[CESG] CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information Security Glossary of Terms (Magenta Book, Issue 3)

CCSDS Secretariat thomas.gannett at tgannett.net
Wed Jan 24 16:52:57 UTC 2024


Dear CESG Members,

Conditions for approval of CCSDS 350.8-M-3, Information Security Glossary of Terms (Magenta Book, Issue 3) have been disposed to the satisfaction of the AD(s) who voted to approve with conditions. The Secretariat will now proceed with CMC polling to authorize publication.
From:	Ignacio Aguilar Sanchez <Ignacio.Aguilar.Sanchez at esa.int>
Sent:	Wednesday, January 24, 2024 2:40 AM
To:	Thomas Gannett
Cc:	Tomaso.deCola at dlr.de; Erik.Barkley at jpl.nasa.gov; 
jonathan.j.wilmot at nasa.gov; Howard.Weiss at parsons.com
Subject:	RE: [Secretariat] [EXTERNAL] Re: CESG-P-2023-12-005 Approval to publish 
CCSDS 350.8-M-3, Information Security Glossary of Terms (Magenta Book, 
Issue 3)

Categories:	Poll Condition Closure

Dear Tom,
 
This satisfies my conditions for approval.
 
Thank you,
 
Ignacio
 
 
Ignacio Aguilar Sánchez 
Communication Systems Engineer 
Electrical Engineering Department 
 
European Space Research and Technology Centre 
Keplerlaan 1, PO Box 299, 2200 AG Noordwijk, The Netherlands
Mob.+31641360257 
Fax  +31715655418 
Email: ignacio.aguilar.sanchez at esa.int 
www.esa.int
 
From: Thomas Gannett <thomas.gannett at tgannett.net>  
Sent: Tuesday, January 23, 2024 6:39 PM 
To: Ignacio Aguilar Sanchez <Ignacio.Aguilar.Sanchez at esa.int>; Howard.Weiss at parsons.com 
Cc: Tomaso.deCola at dlr.de; Erik.Barkley at jpl.nasa.gov; jonathan.j.wilmot at nasa.gov 
Subject: RE: [Secretariat] [EXTERNAL] Re: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, 
Information Security Glossary of Terms (Magenta Book, Issue 3)
 
Dear Ignacio:
 
Howie indicated to me in a separate email thread that he intended to accept your PIDs, and I have 
updated the document to incorporate your proposed changes.
 
Please indicate by return email if this response satisfies your conditions for approval.
 
Best regards,
Tom
 
 
Logothete, L.L.C.
thomas.gannett at tgannett.net
+1 443 472 0805
 
* * * * * * * * * * * * * * * * * * * * * * * *
From:	Secretariat <secretariat-bounces at mailman.ccsds.org> on behalf of 
Tomaso.deCola--- via Secretariat <secretariat at mailman.ccsds.org>
Sent:	Monday, January 22, 2024 4:56 AM
To:	Ignacio.Aguilar.Sanchez at esa.int; Howard.Weiss at parsons.com
Cc:	secretariat at mailman.ccsds.org; Erik.Barkley at jpl.nasa.gov; 
jonathan.j.wilmot at nasa.gov
Subject:	Re: [Secretariat] [EXTERNAL] Re: CESG-P-2023-12-005 Approval to publish 
CCSDS 350.8-M-3, Information Security Glossary of Terms (Magenta Book, 
Issue 3)


Hi both,

I’m afraid Ignacio is right. I’ve checked my local notes on this book and indeed I raised the condition 
related to 4a and 4b references. I’ve just checked what was proposed to fix the points I’ve raised, and I’m 
fine with that. As such, my conditions can be considered dispositioned.

Best Regards,
 
Tomaso

From: Ignacio Aguilar Sanchez <Ignacio.Aguilar.Sanchez at esa.int>  
Sent: Monday, 22 January 2024 09:10 
To: Howard.Weiss at parsons.com 
Cc: secretariat at mailman.ccsds.org; Erik.Barkley at jpl.nasa.gov; jonathan.j.wilmot at nasa.gov; de Cola, 
Tomaso <Tomaso.deCola at dlr.de> 
Subject: RE: [EXTERNAL] Re: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information 
Security Glossary of Terms (Magenta Book, Issue 3)

Howie,

I believe there is a confusion with my feedback on this poll.

The comments supposedly coming from me were coming from Tomaso de Cola, on copy.

Sorry that I did not notice this earlier. 

I am reattaching my PIDs to this poll in this e-mail.

