International Telecommunication Union

ITU-T X.1500.1
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(03/2012)

SERIES X: DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY
Cybersecurity information exchange – Overview of cybersecurity

Procedures for the registration of arcs under the object identifier arc for cybersecurity information exchange

Recommendation ITU-T X.1500.1

ITU-T X-SERIES RECOMMENDATIONS
DATA NETWORKS, OPEN SYSTEM COMMUNICATIONS AND SECURITY

PUBLIC DATA NETWORKS    X.1–X.199
OPEN SYSTEMS INTERCONNECTION    X.200–X.299
INTERWORKING BETWEEN NETWORKS    X.300–X.399
MESSAGE HANDLING SYSTEMS    X.400–X.499
DIRECTORY    X.500–X.599
OSI NETWORKING AND SYSTEM ASPECTS    X.600–X.699
OSI MANAGEMENT    X.700–X.799
SECURITY    X.800–X.849
OSI APPLICATIONS    X.850–X.899
OPEN DISTRIBUTED PROCESSING    X.900–X.999
INFORMATION AND NETWORK SECURITY
  General security aspects    X.1000–X.1029
  Network security    X.1030–X.1049
  Security management    X.1050–X.1069
  Telebiometrics    X.1080–X.1099
SECURE APPLICATIONS AND SERVICES
  Multicast security    X.1100–X.1109
  Home network security    X.1110–X.1119
  Mobile security    X.1120–X.1139
  Web security    X.1140–X.1149
  Security protocols    X.1150–X.1159
  Peer-to-peer security    X.1160–X.1169
  Networked ID security    X.1170–X.1179
  IPTV security    X.1180–X.1199
CYBERSPACE SECURITY
  Cybersecurity    X.1200–X.1229
  Countering spam    X.1230–X.1249
  Identity management    X.1250–X.1279
SECURE APPLICATIONS AND SERVICES
  Emergency communications    X.1300–X.1309
  Ubiquitous sensor network security    X.1310–X.1339
CYBERSECURITY INFORMATION EXCHANGE
  Overview of cybersecurity    X.1500–X.1519
  Vulnerability/state exchange    X.1520–X.1539
  Event/incident/heuristics exchange    X.1540–X.1549
  Exchange of policies    X.1550–X.1559
  Heuristics and information request    X.1560–X.1569
  Identification and discovery    X.1570–X.1579
  Assured exchange    X.1580–X.1589

For further details, please refer to the list of ITU-T Recommendations.

Rec. ITU-T X.1500.1 (03/2012)

Recommendation ITU-T X.1500.1
Procedures for the registration of arcs under the object identifier arc for cybersecurity information exchange

Summary
Recommendation ITU-T X.1500.1 provides for the registration of OID arcs which enable coherent, unique and global identification of cybersecurity information as well as for organizations exchanging that information and associated policies. This Recommendation specifies the information and justification to be provided when requesting an OID for cybersecurity information exchange purposes, and the procedures for the operation of the Registration Authority.

History
Edition    Recommendation    Approval      Study Group
1.0        ITU-T X.1500.1    2012-03-02    17

FOREWORD
The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE
In this Recommendation, the expression “Administration” is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

Compliance with this Recommendation is voluntary. However, the Recommendation may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the Recommendation is achieved when all of these mandatory provisions are met. The words “shall” or some other obligatory language such as “must” and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the Recommendation is required of any party.

INTELLECTUAL PROPERTY RIGHTS
ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementers are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http://www.itu.int/ITU-T/ipr/.

© ITU 2012
All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU.

Table of Contents
1 Scope
2 References
3 Definitions
  3.1 Terms defined elsewhere
  3.2 Terms defined in this Recommendation
4 Abbreviations and acronyms
5 Conventions
6 General
7 Responsibilities of the Registration Authority (RA)
8 Criteria for acceptance
9 Detailed procedures for the operation of the RA
  9.1 Registration application
  9.2 Registration announcement
  9.3 Time-scale for processing applications and publication
  9.4 Notice of rejection
  9.5 Change of registration information
10 Appeals process
Annex A – Register of arcs allocated under the Cybersecurity OID arc
Annex B – Rules for allocation of arcs under the country arc
Annex C – Rules for allocation of arcs under the international-org arc

Recommendation ITU-T X.1500.1
Procedures for the registration of arcs under the object identifier arc for cybersecurity information exchange

1 Scope
This Recommendation specifies the procedures for operating the registration of OID arcs to identify cybersecurity information, organizations exchanging that information, and associated policies under the Cybersecurity Information Exchange object identifier arc joint-iso-itu-t(2) cybersecurity(48).

2 References
The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published. The reference to a document within this Recommendation does not give it, as a stand-alone document, the status of a Recommendation.

[ITU-T X.660] Recommendation ITU-T X.660 (2011) | ISO/IEC 9834-1:2011, Information technology – Procedures for the operation of object
identifier registration authorities: General procedures and top arcs of the international object identifier tree.
[ITU-T X.680] Recommendation ITU-T X.680 (2008) | ISO/IEC 8824-1:2008, Information technology – Abstract Syntax Notation One (ASN.1): Specification of basic notation.
[ITU-T X.1500] Recommendation ITU-T X.1500 (2011), Overview of cybersecurity information exchange.
[ISO 3166-1] ISO 3166-1:2006, Codes for the representation of names of countries and their subdivisions – Part 1: Country codes.
[ISO/IEC 10646] ISO/IEC 10646:2003, Information technology – Universal Multiple-Octet Coded Character Set (UCS).
NOTE – Recommendation ITU-T T.55 recommends the use of ISO/IEC 10646 for the representation of the languages of the world.

