ITU-T Study Group 17 Security - PowerPoint PPT Presentation

Slides: 52
Provided by: seb65

Transcript and Presenter's Notes

1
ITU-T Study Group 17 Security
  • An overview for newcomers
Arkadiy Kremer

February 2012
2
Contents
  • Importance of ICT security standardization
  • ITU Plenipotentiary Conference (PP-10) actions on
    ICT security
  • World Telecommunications Standardization Assembly
    (WTSA-08) mandate for Study Group 17
  • Study Group 17 overview
  • Security Coordination
  • Future meetings
  • Useful references

3
Importance of ICT security standardization (1/4)
  • National laws are oftentimes inadequate to
    protect against attacks.
  • They are insufficient from the timing
    perspective (i.e. laws cannot keep up with the
    pace of technological change), and, since attacks
    are often transnational, national laws may well
    be inapplicable anyway.
  • What this means is that the defenses must be
    largely technical, procedural and administrative,
    i.e. those that can be addressed in standards.
  • The development of standards in an open forum
    that comprises international specialists from a
    wide variety of environments and backgrounds
    provides the best possible opportunity to ensure
    relevant, complete and effective standards.
  • SG 17 provides the environment in which such
    standards can be, and are being, developed.

4
Importance of ICT security standardization (2/4)
  • The primary challenges are the time it takes to
    develop a standard (compared to the speed of
    technological change and the emergence of new
    threats) and the shortage of skilled and
    available resources.
  • We must work quickly to respond to the
    rapidly-evolving technical and threat environment
    but we must also ensure that the standards we
    produce are given sufficient consideration and
    review to ensure that they are complete and
    effective.
  • We must recognize and respect the differences in
    developing countries' respective environments:
    their telecom infrastructures may be at different
    levels of development from those of the developed
    countries; their ability to participate in, and
    contribute directly to, the security standards
    work may be limited by economic and other
    considerations; and their needs and priorities
    may be quite different.

5
Importance of ICT security standardization (3/4)
  • ITU-T can help the developing countries by
    fostering awareness of the work we are doing (and
    why we are doing it), by encouraging
    participation in the work, particularly via the
    electronic communication facilities now being
    used (e.g. web-based meetings and
    teleconferencing), and, most particularly, by
    encouraging the members from the developing
    countries to articulate their concerns and
    priorities regarding ICT security.
  • The members from the developed nations should not
    confuse their own needs with those of the
    developing countries, nor should they make
    assumptions about what the needs and priorities
    of the developing countries may be.

6
Importance of ICT security standardization (4/4)
  • For on-going credibility, we need performance
    measures that provide some indication of the
    effectiveness of our standards. In the past there
    has been too much focus on quantity (i.e. how
    many standards are produced) rather than on the
    quality and effectiveness of the work.
  • Going forward, we really need to know which
    standards are being used (and which are not being
    used), how widely they are used, and how
    effective they are.
  • This is not going to be easy to determine, but it
    would do much more for ITU-T's credibility if
    it could demonstrate the value and effectiveness
    of standards that have been developed rather than
    simply saying "we produced X number of
    standards".
  • The number of standards produced is irrelevant;
    what counts is the impact they have.

8
ITU Plenipotentiary Conference 2010
  • Strengthened the role of ITU in ICT security
  • Strengthening the role of ITU in building
    confidence and security in the use of information
    and communication technologies (Res. 130)
  • The use of telecommunications/information and
    communication technologies for monitoring and
    management in emergency and disaster situations
    for early warning, prevention, mitigation and
    relief (Res. 136)
  • ITU's role with regard to international public
    policy issues relating to the risk of illicit use
    of information and communication technologies
    (Res. 174)
  • ITU role in organizing the work on technical
    aspects of telecommunication networks to support
    the Internet (Res. 178)
  • ITU's role in child online protection (Res. 179)
  • Definitions and terminology relating to building
    confidence and security in the use of information
    and communication technologies (Res. 181)

10
SG 17 mandate established by World
Telecommunication Standardization Assembly
(WTSA-08)
  • WTSA-08 decided the following for Study Group 17:
  • Title: Security
  • Responsible for studies relating to security
    including cybersecurity, countering spam and
    identity management. Also responsible for the
    application of open system communications
    including directory and object identifiers, and
    for technical languages, the method for their
    usage and other issues related to the software
    aspects of telecommunication systems.
  • Lead Study Group for:
  • Telecommunication security
  • Identity management
  • Languages and description techniques
  • Responsible for specific E, F, X and Z series
    Recommendations
  • Responsible for 15 Questions
  • Chairman: Arkadiy Kremer
  • Vice chairmen: Jianyong Chen, Mohamed M.K. Elhaj,
    Antonio Guimaraes, Patrick Mwesigwa, Koji Nakao,
    Heung Youl Youm

