Executive Summary
ITU-T Study Group 17, Security, meeting
14 – 23 March 2016, Geneva/Switzerland
150 participants (10 fewer than at the previous SG17 meeting, 200 pre-registered); 27 Member States, 18 Sector Members, 3 Associates, and 2 Academia. Several invited experts. Increased participation of Member States from developing countries.
- New participation from: Latvia, Alibaba, InterDigital Communications, Aetna (new Associate to SG17), Bournemouth University.
SG17 vice chairmen vacancies:
- Arab Region: SG17 vice Chairman from UAE left and the post is vacant. A replacement is sought.
- Americas Region: SG17 vice Chairman from Mexico has never participated. A replacement is sought.
SG17 appointments:
- Ms Yiwen WANG as an additional Q1/17 Associate Rapporteur as proposed by China (P.R.); she will be sharing responsibilities with Mr Chen for updating the security roadmap.
- Mr Heung Ryong OH (Korea, Republic of) and Ms Zhiyuan HU (Alcatel-Lucent Shanghai Bell Co. Ltd) to co-chair the Q2/17 sessions.
- Mr Yanbin ZHANG as new Q5/17 Rapporteur, as proposed by China (P.R.).
- Mr Yutaka MIYAKE to be acting Q6/17 Rapporteur for the first three days of the meeting.
- Mr Jeong-Jun SUH to be acting Q6/17 associate Rapporteur for the first three days of the meeting.
- Mr Bo YU as an additional Q6/17 associate Rapporteur, as proposed by China (P.R.).
Meeting input and organizations
- Contributions: 81 (77 last time, stable), two contributions were withdrawn.
- TDs: 415 (37 more than in the previous meeting). This includes 54 incoming liaison statements, and 32 outgoing liaison statements.
- Busy and productive 7th meeting of this study period having 8 working days.
- Two SG17 open, extended management team meetings were held (during the weekends), complemented by the SG17 security coordination meeting.
- Many parallel meetings per quarter each day. Many sessions were equipped with AdobeConnect teleconferencing to allow remote participation.
Meeting Output
The SG17 plenary meeting:
- Approved five draft new ITU-T Recommendations and one draft revised Recommendation announced for TAP in accordance with WTSA-12 Resolution 1, Section 9. Details are in Annex A a).
- Approved one new Amendment, agreed two new Supplements, and approved one revised Implementer's guide. Details are in Annex A c).
- Determined (TAP) three draft new ITU-T Recommendations in accordance with WTSA-12 Resolution 1, Section 9. Details are in Annex A d).
- Consented (AAP) two draft new ITU-T Recommendations, ten draft revised ITU-T Recommendations, and one draft Corrigendum for Last Call according to Recommendation ITU-T A.8. Details are in Annex A e).
- Agreed nine new work items to be added to the SG17 work programme. Details are in Annex B.
Coordination and promotion activities:
- One Joint Coordination Activity on COP meeting under the SG17 parent-ship was held.
- One Joint Coordination Activity on IdM meeting under the SG17 parent-ship was held and coordination took place with SG2, SG20 on IoT identification; OASIS, FIDO Alliance and GLEIF shared information.
- A joint session of Q4/17 and Q10/17 was held on addressing security challenges through IdM and cybersecurity standardization. The joint session shared the positive outlook that these developments in IdM and cybersecurity, together with associated ecosystems in private and public sectors, will help address security challenges in each of the Member States, where ITU-T can play a considerable role to facilitate proliferation of standards.
Correspondence Groups:
Two Correspondence Groups were continued, and two CGs were terminated.
- CG-CYBEX: Continued Correspondence Group on cybersecurity information exchange capabilities.
- CG-IoTSec: Continued (joint with SG20) Correspondence Group on Security and Privacy for IoT to improve the report to TSAG on security and privacy aspects of IoT.
- SG17 is continuing its efforts on identifying new areas for standardization using an orchestrated Q1/17 mailing list.
Other highlights
- Seven special sessions were held to off-load the plenaries from debates:
- on bridging the standardization gap. The SG17 regional group for Africa presented its activity report which was agreed;
- on collaboration between SG17 and SG20 on IoT security. This special session included participation of the SG20 chairman and several SG20 management team members (remotely). It gave support to Contribution C 489 from United States. The meeting concluded to continue using the Correspondence Group (CG-IoTSec) with revised terms of reference for discussion and for finalization of the improved report on security & privacy to TSAG; to collect all comments and views, and to resolve them in the CG-IoTSec; and to include C 489 into the report of this special session.
- on preparation of SG17 for WTSA-16 and the next study period with the finalized suite of 12 Question texts and mandate (in four sessions). Draft Part I and Part II reports were produced and agreed as output of the meeting. As a result, SG17 wants to continue all its 12 Questions (only slight amendments were made at this meeting).