Kind regards,

Ignacio
 
 
Ignacio Aguilar Sánchez 
Communication Systems Engineer 
Electrical Engineering Department 
 
European Space Research and Technology Centre 
Keplerlaan 1, PO Box 299, 2200 AG Noordwijk, The Netherlands
Mob.+31641360257 
Fax  +31715655418 
Email: ignacio.aguilar.sanchez at esa.int 
www.esa.int

From: Howard.Weiss at parsons.com <Howard.Weiss at parsons.com>  
Sent: Friday, January 19, 2024 6:28 PM 
To: Erik.Barkley at jpl.nasa.gov; Ignacio Aguilar Sanchez <Ignacio.Aguilar.Sanchez at esa.int>; 
jonathan.j.wilmot at nasa.gov 
Cc: secretariat at mailman.ccsds.org 
Subject: RE: [EXTERNAL] Re: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information 
Security Glossary of Terms (Magenta Book, Issue 3)

Erik - based on previous email threads regarding SANA, I am assuming that your concerns are addressed.

Ignacio - regarding the two versions of the reference 4a and 4b - good catch!  I know I added the second 
(4b) reference because some terms were in one but not the other.  I went back and found that there 
were only 3 terms in 4a that were not in 4b: key stream, malware, and secure hash standard.   I am 
proposing the removal of 4a and changing all the terms that referenced 4a to 4 which will be the 2022 
version of the document.  
*	Key Stream is known as Stream Cipher in the 2022 document so I propose to point key stream to 
the existing stream cipher term,
*	Malware is in 4b but points to ‘malicious code and malicious logic.’  However, malicious code 
does not actually appear in 4b – only malicious logic.  I propose to point malicious 
code/malware to NIST SP 800-53 which is reference 7.
*	Secure Hash Standard appears in 4a but not in 4b.  I propose to add FIPS 180-4 to the list of 
references and point to it. 

Jonathan – regarding your conditions. 
1.	I understand how one definition uses ‘resource’ but the other uses ‘object.’  Those have 
typically been interchangeable in security community specifications over the years as well as the 
term subject (e.g., subjects and objects).  In formalisms, an object is something that a subject 
wants/needs access to. Personally I always hated the abstract terms ‘subject’ and ‘object’ but 
obviously I had no influence on that. Would you like all of the terms to use ‘object?’ Or all of 
them to use ‘reference?’ Or should we add the term ‘object’ (from 4b: ‘passive system-related 
entity, including bits, bytes, words, fields, devices, files, records, programs, tables, processes, 
programs, segments, directories, processors, and domains that contain or received 
information.  Access to an object (by a subject) implies access to the information it contains.’) ?
2.	Regarding accreditation, it’s done by a senior official who accepts the risk. The senior official 
might be known as an accreditation authority/official (AO) or in some cases the authority is 
delegated to someone known as a designated accreditation authority (DAO) which can also be 
known as a designated approving authority.  Personally I think that both the accreditation and 
accreditation authority terms are clear since one specifically states a senior official and the other 
states the official with the authority to approve.  
3.	I’m not sure what you mean when you say ‘not have a cohesive set of base terms used in their 
definitions?’  These terms and their definitions are sourced from what we consider to be from 
authoritative sources and have not been generated by CCSDS.  
4.	Reference 5 is actually a 2013 document which was used.  There is a 2019 version (rev 2) but it 
was not used. There is also an online web-based version but when that was used, the source in 
the web glossary was used (e.g., NIST online search for ‘secure hash standard’ sources to CNSSI 
4009-2015 and FIPS 180-4). 

Please respond to this email providing me with your thoughts.

Regards

howie
* * * * * * * * * * * * * * * * * * * * * * * *
From:	Secretariat <secretariat-bounces at mailman.ccsds.org> on behalf of Wilmot, 
Jonathan J. (GSFC-580.0)[VANTAGE SYSTEMS INC] via Secretariat 
<secretariat at mailman.ccsds.org>
Sent:	Friday, January 19, 2024 12:43 PM
To:	Howard.Weiss at parsons.com; Erik.Barkley at jpl.nasa.gov; 
Ignacio.Aguilar.Sanchez at esa.int
Cc:	secretariat at mailman.ccsds.org
Subject:	Re: [Secretariat] [EXTERNAL] Re: CESG-P-2023-12-005 Approval to publish 
CCSDS 350.8-M-3, Information Security Glossary of Terms (Magenta Book, 
Issue 3)

Categories:	Poll Condition Closure

Howie,

    I am fine with your responses. I still feel that taking definitions from different references can lead to a 
lack of a “cohesive set of base terms” but don’t feel strongly enough to hold the document up. 
Consider the conditions satisfied to proceed to publication.


