[11:08:36] --- mrichardson has left
[11:26:23] --- mrichardson has joined
[11:26:46] --- mrichardson has left
[11:28:55] --- mrichardson has joined
[12:02:02] --- LOGGING STARTED
[12:34:07] --- mrex has joined
[12:39:13] --- jeffa has joined
[12:56:04] --- mrichardson has joined
[12:56:15] --- leifj has joined
[12:57:44] --- jimsch1 has joined
[12:59:34] --- kdz has joined
[13:00:28] <kdz> agenda: http://www3.ietf.org/proceedings/06jul/agenda/btns.txt
[13:00:28] --- Melinda has joined
[13:01:48] --- Jeffrey Altman has joined
[13:02:25] --- touch has joined
[13:03:50] <kdz> Love called for scribes, Jeffrey Altman to take notes for minutes. I to take notes as scribe
[13:03:59] --- ryu.inada has joined
[13:04:10] --- admcd has joined
[13:04:14] --- cgn has joined
[13:04:23] <kdz> Love notes that Pekka has stepped down as co-chair.
[13:04:37] <kdz> Those interested in stepping up should contact Sam.
[13:04:48] <kdz> Now bashing agenda
[13:05:04] --- hartmans has joined
[13:05:19] <kdz> No agenda change, now reviewing document status
[13:05:31] <kdz> btns-prob-and-applic to WGLC soon
[13:06:17] <kdz> rest of WG I-Ds in progress, to be discussed.
[13:06:17] --- julien.bournelle has joined
[13:06:20] <kdz> now on WG background and goals
[13:06:47] --- dumdidum has joined
[13:06:56] <kdz> Goals for this meeting
[13:07:07] <kdz> finish last items on PS/AS
[13:07:19] <kdz> more stuff as indicated on slide
[13:07:40] --- kurosaki has joined
[13:08:02] <kdz> Joe Touch now on btns-prob-and-app
[13:08:43] --- shikob has joined
[13:08:54] --- sakuma.macx has joined
[13:09:23] --- psavola has joined
[13:09:25] --- jgre has joined
[13:10:46] <kdz> Sam asking about Leap of Faith
[13:11:29] --- jhutz has joined
[13:12:21] <jhutz> What he means is "this isn't leap of faith, but I'm calling that anyway, and I'm not arguing with anyone who says I'm wrong"
[13:12:31] <kdz> Mike: LoF not a part of the arch
[13:12:53] <hartmans> What issue is this?
[13:13:11] <hartmans> draft-shirey-secgloss-v2-04.txt defines leap of faith in a manner consistent to how Joe Touch is using it.
[13:13:25] <kdz> There seems to be a leap of faith regarding the term leap of faith
[13:14:10] <kdz> Steve Kent argues that LofF should be in scope
[13:14:33] --- lha has joined
[13:14:39] --- fparent@jabber.org has joined
[13:14:54] <kdz> Sam: BTNS has value without Cred cache
[13:15:14] <kdz> Sam as AD: don't be silent on the matter
[13:16:13] <kdz> Joe agrees with comments from the floor
[13:16:51] <kdz> Sam doesn't care whether this (unauth cred cache) is in this document.
[13:16:56] --- wrstuden has joined
[13:19:29] --- kivinen has joined
[13:19:41] <kdz> dave black: applicability statement doesn't need to explain how to solve caching of credentials for "leap of faith", but cached credential is valuable and different from willingness to accept unauthenticated credential from same source
[13:20:09] <kdz> mike: if out-of-scope of WG, then out-of-scope of document
[13:21:24] <kdz> note to lurkers: feel free to back fill
[13:21:55] <kdz> mike: need to specifically include LofF in charter
[13:22:40] <kdz> JeffH: we're in the weeds
[13:23:29] <kdz> nico: LoF requires caching
[13:24:02] --- sftcd has joined
[13:24:19] --- fred.lefebvre has joined
[13:24:22] <kdz> nico: second LoF form: application checking same cred used
[13:24:29] <kdz> Sam and others say not
[13:24:45] <kdz> Nico, too much detail for AS
[13:25:10] <kdz> Sam as AD: charter did not contemplate this work
[13:25:29] <kdz> ... is desirable to complete core work before tackling optional features
[13:25:55] <kdz> ... this feature can likely be easily added later.