- on discussion of possible areas for joint ITU-T SG17 and IETF security standards development, which concluded with four identified steps to improve coordination: a) to support a presentation by ITU-T SG17 on its activities and to provide more information to the IETF at the next IETF meetings. Mr Vasiliy Dolmatov is nominated to make a presentation at SAAG, if a speaking slot is offered. b) to support collaboration through IETF participation in ITU-T SG17 interim Rapporteur group meetings; for example with Question 4/17, Cybersecurity. c) to seek more information from the IETF about its security activities. SG17 invites a representative from the IETF Security Area to participate in and provide a tutorial during our 29 August – 7 September 2016 meeting. A liaison was sent to IETF.
- on outcome and future of CG-investigate with conclusions not to continue this CG with revised ToR, but to suspend this CG, and to reconsider reconstitution of the CG in the next study period after results of the WTSA-16 are available; and to use the Q1/17 mailing list for discussions within SG17 on future standardization strategy of SG17, new issues and technical ideas, where SG17 experts from industry should bring in topics. An idea was to organize a workshop in 2017 at the first or second SG17 meeting in the next study period.
- on FG-AC deliverables with conclusions that the mailing list of Q1/17 be used to discuss security issues in the deliverables; all Rapporteurs were asked to participate in the Q1/17 mailing list discussion. Mr Koji Nakao was asked to provide a technical analysis of the security aspects in the deliverables. SG17 to organize a session or (mini) workshop at the August/September 2016 SG17 meeting involving all interested parties for preparation of future work items in the next study period.
- Ad-hoc sessions on Security coordination requirements for interconnection of a satellite based network with terrestrial networks for public protection and disaster relief. Issues related to ITU-R, ITU-D and ITU Academy were identified. The ad-hoc sessions demonstrated very practically how important it is to work in a collaborative style with all ITU Sectors.
- The ICT Security Standards Roadmap and the Security Compendia were updated.
Associated events:
The associated events below assisted in identifying new actions for the study group, in leveraging the collaboration with other organizations, and hopefully in attracting new experts to the ITU-T and SG17 community.
- Mentoring programme for newcomers: Comprehensive programme through tutorials (see below), welcome, feedback session and guided tour, all attended with interest.
- BSG hands-on training session for 15 newcomers from developing countries.
Tutorial presentations:
Eight tutorial presentations were given at this Study Group 17 meeting and met with considerable positive interest, addressing SG17 overview for newcomers; presentations from the Rapporteurs of Questions 2, 3, 4, 5, and 6/17; on Digital Object Architecture; and on NextGen (5G) security and the importance of Platform Integrity.
Next SG17 meeting:
- MON 29 August – WED 07 September 2016, Geneva, Switzerland.
- Seven interim Rapporteur Group meetings are planned until August 2016.
- 6 texts are planned for approval or agreement, and up to 42 texts are planned for determination or consent in September 2016.
Annex A
Actions taken on Recommendations, and other texts at the 23 March 2016 SG17 plenary
a) Recommendations approved (TAP – WTSA-12 Resolution 1):
The SG17 plenary meeting approved (TAP) five draft new ITU-T Recommendations and one draft revised ITU-T Recommendation in accordance with WTSA-12 Resolution 1, Section 9.
Q | Acronym | Title | New / Revised | Editor(s) | Location of text | Equivalent e.g., ISO/IEC | Start of work | Timing |
4/17 | X.1521 | Common vulnerability scoring system 3.0 | Revised | Damir Rajnovic | COM 17 – R 49 + TD 2542 | | 2015-09 | 2016-03 |
5/17 | X.1247 | Technical framework for countering mobile messaging spam | New | Feng Gao, Laifu Wang, Junjie Xia, Annan Zhu | COM 17 – R 50 | | 2013-04 | 2016-03 |
8/17 | X.1602 | Security requirements for software as a service application environments | New | Zhaoji Lin, Ruoni Wang, Peng Zhao | COM 17 – R 52 | | 2011-04 | 2016-03 |
8/17 | X.1642 | Guidelines for the operational security of cloud computing | New | Ming Feng, Zhaoji Lin, Jun Shen, Huirong Tian, Laifu Wang | COM 17 – R 53 | | 2012-03 | 2016-03 |
10/17 | X.1256 | Guidelines and framework for sharing network authentication results with service applications | New | Lijun Liu, Min Zuo | COM 17 – R 54 Rev.1 + TD 2566 | | 2009-09 | 2016-03 |
10/17 | X.1257 | Identity and access management taxonomy | New | Radu Marian | COM 17 – R 55 Rev.1 | | 2012-09 | 2016-03 |
Approval of the above Recommendations is reflected in TSB Circular 213 of 4 April 2016.
b) Recommendations (not approved) (TAP – WTSA-12 Resolution 1):
c) Amendment approved, Supplements agreed, Implementer's guide approved:
The SG17 plenary meeting approved one new Amendment, two new Supplements, and one revised Implementer's guide.