Kind regards,

     Jonathan 
* * * * * * * * * * * * * * * * * * * * * * * *
From:	Barkley, Erik J (US 3970) <erik.j.barkley at jpl.nasa.gov>
Sent:	Wednesday, January 17, 2024 4:56 PM
To:	Howard.Weiss at parsons.com; Thomas Gannett
Cc:	Ignacio.Aguilar.Sanchez at esa.int; jonathan.j.wilmot at nasa.gov
Subject:	RE: [EXTERNAL] RE: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-
3, Information Security Glossary of Terms (Magenta Book, Issue 3)

Categories:	Poll Condition Closure

Howie, Tom,

Sounds like you guys are okay with how things are stated currently and ultimately I do not see this as a 
serious concern.  So I am okay if we move forward with the books as is.  Thank you for taking a look and 
your consideration.

Best regards,
-Erik

From: Howard.Weiss at parsons.com <Howard.Weiss at parsons.com>  
Sent: Wednesday, January 17, 2024 8:48 
To: Thomas Gannett <thomas.gannett at tgannett.net>; Barkley, Erik J (US 3970) 
<erik.j.barkley at jpl.nasa.gov> 
Cc: Ignacio.Aguilar.Sanchez at esa.int; jonathan.j.wilmot at nasa.gov 
Subject: Re: [EXTERNAL] RE: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information 
Security Glossary of Terms (Magenta Book, Issue 3)

Erik

I fully agree with Tom's assessment.  The intent of the Information Security Glossary (as a MB) 
was as a normative reference for other books.  We found that there was a lot of duplication of 
effort in creating glossaries for each book, often with inconsistent definitions.  The glossary was 
to unify the definitions which are mostly based on 'official' sources (e.g., ISO, NIST) unless they 
were not available forcing us to look elsewhere.   The glossary was originally published as a 
Green Book but it was pointed out several years ago that Green Books could not be used as 
normative references and hence the change to a Magenta Book for the previously published 
revision.

The fact that SANA is creating an on-line glossary (of all CCSDS terms, not just security) is a 
great service for one-off searches but has no bearing on the normative referential use of the 
Information Security Glossary in other documents. 

Ignacio and Jonathan - I have quickly reviewed your comments and will address them in the next 
few days.

regards

howie


 
HOWARD WEISS, CISSP

PARSONS Federal
7110 Samuel Morse Drive
Columbia, MD 21046 
443-430-8089 (office) / 443-494-9087 (cell) 
howard.weiss at parsons.com
www.parsons.com
Please consider the environment before printing this message
From: Thomas Gannett <thomas.gannett at tgannett.net> 
Sent: Wednesday, January 17, 2024 11:37 AM 
To: 'Barkley, Erik J (US 3970)' 
Cc: Ignacio.Aguilar.Sanchez at esa.int; jonathan.j.wilmot at nasa.gov; Weiss, Howard [US-US] 
Subject: RE: [EXTERNAL] RE: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information 
Security Glossary of Terms (Magenta Book, Issue 3) 
 
Erik: 
 
SANA Considerations are intended to document SANA interactions that create registries on which a Blue Book 
relies. In the case of the SANA Glossary entries, no SANA interactions take place: the Secretariat populates the 
SANA Glossary. Also, the standalone Security Glossary does not rely on the SANA Glossary (the opposite is the 
case). 
 
Beyond that, the purpose of the Security Glossary is to provide a single reference for terms used in other CCSDS 
security documents, so it is probably not desirable to draw significant attention in that document to the SANA 
Glossary, where security terms are a small subset of the whole and where those terms may have alternate 
definitions in conflict with the preferred ones in the Security Glossary. 
 
I would say if you feel some sort of reference to the SANA Glossary is necessary, it belongs in the Foreword or 
Introduction. But I leave it to you and Howie to sort that out. (I was only trying to move things along.) 
 
Tom 
 
 
Logothete, L.L.C. 
thomas.gannett at tgannett.net 
+1 443 472 0805 
 
-----Original Message----- 
From: Barkley, Erik J (US 3970) [mailto:erik.j.barkley at jpl.nasa.gov]  
Sent: Tuesday, January 16, 2024 8:27 PM 
To: Thomas Gannett 
Cc: Ignacio.Aguilar.Sanchez at esa.int; jonathan.j.wilmot at nasa.gov; Howard.Weiss at parsons.com 
Subject: RE: [EXTERNAL] RE: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information Security 
Glossary of Terms (Magenta Book, Issue 3) 
 
Tom, 
 
I think it is going in the right direction.  Does there need to be anything in the MB that indicates that the terms go 
into the SANA Glossary?   Granted that presumably all terms from BBs and MBs automatically go into the SANA 
glossary, but given that 350.8-M-3 specifically carries "Glossary" as part of its title, then perhaps there should be a 
short SANA considerations section? 
 