[13:26:04] <kdz> Joe now on NAT traversal
[13:26:12] --- patchvonbraun has joined
[13:26:54] <kdz> Joe now on non-issues/no-actions
[13:27:27] <hartmans> For the minutes, I explicitly did not go as far as saying that the work was outside the charter, simply that it was not contemplated by the charter.
[13:27:32] <jhutz> Please don't publish a document that uses the phrase "leap of faith" to describe something that is just using unauthenticated credentials without caching.
[13:28:29] <jhutz> I believe the work is within the charter. My reading of the charter gives the group pretty broad latitude in determining what are contexts in which the use of unauthenticated SA's is appropriate.
[13:28:50] <kdz> joe on remaining issues
[13:29:16] <kdz> david black: Asymmetric CBB previously discussed by authors
[13:29:44] --- patchvonbraun has left
[13:29:47] <jhutz> One of the charter items includes a "... document to describe the motivation and goals for having security protocols that support anonymous keying of SA's in general and IPsec and IKE in particular."
[13:29:47] <kdz> ... one side can be in dark
[13:30:43] <jhutz> I think those support saying that lof is one motivation for using unauth'd SA's, and describing it at least enough to understand the scenario
[13:31:25] <jhutz> Actually specifying when and how you do caching might not be clearly within the charter, and I agree with Sam that that can be done later.
[13:31:42] <kdz> Joe goal to WGLC by end of July, forward to IESG in August
[13:32:07] <jhutz> OTOH, I think there needs to be a clear way to specify (as policy) that in the presence of a known key for a peer, you don't do btns
[13:32:25] <kdz> Love asks how many have read the draft, answer 2
[13:32:27] --- patchvonbraun has joined
[13:33:33] <kdz> nico now to discuss BTNS Core
[13:33:36] <mrichardson> http://ox.ca/1ji <- diff of 02/03 of prob/applic.
[13:33:45] --- yushun has joined
[13:33:50] <mrichardson> oops. no. that's not the XML.
[13:34:10] <lha> meh
[13:34:14] --- patchvonbraun has left
[13:34:19] <lha> i just changed the order of the agenda
[13:34:31] <kdz> ... Michael now co-editor
[13:34:45] <kdz> only one person has read the I-D
[13:35:10] --- ldondeti has joined
[13:35:21] <mrichardson> we tried to add some scenarios that explains things.
[13:35:45] <ldondeti> Hi, When is Sam's presentation?
[13:35:55] <lha> it should be now
[13:36:05] <lha> but I misremembered and called up nico
[13:36:14] <lha> it will be in about 25min
[13:36:15] <jhutz> I already can't keep track of the capabilities of the various nodes
[13:36:15] --- fred.lefebvre has left
[13:36:39] <mrichardson> jhutz, sorry. Can you suggest a way to make the nodes more obvious?
[13:36:40] <lha> I'll let michael and nico do their other presentation since they are related
[13:37:03] <jhutz> speakers should stand at the lectern and use the TV for reference
[13:38:02] <jhutz> Maybe, but not at this moment - the amount of time the slide was up was not enough for me to internalize that, so I need to look at the draft
[13:38:37] <mrichardson> http://www.sandelman.ca/tmp/probapp02-03.html
[13:38:54] --- patchvonbraun has joined
[13:40:30] <jimsch1> If something new comes along, can it kill a current btns item?
[13:40:40] <jhutz> So, looking at the diagram and description in -core-01...
The textual description captures all the capabilities, but I found it hard to turn that into a good idea what was going on...
[13:41:35] <jhutz> The diagram captures _most_ of it, and is easy to understand. It fails to capture the major differences between Q and R, or which nodes have fixed vs dynamic addresses.
[13:41:48] <kdz> steve kent (BBN) - spds v. id, consistency issue
[13:42:58] <lha> jimsch1: I asked the question
[13:43:02] <lha> nico doesn't know
[13:43:31] <kdz> nico: 4301 issue, not issue in this I-D
[13:43:35] <lha> 4301 talks about it
[13:44:24] <kdz> on to example #2
[13:44:31] <jhutz> So, what I get from the text is that Q has exactly the same capabilities as C and D, and so should be described in the diagram as {btns-Q}
[13:44:50] <mrichardson> http://ox.ca/1jk <- core-00 vs core-01. (Yes, we got the expire date wrong)
[13:44:51] <lha> jimsch1: you ok with the answer ?
