
Liaison Statement: Response to Information on standardization of application security requirements, services and mechanisms

Submission Date: 2005-11-30
From: IETF SEC AREA (Sam Hartman)
To: ITU-T SG4 (tsbsg4@itu.int)
Cc: sob@harvard.edu, housley@vigilsec.com, saag@ietf.org, chair@ietf.org
Response Contact: hartmans-ietf@mit.edu, housley@vigilsec.com
Technical Contact: hartmans-ietf@mit.edu, housley@vigilsec.com
Purpose: For information
Attachments: (none)
Body:
In October of 2005, SG4 wrote to the IETF security area requesting
information on application security for management applications.

The security area would like to draw your attention to two
technologies relevant to management application security.

First, RFC 4108, "Using Cryptographic Message Syntax (CMS) to Protect
Firmware Packages," (http://www.ietf.org/rfc/rfc4108.txt) provides an
IETF standards-track solution to code signing for firmware images.
The abstract follows:

   This document describes the use of the Cryptographic Message Syntax
   (CMS) to protect firmware packages, which provide object code for one
   or more hardware module components.  CMS is specified in RFC 3852.  A
   digital signature is used to protect the firmware package from
   undetected modification and to provide data origin authentication.
   Encryption is optionally used to protect the firmware package from
   disclosure, and compression is optionally used to reduce the size of
   the protected firmware package.  A firmware package loading receipt
   can optionally be generated to acknowledge the successful loading of
   a firmware package.  Similarly, a firmware package load error report
   can optionally be generated to convey the failure to load a firmware
   package.

In addition, while you are no doubt aware of the Internet X.509
Certificate Profile (http://www.ietf.org/rfc/rfc3280.txt), we'd like
to remind you that this profile defines a KeyPurposeID that can be
used to mark a certificate as appropriate for code signing.

While not directly related to application security for management
applications, we'd like to draw your attention to two activities in the
security area.  The first is the Integrated Security Model for SNMP
working group (http://www.ietf.org/html.charters/isms-charter.html).
This working group is chartered to provide a new security model for
the Simple Network Management Protocol that better meets operators'
needs.  The syslog working group
(http://www.ietf.org/html.charters/syslog-charter.html) is chartered
to add signatures and reliability to the syslog network event logging
protocol.

Sam Hartman
for the IETF Security Area