[OAUTH-WG] New Liaison Statement, "LS on the new work item on Functional requirements for the integrated authentication service of telecommunication operators"

Liaison Statement Management Tool <statements@ietf.org> Tue, 26 March 2024 18:43 UTC

From: Liaison Statement Management Tool <statements@ietf.org>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: Deb Cooley <debcooley1@gmail.com>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Paul Wouters <paul.wouters@aiven.io>, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, Scott Mansfield <Scott.Mansfield@Ericsson.com>, Web Authorization Protocol Discussion List <oauth@ietf.org>, gaofeng149@chinaunicom.cn, hyyoum@sch.ac.kr, itu-t-liaison@iab.org, jhnah@etri.re.kr, liaison-coordination@iab.org
Message-ID: <171147861935.33041.4757251430200286357@ietfa.amsl.com>
Date: Tue, 26 Mar 2024 11:43:39 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ew13kwRsZ5qWFbGlGwl_26rEH4Q>
Subject: [OAUTH-WG] New Liaison Statement, "LS on the new work item on Functional requirements for the integrated authentication service of telecommunication operators"

Title: LS on the new work item on Functional requirements for the integrated authentication service of telecommunication operators
Submission Date: 2024-03-26
URL of the IETF Web page: https://datatracker.ietf.org/liaison/1904/

From: Xiaoya Yang <tsbsg17@itu.int>
To: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>,Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: Hannes Tschofenig <Hannes.Tschofenig@gmx.net>,Web Authorization Protocol Discussion List <oauth@ietf.org>,Scott Mansfield <Scott.Mansfield@Ericsson.com>,itu-t-liaison@iab.org <itu-t-liaison@iab.org>,Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>,Paul Wouters <paul.wouters@aiven.io>,Deb Cooley <debcooley1@gmail.com>
Response Contacts: hyyoum@sch.ac.kr, jhnah@etri.re.kr, gaofeng149@chinaunicom.cn
Technical Contacts: 
Purpose: For information

Body: ITU-T Study Group 17 informs ISO/IEC JTC 1/SC 27/WG 2 & WG 5, IETF Security OAuth about the establishment of a new work item ITU-T X.ias (Functional requirements for the integrated authentication service of telecommunication operators), which was approved at the ITU-T SG17 meeting (20 February - 1 March 2024).

The new work item would recommend an integrated authentication service provided by telecommunication operators.

ITU-T SG17 looks forward to keeping continued collaboration and exchange with you on the topics of authentication service and beyond.

Attachment (1):
- Scope and Summary of new work item on ITU-T X.ias, Functional requirements for the integrated authentication service of telecommunication operators
 
Attachment 1

Draft Recommendation ITU-T X.ias 
Functional requirements for the integrated authentication service of telecommunication operators

Scope:
This Draft Recommendation would recommend an integrated authentication service provided by telecommunication operators. The integrated authentication service would utilize the published authentication standardization works to combine the popular authentication capabilities (such as authentication factors, protocols, etc.) so as to be secure and flexible. This recommendation would identify the security risks on the authentication process and function required by the enterprise customers. Then it would analyze the security and usability requirements of an authentication service. And it would recommend functional requirements of the integrated authentication service on framework, management, processes, network resources, protocols and terminal characteristics, respectively. The enterprise customers could adopt and customize the integrated authentication service with the full consideration of security and usability. It is important to note that the users’ identity, password, certificate and token will be stored within and controlled by the business application, not the integrated authentication service.

Summary:
The security of identity authentication would be the first gate to ensure business security, and it should be one of the most basic security services. So many other security services depend on it. Once the identity authentication system was breached, most of the security measures of a business system would become vulnerable. At present, so many enterprises (esp. small and medium-sized ones) have not yet been able to establish their own comprehensive identity authentication systems with full consideration of security and protection requirements. As a result, it would be hard to resist network attack threats such as authentication information leakage, malicious login, and password brute force cracking, which would pose huge security risks to their businesses.
Telecommunication operators have comprehensive communication network infrastructures and security management technology protection systems. Currently, telecommunication operators provide users with not only large-scale connection services, but also a large number of information services. Furthermore, users would have convenient and unique identity labels based on mobile phone numbers and SIM cards provided by telecommunication operators.
Therefore, it is necessary to establish integrated authentication service standards for telecommunications operators to regulate the market, enhance the quality of authentication services, and ensure the security of account systems. This recommendation proposes an integrated authentication service framework for telecommunications operators, outlining the security technical requirements for the infrastructure, functions, management systems, and network architecture of telecommunications operator integrated authentication services. This recommendation provides standard references for the research of secure authentication capabilities, security deployment, and security assessments for the integrated authentication service system of telecommunications operators.

Attachments:

    sp17-sg17-oLS-00124
    https://www.ietf.org/lib/dt/documents/LIAISON/liaison-2024-03-26-itu-t-sg-17-oauth-ls-on-the-new-work-item-on-functional-requirements-for-the-integrated-authentication-service-of-telecommunication-o-attachment-1.docx