Zombiesecured Appendix / Sources

This is a reference guide for end-to-end protection covering Enterprise Identity and Access Management, Information Security and Cyber Security Management. It also serves as a study guide for the Certified Information Systems Security Professional (CISSP) exam, Continuing Professional Education (CPE) credits, or general framework research.

Sources for the website include Requests for Comments (RFCs), International Organization for Standardization (ISO) standards, National Institute of Standards and Technology (NIST) publications, and proposed standards from other organizations. These are the sources that help us understand what to use and what not to use:

Good-to-knows for Identity, Access and Information Security Management

  • Fast ID Online (FIDO2) : Standards
  • Kerberos : Protocol Standards
  • Open Authentication (OAuth2) : Protocol Standards
  • OpenID : Specifications
  • Representational State Transfer (REST) : API Standards
  • Security Assertion Markup Language (SAML2) : Standards
  • Simple Object Access Protocol (SOAP 1.2) : API Standards
  • System for Cross-domain Identity Management (SCIM2) : API Specifications
  • Web Services Federation (WS-Federation) : Protocol Specifications
  • Passwordless : Security Architecture

Request for Comments (RFC)

  • RFC4648: The Base16, Base32, and Base64 Data Encodings
  • RFC5910: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
  • RFC5915: Elliptic Curve Private Key Structure
  • RFC5958: Asymmetric Key Packages
  • RFC5652: Cryptographic Message Syntax (CMS)
  • RFC5967: The application/pkcs10 Media Type
  • RFC6781: DNSSEC Operational Practices, Version 2
  • RFC6797: HTTP Strict Transport Security (HSTS)
  • RFC6819: OAuth 2.0 Threat Model and Security Considerations
  • RFC6840: Clarifications and Implementation Notes for DNS Security (DNSSEC)
  • RFC6962: Certificate Transparency
  • RFC7009: OAuth 2.0 Token Revocation
  • RFC7033: WebFinger
  • RFC7100: Internet Official Protocol Standards
  • RFC7101: List of Internet Official Protocol Standards
  • RFC7159: The JavaScript Object Notation (JSON) Data Interchange Format
  • RFC7165: JSON Object Signing and Encryption (JOSE)
  • RFC7191: Cryptographic Message Syntax (CMS) Encrypted Key Package Content Type
  • RFC7468: Textual Encodings of PKIX, PKCS, and CMS Structures
  • RFC7515: JSON Web Signature (JWS)
  • RFC7516: JSON Web Encryption (JWE)
  • RFC7517: JSON Web Key (JWK)
  • RFC7518: JSON Web Algorithms (JWA)
  • RFC7519: JSON Web Token (JWT)
  • RFC7520: Protecting Content Using JSON Object Signing and Encryption (JOSE)
  • RFC7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7522: Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7565: The 'acct' URI Scheme
  • RFC7591: OAuth 2.0 Dynamic Client Registration Protocol
  • RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol
  • RFC7638: JSON Web Key (JWK) Thumbprint
  • RFC7642: System for Cross-domain Identity Management (SCIM): Definitions, Overview, Concepts, and Requirements
  • RFC7643: System for Cross-domain Identity Management (SCIM): Core Schema
  • RFC7644: System for Cross-domain Identity Management (SCIM): Protocol
  • RFC7662: OAuth 2.0 Token Introspection
  • RFC7748: Elliptic Curves for Security
  • RFC7797: JSON Web Signature (JWS) Unencoded Payload Option
  • RFC7800: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
  • RFC7838: HTTP Alternative Services
  • RFC8070: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension
  • RFC8080: Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
  • RFC8145: Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
  • RFC8252: OAuth 2.0 for Native Apps
  • RFC8259: The JavaScript Object Notation (JSON) Data Interchange Format
  • RFC8264: Opportunistic Security for HTTP/2
  • RFC8291: Message Encryption for Web Push
  • RFC8310: Usage Profiles for DNS over TLS and DNS over DTLS
  • RFC8399: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
  • RFC8423: Reclassification of Suite B Documents to Historic Status
  • RFC8446: The Transport Layer Security (TLS) Protocol Version 1.3
  • RFC8447: IANA Registry Updates for TLS and DTLS
  • RFC8449: Record Size Limit Extension for TLS
  • RFC8471: The Token Binding Protocol Version 1.0
  • RFC8472: Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
  • RFC8473: Token Binding over HTTP
  • RFC8553: DNS AttrLeaf Changes: Fixing Specifications That Use Underscored Node Names
  • RFC8555: Automatic Certificate Management Environment (ACME)
  • RFC8556: Multicast VPN Using Bit Index Explicit Replication (BIER)
  • RFC8559: Dynamic Authorization Proxying in the Remote Authentication Dial-In User Service (RADIUS) Protocol
  • RFC8562: Bidirectional Forwarding Detection (BFD) for Multipoint Networks
  • RFC8572: Secure Zero Touch Provisioning (SZTP)
  • RFC8576: Internet of Things (IoT) Security: State of the Art and Challenges
  • RFC8588: Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN)
  • RFC8594: The Sunset HTTP Header Field
  • RFC8598: Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2)
  • RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange
  • RFC8603: Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) Profile
  • RFC8613: Object Security for Constrained RESTful Environments (OSCORE)
  • RFC8619: Algorithm Identifiers for the HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
  • RFC8620: The JSON Meta Application Protocol (JMAP)
  • RFC8624: Algorithm Implementation Requirements and Usage Guidance for DNSSEC
  • RFC8628: OAuth 2.0 Device Authorization Grant