[13:45:06] <jimsch1> I think so
[13:45:28] <lha> you in the room, listening to audio or just in jabber
[13:45:31] <lha> ?
[13:46:34] <kdz> nico: analysis of example 2 same as in 1
[13:47:03] <kdz> on to example 3
[13:47:13] <kdz> btns only client
[13:48:21] <kdz> analysis with example 3 likewise
[13:49:45] --- dumdidum has left
[13:50:08] <kdz> mike: q on slide 3, discussed for hours how to present this table
[13:50:25] <kdz> q to steve, do you feel comfortable?
[13:50:34] <kdz> steven: you left some things out
[13:51:25] <kdz> steve to offer some slides as examples
[13:51:47] --- dumdidum has joined
[13:51:49] <kdz> steve offers warms fuzzy
[13:53:42] <kdz> steve notes that in the first example, the two inconsistent items need to be consistent
[13:54:11] <kdz> in PADs
[13:54:47] --- jgre has left
[13:55:17] <kdz> pekka savola: have you considered from open service to btns
[13:55:33] <mrichardson> I think he said closed to btns?
[13:55:47] <kdz> Nico, not in this I-D. not sure if it's in scope
[13:56:01] <kdz> (I heard open, but ...)
[13:57:12] <ldondeti> isn't Sam's presentation next?
[13:57:27] <kdz> nico: task taken from this is flush this out, resolve inconsistency
[13:57:45] <kdz> love notes that sam presentation will follow mikes
[13:58:02] <kdz> mike on Issues with PAD/SPD and BTNS
[13:58:41] --- nico has joined
[13:59:28] <nico> the task: describe what parts of the PAD/SPD we left out and why
[13:59:52] <nico> and add a field to the PAD figures (match by ID or IP)
[14:00:07] <nico> and make that field consistent with the search-SPD-by field
[14:01:34] <nico> (the issue not in scope was opportunistic BTNS; Michael pointed out RFC4322)
[14:01:50] <nico> (opportunistic IPsec is orthogonal to BTNS)
[14:02:33] <kdz> questions regarding situation?
[14:04:02] <kdz> mike's slides: http://www3.ietf.org/proceedings/06jul/slides/btns-1.pdf
[14:04:27] <kdz> now on "What breaks" (slide 6)
[14:06:32] <kdz> mike: do folks configure wildcard PAD entries
[14:06:47] <kdz> Mike offers examples where he does.
[14:07:32] <kdz> how to fix this: don't do this
[14:08:08] <kdz> joe: gets ahead of mike
[14:10:00] --- psavola has left
[14:11:30] --- patchvonbraun has left
[14:11:53] <kdz> Mike: cannot get in this situation by accident, we need to write this up
[14:12:01] <kdz> open mike
[14:12:29] <kdz> joe: depends on who authc it
[14:15:13] <kdz> nico: can get into this situation without btns
[14:16:07] <kdz> steve: name constraints
[14:16:21] <touch> the question I was asking: can't two different CAs authenticate the same host? if so, the one could be 'more trusted' than the other. in that case, then you have this situation in IPsec. i.e., you want to be able, from the app, to know "who said this was X".
[14:16:53] <kdz> ... can be used to avoid this situation
[14:17:40] --- raeburn has joined
[14:17:45] <touch> The answer appears to be "yes, this can happen in IPsec, and no, there doesn't appear to be an API that already provides this". Although most people don't use existing IPsec this way, it appears to be valid use. Nico suggested that this is important to document - and I agree, but I would like to encourage the description to highlight that this is NOT a BTNS issue, but that BTNS cares deeply that it be resolved.
[14:18:06] <kdz> does your mother have a CA, if so, does she know it?