12
Study Group 17 Overview
  • Primary focus is to build confidence and security
    in the use of Information and Communication
    Technologies (ICTs)
  • Meets twice a year. Last meeting had 171
    participants from 21 Member States, 20 Sector
    Members and 7 Associates.
  • As of 16 October 2011, SG 17 is responsible for
    279 approved Recommendations, 11 approved
    Supplements and 3 approved Implementers' Guides
    in the E, F, X and Z series.
  • Large program of work
  • 23 new work items added to work program in 2011
  • 33 Recommendations, 22 Corrigenda and 3
    Supplements approved or entered approval process
    in 2011
  • 143 new or revised Recommendations and other
    texts are under development for approval in 2012
    or later
  • Work organized into 3 Working Parties with 15
    Questions
  • 5 Correspondence groups
  • See SG 17 web page for more information:
    http://itu.int/ITU-T/studygroups/com17

13
SG 17, Security
  • Working Party 1 (WP 1), Network and information
    security: Q1 Security project; Q2 Architecture;
    Q3 ISM; Q4 Cybersecurity; Q5 Countering spam
  • Working Party 2 (WP 2), Application security:
    Q6 Ubiquitous services; Q7 Applications; Q8 SOA;
    Q9 Telebiometrics
  • Working Party 3 (WP 3), Identity management and
    languages: Q10 IdM; Q11 Directory, PKI and PMI;
    Q12 ASN.1, OID; Q13 Languages; Q14 Testing;
    Q15 OSI
14
Study Group 17 is the Lead Study Group on:
Telecommunication security; Identity management
(IdM); Languages and description techniques
  • A study group may be designated by WTSA or TSAG
    as the lead study group for ITU-T studies forming
    a defined programme of work involving a number of
    study groups.
  • This lead study group is responsible for the
    study of the appropriate core Questions.
  • In addition, in consultation with the relevant
    study groups and in collaboration, where
    appropriate, with other standards bodies, the
    lead study group has the responsibility to define
    and maintain the overall framework and to
    coordinate, assign (recognizing the mandates of
    the study groups) and prioritize the studies to
    be carried out by the study groups, and to ensure
    the preparation of consistent, complete and
    timely Recommendations.
  • Extracted from WTSA-08 Resolution 1

15
SG 17 is Parent for Joint Coordination
Activities (JCAs) on: Identity management;
Conformance and interoperability testing
  • A joint coordination activity (JCA) is a tool for
    management of the work programme of ITU-T when
    there is a need to address a broad subject
    covering the area of competence of more than one
    study group. A JCA may help to coordinate the
    planned work effort in terms of subject matter,
    time-frames for meetings, collocated meetings
    where necessary and publication goals including,
    where appropriate, release planning of the
    resulting Recommendations.
  • The establishment of a JCA aims mainly at
    improving coordination and planning. The work
    itself will continue to be conducted by the
    relevant study groups and the results are subject
    to the normal approval processes within each
    study group. A JCA may identify technical and
    strategic issues within the scope of its
    coordination role, but will not perform technical
    studies nor write Recommendations. A JCA may also
    address coordination of activities with
    recognized standards development organizations
    (SDOs) and forums, including periodic discussion
    of work plans and schedules of deliverables. The
    study groups take JCA suggestions into
    consideration as they carry out their work.
  • Extracted from Recommendation ITU-T A.1

16
Additional Security Work
  • Cloud Computing Security
  • Expected transfer in early 2012 of security work
    from ITU-T Focus Group on Cloud Computing to SG
    17
  • Smart Grid Security
  • Expected transfer in early 2012 of security work
    from ITU-T Focus Group on Smart Grid to SG 17
  • Child Online Protection
  • Correspondence group currently looking at what
    aspects are appropriate given SG 17 mandate and
    area of expertise
  • MoU UNODC-ITU
  • ITU-T Secretary General signed MoU with United
    Nations Office on Drugs and Crime (UNODC). Role
    of SG 17 needs further consideration.
  • SG 17 has prepared first draft of 17 proposed
    Questions for the 2013-2016 study period

