Zombiesecured Appendix / Sources

This is a great reference guide for end-to-end protection concerning Enterprise Identity Access and Information Security Management. It also serves as a study guide for the Certified Information Systems Security Professional (CISSP) certification, Continuing Professional Education (CPE) credits, or general framework research.

Sources for the website include Requests for Comments (RFCs), the International Organization for Standardization (ISO), the National Institute of Standards and Technology (NIST), and other organizations' proposed standards. These are the sources that help us understand what to use and what not to use:

Good to know for Identity Access and Information Security Management

  • Fast ID Online (FIDO2) : Standards
  • Kerberos : Protocol Standards
  • Open Authentication (OAuth2) : Protocol Standards
  • OpenID : Specifications
  • Representational State Transfer (REST) : API Standards
  • Security Assertion Markup Language (SAML2) : Standards
  • Simple Object Access Protocol (SOAP 1.2) : API Standards
  • System for Cross-domain Identity Management (SCIM2) : API Specifications
  • Web Services Federation (WS-Federation) : Protocol Specifications
  • Passwordless : Security Architecture

Request for Comments (RFC)

  • RFC3853: S/MIME Advanced Encryption Standard (AES) Requirement for the Session Initiation Protocol (SIP)
  • RFC4627: The application/json Media Type for JavaScript Object Notation (JSON)
  • RFC4641: Domain Name System (DNS) Security (DNSSEC) Operational Practices
  • RFC4648: The Base16, Base32, and Base64 Data Encodings
  • RFC5155: DNS Security (DNSSEC) Hashed Authenticated Denial of Existence
  • RFC5910: Domain Name System (DNS) Security Extensions Mapping for the Extensible Provisioning Protocol (EPP)
  • RFC5915: Elliptic Curve Private Key Structure
  • RFC5958: Asymmetric Key Packages
  • RFC5652: Cryptographic Message Syntax (CMS)
  • RFC5967: The application/pkcs10 Media Type
  • RFC6234: US Secure Hash Algorithms
  • RFC6265: HTTP State Management Mechanism
  • RFC6668: SHA-2 Data Integrity Verification for the Secure Shell (SSH) Transport Layer Protocol
  • RFC6749: OAuth 2.0 Framework
  • RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
  • RFC6797: HTTP Strict Transport Security (HSTS)
  • RFC6819: OAuth 2.0 Threat Model and Security Considerations
  • RFC6962: Certificate Transparency
  • RFC7009: OAuth 2.0 Token Revocation
  • RFC7033: WebFinger
  • RFC7100: Internet Official Protocol Standards
  • RFC7165: JSON Object Signing and Encryption (JOSE)
  • RFC7191: Cryptographic Message Syntax (CMS) Encrypted Key Package Content Type
  • RFC7230: Hypertext Transfer Protocol (HTTP/1.1): Message Syntax and Routing
  • RFC7231: Hypertext Transfer Protocol (HTTP/1.1): Semantics and Content
  • RFC7232: Hypertext Transfer Protocol (HTTP/1.1): Conditional Requests
  • RFC7234: Hypertext Transfer Protocol (HTTP/1.1): Caching
  • RFC7468: Textual Encodings of PKIX, PKCS, and CMS Structures
  • RFC7515: JSON Web Signature (JWS)
  • RFC7516: JSON Web Encryption (JWE)
  • RFC7517: JSON Web Key (JWK)
  • RFC7518: JSON Web Algorithms (JWA)
  • RFC7519: JSON Web Token (JWT)
  • RFC7520: Protecting Content Using JSON Object Signing and Encryption (JOSE)
  • RFC7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7522: Security Assertion Markup Language (SAML) 2.0 Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7540: Hypertext Transfer Protocol Version 2 (HTTP/2)
  • RFC7565: The 'acct' URI Scheme
  • RFC7591: OAuth 2.0 Dynamic Client Registration Protocol
  • RFC7592: OAuth 2.0 Dynamic Client Registration Management Protocol
  • RFC7638: JSON Web Key (JWK) Thumbprint
  • RFC7642: System for Cross-domain Identity Management (SCIM): Definitions, Overview, Concepts, and Requirements
  • RFC7643: System for Cross-domain Identity Management (SCIM): Core Schema
  • RFC7644: System for Cross-domain Identity Management (SCIM): Protocol
  • RFC7662: OAuth 2.0 Token Introspection
  • RFC7748: Elliptic Curves for Security
  • RFC7797: JSON Web Signature (JWS) Unencoded Payload Option
