Liaison statement
Response to Information on standardization of application security requirements, services and mechanisms

Submission date 2005-11-30
From IETF SEC AREA (Sam Hartman)
To ITU-T SG4 (
Response contact,
Technical contact,
Purpose For information
Attachments (None)
In October of 2005, SG4 wrote to the IETF security area requesting
information on application security for management applications.

The security area would like to draw your attention to two
technologies relevant to management application security.

First, RFC 4108, "Using Cryptographic Message Syntax (CMS) to Protect
Packages," provides an IETF standards-track solution to code signing
for firmware images.
The abstract follows:

   This document describes the use of the Cryptographic Message Syntax
   (CMS) to protect firmware packages, which provide object code for one
   or more hardware module components.  CMS is specified in RFC 3852.  A
   digital signature is used to protect the firmware package from
   undetected modification and to provide data origin authentication.
   Encryption is optionally used to protect the firmware package from
   disclosure, and compression is optionally used to reduce the size of
   the protected firmware package.  A firmware package loading receipt
   can optionally be generated to acknowledge the successful loading of
   a firmware package.  Similarly, a firmware package load error report
   can optionally be generated to convey the failure to load a firmware

In addition, while you are no doubt aware of the Internet X.509
Certificate Profile, we'd like
to remind you that this profile defines a KeyPurposeID that can be
used to mark a certificate as appropriate for code signing.

While not directly related to application security for management
applications we'd like to draw your attention to two activities in the
security area.  The first is the Integrated Security Model for SNMP
working group. This working group is chartered to provide a new
security model for the Simple Network Management protocol that better
meets operators' needs.  The syslog working group is chartered
to add signatures and reliability to the syslog network event logging

Sam Hartman
for the IETF Security Area