17
Working Party 1/17: Network and information
security
Chairman: Koji Nakao
Q1 Telecommunications systems security project
Q2 Security architecture and framework
Q3 Telecommunications information security
management
Q4 Cybersecurity
Q5 Countering spam by technical means
18
Question 1/17: Telecommunications systems security
project
  • Security Coordination
  • Coordinate security matters within SG 17, with
    ITU-T SGs, ITU-D and externally with other SDOs
  • Maintain reference information on LSG security
    webpage
  • ICT Security Standards Roadmap
  • Searchable database of approved ICT security
    standards from ITU-T, ISO/IEC, ETSI and others
  • Security Compendium
  • Catalogue of approved security-related
    Recommendations and security definitions
    extracted from approved Recommendations
  • ITU-T Security Manual
  • 4th edition published in 4Q/2009; 5th edition
    planned for 2012
  • Bridging the standardization gap

19
Question 1/17 (cntd): Telecommunications systems
security project
  • Security standardization strategy: Define a
    top-down approach to complement the
    contribution-driven work
  • to ensure the continued relevance of security
    standards by keeping them current with
    rapidly-developing technologies and operators'
    trends (in e-commerce, e-payments, e-banking,
    telemedicine, fraud-monitoring, fraud-management,
    fraud identification, digital identity,
    infrastructure creation, billing systems, IPTV,
    Video-on-demand, grid network computing,
    ubiquitous networks, etc.)
  • to follow up on the considerable attention
    recently given to trust between network providers
    and communication infrastructure vendors, in
    particular for communication hardware and
    software security; issues of how trust can be
    established and/or enhanced would need to be
    considered
  • Rapporteur: Antonio Guimaraes

20
Question 2/17: Security Architecture and Framework
  • Responsible for general security architecture and
    framework for telecommunication systems
  • Recommendation in approval process
  • X.1037, Architectural systems for security
    controls for preventing fraudulent activities in
    public carrier networks
  • Recommendations currently under study include
  • X.gsiiso, Guidelines on security of the
    individual information service for operators
  • X.ncns-1, National IP-based Public Networks
    Security Center for Developing Countries
  • X.ipv6-secguide, Technical guideline on deploying
    IPv6
  • X.hns, Heterarchic for secure distributed
    services networks
  • 25 Recommendations and 2 Supplements approved
  • Relationships with ISO/IEC JTC 1 SCs 27 and 37,
    IEC TC 25, ISO TC 12, IETF, ATIS, ETSI, 3GPP,
    3GPP2
  • Rapporteur: Patrick Mwesigwa

21
Question 3/17: Telecommunications information
security management
  • Responsible for information security management -
    X.1051, etc.
  • Recommendations approved May 2011
  • X.1052, Information security management framework
  • X.1057, Asset management guidelines in
    telecommunication organizations
  • Developing specific guidelines including
  • X.gpim, Guideline for management of
    personally identifiable information for
    telecommunication org.
  • X.isgf, Governance of information security (w/SC
    27)
  • X.sgsm, Security management guidelines for
    small and medium-sized telecommunication
    organizations
  • X.mgv6, Security management guideline
    for implementation of IPv6 environment
  • Supplement - User guide for X.1051
  • Information security incident management for
    developing countries
  • Close collaboration with ISO/IEC JTC 1/SC 27
  • Rapporteur: Miho Naganuma

22
Question 4/17: Cybersecurity
  • Cybersecurity by design no longer possible; a new
    paradigm:
  • know your weaknesses → minimize the
    vulnerabilities
  • know your attacks → share the heuristics within
    trust communities
  • Current work program (28 Recommendations under
    development)
  • X.1500 suite: Cybersecurity Information Exchange
    (CYBEX), non-prescriptive, extensible,
    complementary techniques for the new paradigm
  • Weakness, vulnerability and state
  • Event, incident, and heuristics
  • Information exchange policy
  • Identification, discovery, and query
  • Identity assurance
  • Exchange protocols
  • Non-CYBEX deliverables include compendiums and
    guidelines for
  • SIP server protection
  • Abnormal traffic detection
  • Botnet mitigation
  • Attack source attribution (including traceback)
  • Trusted standards availability
  • Extensive relationships with many external bodies

