Security Area Open Meeting (SAAG) Minutes

Meeting  : IETF 75, Thursday 30 July 2009, 13:00-15:00
Location : Stockholm City Conference Center, Congresshall A
Chairs   : Pasi Eronen and Tim Polk
Minutes  : Jim Schaad (+some notes by Pasi based on audio recording)
Version  : 2 (2009-08-19)

----------------------------------------------------------------------

Due to scheduling constraints, the meeting started with two invited presentations instead of WG reports.

1. W3C Security Update (Yves Lafon)

Richard Graveman?: What is CVE?
Common Vulnerabilities and Exposures, standard database of threats.

----------

2. Tunnelling of Explicit Congestion Notification (Bob Briscoe)

Bob: Plead for review of document.

Paul Hoffman: We have not yet seen it, please bring to IPSECME.

Bob: Formal request is going to IPSECME (later from chairs), but wanted general request as well.

----------

3. WG reports

WG reports in email: ipsecme, emu, sasl, isms, nea, dkim, pkix, keyprov, kitten, krb-wg

ipsecme: Paul Hoffman said WG is close to completing some work items, and talked about taking on new work. Folks with ipsec related drafts should get on the list.

emu: Alan DeKok noted that people want to carry authorization information inside EAP, which has been usually authentication only.

hokey: Tina Tsou (new HOKEY co-chair) noted that HOKEY is rechartering to take on new work items.

isms: Pasi and Tim welcomed new ISMS co-chair, Russ Mundy.

syslog: Pasi mentioned that SYSLOG also talked about rechartering; some items are security-related and some are not. At this time, only one item (syslog-over-dtls) got support, so will stay in security area.

keyprov: ADs thanked Sean Turner for stepping in to chair the session as neither of the co-chairs were in Stockholm.

tls: will meet tomorrow; Joe Salowey said the main topics will be cached information optimizations, heartbeat for DTLS, and identity-based encryption.
Not meeting this time: btns (report in email), ltans (Carl Wallace: not much going on; new version of dssc posted); msec (Tim: not much activity), smime (report in email)

Tim noted that folks interested in having a BOF in Hiroshima (or even Anaheim) need to start working on it soon, and take a look at RFC 5434.

Paul mentioned "home gateways" bar-BOF on Monday also had security things, what unmanaged home firewalls do.

----------

4. IBAKE: Identity Based Authenticated Key Exchange (Igor Faynberg)

Doug Otis (Trend Micro): Note well - may be similar to other patent materials our company has bought.

Tim: Does Lucent have IPR?

Igor: Not that I know of.

Sean Turner: Some work in SMIME, not a lot of review/interest because of the IPR problems.

Igor: There exists an official general Lucent disclosure. Believes that totally different issue.

Richard Graveman: Use a signature rather than an encryption. Just as rich a set of literature on IBE sig as encrypt. Yet another word: certificate-less encryption - tries to get a balance between identity based and the escrow.

Simon Josefsson: Interested in reading draft. Q - are you proposing to get an ID?

Tim: Q - do people want to read and review?

Igor: Yes

Simon: Interested in reading and getting IPR disclosures listed.

Yaron: Guess at discussion Pasi doesn't want to have today - would like not to ignore technology just because IPR exists on some items. Let standards body and industry determine whether technology is relevant in light of IPR.

Ekr: I don't really understand why one would want to pursue this general line of development: most of the benefits of IBE pertain to non-interactive protocols. Given that you've bothered to obtain credentials, why not just do ephemeral DH authenticated by those credentials. WRT to IPR, there are indeed patents on IBE but as far as I'm aware the appropriate disclosures have been posted.

Igor: There is a big brother w/ key -

Ekr: what does this bring to the party?
Stephen Kent/Igor: discussion of how this scheme is functionally closer to performing DH w/ IB signature scheme than other IB encryption techniques.

Dan Harkins: please write ID.

Richard Graveman: Note that this requires new view of revocation.

----------

5. Open mike

Paul Hoffman: More drafts on firewalls - might be something security area needs to look at - most people consider firewalls to be part of security.

Pasi: One of the drafts is hard to find because it does not use the word "firewall" (draft-ietf-v6ops-cpe-simple-security).

Paul: In that world "CPE" is the base item that they think of. Calling them "home" things, even though SOHO comes in this.

Magnus Nystrom: XML security work comments - new work on derived keys for encryption purposes. Work is leveraged by the keyprov working group. Should look at this in SAAG as well. New document on hybrid ciphers - key and data encapsulations. Provide tighter security proofs than existing key wrap things. Bit more generic - some associated work in the S/MIME working group. See ISO x9.83 (?)

Pasi: New draft by Hugo and me on HMAC key derivation function (draft-krawczyk-hkdf), related to SAAG presentation in San Francisco.

Paul Hoffman: IPR issues that are security related? - It seems that in the wave of IPR mania, seem to be coming from security documents. One of things that needs to be done is determine community consensus that advantages of work outweigh the document. Need to be able to see the scale of what IPR balance means.

Pasi: Most IPR disclosures are not in security area. No idea why all of the recent discussions seem to be about security. More of an issue for AD sponsored docs than WG docs, for WG documents we have rough WG consensus when we get to IETF last call. Most LC comments are negative - need more positive input if we are going to get balanced input.

Tim: Important thing is community consensus - not IPR - although IPR usually impacts community consensus.
It is always hard to measure consensus, especially for individual submissions. Documents out of WG have already demonstrated some support.

Doug Otis: Advantages in the Identum screen is sender side encryption - allows corp to see what is going on outbound stream - facilitates output mailings. Advantages may not be overwhelming.

----------------------------------------------------------------------