  • RFC8636: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Algorithm Agility
  • RFC8643: An Opportunistic Approach for Secure Real-time Transport Protocol (OSRTP)
  • RFC8645: Re-keying Mechanisms for Symmetric Keys
  • RFC8649: Hash Of Root Key Certificate Extension
  • RFC8657: Certification Authority Authorization (CAA) Record Extensions for Account URI and Automatic Certificate Management Environment (ACME) Method Binding
  • RFC8659: DNS Certification Authority Authorization (CAA) Resource Record
  • RFC8672: TLS Server Identity Pinning with Tickets
  • RFC8693: OAuth 2.0 Token Exchange
  • RFC8705: OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access Tokens
  • RFC8707: Resource Indicators for OAuth 2.0
  • RFC8709: Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol
  • RFC8723: Double Encryption Procedures for the Secure Real-Time Transport Protocol (SRTP)
  • RFC8725: JSON Web Token Best Current Practices
  • RFC8727: JSON Binding of the Incident Object Description Exchange Format
  • RFC8731: Secure Shell (SSH) Key Exchange Method Using Curve25519 and Curve448
  • RFC8734: Elliptic Curve Cryptography (ECC) Brainpool Curves for Transport Layer Security (TLS) Version 1.3
  • RFC8743: Multi-Access Management Services (MAMS)
  • RFC8744: Issues and Requirements for Server Name Identification (SNI) Encryption in TLS
  • RFC8773: TLS 1.3 Extension for Certificate-Based Authentication with an External Pre-Shared Key
  • RFC8805: A Format for Self-Published IP Geolocation Feeds
  • RFC8807: Login Security Extension for the Extensible Provisioning Protocol (EPP)
  • RFC8813: Clarifications for Elliptic Curve Cryptography Subject Public Key Information
  • RFC8829: JavaScript Session Establishment Protocol (JSEP)
  • RFC8879: TLS Certificate Compression
  • RFC8882: DNS-Based Service Discovery (DNS-SD) Privacy and Security Requirements
  • RFC8898: Third-Party Token-Based Authentication and Authorization for Session Initiation Protocol (SIP)
  • RFC8902: TLS Authentication Using Intelligent Transport System (ITS) Certificates
  • RFC8927: JSON Type Definition
  • RFC8945: Secret Key Transaction Authentication for DNS (TSIG)
  • RFC8946: Personal Assertion Token (PASSporT) Extension for Diverted Calls
  • RFC8996: Deprecating TLS 1.0 and TLS 1.1
  • RFC9048: Improved Extensible Authentication Protocol Method for 3GPP Mobile Network Authentication and Key Agreement (EAP-AKA')
  • RFC9063: Host Identity Protocol Architecture
  • RFC9076: DNS Privacy Considerations
  • RFC9083: JSON Responses for the Registration Data Access Protocol (RDAP)
  • RFC9101: The OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR)
  • RFC9110: HTTP Semantics
  • RFC9111: HTTP Caching
  • RFC9112: HTTP/1.1
  • RFC9113: HTTP/2
  • RFC9114: HTTP/3
  • RFC9126: OAuth 2.0 Pushed Authorization Requests
  • RFC9142: Key Exchange (KEX) Method Updates and Recommendations for Secure Shell (SSH)
  • RFC9150: TLS 1.3 Authentication and Integrity-Only Cipher Suites
  • RFC9156: DNS Query Name Minimisation to Improve Privacy
  • RFC9157: Revised IANA Considerations for DNSSEC
  • RFC9200: Authentication and Authorization for Constrained Environments Using the OAuth 2.0 Framework (ACE-OAuth)
  • RFC9201: Additional OAuth Parameters for Authentication and Authorization for Constrained Environments (ACE)
  • RFC9202: Datagram Transport Layer Security (DTLS) Profile for Authentication and Authorization for Constrained Environments (ACE)
  • RFC9203: The Object Security for Constrained RESTful Environments (OSCORE) Profile of the Authentication and Authorization for Constrained Environments (ACE) Framework
  • RFC9204: QPACK: Field Compression for HTTP/3
  • RFC9205: Building Protocols with HTTP
  • RFC9206: Commercial National Security Algorithm (CNSA) Suite Cryptography for Internet Protocol Security (IPsec)
  • RFC9207: OAuth 2.0 Authorization Server Issuer Identification
  • RFC9237: An Authorization Information Format (AIF) for Authentication and Authorization for Constrained Environments (ACE)
  • RFC9258: Importing External Pre-Shared Keys (PSKs) for TLS 1.3
  • RFC9261: Exported Authenticators in TLS
  • RFC9293: Transmission Control Protocol (TCP)
  • RFC9295: Clarifications for Ed25519, Ed448, X25519, and X448 Algorithm Identifiers
  • RFC9298: Proxying UDP in HTTP
  • RFC9299: An Architectural Introduction to the Locator/ID Separation Protocol (LISP)
  • RFC: Domain-based Message Authentication, Reporting & Conformance (DMARC)
  • RFC: Expect-CT Extension for HTTP
  • RFC: HTTPBis Status Pages
  • RFC: OAuth Status Pages
  • RFC: TLS Status Pages
  • User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization
  • ZRTP voice encryption by Philip Zimmermann ECC curve
  • ECC in OpenPGP RFC6637
  • Microsoft for Smart Card Authentication
  • OAuth 2.0 Device Flow
  • OAuth 2.0 Token Binding
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
  • OpenID Connect Token Bound Authentication 1.0 Draft 4
  • Extensions to OSPF for Advertising Prefix/Link Administrative Tags
  • Confidentiality in the Face of Pervasive Surveillance
  • The Open Web Application Security Project (OWASP) Certificate and Public Key Pinning
  • The Open Web Application Security Project (OWASP) Injection Theory
  • The Open Web Application Security Project (OWASP) Transport Layer Protection Cheat Sheet Version 2
  • TOR Project Detecting Certificate Authority Compromises and Web Browser Collusion
  • International Organization for Standardization ISO 27000 Series - Information Security Management (ISM)