  • RFC7800: Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
  • RFC7838: HTTP Alternative Services
  • RFC8070: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Freshness Extension
  • RFC8145: Signaling Trust Anchor Knowledge in DNS Security Extensions (DNSSEC)
  • RFC8252: OAuth 2.0 for Native Apps
  • RFC8259: The JavaScript Object Notation (JSON) Data Interchange Format
  • RFC8264: Opportunistic Security for HTTP/2
  • RFC8291: Message Encryption for Web Push
  • RFC8310: Usage Profiles for DNS over TLS and DNS over DTLS
  • RFC8399: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
  • RFC8422: Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) 1.2 and Earlier
  • RFC8423: Reclassification of Suite B Documents to Historic Status
  • RFC8446: The Transport Layer Security (TLS) Protocol Version 1.3
  • RFC8447: IANA Registry Updates for TLS and DTLS
  • RFC8449: Record Size Limit Extension for TLS
  • RFC8471: The Token Binding Protocol Version 1.0
  • RFC8472: Transport Layer Security (TLS) Extension for Token Binding Protocol Negotiation
  • RFC8473: Token Binding over HTTP
  • RFC8553: DNS AttrLeaf Changes: Fixing Specifications That Use Underscored Node Names
  • RFC8555: Automatic Certificate Management Environment (ACME)
  • RFC8556: Multicast VPN Using Bit Index Explicit Replication (BIER)
  • RFC8559: Dynamic Authorization Proxying in the Remote Authentication Dial-In User Service (RADIUS) Protocol
  • RFC8562: Bidirectional Forwarding Detection (BFD) for Multipoint Networks
  • RFC8572: Secure Zero Touch Provisioning (SZTP)
  • RFC8576: Internet of Things (IoT) Security: State of the Art and Challenges
  • RFC8588: Personal Assertion Token (PaSSporT) Extension for Signature-based Handling of Asserted information using toKENs (SHAKEN)
  • RFC8594: The Sunset HTTP Header Field
  • RFC8598: Split DNS Configuration for the Internet Key Exchange Protocol Version 2 (IKEv2)
  • RFC8600: Using Extensible Messaging and Presence Protocol (XMPP) for Security Information Exchange
  • RFC8603: Commercial National Security Algorithm (CNSA) Suite Certificate and Certificate Revocation List (CRL) Profile
  • RFC8613: Object Security for Constrained RESTful Environments (OSCORE)
  • RFC8619: Algorithm Identifiers for the HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
  • RFC8620: The JSON Meta Application Protocol (JMAP)
  • RFC8624: Algorithm Implementation Requirements and Usage Guidance for DNSSEC
  • RFC8628: OAuth 2.0 Device Authorization Grant
  • RFC8636: Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) Algorithm Agility
  • RFC8643: An Opportunistic Approach for Secure Real-time Transport Protocol (OSRTP)
  • RFC8645: Re-keying Mechanisms for Symmetric Keys
  • RFC8649: Hash Of Root Key Certificate Extension
  • RFC8080: Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC
  • RFC: Domain-based Message Authentication, Reporting & Conformance (DMARC)
  • RFC: Expect-CT Extension for HTTP
  • RFC: HTTPBis Status Pages
  • RFC: OAuth Status Pages
  • RFC: TLS Status Pages
  • User-Managed Access (UMA) 2.0 Grant for OAuth 2.0 Authorization
  • ZRTP voice encryption by Philip Zimmermann ECC curve
  • ECC in OpenPGP RFC6637
  • Microsoft for Smart Card Authentication
  • OAuth 2.0 Device Flow
  • OAuth 2.0 Token Binding
  • OAuth 2.0 Mutual TLS Client Authentication and Certificate Bound Access Tokens
  • OpenID Connect Token Bound Authentication 1.0 Draft 4
  • Extensions to OSPF for Advertising Prefix/Link Administrative Tags
  • Confidentiality in the Face of Pervasive Surveillance
  • The Open Web Application Security Project (OWASP) Certificate and Public Key Pinning
  • The Open Web Application Security Project (OWASP) Injection Theory
  • The Open Web Application Security Project (OWASP) Data Validation
  • The Open Web Application Security Project (OWASP) Transport Layer Protection Cheat Sheet Version 2
  • TOR Project Detecting Certificate Authority Compromises and Web Browser Collusion
  • International Organization for Standardization ISO 27000 Series - Information Security Management (ISM)

