ItuProcessForOpenC2Adoption

Duncan Sparrell edited this page Mar 26, 2020 · 17 revisions

It is planned that the ITU will adopt OpenC2 just as it has with SAML, XACML, CAP and other OASIS standards. This page will try to explain the process so OpenC2 can achieve its goals with minimal (but not zero) headache.

What is ITU?

The International Telecommunications Union is a UN agency and the oldest de jure (i.e., backed by international treaties) standards body. The ITU is actually the oldest international organization still in existence. The ITU's mission:

"Founded in 1865 to facilitate international connectivity in communications networks, we allocate global radio spectrum and satellite orbits, develop the technical standards that ensure networks and technologies seamlessly interconnect, and strive to improve access to ICTs to underserved communities worldwide...ITU is committed to connecting all the world's people – wherever they live and whatever their means. Through our work, we protect and support everyone's right to communicate.​..."

The other two "formal" de jure international SDOs (Standards Development Organizations) are IEC and ISO. The ITU has 3 divisions:

  • ITU-T - Standards
    • aside - ITU-T calls its standards "recommendations" since in most cases they are not international law and it is up to the individual governments to decide on laws and regulations
  • ITU-D - Development
    • mission - "The mission of the ITU-D is to promote the right of people across the globe to communicate through access to infrastructure, information and communication services." I.e., "Develop Countries", not software or hardware development
  • ITU-R - Radio
    • Spectrum allocation, etc

Each of the 3 sectors has UN staff that support it. TSB (Telecommunications Standards Bureau) supports the ITU-T. Likewise TDB/TRB support ITU-D/ITU-R. This page will focus on ITU-T since that is who would adopt OpenC2 as an "X Series" (aka "X dot") recommendation.

The ITU-T is organized into "Study Groups", of which SG17 (Security) is the one that matters to OpenC2.

Each SG is organized into Working Parties, and each Working Party contains several questions. To first order, an ITU question is analogous to an OASIS TC. Many questions are 'larger' than a typical TC. For example, SG 17 Question 4 covers STIX, TAXII, OpenC2, CACAO, and several other topics. Each question has a Rapporteur or two co-Rapporteurs, and may have associate Rapporteurs as well. Individual recommendations also have one or more editors.

Why would ITU adoption be good

The ITU has a broader reach than OASIS, especially in the developing world. If particular processes are followed (more later), adoption by the ITU would likely result in the translation of the standard into several other languages. For example, X.1215 on STIX use cases was approved in Jan 2019 and is available in English, Arabic, Chinese, Spanish, French, and Russian as is shown here.

OASIS/ITU Relationship

The ITU has a process for recognizing other SDOs. It is documented in the ITU "A Series" Recommendations. The A series recommendations (and all ITU recommendations as well as other ITU publications such as Technical Reports) are freely available here. The ITU maintains a list of its relationships and it is available here. As can be seen from the list, the ITU recognizes OASIS as an A.4/A.5 organization. This basically means ITU and OASIS can communicate and have agreed on how ITU can adopt OASIS work.

put in more:

  • CAP
  • XACML
  • SAML
  • STIX/TAXII

Process that must be followed on ITU side (that TC can facilitate)

An ITU question can decide to adopt an OASIS Standard as an ITU Recommendation. Note "OASIS Standard", not "Committee Specification". This is the current agreement between the two organizations and was based on several factors. So OpenC2 would need to move beyond its current (Mar-2020) state before ITU would adopt it. I.e., Step 0 of the process is OpenC2 proposing one or more CS to become OASIS Standards, and the OASIS membership approving it/them as OASIS Standards.

Once a document is an OASIS Standard, the OpenC2 TC (Duncan needs to finish)

  • approval is agree/determine/consent
  • TAP, AAP
  • liaison statement, liaison officer
  • A.5, A.25
  • incorporate by inclusion (could get translated) or by reference (only the ITU sentence referencing it gets translated)
  • IPR statements and form to be filled out
  • "stable text", one month rule

When ITU approves a rec, the report must have two items:

  • A.5 justification for normative references other than ITU, ISO, IEC in Recommendations
  • A.25 justification for any incorporation of text (in whole or in part, with or without modification) of documents from another organization into an ITU-T Recommendation (or another ITU-T document)

Usually both say "none". In our case, we will need to fill in the 'justifications'. It would go smoother if OC2 provided draft proposed text in the liaison to ITU. Typically each 'justification' would be a standalone document with a summary and an annex in a form the ITU likes. For example, at the March-2020 ITU SG meeting X.1364 was approved. A copy is in ExampleA5Justification. The sections are:

  • Section 1 Introduction
  • Section 2 Referred documents and respective justifications
  • Annex 1 A.5 justification for the reference to ETSI TS 123 401 V15.8.0 (2019-10)
  • Annex 2 A.5 justification for the reference to ETSI TS 123 501 V15.6.0 (2019-10)

You will note they have separate annexes for the two different standards that they are incorporating.

For the introductions, we could keep the initial paragraph but obviously we would modify the wording of the 2nd paragraph to reference our attached standard in a liaison statement. At the ITU meeting, they would modify it again to reference wherever they put our document.

Each of the annexes contains 10 sections. Note the original had 87 items in section 8 so they are abbreviated here. In our case, section 8 would include however many references are in our standard.