The following are United States (US) Government-based standards:

  • National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS)
    • FIPS 140-2 - Security Requirements for Cryptographic Modules (Final)
    • FIPS 140-3 - Security Requirements for Cryptographic Modules (Development)
    • FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
    • FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems
    • FIPS 201 - Personal Identity Verification (PIV) of Federal Employees and Contractors
    • FIPS 202 - SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
  • National Institute of Standards and Technology (NIST) Projects
  • National Institute of Standards and Technology (NIST) Special Publications (SP) - Wealth of Current Information!
    • SP 800-12 Rev. 1 - An Introduction to Information Security
    • SP 800-37 Rev. 2 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
    • SP 800-53 Rev. 5 - Security and Privacy Controls for Information Systems and Organizations
    • SP 800-107 Rev. 1 - Recommendation for Applications Using Approved Hash Algorithms
    • SP 800-125A Rev. 1 - Security Recommendations for Server-based Hypervisor Platforms
    • SP 800-133 Rev. 1 - Recommendation for Cryptographic Key Generation
    • SP 800-162 - Guide to Attribute Based Access Control (ABAC) Definition and Considerations
    • SP 800-163 Rev. 1 - Vetting the Security of Mobile Applications
    • SP 800-177 Rev. 1 - Trustworthy Email
    • SP 800-179 Rev. 1 - Guide to Securing Apple macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist
    • SP 800-184 - Guide for Cybersecurity Event Recovery
    • SP 800-185 - SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
    • SP 800-190 - Application Container Security Guide
    • SP 800-192 - Verification and Test Methods for Access Control Policies/Models
    • SP 800-205 - Attribute Considerations for Access Control Systems
    • SP 800-207 - Zero Trust Architecture
    • SP 1500-4r2 - NIST Big Data Interoperability Framework: Volume 4, Security and Privacy Version 2
    • SP 1800-3 - Attribute Based Access Control (ABAC)
    • SP 1800-4 - Mobile Device Security: Cloud and Hybrid Builds
    • SP 1800-5 - IT Asset Management
    • SP 1800-6 - Domain Name System-Based Electronic Mail Security
    • SP 1800-9 - Access Rights Management for the Financial Services Sector
    • SP 1800-13 - Mobile Application Single Sign-On: Improving Authentication for Public Safety and First Responders
    • SP 1800-16 - Securing Web Transactions: TLS Server Certificate Management
    • SP 1800-17 - Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers
    • SP 1800-18 - Privileged Account Management for the Financial Services Sector
    • SP 1800-19 - Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments
    • SP 1800-21 - Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)
    • SP 1800-22 - Mobile Device Security: Bring Your Own Device (BYOD)
    • SP 1800-24 - Securing Picture Archiving and Communication System (PACS): Cybersecurity for the Healthcare Sector
    • SP 1800-25 - Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
    • SP 1800-32 - Securing Distributed Energy Resources: An Example of Industrial Internet of Things Cybersecurity
    • SP 1800-34 - Validating the Integrity of Computing Devices
    • SP 1800-35 - Implementing a Zero Trust Architecture
  • United States (US) Commercial National Security Algorithm Suite (CNSA Suite)
  • The Stig - Not the cool driver - DoD Security Technical Implementation Guides (STIGs)