Reported by Charlie Kaufman/Iris

Minutes of the Web Transaction Security Working Group (WTS)

The WTS Working Group met once at the 33rd IETF on Tuesday, 18 July. This session was the first meeting of the group as an official working group (the group had previously met at the 31st IETF as the HTTPSEC BOF). Charlie Kaufman, as the working group chair, called the session to order and presented the following agenda:

   o  Agenda Bashing
   o  Simon Cooper -- Presentation on RUSSL
   o  Doug Rosenthal -- Presentation on GSSAPI approach for WWW
   o  Donald Eastlake -- Presentation on DNS Security
   o  Simon Cooper -- Review of Web Security Requirements Document
   o  Allan Schiffman -- Review of SHTTP Document
   o  Discussion of the WTS Charter

Presentation on RUSSL

Simon Cooper of Rutgers University detailed work in progress on the Rutgers University Secure Services Library (RUSSL), an implementation motivated by the need to provide confidential, authenticated services for HTTP and NNTP as well as other applications. For details see:

   http://www-ns.rutgers.edu/www-security/archives/0001.html

Presentation on GSSAPI Approach for WWW

Doug Rosenthal of EINET presented work in progress to explore integration of GSSAPI with WWW clients and servers. This work is based on an implementation of GSS/SPKM using Northern Telecom's Entrust products to demonstrate the feasibility of an approach which is "architecturally competitive to" SHTTP in that it allows for negotiation of encryption, authentication and key exchange mechanisms between cooperating entities.

Presentation on DNS Security

Don Eastlake of CyberCash described a proposal for using some extensions to DNS as the basis for public key distribution in the WWW.
Details of the extensions can be found in:

   ftp://ds.internic.net/internet-drafts/draft-ietf-dnssec-secext-04.txt

Review of Web Security Requirements Document

Simon Cooper of Rutgers University led a review of the document draft-bossert-httpsec-req-00.txt in the context of its satisfying the working group's charter of producing a Web Security Requirements document. A large number of changes were proposed and agreed to at the meeting. A few issues were left unresolved, though none seemed unresolvable. There was consensus that we should incorporate the changes agreed to at the meeting and resolve any remaining issues via the mailing list within a month (i.e., by 18 August) and then propose that the document be advanced to Informational RFC.

Review of SHTTP Document

Allan Schiffman described changes in the latest revisions to the SHTTP document in the Internet-Draft directories. The changes did not raise any controversies, but there was some discussion of the controversial issue of how SHTTP might be better coordinated with MOSS. It was noted that to some degree this was related to the harder question of coordinating HTTP with MIME (a problem well beyond the scope of this working group).

Future Direction of WTS

Charlie Kaufman led a discussion of the future direction of the working group. The charter calls for finalizing security requirements at the Stockholm meeting. We narrowly missed that milestone, but agreed to complete it via the list within a month. It also calls for alternative standards-track security specifications to be submitted as Internet-Drafts by the Stockholm meeting and for a reconciled proposal to be finalized at the Dallas IETF in December. No one expressed objections to this timetable.

There was discussion of moving the WTS mailing list in order to separate it from the pre-existing mailing list since the list may include people not interested in the workings of the IETF working group.
If that happens, an announcement will go out to the existing mailing list inviting people to join the new one.