Q | Acronym | Title | New / Revised | Editor(s) | Location of Text | Equivalent e.g., ISO/IEC | Start of work | Timing |
4/17 | X.1500 Amd.9 | Overview of cybersecurity information exchange – Amendment 9 – Revised structured cybersecurity information exchange techniques | Note (1) | Youki Kadobayashi | TD 2510 | | 2015-04 | 2016-03 |
5/17 | X.Suppl.25 (X.gcsfmpd)** | Supplement 25 to ITU-T X-series Recommendations – ITU-T X.1231 Supplement on guidance to assist in countering spam for mobile phone developers | New | Tae-Jin Lee, Jeong-Jun Suh | TD 2531 Rev.1 | | 2015-04 | 2016-03 |
6/17 | X.Suppl.26 (X.sgsec-1)** | Supplement 26 to ITU-T X-series Recommendations – ITU-T X.1111 Supplement on security functional architecture for smart grid services using telecommunication networks | New | Mijoo Kim, Jeong-Jun Suh, Mi Yeon Yoon | TD 2591 Rev.2 | | 2012-03 | 2016-03 |
12/17 | Z.Imp100 Note (2) | Specification and Description Language implementer's guide - Version 3.0.0 | Revised | Rick Reed | TD 2378 | | 2015-09 | 2016-03 |
** Supplement for agreement
(1) Amendment 9 supersedes Amendment 8.
(2) Implementer's Guide for approval.
d) Recommendations determined (TAP – WTSA-12 Resolution 1):
The SG17 plenary meeting determined (TAP) three draft new ITU-T Recommendations in accordance with WTSA-12 Resolution 1, Section 9.
Q(1) | Acronym | Title | New / Revised | Editor(s) | Location of text | Equivalent e.g., ISO/IEC | Start of work | Timing |
4/17 | X.1542 (X.simef)* | Session information message exchange format | New | Ik-Kyun Kim, Jong-Hyun Kim | COM 17 – R 61 (TD 2561 Rev.1) | | 2014-09 | 2016-03 |
8/17 | X.1641 (X.CSCDataSec)* | Guidelines for cloud service customer data security | New | Nan Meng, Wei Liang | COM 17 – R 63 (TD 2514 Rev.3) | | 2014-09 | 2016-03 |
10/17, (7/17) | X.1258 (X.eaaa)* | Enhanced entity authentication based on aggregated attributes | New | Tae Kyung Kim, Jae Hoon Nah, Junjie Xia | COM 17 – R 64 (TD 2518 Rev.1) | | 2014-09 | 2016-03 |
(1) In case of joint Question activity, the lead Question is given without parentheses and other Questions are shown in parentheses; such entries are only shown in the table against the lead Question.
Information on the Member States consultation is available in TSB Circular 214 issued 4 April 2016.
e) Recommendations consented for Last Call (AAP – Recommendation ITU-T A.8):
The SG17 plenary meeting gave consent (AAP) to two draft new ITU-T Recommendations, ten draft revised ITU-T Recommendations, and one draft Corrigendum for Last Call according to Recommendation ITU-T A.8:
Q | Acronym | Title | New / Revised | Editor(s) | Location of text | Equivalent e.g., ISO/IEC | Start of work | Timing |
2/17 | X.1033 (X.gsiiso) | Guidelines on security of the individual information service provided by the operators | New | Junjie Xia, Bo Yu | TD 2544 | | 2009-02 | 2016-03 |
3/17 | X.1051rev | Information technology – Security techniques – Code of practice for Information security controls based on ISO/IEC 27002 for telecommunications organizations | Revised | Kyeong Hee Oh, Wataru Senga | TD 2602 Rev.1 | ISO/IEC 27011 | 2013-04 | 2016-03 |
11/17 | X.894 (X.cms) | Information technology – Generic applications of ASN.1 – Cryptographic Message Syntax | New | Jean-Paul Lemaire | TD 2558 Rev.1 | ISO/IEC 24824-4 | 2013-09 | 2016-03 |
11/17 | X.509 Cor.2 | Information technology – Open Systems Interconnection – The Directory: Public-key and attribute certificate frameworks – Technical Corrigendum 2 | | Erik Andersen | TD 2587 | ISO/IEC 9594-8 Cor.2 | 2016-03 | 2016-03 |
12/17 | Z.100 | Specification and Description Language - Overview of SDL-2010 | Revised | Rick Reed | TD 2370 Rev.1 | | 2015-09 | 2016-03 |
12/17 | Z.101 | Specification and Description Language - Basic SDL-2010 | Revised | Rick Reed | TD 2371 Rev.1 | | 2015-09 | 2016-03 |