23
Question 4/17 (cntd): Cybersecurity
  • Key achievements
  • X.1205, Overview of cybersecurity  
  • X.1206, A vendor-neutral framework for automatic
    notification of security related information and
    dissemination of updates  
  • X.1207, Guidelines for telecommunication service
    providers for addressing the risk of spyware and
    potentially unwanted software
  • X.1209, Capabilities and their context scenarios
    for cybersecurity information sharing and
    exchange
  • X.1303, Common alerting protocol
  • X.1500, Overview of cybersecurity information
    exchange (CYBEX)
  • X.1520, Common vulnerabilities and exposures
    (CVE)
  • X.1521, Common vulnerability scoring system
    (CVSS)
  • X.1570, Discovery mechanisms in the exchange of
    cybersecurity information
  • X.Sup.8, Supplement on best practices against
    botnet threats
  • X.Sup.9, Guidelines for reducing malware in ICT
    networks
  • X.Sup.10, Usability of network traceback
  • Recommendations in approval process
  • X.1500.1, Procedures for the registration of arcs
    under OID arc for CYBEX
  • X.1524, Common weakness enumeration (CWE)
  • X.1541, Incident object description exchange
    format
  • Rapporteur: Anthony Rutkowski

24
Question 5/17: Countering spam by technical means
  • Lead group in ITU-T on countering spam by
    technical means in support of WTSA-08 Resolution
    52 (Countering and combating spam)
  • 7 Recommendations and 2 Supplements approved. 3
    draft texts under development (see structure in
    next slide)
  • X.oacms, Overall aspects of countering messaging
    spam in mobile networks
  • X.ticvs, Technologies involved in countering
    voice spam in telecommunication organizations
  • Supplement, Functions and interfaces for
    countering e-mail spam using botnet information
  • Effective cooperation with ITU-D, IETF, ISO/IEC
    JTC 1, 3GPP, OECD, MAAWG, ENISA and other
    organizations
  • Rapporteur: Hongwei Luo

25
Question 5/17 (cntd): Countering spam by
technical means
26
Working Party 2/17: Application Security
  • Chairman: Heung Youl Youm

Q6 Security aspects of ubiquitous telecommunication
services
Q7 Secure application services
Q8 Service oriented architecture security
Q9 Telebiometrics
27
Question 6/17: Security aspects of ubiquitous
telecommunication services
  • Multicast security
  • X.1101, Security requirements and framework for
    multicast communication
  • Home network security
  • X.1111, Framework for security technologies for
    home network
  • X.1112, Device certificate profile for the home
    network
  • X.1113, Guideline on user authentication
    mechanism for home network services
  • X.1114, Authorization framework for home network
  • Mobile security
  • X.1121, Framework of security technologies for
    mobile end-to-end data communications  
  • X.1122, Guideline for implementing secure mobile
    systems based on PKI  
  • X.1123, Differentiated security service for
    secure mobile end-to-end data communication  
  • X.1124, Authentication architecture for mobile
    end-to-end data communication  
  • X.1125, Correlative reacting system in mobile
    data communication
  • X.msec-5, Security requirements and mechanism for
    reconfiguration of mobile device with multiple
    communication interfaces
  • X.msec-6, Security aspects of mobile phones
  • Networked ID security
  • X.1171, Threats and requirements for protection
    of personally identifiable information in
    applications using tag-based identification
  • X.1175, Guidelines on protection of personally
    identifiable information in the application of
    RFID technology

28
Question 6/17 (cntd): Security aspects of
ubiquitous telecommunication services
  • IPTV security
  • X.1191, Functional requirements and architecture
    for IPTV security aspects
  • X.1192, Functional requirements and mechanisms
    for secure transcodable scheme of IPTV
  • X.1193, Key management framework for secure IPTV
    services
  • X.1195, Service and content protection (SCP)
    interoperability scheme
  • X.iptvsec-4, Algorithm selection scheme for
    service and content protection (SCP) descrambling
  • X.iptvsec-6, Framework for the downloadable
    service and content protection (SCP) system in
    the mobile IPTV environment
  • X.iptvsec-7, Guidelines on criteria for selecting
    cryptographic algorithms for the IPTV service and
    content protection (SCP)
  • X.iptvsec-8, Virtual machine-based security
    platform for renewable service and content
    protection (SCP)
  • Ubiquitous sensor network security 
  • X.1311, Information technology - Security
    framework for ubiquitous sensor network (w/SC 6)
  • X.1312, Ubiquitous sensor network (USN)
    middleware security guidelines
  • X.usnsec-3, Secure routing mechanisms for
    wireless sensor network
  • X.unsec-1, Security requirements and framework of
    ubiquitous networking
  • Close relationship with JCA-IPTV and ISO/IEC JTC
    1/SC 6/WG 7
  • Rapporteur: Jonghyun Baek