3 Definitions

3.1 Terms defined elsewhere
This Recommendation uses the following terms defined elsewhere:

3.1.1 object identifier [ITU-T X.660]: An ordered list of primary integer values from the root of the international object identifier tree to a node, which unambiguously identifies that node.

3.1.2 OID internationalized resource identifier [ITU-T X.660]: An ordered list of Unicode labels from the root of the international object identifier tree that unambiguously identifies the node in that tree.

3.1.3 primary integer value [ITU-T X.660]: A primary value of type integer used to unambiguously identify an arc of the international object identifier tree.

3.1.4 primary value [ITU-T X.660]: A value of a specified type assigned to an arc of the OID tree that can provide an unambiguous identification of that arc within the set of arcs from its superior node.

3.1.5 registration [ITU-T X.660]: The assignment of an unambiguous name to an object in a way which makes the assignment available to interested parties.

3.1.6 registration authority [ITU-T X.660]: An entity such as an organization, a standard or an automated facility that performs registration of one or more types of objects.

3.1.7 registration procedures [ITU-T X.660]: The specified procedures for performing registration and amending (or deleting) existing registrations.

3.1.8 secondary identifier [ITU-T X.660]: A secondary value restricted to the characters forming an (ASN.1) identifier (see ITU-T X.680), assigned either in an ITU-T Recommendation, an International Standard or by some other Registration Authority to an arc of the OID tree.
NOTE – An arc of the international object identifier tree can have zero or more secondary identifiers.

3.1.9 secondary value [ITU-T X.660]: A value of some type associated with an arc that provides additional identification useful for human readers, but that does not in general unambiguously identify that arc, and is not normally included in computer communications.

3.1.10 Unicode character [ITU-T X.660]: A character from the Unicode character set.

3.1.11 Unicode character set [ITU-T X.660]: The set of coded characters specified in ISO/IEC 10646.
NOTE – This is the same character set as that specified in the Unicode Standard.

3.1.12 Unicode label [ITU-T X.660]: A primary value that consists of an unbounded sequence of Unicode characters that does not contain the SPACE character (see ITU-T X.660, clause 7.5 for other restrictions) used to unambiguously identify an arc of the OID tree.

3.2 Terms defined in this Recommendation
This Recommendation defines the following terms:

3.2.1 administrative role (of a Registration Authority): Assigning and making available unambiguous names according to this Recommendation.
NOTE – This definition is consistent with ITU-T X.660.

3.2.2 cybersecurity information: Any of the categories of information identified in ITU-T X.1500.

3.2.3 cybersecurity organization: Any organizational entity using the model for information exchange specified in ITU-T X.1500.

3.2.4 relevant Question(s): The ITU-T Question(s) responsible for the maintenance of this Recommendation.
NOTE – At the time of approval of this Recommendation, the relevant Question is ITU-T Q.4/17.

3.2.5 technical role (of a Registration Authority): Verifying that an application for registration of an OID arc is in accordance with this Recommendation.
NOTE – This definition is consistent with ITU-T X.660.

4 Abbreviations and acronyms
This
Recommendation uses the following abbreviations and acronyms:
CYBEX      Cybersecurity Information Exchange
OID        Object Identifier
OID-IRI    OID Internationalized Resource Identifier
RA         Registration Authority

5 Conventions
None.

6 General

6.1 This Recommendation defines procedures for the registration of arcs under the Cybersecurity Information Exchange OID arc joint-iso-itu-t(2) cybersecurity(48).

6.2 According to the requirements and rules of ITU-T X.660, this Recommendation is the RA for allocation of arcs under the Cybersecurity Information Exchange OID arc (by the progression of amendments to this Recommendation). The RA is operated by the relevant Question(s).

6.3 As the RA for the Cybersecurity Information Exchange OID arc, this Recommendation records the primary integer value, secondary identifiers and Unicode labels assigned to each subsequent arc identifying cybersecurity information (see Annex A).

6.4 Each RA being assigned a subsequent arc by this Recommendation is then responsible for the allocation of further subsequent arcs in accordance with ITU-T X.660.

7 Responsibilities of the Registration Authority (RA)

7.1 The relevant Question(s) play both the technical role and the administrative role of the RA in accordance with the provisions of this Recommendation.

7.2 With regards to the assignment of arcs, the responsibilities of the relevant Question(s) shall be as follows:
a) to receive applications for the allocation of an arc (the required content of the application is specified in clause 9.1);
b) for each assigned arc, to produce an amendment to (or a new edition of) this Recommendation (see clause 9.3.1), in order to add to Annex A, a record of the assigned primary value, any secondary values and the specification of the category of cybersecurity information that is being registered.
NOTE – In the case of the national RAs mentioned in Annex B and of the RA mentioned in Annex C, this Recommendation is not updated but the assigned arc is added to a web-based registry (see clauses B.4 and C.3).

7.3 If the application is accepted according to the criteria of clause 8, the arc shall be allocated and a registration announcement shall be sent to the applicant as specified in clauses 9.2 and 9.3.2.

7.4 If the application is not accepted, the application shall be rejected by sending a notice of rejection as specified in clauses 9.4 and 9.3.2. The appeals process is specified in clause 10.

8 Criteria for acceptance

8.1 An application is accepted if, in the technical judgment of the relevant Question(s), the requested OID will identify cybersecurity information as described in ITU-T X.1500 and be used on a worldwide basis.

8.2 The application shall identify the time-scale within which the relevant cybersecurity information is to be used within applications or services. The application shall be rejected if the time-scale exceeds 12 months, and can be voided if it is not in use within that time-scale.
NOTE – The primary integer value of a voided application shall not be reused within the next five years.

9 Detailed procedures for the operation of the RA

9.1 Registration application
The application shall include at least the following information:
a) name of any legally constituted and verifiable organization involved in the exchange of cybersecurity information, and submitting the application;
b) name, postal mail address, e-mail addre