VoiceXML Forum

The Security and Identity Committee is a newly chartered exploratory committee and its primary objective is to define the scope, deliverables and priorities for a standing committee on security and identity.

The exploratory committee is formed in recognition of the increasing need for VoiceXML applications to play an ever more important and pervasive role in critical applications including those that provide authentication and secure access to applications and system resources. The growing number and continual evolution of security attacks require industry and organizational use of established security methodologies including process-oriented and technical approaches. The expanding regulatory environment also drives the need for secure VoiceXML.

The Security and Identity Committee will develop a Security Framework which is a collection of security-related knowledge within the context of the VoiceXML space. The committee will utilize established security approaches from leading security organizations such as NIST, OWASP and ISO as appropriate and apply them to the VoiceXML space. Developed guidelines are anticipated to identify threats and potential vulnerabilities as well as offer suggested process and technology controls to protect against the threats.

 Some anticipated benefits of the security framework are the following:

• Clarify `secure' solutions, recommended approaches and related standards
• Facilitate deployment of secure VoiceXML within identity applications and frameworks in enterprise and hosted environments
• Instill confidence in secure voice technologies at the executive level and below.
• Mitigate the potential of negative incidences within the VoiceXML space
• Minimize costly rework and delays due to late detection in the development lifecycle of security exposures
• The Security and Identity committee is dedicated to explaining the issues and offering recommendations to executives (decision makers), project/program managers, system architects, voice platform developers (companies), technology providers (i.e. engine vendors), software architects, application developers, and system administrators.

 1 Summary

2 Goals and Scope

This exploratory committee will define the scope and deliverables for a standing committee on security and identity. The composition and interests of the exploratory effort will set the initial agenda but are anticipated to include guidelines covering platform and application security, and guidelines describing techniques and issues related to identity resolution in VoiceXML.

3 Dependencies

 There are several external efforts that may influence the eventual charter for this group.

• Internet Engineering Task Force (IETF) - The IETF has defined many of the security protocols used for exchanging data (media, application documents, etc.) between components of a VoiceXML deployment.
• Open Mobile Alliance (OMA) - The OMA has created several standards covering security for communication between mobile clients and serves and for and identity resolution. This work includes a number of hardware and software mechanisms.
• World Wide Web Consortium (W3C) - The W3C has defined several security mechanisms which may interact with VoiceXML 3.0. There is an established relationship between the W3C and VoiceXML Forum based on a 2001 Memorandum of Understanding.
• OASIS (Organization for the Advancement of Structured Information Standards) - OASIS drives the development, convergence and adoption of open standards for the global information society. They have been instrumental in developing Web, Web Service, SOA, and Security practices and standards.

4 Communications

The committee will meet on a weekly basis via teleconference phone calls, utilize a mailing list, and may engage in periodic workshops. Summaries will be made available for review by VoiceXML Forum members.

This charter was approved under the 30 May 2003 operating policies of the VoiceXML Forum. The terms of those operating policies apply.

Copyright © 2010, VoiceXML Forum. All rights reserved.