29
Question 7/17: Secure application services
  • Web security
  • X.1141, Security Assertion Markup Language (SAML
    2.0)
  • X.1142, eXtensible Access Control Markup Language
    (XACML 2.0)
  • X.1143, Security architecture for message
    security in mobile web services
  • X.websec-4, Security framework for enhanced web
    based telecommunication services
  • Security protocols
  • X.1151, Guideline on secure password-based
    authentication protocol with key exchange
  • X.1152, Secure end-to-end data communication
    techniques using trusted third party services
  • X.1153, A management framework of an one time
    password-based authentication service
  • X.sap-4, The general framework of combined
    authentication on multiple identity service
    provider environment
  • X.sap-5, Guideline on anonymous authentication
    for e-commerce service
  • X.sap-6, An One Time Password-based
    non-repudiation framework
  • X.sap-7, The requirements of fraud detection and
    response services for sensitive Information
    Communication Technology
  • Peer-to-peer security
  • X.1161, Framework for secure peer-to-peer
    communications  
  • X.1162, Security architecture and operations for
    peer-to-peer networks
  • X.p2p-3, Security requirements and mechanisms of
    peer-to-peer-based telecommunication network
  • X.p2p-4, Use of service providers' user
    authentication infrastructure to implement PKI
    for peer-to-peer networks
  • Relationships include OASIS, OMA, W3C, ISO/IEC
    JTC 1/SC 27, Kantara Initiative

30
Question 8/17: Service oriented architecture
security
  • Current focus
  • Security aspects of cloud computing
  • X.ccsec, Security guideline for cloud computing
    in telecommunication area
  • X.srfctse, Security requirements and framework of
    cloud based telecommunication service environment
  • Security aspects of service oriented architecture
  • X.fsspvn, Framework of the secure service
    platform for virtual network
  • X.sfcsc, Security functional requirements for
    software as a service (SaaS) application
    environment
  • Working closely with FG on Cloud computing
  • Rapporteur: Liang Wei

31
Question 9/17: Telebiometrics
  • Current focus
  • Security requirements and guidelines for
    applications of telebiometrics
  • Requirements for evaluating security, conformance
    and interoperability with privacy protection
    techniques for applications of telebiometrics
  • Requirements for telebiometric applications in a
    high functionality network
  • Requirements for telebiometric multi-factor
    authentication techniques based on biometric data
    protection and biometric encryption
  • Requirements for appropriate generic protocols
    providing safety, security, privacy protection,
    and consent for manipulating biometric data in
    applications of telebiometrics, e.g., e-health,
    telemedicine
  • Approved Recommendations
  • X.1080.1, e-Health and world-wide telemedicines -
    Generic telecommunication protocol
  • X.1081, The telebiometric multimodal model - A
    framework for the specification of security and
    safety aspects of telebiometrics
  • X.1082, Telebiometrics related to human
    physiology
  • X.1083, Information technology - Biometrics -
    BioAPI interworking protocol (w/SC 37)
  • X.1084, Telebiometrics system mechanism - Part 1:
    General biometric authentication protocol and
    system model profiles for telecommunications
    systems
  • X.1086, Telebiometrics protection procedures -
    Part 1: A guideline to technical and managerial
    countermeasures for biometric data security

32
Question 9/17 (cntd): Telebiometrics
  • Approved Recommendations (continued)
  • X.1088, Telebiometrics digital key framework
    (TDK) - A framework for biometric digital key
    generation and protection
  • X.1089, Telebiometrics authentication
    infrastructure (TAI)
  • X.1090, Authentication framework with one-time
    telebiometric templates
  • Recommendations under development
  • X.bhsm, Telebiometric authentication framework
    using biometric hardware
  • X.gep, A guideline for evaluating telebiometric
    template protection
  • X.tam, Guideline to technical and operational
    countermeasures for telebiometric applications
    using mobile devices
  • X.th-series, e-Health and world-wide
    telemedicines
  • X.th2, Telebiometrics related to physics
  • X.th3, Telebiometrics related to chemistry
  • X.th4, Telebiometrics related to biology
  • X.th5, Telebiometrics related to culturology
  • X.th6, Telebiometrics related to psychology
  • X.tif, Integrated framework for telebiometric
    data protection
  • Close working relationship with ISO/IEC JTC 1/SCs
    17, 27 and 37, ISO TCs 12, 68 and 215, IEC TC 25,
    IETF, IEEE
  • Rapporteur: Hale Kim