Best regards, 
-Erik 
 
-----Original Message----- 
From: Thomas Gannett <thomas.gannett at tgannett.net>  
Sent: Tuesday, January 16, 2024 12:52 
To: Barkley, Erik J (US 3970) <erik.j.barkley at jpl.nasa.gov> 
Cc: Ignacio.Aguilar.Sanchez at esa.int; jonathan.j.wilmot at nasa.gov; Howard.Weiss at parsons.com 
Subject: [EXTERNAL] RE: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information Security Glossary 
of Terms (Magenta Book, Issue 3) 
 
Erik: 
 
The SANA Glossary is populated with definitions from authorized CCSDS publications. We do not have any 
mechanism for CCSDS approval of definitions independent of document publication. So when the document has 
been authorized for publication by the CMC and published, the SANA Glossary will be updated to reflect the 
definitions in the new issue. 
 
Please respond by return email if the information above satisfies your condition. 
 
Tom 
 
Logothete, L.L.C. 
thomas.gannett at tgannett.net 
+1 443 472 0805 
 
-----Original Message----- 
From: CCSDS Secretariat [mailto:thomas.gannett at tgannett.net] 
Sent: Tuesday, January 16, 2024 3:40 PM 
To: Howard.Weiss at parsons.com 
Cc: Erik.Barkley at jpl.nasa.gov; Ignacio.Aguilar.Sanchez at esa.int; jonathan.j.wilmot at nasa.gov 
Subject: Re: CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information Security Glossary of Terms 
(Magenta Book, Issue 3) 
 
Dear Document Rapporteur, 
 
The CESG poll to approve publication of CCSDS 350.8-M-3, Information Security Glossary of Terms (Magenta Book, 
Issue 3) concluded with conditions. Please negotiate disposition of the conditions directly with the AD(s) who 
voted to approve with conditions and CC the Secretariat on all related correspondence. 
 
 
CESG E-Poll Identifier:  CESG-P-2023-12-005 Approval to publish CCSDS 350.8-M-3, Information Security Glossary of 
Terms (Magenta Book, Issue 3) 
 
Results of CESG poll beginning 29 December 2023 and ending 12 January 2024: 
 
                 Abstain:  0 (0%) 
 Approve Unconditionally:  1 (25%) (Cola) 
 Approve with Conditions:  3 (75%) (Barkley, Aguilar Sanchez, Wilmot) 
 Disapprove with Comment:  0 (0%) 
 
CONDITIONS/COMMENTS: 
 
     Erik Barkley (Approve with Conditions):  I am curious as to why we (CCSDS) would not use this MB to establish a 
registry of security terms rather than defining them in a document.  Perhaps the intention is that the CCSDS 
glossary will be the on-line repository of these terms?  Seems that some sort of statement and/or treatment with 
respect to SANA is needed?  At the very least to indicate that this MB does not involve SANA.  But probably 
the terms should be recorded in SANA and this should establish the authority/practice for updating the terms 
recorded in SANA?   
 
     Ignacio Aguilar Sanchez (Approve with Conditions):  Just a consideration: references [4a] and [4b] point actually 
to two versions of the same document, the update from 2022 and the previous version from 2015. Why not 
consider only the version of 2022, i.e. reference [4b]? 
 
     Jonathan Wilmot (Approve with Conditions):  1) Should access control and ACL refer to the same term? AC uses 
“resource” and ACL uses “object”  ACM uses “resource” again. The term “object” is not defined. 
 
2) Is “accreditation” done by an “accreditation authority”, or just a “senior official”?  It seems these terms should 
have a linkage. 
 
3) An overall concern is that the different referenced sources of terms may not have a cohesive set of base terms 
used in their definitions. This could lead to confusion/ambiguities for the reader. 
 
4) The referenced Glossary of Key Information Security Terms (ref 5) is a living online document that does change. 
Should this CCSDS document reference the date when the definitions were obtained? 
 
 
Total Respondents:  4 
 
No response was received from the following Area(s): 
 
     SEA 
     MOIMS 
 
 
 
SECRETARIAT INTERPRETATION OF RESULTS:  Approved with Conditions 
PROPOSED SECRETARIAT ACTION:            Generate CMC poll after conditions have been addressed 
 
* * * * * * * * * * * * * * * * * * * * * * * * 
 