Jamie,

Thank you. We understand that these are not to be shared publicly.

Dee, please include this as an agenda item for discussion at the next Steering Committee Meeting.

Thanks,
John

John Sabo
CA Technologies
Director, Global Government Relations
Tel: +1 202-513-6304
Mobile: +1 443-629-6198
john.t.sabo@ca.com

From: Jamie Clark [mailto:jamie.clark@oasis-open.org]
Sent: Wednesday, January 12, 2011 10:22 PM
To: OASIS ID Trust MS Steering Committee
Cc: Dee Schur
Subject: [idtrust-sc] Liaison statement 181, ITU-T Study Group 17 [nonpublic]

Good afternoon. Attached is a consultation package ("liaison statement") from ITU-T's Study Group 17 on Security, in which the panel seeks OASIS input on several related drafts of proposed "Entity authentication assurance framework" standards. For the most part, these are descriptive materials and a glossary about digital identity management methods.

The package itself contains several drafts, some of which are not yet public. ITU has requested that we not post those publicly, as you can see from the cover letter appended below. So the documents are attached here -- the Steering Committee's mail list is not publicly archived -- and will be offered to OASIS member experts, but will not be posted to OASIS TC lists (which are publicly archived). Instead, we will suggest that interested TC members contact you or OASIS staff for copies. Please feel free to share them, within OASIS member expert circles, to those who also may comment and agree to maintain their confidentiality.

CONTENTS

The (compressed file) package of documents includes the following:

1. ls0181-17.doc (original) and ls0181-17.doc.pdf (supplied by us). Cover letter seeking comments. The text of this overview letter is also appended below.

2. ls0181Attach1-17.docx.pdf (converted by us). "Results of X.eaa editing session" cover note, mostly says "please see attachments," referring to the next 3 documents.

3. ls0181Attach1a-17.pptx.pdf (converted by us). One slide, a diagram.

4. ls0181Attach1b-17.docx,pdf (converted by us). Running comments on the draft in question, captioned "Fixing section 8.1".

5. ls0181Attach1c-17.doc (original) and ls0181Attach1c-17.doc.pdf (supplied by us). Draft text of ITU-T recommendation X.eaa: Consists of ISO/IEC JTC 1/SC 27 N9230, captioned: "ISO/IEC 2nd CD 29115 -- Information technology -- Security techniques -- Entity authentication assurance framework", dated 2010-12-01, with subsequent marked proposed edits.

6. t-rec-x.1252-52-201004-I!!PDF-E.pdf (public document; not attached here; may be downloaded from http://www.itu.int/rec/T-REC-X.1252-201004-I ). Approved ITU-T recommendation titled "Baseline identity management terms and definitions", dated April 2010. Note, this is a public document.

OASIS NOTES

Relevant OASIS entities may choose to provide official collective comments, as a committee drafting & approval exercise under our rules. However, depending on preference and feasibility, the ITU editors probably also would be happy to receive comments from individual experts & companies.

Note this ITU SG17 work is being pursued in collaboration with a parallel project of JTC1/SC27 on identity frameworks. Without making any evaluative comparisons, we note that the "levels of assurance", and certain other constructs described in these 2010 drafts, acknowledge and build on some concepts articulated in the 2009-2010 assurance framework materials developed by and shared among NIST, the Kantara Alliance, the Open ID Foundation, and the published requirements of the US federal ICAM program.

TEXT OF ITU COVER LETTER SEEKING COMMENT

"ITU-T Study Group 17 is the lead study group for identity management (IdM) where Question 10/17 is responsible for IdM. One of our principal deliverables is a draft recommendation, X.eaa, concerning entity authentication assurance framework. This document extends the concepts of the four levels of assurance (LoA) described by the U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-63 to include non-person entities (NPEs) and provides information associated with threats and controls associated with a four level authentication assurance model. We have attached the latest version of this draft ITU-T Recommendation."

"We request your input concerning the non-person entity (NPE) concepts and text that is in this draft from your perspective. For example, NPEs which are intelligent terminals are effectively network nodes and therefore may constitute little understood threats to the network."

"Therefore, NPEs may have unique authentication requirements. We are also very interested in your feedback on issues associated with authentication of NPEs at various levels of authentication assurance (LoAs)."

"Published Recommendation, ITU-T X.1252, Baseline identity Terms and definitions, based on existing terms and definitions unique to our work on IdM is attached. Please review this document and provide feedback concerning any differences between your definitions and ours."

" // Attention: Some or all of the material attached to this liaison statement may be subject to ITU copyright. In such a case this will be indicated in the individual document. Such a copyright does not prevent the use of the material for its intended purpose, but it prevents the reproduction of all or part of it in a publication without the authorization of ITU. // "

"Attachments
1) Revised draft Recommendation ITU-T X.eaa -- output draft from Dec 2010 SG17 meeting (TD 1452 Rev.1)
2) Recommendation ITU-T X.1252, Baseline identity management terms and definitions (free download from the web) "

----

If you have any questions about this package, please feel free to contact my colleague Dee Schur or myself.

Kind regards
JBC

~ James Bryce Clark
~ General Counsel, OASIS
~ http://www.oasis-open.org/who/staff.php#clark
@JamieXML