33
Working Party 3/17: Identity management and
languages
Chairman: Jianyong Chen
Q10 Identity management architecture and
mechanisms
Q11 Directory services, Directory systems, and
public-key/attribute certificates
Q12 ASN.1, Object Identifiers (OIDs) and
associated registration
Q13 Formal languages and telecommunication
software
Q14 Testing languages, methodologies and framework
Q15 Open Systems Interconnection (OSI)
34
Question 10/17: Identity Management (IdM)
  • Identity Management (IdM)
  • IdM is a security enabler by providing trust in
    the identity of both parties to an e-transaction
  • IdM also provides network operators an
    opportunity to increase revenues by offering
    advanced identity-based services
  • The focus of ITU-T's IdM work is on global trust
    and interoperability of diverse IdM capabilities
    in telecommunication.
  • Work is focused on leveraging and bridging
    existing solutions
  • This Question is dedicated to the vision setting
    and the coordination and organization of the
    entire range of IdM activities within ITU-T
  • Approved Recommendations
  • X.1250, Baseline capabilities for enhanced global
    identity management trust and interoperability
  • X.1251, A framework for user control of digital
    identity
  • X.1252, Baseline identity management terms and
    definitions
  • X.1253, Security guidelines for identity
    management systems
  • X.1275, Guidelines on protection of personally
    identifiable information in the application of
    RFID technology
  • X.Sup.7, Overview of identity management in the
    context of cybersecurity

35
Question 10/17 (cntd): Identity Management (IdM)
  • Key focus
  • Adoption of interoperable federated identity
    frameworks that use a variety of authentication
    methods with well understood security and privacy
  • Encourage the use of authentication methods
    resistant to known and projected threats
  • Provide a general trust model for making
    trust-based authentication decisions between two
    or more parties
  • Ensure security of online transactions with focus
    on end-to-end identification and authentication
    of the participants and components involved in
    conducting the transaction, including people,
    devices, and services
  • Engagement
  • JCA-IdM
  • 11 Recommendations under development
  • Collaborative work with JTC 1/SC27 on X.eaa,
    Entity authentication assurance framework
  • Collaborative work with CA/Browser Forum on
    X.EVcert, Extended validation certificate
    framework
  • Related standardization bodies: ISO/IEC JTC 1 SCs
    6, 27 and 37; IETF; ATIS; ETSI/TISPAN; OASIS;
    Kantara Initiative; OMA; NIST; 3GPP; 3GPP2;
    Eclipse; OpenID Foundation; OIX; etc.
  • Rapporteur: Abbie Barbir

36
Question 11/17: Directory services, Directory
systems, and Public-key/attribute certificates
  • Three Directory Projects
  • ITU-T X.500 Series of Recommendations | ISO/IEC
    9594 - all parts - The Directory
  • ITU-T F.5xx - Directory Service - Support of
    tag-based identification services
  • ITU-T E.115 - Computerized directory assistance
  • X.500 series is a specification for a highly
    secure, versatile and distributed directory
  • The X.500 series is under continuous enhancement
  • Password policy
  • Support of RFID
  • Interworking with LDAP
  • Support for Identity Management
  • X.500 work is collaborative with ISO/IEC JTC 1/SC
    6/WG 8

37
Question 11/17 (cntd): Directory services,
Directory systems, and Public-key/attribute
certificates
  • ITU-T X.509 on public-key/attribute certificates
    is the cornerstone for security
  • Base specification for public-key certificates
    and for attribute certificates
  • Has a versatile extension feature allowing
    additions of new fields to certificates
  • Basic architecture for revocation
  • Base specification for Public-Key Infrastructure
    (PKI)
  • Base specifications for Privilege Management
    Infrastructure (PMI)
  • ITU-T X.509 is used in many different areas
  • Basis for eGovernment, eBusiness, etc. all over
    the world
  • Used for IPsec, cloud computing, and many other
    areas
  • Is the base specification for many other groups
    (PKIX in IETF, ESI in ETSI, CA Browser Forum,
    etc.)
  • Rapporteur: Erik Andersen