12/17 | Z.102 | Specification and Description Language - Comprehensive SDL-2010 | Revised | Rick Reed | TD 2372 Rev.1 | | 2015-09 | 2016-03 |
12/17 | Z.103 | Specification and Description Language - Shorthand notation and annotation in SDL-2010 | Revised | Rick Reed | TD 2373 Rev.1 | | 2015-09 | 2016-03 |
12/17 | Z.104 | Specification and Description Language - Data and action language in SDL-2010 | Revised | Rick Reed | TD 2374 Rev.1 | | 2015-09 | 2016-03 |
12/17 | Z.105 | Specification and Description Language - SDL-2010 combined with ASN.1 modules | Revised | Rick Reed | TD 2375 Rev.1 | | 2015-09 | 2016-03 |
12/17 | Z.106 | Specification and Description Language - Common interchange format for SDL-2010 | Revised | Rick Reed | TD 2376 Rev.2 | | 2015-09 | 2016-03 |
12/17 | Z.107 | Specification and Description Language - Object-oriented data in SDL-2010 | Revised | Rick Reed | TD 2377 Rev.1 | | 2015-09 | 2016-03 |
12/17 | Z.111 | Notations and guidelines for the definition of ITU-T languages | Revised | Rick Reed | TD 2470 | | 2015-09 | 2016-03 |
(1) Draft Recommendations ITU-T X.1033 (X.gsiiso), X.1051 (revised), X.894 (X.cms), X.509 Cor.2, Z.100 (revised), Z.101 (revised), Z.102 (revised), Z.103 (revised), Z.104 (revised), Z.105 (revised), Z.106 (revised), Z.107 (revised), and Z.111 (revised) were sent to AAP Last Call #77 on 1 April 2016.
Annex B
New work items
The following nine new work items were agreed to be added to the SG17 work programme:
Q(1) | Acronym | Title | AAP/TAP/ Agreement | Editor(s) | Document | Equivalent e.g., ISO/IEC | Timing* |
2/17, (3/17) | X.salcm | Security reference architecture for lifecycle management of e-commerce business data | AAP | Kepeng Li, Zhaoji Lin, Junjie Xia, Feng Zhang | NWI template: COM 17 – R 59 Annex B Attachment 1 Base text: TD 2588 Rev.2 | | 2017-10 |
2/17, (6/17) | X.voLTEsec-1 | Security framework for voice-over-long-term-evolution (VoLTE) network operation | AAP | Haitao Du, Zhaoji Lin, Feng Zhang, Liang Wei | NWI template: COM 17 – R 59 Annex B Attachment 2 Base text: TD 2549 Appendix I | | 2018-04 |
4/17 | X.metric | Metrics for evaluating threat and resilience in cyberspace | TAP | Youki Kadobayashi, Daisuke Miyamoto | NWI template: COM 17 – R 60 Annex A Attachment 1 Base text: C-475 | | 2017 |
6/17 | X.msec-11 | Guidelines on mitigating the negative effects of infected terminals in mobile networks | TAP | Liu Lijun, Chen Zhang, | NWI template: COM 17 – R 65 Annex A Attachment 1 Base text: C-494 (Rev.2) | | 2016-09 |
6/17, 27/16 | X.sotavsu | Non-normative document Secure Over-the-Air Vehicle Software Updates – Operational and Functional Requirements | Agreement | Koji Nakao | NWI template: COM 17 – R 65 Annex A Attachment 2 Base text: TD 2482 Att.1 | | 2016-09 |
8/17 | X.SRIaaS | Security requirements of public infrastructure as a service (IaaS) in cloud computing | TAP | Huamin Jin, Laifu Wang, Mengxi Wang, Shuai Wang | NWI template: COM 17 – R 62 Annex A Attachment 1 Base text: TD 2530 Rev.2 Appendix I | | 2018-4Q |
10/17 | X.1254rev | Entity authentication assurance framework | TAP | Abbie Barbir, Heung-Youl Youm | NWI template: COM 17 – R 62 Annex B Attachment 1 Base text: C 485 | | 2017 |
10/17 | X.te | Trust elevation protocol | AAP | Abbie Barbir, Heung Youl Youm, | NWI template: COM 17 – R 62 Annex B Attachment 2 Base text: TD 2498 | | 2017 |
11/17 | X.jsoner | Information technology – ASN.1 encoding rules: Specification of Javascript Object Notation (JSON) Encoding Rules (JSON/ER) | AAP | Paul E. Thorpe | NWI template: COM 17 – R 66 Annex A Attachment 1 Base text: TD 2624 | ISO/IEC 8825-x | 2018 |
* Target date for consent or determination of Recommendations or for agreement of Supplements or non-normative text
(1) In case of joint Question activity, the lead Question is given without parentheses and other Questions are shown in parentheses; such entries are only shown in the table against the lead Question.