
Liaison statement
Response to Information on standardization of application security requirements, services and mechanisms

Additional information about IETF liaison relationships is available on the IETF webpage and the Internet Architecture Board liaison webpage.
State: Posted
Submitted Date: 2005-11-30
From Group: SEC
From Contact: Sam Hartman
To Group: ITU-T-SG-4
To Contacts: tsbsg4@itu.int
Cc: sob@harvard.edu, housley@vigilsec.com, saag@ietf.org, chair@ietf.org
Response Contact: hartmans-ietf@mit.edu, housley@vigilsec.com
Technical Contact: hartmans-ietf@mit.edu, housley@vigilsec.com
Purpose: For information
Attachments: (None)
Body
In October of 2005, SG4 wrote to the IETF security area requesting
information on application security for management applications.

The security area would like to draw your attention to two
technologies relevant to management application security.

First, RFC 4108, "Using Cryptographic Message Syntax (CMS) to Protect
Firmware Packages," (http://www.ietf.org/rfc/rfc4108.txt) provides an
IETF standards-track solution to code signing for firmware images.
The abstract follows:

   This document describes the use of the Cryptographic Message Syntax
   (CMS) to protect firmware packages, which provide object code for one
   or more hardware module components.  CMS is specified in RFC 3852.  A
   digital signature is used to protect the firmware package from
   undetected modification and to provide data origin authentication.
   Encryption is optionally used to protect the firmware package from
   disclosure, and compression is optionally used to reduce the size of
   the protected firmware package.  A firmware package loading receipt
   can optionally be generated to acknowledge the successful loading of
   a firmware package.  Similarly, a firmware package load error report
   can optionally be generated to convey the failure to load a firmware
   package.


In addition, while you are no doubt aware of the Internet X.509
Certificate Profile (http://www.ietf.org/rfc/rfc3280.txt), we'd like
to remind you that this profile defines a KeyPurposeID that can be
used to mark a certificate as appropriate for code signing.

While not directly related to application security for management
applications, we'd like to draw your attention to two activities in the
security area.  The first is the Integrated Security Model for SNMP
working group (http://www.ietf.org/html.charters/isms-charter.html).
This working group is chartered to provide a new security model for
the Simple Network Management Protocol that better meets operators'
needs.  The syslog working group
(http://www.ietf.org/html.charters/syslog-charter.html) is chartered
to add signatures and reliability to the syslog network event logging
protocol.

Sam Hartman
for the IETF Security Area