38
Question 12/17: Abstract Syntax Notation One
(ASN.1), Object Identifiers (OIDs) and associated
registration
  • Developing and maintaining the heavily used
    Abstract Syntax Notation One (ASN.1) and Object
    Identifier (OID) specifications
  • Giving advice on the management of OID
    Registration Authorities, particularly within
    developing countries, through the ASN.1 and OID
    Project Leader Olivier Dubuisson
  • Approving new top arcs of the Object Identifier
    tree as necessary
  • Promoting use of OID resolution system by other
    groups such as SG 16
  • Repository of OID allocations and a database of
    ASN.1 modules
  • Recommendations are in the X.680 (ASN.1), X.690
    (ASN.1 Encoding Rules), X.660/X.670 (OID
    Registration), and X.890 (Generic Applications,
    such as Fast Infoset, Fast Web services, etc.)
    series
  • ASN.1 Packed Encoding Rules reduce the bandwidth
    required for communication, thus conserving energy
    (e.g., compared with XML)
  • Work is collaborative with ISO/IEC JTC 1/SC 6/WG
    9
  • Rapporteur: John Larmouth

39
Question 12/17 (cntd): Definition and encoding of
structured data
  • This is what ASN.1 has always been about, since
    about 1984, but the terminology is fairly recent.
  • A Tutorial on this topic, giving history and
    comparisons of different approaches will be given
    at the Feb 2012 SG 17 meeting, and will be
    available as a TD shortly before the meeting.
  • ASN.1 (Abstract Syntax Notation One) is just
    another way of saying "description of structured
    data", and its notation and its encoding rules
    have been the primary ITU-T recommended means for
    describing and encoding structured data since
    about 1984.
  • It is not appropriate to describe this further
    here, but Q12/17 is actively promoting the term
    "description and encoding of structured data" as
    what ASN.1 is actually about and continues to
    recommend it for all use by ITU-T Recommendations
    in all Study Groups with such requirements.
    Q12/17 is always prepared to provide assistance
    to other Study Groups in this area.

40
Question 13/17: Formal languages and
telecommunication software
  • Languages and methods for requirements,
    specification, implementation, and Open
    Distributed Processing (ODP)
  • Recommendations for ODP (X.900 series in
    collaboration with JTC 1/SC 7/WG 19),
    Specification and Description Language (Z.100
    series), Message Sequence Chart (Z.120 series),
    User Requirements Notation (Z.150 series),
    framework and profiles for Unified Modeling
    Language, as well as use of languages (Z.110,
    Z.111, Z.400, Z.450).
  • Updates of Z.100 and Z.150 series are being
    progressed
  • These techniques enable high quality
    Recommendations to be written from which formal
    tests can be derived, and products to be
    cost-effectively developed.
  • Relationship with SDL Forum Society
  • Rapporteur: Rick Reed

41
Question 14/17: Testing languages, methodologies
and framework
  • Interoperability and conformance testing
    languages, methodologies and framework
  • Responsible for Testing and Test Control Notation
    version 3 (TTCN-3) Recommendations Z.161, Z.162,
    Z.163, Z.164, Z.165, Z.166, Z.167, Z.168, Z.169,
    Z.170
  • Further updates on the Z.160-170 series will be
    produced in 2012
  • Also responsible for conformance testing
    methodology and framework for protocol
    Recommendations X.290, X.291, X.292, X.293,
    X.294, X.295, X.296, X.Sup4 and X.Sup5
  • Provides support for WTSA-08 Resolution 78 on
    conformance and interoperability testing
  • Close liaisons with ETSI, SG 11, JCA-CIT
  • Rapporteur: Dieter Hogrefe

42
Question 15/17: Open Systems Interconnection (OSI)
  • Ongoing maintenance of the OSI X-series
    Recommendations and the OSI Implementers Guide
      • OSI Architecture
      • Message Handling
      • Transaction Processing
      • Commitment, Concurrency and Recovery (CCR)
      • Remote Operations
      • Reliable Transfer
      • Quality of Service
      • Upper layers: Application, Presentation, and
        Session
      • Lower layers: Transport, Network, Data Link, and
        Physical
  • 109 approved Recommendations
  • Work is carried out in collaboration with ISO/IEC
    JTC 1

