Dear all,
Q.2/16 has scheduled Draft ITU-T Recommendation H.460.mb “Message Broadcast for H.323 Systems” for possible consent at the forthcoming SG16 meeting in April.
The latest draft of H.460.mb is available at:
http://ftp3.itu.ch/av-arch/avc-site/2005-2008/0511_Gen/AVD-2813a.zip
Unfortunately, Q.25 did not have a discussion of the potential security issues around H.460.mb at the last joint Rapporteurs Meeting in November 2005/Geneva.
The draft text raises a few security questions as open issues within Editor notes; there may or may not be more security issues which are not yet identified in the text; and there are also other non-security issues in the document that may deserve some closer view.
Together with Paul Jones (Q.2/16 Rapporteur), I would like to take this opportunity to raise the issue at this point in time with the intention to solicit mailing list discussion and/or call for input contributions into the next SG16 meeting, allowing the two Questions to have a fruitful discussion on the draft and to determine how we move forward.
Allow me to make a couple of remarks and also ask a few guiding questions:
- H.460.mb operates in a multicast environment where H.323-based announcement servers broadcast to a pre-defined set of H.323 receivers/endpoints. As such, we could be interested to study how to secure such an environment. What type of security do we need, how to secure the involved entities?
- To which degree can we leverage existing H.235.x Recommendations for usage in H.460.mb?
- Where (signaling protection, media protection) do we need to study new (multicast) security mechanisms for this particular application?
- Can we re-use any existing work from other groups for this purpose?
- Should security for H.460.mb be addressed at this point in time, or can we add in whatever security measures are necessary at a later/future point in time?
- If we have to do something at least on security, what should it be about? What is the most pressing requirement from the market point of view?
- Which security infrastructure is adequate for such a multicast scenario? Shared keys, PKI; key management, statically configured, dynamically negotiable?
- …
Looking forward to your interest, feedback, views, contributions…
Martin Euchner.
---------------------------------------------------------------------
| Dipl.-Inf.          Rapporteur Q.25/16
| Martin Euchner      Phone: +49 89 722 55790
| Siemens AG          Fax: +49 89 722 62366
| COM GCM PS 3        mailto:Martin.Euchner@siemens.com
|                     mailto:martin.euchner@ties.itu.int
| Hofmannstr. 51      Intranet: http://ietf.icn.siemens.de/sr3/Standardisation_Topics/security/
| D-81359 Muenchen    Internet: http://www.siemens.de/
| Germany
---------------------------------------------------------------------