validity or scope of any
1319 Intellectual Property Rights or other rights that might be claimed to
1320 pertain to the implementation or use of the technology described in
1321 this document or the extent to which any license under such rights
1322 might or might not be available; nor does it represent that it has
1323 made any independent effort to identify any such rights. Information
1324 on the procedures with respect to rights in RFC documents can be
1325 found in BCP 78 and BCP 79.

1327 Copies of IPR disclosures made to the IETF Secretariat and any
1328 assurances of licenses to be made available, or the result of an
1329 attempt made to obtain a general license or permission for the use of
1330 such proprietary rights by implementers or users of this
1331 specification can be obtained from the IETF on-line IPR repository at
1332 http://www.ietf.org/ipr.

1334 The IETF invites any interested party to bring to its attention any
1335 copyrights, patents or patent applications, or other proprietary
1336 rights that may cover technology that may be required to implement
1337 this standard. Please address the information to the IETF at
1338 ietf-ipr@ietf.org.

1340 Acknowledgment

1342 Funding for the RFC Editor function is provided by the IETF
1343 Administrative Support Activity (IASA).