Security Standards, Laws, and Guidelines
This page is a subsection of the Crypto link farm.
Links to further crypto and security-related information can be found there.
- A Guide to Understanding Data Remanence in Automated Information Systems
- A Novice's Guide to the IETF
- Good guide to how the IETF works (useful for understanding the IETF standards process).
- ACSI 33
- Security guidelines for Australian government IT systems (typical unclassified-level security guidelines).
- Advanced Encryption Standard (AES) Development Effort
- NIST's AES information page.
- AICPA Exposure Draft of the WebTrust Principles and Criteria
- Webtrust (US and Canadian CPA) CA certification guidelines, brought to you in a Micros~1-friendly format.
- An Analysis of PGP's Trust Model
- ATM Security Page
- Asynchronous Transfer Mode security standards, products, publications, and work in progress.
- Außenhandelsgesetz - Dual Use Güter
- Austrian (EU-derived) export restrictions on dual-use goods, crypto included.
- Australian Controls on the export of Defence and Strategic Goods
- Australia's Legal Framework for Electronic Commerce
- Australian government work on establishing a legal framework for e-commerce.
- Banking technology resource home page
- Links to info on ATMs, crypto, standards, publications.
- Biometric Application Programming Interface (BAPI)
- Biometric API documentation and information.
- Canadian Cryptography
- Canadian government position and information on cryptography.
- CAVE encryption algorithm
- The (deliberately crippled) US cellular phone authentication and key-generation algorithm (Cellular Authentication and Voice Encryption), the "encryption" part being mostly aspirational.
- CDSA - Common Data Security Architecture
- CDSA specs from the OpenGroup.
- Cloud Cover
- GCHQ's government-access-to-keys (GAK) PKI.
- Commerce At Light Speed-EDI
- Various links to EDI/EDIFACT information.
- Commercial Encryption Export Controls
- ITAR (under new management).
- Common Criteria Project -- HomePage
- ISO 9000 for computer security.
- Common Data Security Architecture
- CDSA specs from Intel (unlike the OpenGroup, you don't have to be a member to get this version).
- Communications Assistance for Law Enforcement Act
- FBI universal surveillance act, since used as a blueprint in other countries (eg Enfopol in Europe).
- Computer seizure guidelines
- US federal guidelines for searching and seizing computers.
- Computer Security Objects Register
- NIST security-related object identifier registry.
- Cryptographic Standards Library
- FIPS 140-1, 46-2, 74, 81, 171, 180, DOD 5200.28-STD (TCSEC), 5220.22-M, NCSC-TG-25.
- Cryptographic Standards Validation Programs at NIST
- Validation information and suites for DES, Skipjack, DSA, and crypto modules.
- CSP Designators
- Crypto designators for WWII-era and early postwar comsec gear.
- DAP Malaysia National Homepage
- Malaysian computer crimes, digital signature, and telemedicine bills.
- Derived Test Requirements for FIPS 140-1
- Requirements for FIPS 140-1 compliance testing.
- Digital Signature Guidelines
- ABA Digital Signature Guidelines
- Draft UNCITRAL
- Draft UN law on electronic commerce.
- Digital Signature Standard Validation System (DSSVS) User's Guide
- Validation suite for DSA and SHA.
- DNSSEC - Securing the Domain Name System
- DNSSEC projects, tools, and information.
- DTI - Strategic Export Controls
- DTI report on tightening export controls further to provide the illusion of stopping all crypto getting out.
- ECBS Publications
- European Committee for Banking Standards security-related publications.
- Electronic commerce: Commission proposes electronic signatures Directive
- EU digital signature directive.
- Export Administration Regulations (EAR)
- Latest version of the ITAR (which became the DTR, and now the EAR).
- ECMA Standards (Blue cover)
- EDI Security
- An overview of EDI security.
- EDIFACT Security Implementation Guidelines
- EDIFACT security... dear oh dear.
- EESSI Work Items
- ETSI/CEN digital signature and PKI work in progress.
- Electronic Commerce: A Guide for the Business and Legal Community
- NZ Law Commission report on e-commerce.
- Electronic Commerce, EDI, EDIFACT and Security
- Internet electronic commerce security (PEM, PGP, SHTTP, S/MIME, SET, SSL, etc), EDI security (X.12, EWOS), EDIFACT security, other EDI and EDIFACT standards.
- EMV sets standards for global integration of Chip cards
- Standards for smart cards, smart card terminals, and applications.
- ETSI Publications
- All ETSI standards documents available online for free.
- ETSI TC SEC Homepage
- ETSI technical committee on security home page.
- Excerpts from the Export Control List of Canada
- The sections which apply to crypto software/hardware.
- Extended Log File Format
- W3C extended log file format for WWW servers (self-describing via a #Fields directive, unlike the fixed-column common logfile format).
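As an added example (not code from the page or from the W3C draft it links to), the parser below reads the extended log file format as the draft defines it: lines beginning with "#" are directives, "#Fields:" names the columns of every following entry, entries are space-separated, and "-" marks an absent value. It then runs two small checks a log reviewer would want, a sweep for ".." path segments in percent-decoded URI stems and a count of 4xx/5xx responses per client. The log lines are constructed sample data, not real traffic; the field names are the standard prefixed ones from the draft (c-ip, cs-uri-stem, sc-status, and so on).

```python
"""W3C Extended Log File Format parser plus a small review pass (added example)."""

from collections import Counter
from urllib.parse import unquote

# Constructed sample log for the example; not captured from any real server.
SAMPLE_LOG = """\
#Software: example-httpd
#Version: 1.0
#Date: 1999-03-02 00:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1999-03-02 00:34:23 10.0.0.5 GET /index.html - 200
1999-03-02 00:34:24 10.0.0.5 GET /images/logo.gif - 200
1999-03-02 00:35:01 192.0.2.7 GET /cgi-bin/../../etc/passwd - 404
1999-03-02 00:35:02 192.0.2.7 GET /search.cgi q=foo 500
1999-03-02 00:35:03 192.0.2.7 GET /..%2f..%2fetc/passwd - 403
"""


def parse_extended_log(text: str) -> list:
    """Return one dict per entry, keyed by the names given in the #Fields directive.

    Absent values ("-") become None. Entries that appear before any #Fields
    directive, or whose column count does not match it, are rejected rather than
    silently misaligned, since a misaligned column is how a hostile client
    smuggles a fake status or IP past a naive log review.
    """
    fields = None
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            directive, _, value = line[1:].partition(":")
            if directive.strip() == "Fields":
                fields = value.split()
            continue  # other directives (#Version, #Date, #Software) are informational
        if fields is None:
            raise ValueError(f"line {lineno}: entry before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        entries.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return entries


def find_traversal(entries) -> list:
    """Entries whose percent-decoded cs-uri-stem contains a '..' path segment."""
    hits = []
    for e in entries:
        stem = e.get("cs-uri-stem")
        # Decode first: "%2f" separators hide ".." from a check on the raw string.
        if stem and ".." in unquote(stem).split("/"):
            hits.append(e)
    return hits


def errors_by_client(entries) -> Counter:
    """Count of 4xx and 5xx responses per client IP."""
    counts = Counter()
    for e in entries:
        status = e.get("sc-status")
        if status and status[0] in "45":
            counts[e["c-ip"]] += 1
    return counts


if __name__ == "__main__":
    parsed = parse_extended_log(SAMPLE_LOG)
    for hit in find_traversal(parsed):
        print("traversal attempt:", hit["c-ip"], hit["cs-uri-stem"])
    print("errors per client:", dict(errors_by_client(parsed)))
```

The column-count check matters more than it looks: a client that can inject whitespace into a logged field can shift every later column, so a reviewer counting on sc-status being where #Fields says it is should refuse rather than guess.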
- Extensions to PGP Key Format
- Extensions to the PGP key format for PGP 5.
- FIPS Home Page
- Federal Information Processing Standards (including many crypto standards).
- German Digital Signature Law
- Draft of the law with related press releases and information.
- GiTS Security
- Crypto security API overview.
- GSM Security and Encryption
- Overview of GSM security and encryption.
- HA-API
- Human Authentication API (biometrics API).
- IEEE P1363
- RSA, Diffie-Hellman, elliptic curve, and related public-key cryptography (P1363)
- IETF RFC Index
- RFCs indexed in various ways.
- Information Technology Security Branch
- RCMP IT security bulletins and information.
- International Wassenaar Crypto Campaign
- EFA-coordinated Wassenaar crypto campaign.
- Internet drafts
- Internet-Drafts, the IETF working documents that may eventually become RFCs.
- Internet Mail Standards
- Including S/MIME, PGP/MIME, MSP security in MIME, simple authentication and security layer (SASL), and mail ubiquitous security extensions (MUSE).
- IESS Specs
- Intelsat specs - roll your own Echelon.
- IP Security Protocol (ipsec) Charter
- IPSEC drafts and RFCs.
- IP Security Working Group News
- IPSEC specifications, drafts, related drafts, mailing list archives, and implementations.
- ISAKMP and Oakley Information
- Internet security association and key management protocol information.
- ISO SC27 Standing Document 7
- Abstracts for various ISO security standards.
- ISO Standards
- X.400, 500, 600, 700, 800. Get 'em quick before the ISO forces them offline.
- ISO-IEC-9594
- X.500 standards (including X.509) as Postscript files.
- ISO/IEC 7816 in HTML
- Online version of the ISO 7816 series (non-ISO copyrighted version, save a small fortune).
- ISO/IEC JTC1/SC17 Website
- ISO smart card standards group home page.
- IT Baseline Protection Manual
- BSI (German NSA) infosec manual.
- ITU series X Recommendations - Data networks and open system communication
- This includes X.400 and X.500 security-related standards. Note that you can get a lot of these free elsewhere if you know where to look (check some of the links on this page).
- List of CWAs
- CEN workshop agreements on e-commerce, digital signatures, smart cards.
- Maßnahmenkataloge zum Gesetz zur digitalen Signatur
- BSI guidelines for implementing the German digital signature law (algorithms, protocols, and services).
- Malbolge
- Not directly a crypto standard, but it provided the inspiration for the X9.31 signature encoding.
- MEDSEC
- EU medical security and privacy project.
- Microsoft Security Technologies
- Authenticode, CryptoAPI, SSL and PCT, SET.
- MISSI v2.0 Architecture Documents
- MISSI/MSP/SDNS/MSP+MIME specifications.
- Netscape Certificate Extensions Specification
- Netscape's private extensions to X.509.
- NIAP
- NIST/NSA Common Criteria security evaluation program.
- NIST Computer Security Standards
- FIPS and NIST special publications
- NIST's DES Validation List
- List of NIST-validated DES implementations.
- NORMOS: Internet Engineering Standards Repository
- Access to IETF, RIPE, W3C, IANA, and SET standards and drafts by name, number, full-text search, etc.
- NOT the Orange Book
- Far more readable (and therefore useful) form of the Orange Book and other bits of the rainbow.
- Novell Certificate Extension Attributes
- Novell's X.509v3 certificate extensions.
- NT Security - Frequently Asked Questions
- OECD Draft Guidelines for Cryptography Policy
- Leaked copies of the OECD crypto guidelines.
- OECD guidelines comments
- Stewart Baker's comments on the creation of the OECD crypto guidelines.
- OID assignments from the top node
- Play the ASN.1 object identifier game! See if you can find an OID for the algorithm you're looking for (and if not, invent your own). Win magnificent prizes, etc etc.
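Both OID registries listed on this page (NIST's Computer Security Objects Register above and the top-node assignments here) hand back dotted-decimal identifiers, while what turns up inside certificates, PKCS and S/MIME structures is their DER encoding. As an added example (not code from the page or from either registry), here is the X.690 OBJECT IDENTIFIER encoding in both directions: the first two arcs are folded into one subidentifier as 40*X+Y, each subidentifier is written base-128 big-endian with the high bit set on every octet but the last, and a subidentifier may not start with 0x80 (non-minimal encodings are rejected, since two different byte strings naming the same algorithm is exactly the ambiguity a parser should refuse). The short lookup table holds standard registrations (RSA, ECDSA, SHA-256 and the X.509 keyUsage extension) and is there only so the decoder can be tried against something recognisable.

```python
"""DER encode/decode of ASN.1 OBJECT IDENTIFIERs per X.690 section 8.19 (added example)."""

# Standard registrations, included so decoded OIDs can be named; not an exhaustive table.
KNOWN_OIDS = {
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "2.16.840.1.101.3.4.2.1": "id-sha256",
    "2.5.29.15": "id-ce-keyUsage",
}


def _encode_subid(value: int) -> bytes:
    """Base-128, big-endian, continuation bit (0x80) on all but the last octet."""
    out = [value & 0x7F]
    value >>= 7
    while value:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """Dotted-decimal OID -> complete DER TLV (tag 0x06, short-form length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or any(a < 0 for a in arcs):
        raise ValueError("an OID needs at least two non-negative arcs")
    if arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("first arc must be 0, 1 or 2; second arc < 40 unless the first is 2")
    body = _encode_subid(arcs[0] * 40 + arcs[1])  # first two arcs share one subidentifier
    for a in arcs[2:]:
        body += _encode_subid(a)
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + body


def decode_oid(der: bytes) -> str:
    """Complete DER TLV -> dotted-decimal OID, rejecting malformed input."""
    if len(der) < 3 or der[0] != 0x06:
        raise ValueError("not an OBJECT IDENTIFIER")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported length")
    subids = []
    value = 0
    in_progress = False
    for b in der[2:]:
        if not in_progress and b == 0x80:
            raise ValueError("non-minimal subidentifier encoding")  # DER forbids leading 0x80
        value = (value << 7) | (b & 0x7F)
        in_progress = bool(b & 0x80)
        if not in_progress:
            subids.append(value)
            value = 0
    if in_progress:
        raise ValueError("truncated subidentifier")
    first = subids[0]
    # X = 0 for 0..39, 1 for 40..79, 2 for anything above (Y may then exceed 39).
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    arcs.extend(subids[1:])
    return ".".join(str(a) for a in arcs)


def name_of(der: bytes) -> str:
    """Look a DER-encoded OID up in the small table above."""
    dotted = decode_oid(der)
    return KNOWN_OIDS.get(dotted, "unknown OID " + dotted)


if __name__ == "__main__":
    for dotted in KNOWN_OIDS:
        der = encode_oid(dotted)
        assert decode_oid(der) == dotted
        print(f"{dotted:28} {der.hex()}  {KNOWN_OIDS[dotted]}")
    print("2.999 ->", encode_oid("2.999").hex())  # the X.690 worked example: 06 02 88 37
```

The "2.999" case is the one that trips up hand-rolled decoders: the first subidentifier is 2*40+999 = 1079, which does not fit in a single octet, so an implementation that assumes the first byte alone yields X and Y will mis-parse every OID under the joint-iso-itu-t arc with a large second component.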
- OII - Electronic Data Interchange Standards
- Links to various EDI standards.
- Open Systems Environment Implementors Workshop
- You may be able to find bits and pieces of X.500 (including X.509) information here which are a lot more up to date than the ISO/ITU ones.
- Orange Book Links
- Orange Book information and products.
- OSS - ASN.1 Reference - ASN.1 Reference Books
- ASN.1 reference material.
- PKCS
- RSADSI Public Key Cryptography Standards.
- PKCS #11
- PKCS #11 information, implementations, vendors, utilities.
- Posix.1e
- Never-finished Posix standard for security interfaces to handle ACLs, auditing, capabilities, and information labelling.
- Public Key Infrastructure References
- Public-key infrastructures (X.509, X.509-related RFCs, other documents).
- Rainbow Books
- The DoD rainbow books and other security publications.
- Rainbow Series Library
- DOD Rainbow books as text, PDF, or Postscript.
- RFCs about Security
- Security RFCs sorted by title (also available sorted by number and author(s)).
- secg - standards for efficient cryptography group
- Certicom's ECC standards effort.
- Secure HTTP Information
- S-HTTP specs and information.
- Security & Electronic Commerce
- X/Open security, DCE, and GCS-API.
- Security Guidelines
- Australia/NZ GOSIP security guidelines.
- Security Multiparts for MIME
- Various security extensions for MIME.
- Security Standards
- Catalogue of international security-related standards and standards organisations.
- Security Technologies
- Microsoft's security standardisation efforts.
- SET (Secure Electronic Transactions)
- SET message definitions.
- SET Electronic Commerce
- SET standards, and updates.
- Signature Directive Consultation
- Comments on proposed EU digital signature directive.
- Signaturgesetz (SigG) / Europäische Gesetzgebung
- Background information for the German digital signature law (SigG) and the related European legislation.
- SKIPJACK and KEA Algorithms
- Specifications for Skipjack and KEA from Clipper.
- Skipjack: KEA Errata
- Errata for KEA test vectors in original spec.
- Software Industry Issues: Digital Signatures
- Links to various digital signature law initiatives.
- Source Code Review Guidelines
- General guidelines for writing security-conscious code.
- Speech Recognition API (SRAPI) Home Page
- Speech recognition/speaker verification API.
- SSL 3.0 Specification
- SSL 3.0 spec (online version and as a PostScript file).
- Summary of Changes to WA List
- Summary of the changes made from Wassenaar'96 to Wassenaar'99.
- TACACS+ FAQ
- Cisco's TACACS+ FAQ.
- Technical Advisory Committee to Develop a Federal Information Processing Standard for the Federal Key Management Infrastructure
- US attempt at a GAK standard. One-sentence summary of the results: "We have no idea how to make this thing work".
- Technical Security Standard for Information Technology (TSSIT)
- RCMP security standard.
- Teletrust Algorithmenbeschreibung
- Teletrust security architecture algorithms specification.
- Teletrust Deutschland e.V.
- Industry group/standards body formed to support security and authentication in communications. Page requires Java to be enabled to work.
- The Wassenaar agreement.
- The successor to COCOM, which restricts movements of dangerous technology such as biological, nuclear, and chemical weapons, missiles, artillery, and encryption software.
- TNO-FEL: Common Criteria
- Common security evaluation criteria.
- Transport Layer Security (TLS) Working Group
- Home page of the TLS WG.
- UNCITRAL Home Page
- UN Commission on International Trade Law home page (includes UNCITRAL draft e-commerce law).
- UK ITSEC scheme
- UK ITSEC documentation and information.
- Unix secure source code checklist
- AusCERT checklist for programmers writing security-conscious Unix code.
- Visa-Smart Cards-Protection Profile
- VISA's profile of the Common Criteria for smart cards.
- WA-LIST (98)
- 1998 Wassenaar (more correctly US State Department) control lists as Word and PDF files.
- WA-LIST (98) / HTML
- As above but translated into HTML
- WAP Forum
- WTLS specification.
- Wassenaar an der Donau
- Article about the Wassenaar Secretariat in Vienna.
- Wassenaar Arrangement
- The Wassenaar Arrangement as obtained from leaks or freedom-of-information lawsuits.
- Wassenaar Arrangement - US control lists
- The Wassenaar control lists as crowbarred from the US State Department by an FOIA request.
- Wassenaar Arrangement
- The final solution to the crypto problem.
- What is DMS?
- The Defense Messaging System - like X.400 and X.500, but not as simple.
- Windows Cryptosystem Guidelines
- Security guidelines for encryption under Windows.
- WWW-Security Reference page
- Internet standards bodies, HTTP security proposals, IETF working groups, Internet standards, mailing lists.
- X9 Home Page
- ANSI X9 standards (including crypto standards).