ISO/IEC JTC1 SC22/WG15  RGSec N017

Definition of the Security Services for Distributed/Network Environments

I.   Administration

Candidate(s) for Chair, Technical Editor and Secretary
 
Name Company Role
TBS Chair
TBS Vice-chair
TBS Secretary
TBS Technical Editor

II.  Working Group

 
No. of active participants: TBS
No. of correspondent members identified: TBS
Breakdown of active participants; Producer: TBS
User: TBS
Other: TBS
     
No. of companies/interests represented: TBS
International participation identified:  X-Open

III. Deliverable Documents

Reference Model for inclusion In P1003.0
Expected size: TBS
Project time frame: First Draft: TBS
Start Balloting; TBS
Candidate for "base document": P1003.0

Standard for Distributed Security Services.
Expected size: TBS
Project time frame: First Draft: TBS
Start Balloting; TBS
Candidate for "base document": None

IV.  Scope Statement

The definition of the model, distributed services, and administrative functions required to support security in a network environment.

A  reference model  to  cover the distributed  security services and their administration will be produced for inclusion in P1003.0. This model will be based on the work currently done by other standards organisations and the practical implementations being developed in this area.

This model will then be the basis for the investigation of existing mechanisms and interfaces developed to supply these services, such as Kerberos by the MIT Project Athena, GSSAPI by DEC, Project MAXSIX and the ECMA SESAME project.

Further relevant input vill be solicited.

A standardized

Administration API
Application Access API
will be produced for the distributed security services identified defining the abstract syntax and high level protocol for such services as authentication and key distribution.

V.   Overlap/Dependencies on other work

TCOS standards assumed: P1003.6, .7, .8, .12, .17

The  Security group   (P1003.6),  Administration group (P1003.7) and the Distributed Services groups (P1003.8, .12, .17) will need to be aware of the work done under this PAR and be prepared to coordinate their standards with it.

All these 5 groups are doing work which overlaps in some way with this area. The work done under this PAR will be a focus for these areas of overlap.

VI. User Need

This area of overlap between the Security, Administration and Distributed Services groups has been identified by the liaison group formed to invesgitage the interactions between these groups.

The work is required to allow the synchronisation and harnonization of the standards of .6, .7 and .DS. and to ensure compatibility and interoperability with the current work of the other organisations.

The need for this work is immediate to bridge the gap between the work currently being done to produce practical solutions to these problems and the emerging ISO standards.

VII. How will this overlap/overload affected Interests?

The work is specifically designed to cover the overlap between these 3 areas.

It will also overlap the work of proprietary network management systems and organisations such as OSF and UI.

It will use the work currently being done by such organisations  and  will provide  a  focus  for the hamonization of such developments,

VIII. Commitment to TCOS-SEC Raquirementst

Yes

IX. Relation to IS0 structure and other coordination issues

Coordination will be needed with a range of ISO groups and others which are working in this area. The major one identified are:
 
ISO/IEC JTC1/SC27 IT Security Techniques
ISO/IEC JTC1/SC22 (WG15)  Languages (Covers POSIX Security)
ISO/IEC JTC1/SC6 OSI Lover Layers
ISO/IEC JTC1/SC21 OSI Architecture Upper Layers
ECMA/TC32 Security in Open Systems
ECMA/TC46 Security Framework
CCITT/SVGII/Q19 Distributed Application Security

The work of other such as:
ISO/IEC JTC1/SC18
ISO/IEC JTC1/SC25
ISO/IEC JTC1/SWG-EDI
ISO TC 68/SC2
EWOS MHS(X.400)
X500
may also need to be considered.

X.   Proposed positioning In TCOS numbering scheme, document scheme associated ISO document scheme

TBS

XII. What objections have been identified to this area of work, or expected base document(s)?

None

 

Background to the Distributed Security Services PAR

1.     Need for the Work

1.1    The Liaison Group set up to identify areas of overlap and interdependency between the POSIX groups covering Security (1003.6), System Administration (1003.7) and Distributed Systems (1003.8, .12. .17. 1224 and 1228} has identified the area of trusted networks, authentication within networks and networtt management as one where work on harmontzatfan and synchronization between the groups is required.

1.2    Work is in progress within other organisations which overlaps this same area and there is the possibility of problems wtth compatibility and interoperabffity unless this area is addressed.

1.3    Commercial pressures are already forcing the development of proprietary solutions to address the practical problems of security in a distributed and networked environment and work is need to bridge the gap between these devetopments and the emerging ISO standards.
 

2.     Work to be Done

2.1    As part of the review and update of the 1003.0 reference models, a model covering the provision and administration of distributed security services needs to be produced. This would seem most appropriate as an additional subsection to section 5.2 System Security and Privacy Services. This section already references the need for services of this type.

2.2    The current body of work covering the area of trusted networks, from other organisations concerned with the development of standards and those producing commercial solutions, needs to be reviewed and evaluated.

2.3    Using the outcome of this evaluation a set of APIs covering

need to be produced for each of the services identified within the model
 

3.     Basis for the Work

3.1    IS 7498-2 Security Addendum covering Architectural Framework/Security Services is a basis for the development of the model.  Possible candidate services are: 3.2    Kerberos, produced as part of the MIT Project Athena, which already forms part of several implementations can be used as a starting point for the development of the API

3.3    It is unlikely that Kerberos will provide a standard in itself and the work of other organisations such as:

will also need to be reviewed to see what contribution it can make.

3.4    There are also some basic choices about the use of particular mechanisms such as the choice between:

which will also need to be addressed as part of this work.
 

4.     Worked Other Organisations

4.1    The work of the ISO/IECJTC1 groups abo needs to be considered to see how compatibility can be maintained. The Catalogue of JTC1 Security Related Prefects (JCT1/SC22 N849) contains a list of such projects. The major groups producing work in this area are:
ISO/IEC JTC1/SC27                 FT Security Techniqu—
ISO/IEC JTC1/SC22 (WG15)     Languages (Covers POSIX Security)
ISO/1EC JTC1/SC6                  OSI Lower Layers
ISO/IEC JTC1/SC21                 OSI Architecture Upper Layers


4.2   Within CCITT

CCITT/SVGII/Q19           Distributed Application Security


4.3    Within ECMA

ECMA/TC32              Security in Open Systems
ECMA/TC46              Security Framework


4.4    The work of several others organisations overlap various aspects of security and may need to be considered eg.

ISO/(EC JTC1/SC18
ISO/IEC JTC1/SC25
ISO/IEC JTC1/SWG-EDI
ISO TC 68/SC2
EWOS MHS(X.400)
X500