3.2. Objective
The objective has to be to provide, at short notice, solutions which can respond to the most urgent needs of users, service providers and manufacturers. This includes the use of common IT-security evaluation criteria. These should be conceived as open towards future requirements and solutions.
3.3. Status and trends
Some user groups have developed techniques and procedures for their specific use responding, in particular, to the need for authentication, integrity and non-repudiation. In general, magnetic cards or smart cards are being used. Some are using more or less sophisticated cryptographic techniques. Often this implied the definition of user-group specific ‘authorities’. However, it is difficult to generalize these techniques and methods to meet the needs of an open environment.
ISO is working on OSI Information System Security (ISO DIS 7498-2) and CCITT in the context of X400. It is also possible to insert security segments into the messages. Authentication, integrity and non-repudiation are being addressed as part of the messages (EDIFACT) as well as part of the X400 MHS.
At present, the Electronic Data Interchange (EDI) legal framework is still at the stage of conception. The International Chamber of Commerce has published uniform rules of conduct for the exchange of commercial data via telecommunications networks.
Several countries (e.g. Germany, France, the United Kingdom and the United States) have developed, or are developing, criteria to evaluate the trustworthiness of IT and telecommunication products and systems and the corresponding procedures for conducting evaluations. These criteria have been co-ordinated with the national manufacturers and will lead to an increasing number of reliable products and systems starting with simple products. The establishment of national organizations which will conduct evaluations and offer certificates will support this trend.
Confidentiality provision is considered by most users as less immediately important. In the future, however, this situation is likely to change as advanced communication services and, in particular, mobile services will have become all-pervasive.
3.4. Requirements, options and priorities
It is essential to develop as soon as possible the procedures, standards, products and tools suited to assure security both in information systems as such (computers, peripherals) and in public communications networks. A high priority should be given to authentication, integrity and non-repudiation. Pilot projects should be carried out to establish the validity of the proposed solutions. Solutions to priority needs on EDI are looked at in the TEDIS programme within the more general content of this action plan.