[14:18:51] <kdz> on to sam's presentation
[14:19:07] <kdz> http://www3.ietf.org/proceedings/06jul/slides/btns-2.pdf
[14:22:44] --- sftcd has left: Computer went to sleep
[14:23:21] --- admcd has left: Replaced by new connection
[14:31:18] <kdz> Steve Kent: the selection function outside of the host is a non-issue
[14:33:45] --- mkomu has joined
[14:33:52] <kdz> sam: may need to limit vendors in selection of ?
[14:33:59] --- wrstuden has left: Computer went to sleep
[14:34:24] <mrichardson> limit vendors in how much they innovate from 4301/draft-ietf-btns-*
[14:35:21] <kdz> pekka: useful area to work in
[14:36:59] --- mrichardson has left
[14:37:15] --- mrichardson has joined
[14:37:58] <kdz> david black: applications ought not be in the business of selecting protection barriers
[14:38:26] <kdz> ... what is the API into the IPsec configuration
[14:39:02] <kdz> Sam: need a way to express IPsec and application policies together
[14:39:37] --- touch has left
[14:39:38] <kdz> David: who's the peer is layer dependent
[14:39:42] --- julien.bournelle has left: Replaced by new connection
[14:40:23] --- mkomu has left
[14:40:56] <kdz> nico, in regards to "what does this have to with BTNS?" : APIs
[14:41:04] --- nico has left: Disconnected
[14:41:23] --- nico has joined
[14:41:36] --- touch has joined
[14:41:53] <kdz> michael: conclusion is API work is in scope, charter should say so.
[14:42:04] --- Jeffrey Altman has left: Disconnected
[14:42:22] <kdz> Sam thinks charter is explicit enough, but fine with revision
[14:43:26] <kdz> Sam: Apps doesn't mean Apps Area, refers those using BTNS
[14:43:46] --- jimsch1 has left
[14:45:55] <kdz> mike/sam: discussion of two application/two protection barrier policies
[14:45:58] --- dumdidum has left
[14:47:07] <kdz> Sam, we only have one conceptual model (RFC 4301)
[14:47:10] --- nico has left
[14:47:49] <kdz> steve kent: disagrees with some of the examples.
[14:48:45] --- kurosaki has left: Replaced by new connection
[14:49:02] --- dumdidum has joined
[14:53:06] <kdz> Sam: implementors draw the barrier lines, not the spec.
[14:54:35] <kdz> Love: what is the scope of the API/interaction with other wgs
[14:55:13] --- raeburn has left: Disconnected
[14:55:19] <kdz> nico: we discussed two APIs
[14:55:26] --- Melinda has left
[14:55:49] <kdz> latched connections API: who's the peer, what is their certificate, cb, etc.
[14:56:21] <kdz> and policies associated with these connections
[14:56:43] <kdz> PAD/SPD API
[14:57:17] <kdz> 1 or 2 documents?
[14:58:21] --- cgn has left
[14:59:25] --- nico has joined
[14:59:57] --- sakuma.macx has left
[15:00:00] <kdz> unknown speaker: what is the overlap between shim6 and btns
[15:02:24] --- touch has left
[15:02:29] <kdz> mike gives lengthy response
[15:04:29] --- fparent@jabber.org has left
[15:05:14] <kdz> next steps
[15:05:31] <kdz> respin PS/AS document, take to WGLC in August
[15:05:38] <kdz> more work on core document
[15:05:44] <kdz> done, bye
[15:05:45] --- hartmans has left
[15:05:54] --- jeffa has left
[15:05:55] --- shikob has left
[15:06:19] --- kdz has left
[15:07:40] --- yushun has left
[15:07:48] --- ryu.inada has left
[15:07:56] --- kivinen has left: Logged out
[15:08:17] --- leifj has left
[15:08:37] --- lha has left
[15:08:42] --- nico has left
[15:08:55] --- mrex has left
[15:10:52] --- jhutz has left
[15:12:03] --- ldondeti has left
[15:17:52] --- ryu.inada has joined
[15:18:02] --- ryu.inada has left
[15:22:36] --- kdz has joined
[15:23:54] --- sftcd has joined
[15:24:09] --- sftcd has left
[15:25:15] --- dumdidum has left
[16:41:30] --- kdz has left
[18:21:55] --- mrichardson has left
[18:48:38] --- mrichardson has joined