44
Security Coordination: Security activities in
other ITU-T Study Groups
  • ITU-T SG 2 Operation aspects: TMN
      • Q3: International Emergency Preference Scheme,
        ETS/TDR
      • Q5: Network and service operations and maintenance
        procedures, E.408
      • Q11: TMN security, TMN PKI
  • ITU-T SG 9 Integrated broadband cable and TV
      • Q3: Conditional access, copy protection, HDLC
        privacy
      • Q7, Q8: DOCSIS privacy/security
      • Q9: IPCablecom 2 (IMS w. security), MediaHomeNet
        security gateway, DRM
  • ITU-T SG 11 Signaling Protocols
      • Q7: EAP-AKA for NGN
  • ITU-T SG 13 Future network
      • Q16: Security and identity management for NGN
      • Q17: Deep packet inspection
  • ITU-T SG 15 Optical Transport Access
      • Reliability, availability, Ethernet/MPLS
        protection switching
  • ITU-T SG 16 Multimedia
      • Secure VoIP and multimedia security (H.233,
        H.234, H.235, H.323, JPEG2000)

45
Coordination with other bodies
Study Group 17
ITU-D, ITU-R, xyz
46
SG 17 collaborative work with ISO/IEC JTC 1
Existing relationships having collaborative
(joint) projects

JTC 1        SG 17 Question   Subject
SC 6/WG 7    Q6/17            Ubiquitous networking
SC 6/WG 8    Q11/17           Directory
SC 6/WG 9    Q12/17           ASN.1, OIDs, and Registration Authorities
SC 7/WG 19   Q13/17           Open Distributed Processing (ODP)
SC 27/WG 1   Q3/17            Information Security Management System (ISMS)
SC 27/WG 3   Q2/17            Security architecture
SC 27/WG 5   Q10/17           Identity Management (IdM)
SC 37        Q9/17            Telebiometrics

Note: In addition to collaborative work,
extensive communications and liaison
relationships exist with the following JTC 1 SCs:
6, 7, 17, 22, 27, 31, 37 and 38 on a wide range
of topics. All SG 17 Questions are involved.

47
SG 17 collaborative work with ISO/IEC JTC 1
(cntd)
  • Guide for ITU-T and ISO/IEC JTC 1 Cooperation
      • http://itu.int/rec/T-REC-A.23-201002-I!AnnA
  • Listing of common text and technically aligned
    Recommendations/International Standards
      • http://itu.int/oth/T0A0D000011
  • Mapping between ISO/IEC International Standards
    and ITU-T Recommendations
      • http://itu.int/oth/T0A0D000012
  • Relationships of SG 17 Questions with JTC 1
    SCs that categorizes the nature of relationships
    as:
      • joint work (e.g., common texts or twin texts)
      • technical collaboration by liaison mechanism
      • informational liaison
      • http://itu.int/en/ITU-T/studygroups/com17/Pages/relationships.aspx

49
Study Group 17 Meetings
  • This meeting
      • Monday, 20 February to Friday, 2 March 2012 (10
        days), Geneva, Switzerland
  • Final meeting in 2008-2012 study period
      • Monday, 3 September to Friday, 7 September 2012 (5
        days), Geneva, Switzerland. Note: may be extended
        to 8 days
  • Next study period starts following WTSA-12

51
Reference links
  • Webpage for ITU-T Study Group 17
      • http://itu.int/ITU-T/studygroups/com17
  • Webpage on ICT security standard roadmap
      • http://itu.int/ITU-T/studygroups/com17/ict
  • Webpage on ICT cybersecurity organizations
      • http://itu.int/ITU-T/studygroups/com17/nfvo
  • Webpage for JCA on Identity management
      • http://www.itu.int/en/ITU-T/jca/idm/Pages/default.aspx
  • Webpage for JCA on Conformance and
    interoperability testing
      • http://itu.int/en/ITU-T/jca/idm
  • Webpage on lead study group on telecommunication
    security
      • http://itu.int/en/ITU-T/studygroups/com17/Pages/telesecurity.aspx
  • Webpage on lead study group on identity
    management
      • http://itu.int/en/ITU-T/studygroups/com17/Pages/idm.aspx
  • Webpage on lead study group on languages and
    description techniques
      • http://itu.int/en/ITU-T/studygroups/com17/Pages/ldt.aspx
  • Webpage for security workshop on Addressing
    security challenges on a global scale
      • http://itu.int/ITU-T/worksem/security/201012