The following are United States (US) government-based standards:

  • National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS)
    • FIPS 140-2 - Security Requirements for Cryptographic Modules
    • FIPS 199 - Standards for Security Categorization of Federal Information and Information Systems
    • FIPS 200 - Minimum Security Requirements for Federal Information and Information Systems
    • FIPS 201 - Personal Identity Verification (PIV) of Federal Employees and Contractors
    • FIPS 202 - SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions
  • National Institute of Standards and Technology (NIST) Projects
  • National Institute of Standards and Technology (NIST) Special Publications (SP) - Wealth of Current Information!
    • SP 800-12 Rev. 1 - An Introduction to Information Security
    • SP 800-37 Rev. 2 - Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
    • SP 800-53 Rev. 5 - Security and Privacy Controls for Information Systems and Organizations
    • SP 800-107 Rev. 1 - Recommendation for Applications Using Approved Hash Algorithms
    • SP 800-125A Rev. 1 - Security Recommendations for Server-based Hypervisor Platforms
    • SP 800-133 Rev. 1 - Recommendation for Cryptographic Key Generation
    • SP 800-162 - Guide to Attribute Based Access Control (ABAC) Definition and Considerations
    • SP 800-163 Rev. 1 - Vetting the Security of Mobile Applications
    • SP 800-177 Rev. 1 - Trustworthy Email
    • SP 800-179 Rev. 1 - Guide to Securing Apple macOS 10.12 Systems for IT Professionals: A NIST Security Configuration Checklist
    • SP 800-184 - Guide for Cybersecurity Event Recovery
    • SP 800-185 - SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash
    • SP 800-190 - Application Container Security Guide
    • SP 800-192 - Verification and Test Methods for Access Control Policies/Models
    • SP 800-205 - Attribute Considerations for Access Control Systems
    • SP 800-207 - Zero Trust Architecture
    • SP 1500-4r1 - NIST Big Data Interoperability Framework: Volume 4, Security and Privacy Version 2
    • SP 1800-3 - Attribute Based Access Control (ABAC)
    • SP 1800-4 - Mobile Device Security: Cloud and Hybrid Builds
    • SP 1800-5 - IT Asset Management
    • SP 1800-6 - Domain Name System-Based Electronic Mail Security
    • SP 1800-9 - Access Rights Management for the Financial Services Sector
    • SP 1800-13 - Mobile Application Single Sign-On: Improving Authentication for Public Safety and First Responders
    • SP 1800-16 - Securing Web Transactions: TLS Server Certificate Management
    • SP 1800-17 - Multifactor Authentication for E-Commerce: Risk-Based, FIDO Universal Second Factor Implementations for Purchasers
    • SP 1800-18 - Privileged Account Management for the Financial Services Sector
    • SP 1800-19 - Trusted Cloud: Security Practice Guide for VMware Hybrid Cloud Infrastructure as a Service (IaaS) Environments
    • SP 1800-21 - Mobile Device Security: Corporate-Owned Personally-Enabled (COPE)
  • United States (US) Commercial National Security Algorithm Suite (CNSA Suite)
  • The Stig - Not the cool driver - DoD Security Technical Implementation Guides (STIGs)

Last updated: October 4th, 2019