IT Security

Web Authentication: An API for accessing Public Key Credentials Level 1

This specification defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. Conceptually, one or more public key credentials, each scoped to a given WebAuthn Relying Party, are created by and bound to authenticators as requested by the web application. The user agent mediates access to authenticators and their public key credentials in order to preserve user privacy. Authenticators are responsible for ensuring that no operation is performed without user consent. Authenticators provide cryptographic proof of their properties to Relying Parties via attestation. This specification also describes the functional model for WebAuthn conformant authenticators, including their signature and attestation functionality.

Quantum-safe Security

The CSA Quantum Safe Security Working Group's goal is to address key generation and transmission methods that will aid the industry in understanding quantum-safe methods for protecting their data through quantum key distribution (QKD), a physics-based technology to securely deliver keys, and post-quantum cryptography (PQC), mathematical algorithms that are resistant to quantum computing. The goal of the working group is to support the quantum-safe cryptography community in the development and deployment of a framework to protect data whether in motion or at rest.

Rationalized structure for electronic signature standardization - Guidelines for citizens

This Technical Report aims to help citizens to understand the relevance of using electronic signature within their day-to-day lives. It also explains the legal and the technical backgrounds of electronic signatures. This document gives guidance on the use of electronic signatures and addresses typical practical questions the citizen may have on how to proceed to electronically sign, where to find the suitable applications and material.

CEN/TR 419040:2018

Guidance for signature creation and other related devices

The present Technical Report provides guidance on the selection of standards and options for signature/seal creation and other related devices (area 2) as identified in the framework for standardization of signatures: overview ETSI/TR 119 000 [16]. The present Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5) and how the relevant standards and options for this area can be identified given the Business Scoping Parameters (Clause 6). The target audience of this document includes:

  • business managers who potentially require support from electronic signatures/seals in their business and will find here an explanation of how electronic signature/seal standards can be used to meet their business needs;
  • application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures/seals, and will gain a better understanding of how to select the appropriate standards to be implemented and/or used;
  • developers of the systems who will find in this document an understanding of the reasons that led the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for proper development.

CEN/TR 419200:2017

Information security, cybersecurity and privacy protection

The development of standards for the protection of information and ICT. This includes generic methods, techniques and guidelines to address both security and privacy aspects, such as:

  • Security requirements capture methodology;
  • Management of information and ICT security; in particular information security management systems (ISMS), security processes, security controls and services;
  • Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information;
  • Security management support documentation including terminology, guidelines as well as procedures for the registration of security components;
  • Security aspects of identity management, biometrics and privacy;
  • Conformance assessment, accreditation and auditing requirements in the area of information security;
  • Security evaluation criteria and methodology.

SC 27 engages in active liaison and collaboration with appropriate bodies to ensure the proper development and application of SC 27 standards and technical reports in relevant areas.

ISO/IEC JTC 1/SC 27

Cards and security devices for personal identification

SC 17 continues to deliver card standards that are ubiquitous in their use by the worldwide cards industry. Perhaps the biggest issue facing the cards world, and particularly payment cards, is the need to expand the Issuer Identification Number (IIN) scheme from its present 6-digit IIN to an 8-digit IIN going forward. Support from ISO to spread the word in this regard would be very much appreciated by the experts in SC 17.

Standardization in the area of:

  • Identification and related documents
  • Cards
  • Security devices and tokens

and the interfaces associated with their use in inter-industry applications and international interchange.

ISO/IEC JTC 1/SC 17

OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) TC

The OASIS XSPA TC works to standardize the way healthcare providers, hospitals, pharmacies, and insurance companies exchange privacy policies, consent directives, and authorizations within and between healthcare organizations. The OASIS Cross-Enterprise Security and Privacy Authorization (XSPA) Technical Committee will specify healthcare profiles of existing OASIS standards to support reliable, auditable methods of confirming personal identity, official authorization status, and role attributes. This work aligns with security specifications being developed within the U.S. Healthcare Information Technology Standards Panel (HITSP).

OASIS Security Services (SAML) TC

The Security Assertion Markup Language (SAML), developed by the Security Services Technical Committee of OASIS, is an XML-based framework for communicating user authentication, entitlement, and attribute information. As its name suggests, SAML allows business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is often a human user) to other entities, such as a partner company or another enterprise application.
If you are a manager looking for a high-level overview of SAML, the Executive Overview is recommended. If you are looking for a technical introduction to SAML concepts and capabilities, it is recommended to start with the Technical Overview. Additional technical information, including the complete set of SAML specifications, can be found in the knowledgebase at saml.xml.org.