FW: Standard IA Terminology
lohmeyer at t10.org
Mon May 9 11:58:28 PDT 2005
* From the T10 Reflector (t10 at t10.org), posted by:
* John Lohmeyer <lohmeyer at t10.org>
Bob Snively suggested that I forward this message to T10, so here it is! -- John
>From: owner-stds-p1619 at listserv.ieee.org
>[mailto:owner-stds-p1619 at listserv.ieee.org]On Behalf Of Cole, John (Civ,
>Sent: Friday, May 06, 2005 8:27 AM
>To: p1667 at IEEE.ORG
>Cc: STDS-2600 at IEEE.ORG; stds-p1619 at IEEE.ORG; ISSAA at IEEE.ORG; Pressley,
>Anthony (Civ, ARL/CISD); Ellis, Carol (Civ, ARL/CISD); Reschly, Robert
>Subject: Standard IA Terminology
>Referenced below are three efforts to develop consistent usage of
>information assurance (IA) terminology that may interest you. Please
>tell me about others for which there is some kind of accessible
>This letter is prompted by the startup of P1667 and its search for
>standard terms such as "authenticate". Copied on this letter are the
>three other active working groups of the IEEE Information Assurance
>Standards Committee (IASC, see http://ieeeia.org/projects.html for a
>list and descriptions of these).
>There is a well-known lack of standard terminology in the field of
>information assurance (IA). Even "information assurance" needs a
>The IASC plans to start a dictionary/terminology/definitions/glossary
>project, and incorporate or refer to past and present efforts.
>1. In a recent email Ron Ross/NIST wrote:
>"NIST and NIAP do not have official glossaries of computer security
>terminology although we are currently working on a glossary for internal
>use to ensure consistency in usage of terms within our FIPS and Special
>Publications. The closest document to an authoritative source or
>national glossary might be the NSTISSI 4009 which can be obtained at the
>following web site: http://www.cnss.gov. The glossary can be downloaded
>from URL: http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf. Admittedly, the
>CNSS glossary has more of a DOD and national security bent to it. I'm
>not certain if NIST will eventually publish the glossary we are working
>on or keep it for in house use."
>"The emerging NIST glossary of computer security terms will be posted on
>the [www.csrc.nist.gov] web site and updated regularly so it can be used
>by all of our customers as well as our internal staff in house."
>The CNSS terminology document is a re-publication of a very old glossary
>arising from NSA, and focuses on information operations, as opposed to
>the more general field of information assurance.
>IMHO, some of the terms are badly defined. "Authentication", for
>example, has blended "authorization" into its definition. While the two
>are related - one would certainly authenticate an authorized user - they
>are very distinct: you can authenticate unauthorized users, for example.
>Just determining the identity of a person or object does not carry with
>it authorization to act. And in the reverse, it is wrong to rely on
>authorization as a means of authentication.
>The glossary NIST is developing for consistent usage sounds very
>Note that this is not a standard according to the document itself.
>3. IEEE P610.9 "IEEE Standard Glossary of Computer Security and Privacy
>In 1997 the IEEE had a general dictionary project numbered 610, under
>which terms were standardized in a number of areas, and these standards
>published. But 610.9, the one area of greatest interest to IASC, was
>withdrawn for reasons unknown without becoming a standard. I have a
>possibly complete paper copy of the P610.9 draft, roughly 60 pages, and
>I am trying to find an electronic copy and track down the author(s).
John Lohmeyer Email: lohmeyer at t10.org
LSI Logic Corp. Voice: +1-719-533-7560
4420 ArrowsWest Dr. Cell: +1-719-338-1642
Colo Spgs, CO 80907
* For T10 Reflector information, send a message with
* 'info t10' (no quotes) in the message body to majordomo at t10.org
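The authentication/authorization distinction argued in the forwarded message (you can authenticate an unauthorized user, and an authorization claim is not a way to authenticate) is easy to show in code. The following is an added example, not part of the original message or of any IEEE, NIST or CNSS document; the user store, the password hashes, the ACL and the resource name "volume-1" are all constructed for illustration. `authenticate()` answers only "who is this?" and `authorize()` answers only "may this verified identity do that?"; the type check in `authorize()` is what stops a bare username claim from standing in for an authenticated identity.

```python
"""Authentication vs. authorization kept as two separate decisions.

Constructed example: the users, password hashes and ACL below are made up
for illustration and are not taken from any standard or real system.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

_ITERATIONS = 100_000  # PBKDF2 work factor; raise for production use


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str):
    salt = os.urandom(16)
    return (salt, _hash_password(password, salt))


# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
USERS = {
    "alice": _make_user("correct horse battery staple"),  # constructed credential
    "guest": _make_user("guest"),                          # constructed credential
}

# Constructed ACL: (principal, action, resource) triples that are permitted.
# "guest" is a perfectly authenticatable identity that holds no grants at all.
ACL = {
    ("alice", "write", "volume-1"),
    ("alice", "read", "volume-1"),
}


@dataclass(frozen=True)
class Principal:
    """An identity that authenticate() has actually verified."""
    name: str


def authenticate(username: str, password: str) -> Optional[Principal]:
    """Verify WHO is asking. Says nothing about what they may do."""
    record = USERS.get(username)
    if record is None:
        # Run the KDF anyway so an unknown user costs the same time as a
        # wrong password (avoids a username-enumeration timing side channel).
        _hash_password(password, b"\x00" * 16)
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash_password(password, salt), expected):
        return None
    return Principal(username)


def authorize(who: Principal, action: str, resource: str) -> bool:
    """Decide WHETHER a verified identity may perform an action."""
    if not isinstance(who, Principal):
        # A bare username, or any claim that did not come through
        # authenticate(), is not an identity: refuse to treat it as one.
        raise TypeError("authorize() requires a Principal from authenticate()")
    return (who.name, action, resource) in ACL


def request(username: str, password: str, action: str, resource: str) -> str:
    """Full decision: identify first, then check permission."""
    who = authenticate(username, password)
    if who is None:
        return "unauthenticated"
    if not authorize(who, action, resource):
        return "authenticated but unauthorized"
    return "allowed"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "write", "volume-1"))
    print(request("guest", "guest", "write", "volume-1"))
    print(request("alice", "wrong password", "read", "volume-1"))
```

The middle case is the one the message is about: "guest" authenticates successfully and is still refused, because knowing who someone is carries no permission with it. Conversely, calling `authorize("alice", ...)` with a plain string raises rather than consulting the ACL, so membership in an access list can never be mistaken for proof of identity.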