ISO/IEC JTC 1/SC 27 - Working Group - Trip Report

Hi, Andreas Fuchsberger here again.

Introduction

The most recent ISO/IEC JTC 1/SC 27 (Subcommittee) Working Group (WG) meetings took place from 6th – 10th October 2008 in Limassol, Cyprus. As set out in SC 27’s charter, all 5 Working Group meetings took place in parallel, allowing National Body (NB) experts to participate in more than one WG during the week. The 5 Working Groups are:

· Working Group 1: Information Security Management Systems (ISMS)

· Working Group 2: Cryptography and Security Mechanisms

· Working Group 3: Security Evaluation Criteria

· Working Group 4: Security Controls and Services

· Working Group 5: Privacy and Identity Management

As it is physically not possible to attend all meetings simultaneously, this report details results for WG 2, 4 and 5, obtained either through attendance by the author or through trusted reports available to the author.

Access to the various stages of the Working Drafts (WD) used to produce International Standards (IS) is currently restricted to active participants in the standards process. However, it is usually easy to gain access by contacting the National Body that represents your country on ISO/IEC JTC 1/SC 27.

Report from WG 2: Cryptography and Security Mechanisms

WG 2 had a busy meeting: a large number of standards and documents were edited during the working group sessions, and new versions will be made available by the editors and distributed to National Bodies (NBs) for review at the next meeting. (Note: NBs are not required to distribute Working Drafts (WDs); however, it is common practice.)

The WG 2 meeting was well attended, with 41 participants in total representing 12 National Bodies; the Japanese NB had the strongest attendance, with 17 participants.

Noteworthy is the update of Standing Document SD 12, Cryptographic algorithms and key lengths, which is to be used as guidance on which cryptographic algorithms should be used in production systems and with what recommended key lengths. Also noteworthy is the new Study Period on Secret Sharing Mechanisms, prompted by the presentation to WG 5 on Privacy Enhancing Technologies by the Japanese expert Kazue Sako.

WG 2 initiated one New Work Item on Lightweight Cryptography and the following new Study Periods:

· Lightweight cryptographic mechanisms

· Key establishment mechanisms for multiple entities, and the German NB proposal on Group key management

· Secret sharing mechanisms

· Parsing ambiguity attacks

Report from WG 4: Security Controls and Services

WG 4 had a busy meeting: a number of standards and documents were edited during the working group sessions, and new versions will be made available by the editors and distributed to National Bodies (NBs) for review at the next meeting. (Note: NBs are not required to distribute Working Drafts (WDs); however, it is common practice.)

The WG 4 meeting was well attended, with 62 participants in total representing 16 National Bodies; the Japanese NB had the strongest attendance, with 11 participants.

WG 4 is a relatively new WG; as such this was only its 6th meeting. This is reflected in the relative immaturity of the documents so far, the majority being WDs, with the exception of Network Security Part 1, which was inherited from WG 1 when WG 4 was created.

Of particular interest is the progress that has been made on Application Security, Part 1.

WG 4 initiated 2 new Work Items:

· Guidelines for Identification, Collection and/or Acquisition and Preservation of Digital Evidence

· Guidelines for Security of Outsourcing

Report from WG 5: Privacy and Identity Management

WG 5 had a busy meeting: a number of standards and documents were edited during the working group sessions, and new versions will be made available by the editors and distributed to National Bodies (NBs) for review at the next meeting. (Note: NBs are not required to distribute Working Drafts (WDs); however, it is common practice.)

The WG 5 meeting was well attended, with over 40 participants in total. The terms of reference of WG 5 cover both Privacy and Identity Management, and experts were present from both areas.

WG 5 is a relatively new WG; as such this was only its 6th meeting. This is reflected in the relative immaturity of the documents so far, the majority being WDs.

Noteworthy is the progression of 29100 Privacy Framework to CD stage. The Study Period (SP) on Access Control Mechanisms, prompted by the Chinese NB contribution during the 4th WG 5 meeting and for which the author was Rapporteur, was concluded with a recommendation to the SC 27 Plenary to start a new SC 27-wide Study Period on Access Control. The author was volunteered as Rapporteur for the new Study Period, and also volunteered for the WG 5 drafting committee, which met throughout the week after the close of the WG meeting sessions.

WG 5 initiated 2 new Work Items:

· Privacy Capability Maturity Model

· Requirements for Relative Anonymity with Identity Escrow

Next Meetings

The next SC 27 WG meetings were agreed as:

· 2009-05-04 - 2009-05-08 Beijing, China

· 2009-11-02 - 2009-11-06 Redmond, WA, USA

TCG Fast Track

The regular WG meetings were followed by a one-day meeting to agree on fast-tracking the adoption of the Trusted Computing Group (TCG) standards.