In October of 2005, SG4 wrote to the IETF security area requesting
information on application security for management applications.
The security area would like to draw your attention to two
technologies relevant to management application security.
First, RFC 4108, "Using Cryptographic Message Syntax (CMS) to Protect
Packages," (http://www.ietf.org/rfc/rfc4108.txt ) provides an
IETF standards -track solution to code signing for firmware images.
The abstract follows:
This document describes the use of the Cryptographic Message Syntax
(CMS) to protect firmware packages, which provide object code for one
or more hardware module components. CMS is specified in RFC 3852. A
digital signature is used to protect the firmware package from
undetected modification and to provide data origin authentication.
Encryption is optionally used to protect the firmware package from
disclosure, and compression is optionally used to reduce the size of
the protected firmware package. A firmware package loading receipt
can optionally be generated to acknowledge the successful loading of
a firmware package. Similarly, a firmware package load error report
can optionally be generated to convey the failure to load a firmware
In addition, while you are no doubt aware of the Internet X.509
Certificate Profile (http://www.ietf.org/rfc/rfc3280.txt ), we'd like
to remind you that this profile defines a KeyPurposeID that can be
used to mark a certificate as appropriate for code signing.
While not directly related to application security for management
applications we'd like to draw your attention to two activities in the
security area. The first is the Integrated Security Model for SNMP
working group (http://www.ietf.org/html.charters/isms-charter.html
). This working group is chartered to provide a new security model for
the Simple Network Management protocol that better meets operators'
needs. The syslog working group
(http://www.ietf.org/html.charters/syslog-charter.html ) is chartered
to add signatures and reliability to the syslog network event logging
for the IETF Security Area