Motivation

Recommendations X.1141, X.1142, and X.1143 provide a set of Recommendations that can be used for authentication/authorization and security architecture in mobile Web Services. Recommendation X.1151 and draft Recommendation X.1152 specify a guideline on secure password-based authentication with key exchange and various trusted third party (TTP) services, respectively. Recommendations X.1161 and X.1162 specify a comprehensive framework and mechanisms for the security of peer-to-peer (P2P) services. A continued effort to maintain and enhance these security Recommendations to satisfy the needs of emerging ubiquitous technologies and services is required.

The telecommunications industry has been experiencing an exponential growth in the area of secure application services. Specifically, security of telecommunication-based application services including P2P service, Web Services and TTP is crucial for the further development of the industry. Standardization of the best comprehensive security solutions is vital for the industry, network operators and service providers that operate in a multi-vendor international environment. It is also required to study and develop other types of secure application services such as time stamping services, secure notary services, and PKI-based application services, etc. Web Services security technologies such as security assertion and access control assertion become very critical in telecommunication networks. Question 7/17’s work may use the technologies developed and/or identified by Question 8/17.

Recommendations under responsibility of this Question as of 1 December 2008: X.1141, X.1142, X.1143, X.1151, X.1152, X.1161 and X.1162.

Question

Study items to be considered include, but are not limited to:

1. How should secure application services be identified, discovered, defined, interconnected, and provisioned in various telecommunication services?
2. How should threats behind secure application services be identified and handled?
3. What security techniques are needed for secure application services? For example, what kind of practical security technologies should be provided for telecommunication-based application services (i.e., Web Services) using distributed technologies including Service Oriented Architecture (SOA)-based technologies?
4. What practical security techniques are necessary to provide the convergence services combining various heterogeneous services securely using web technologies such as Web Services and mashups?
5. What security techniques or protocols are needed for emerging secure application services including SOA-based applications?
6. What secure protocols should be applied for secure application services?
7. What are the global solutions for secure application services and their applications?
8. What are the best practices or guidelines for secure application services?
9. What enhancements to existing Recommendations under review or new Recommendations under development should be adopted to reduce impact on climate changes (e.g., energy savings, reduction of green house gas emissions, implementation of monitoring systems, etc.) either directly or indirectly in telecommunication/ICT or in other industries?

Tasks

Tasks include, but are not limited to:

1. In collaboration with other ITU-T study groups and standards development organizations, especially with IETF, ISO/IEC JTC 1/SC 27, produce a comprehensive set of Recommendations for providing comprehensive security solutions for secure application services.
2. Study and define secure application services in various telecommunication services.
3. Identify and study security issues and threats in secure application services.
4. Study and develop security mechanisms for secure application services (e.g., Service Oriented Architecture (SOA)-based technologies such as Web Services).
5. Study and develop interconnectivity mechanisms for secure application services.
6. Study and develop security mechanisms for securing converged services using Web technologies such as Web Services and mashups.
7. Study and develop guidelines for selecting and/or implementing secure application protocols to be used in secure application services.

Relationships

Recommendations: X.800-series and others related to security

Questions: ITU-T Qs 1, 2, 3, 4, 5, 6, 8, 9, 10/17 and 16/13

Study groups: ITU-T SGs 2, 13 and 16

Standardization bodies: ISO/IEC JTC 1/SC 27; IETF; OASIS; Liberty Alliance