[10:56:42] --- tlyu has joined
[10:56:57] --- tlyu has left
[11:04:10] --- tlyu has joined
[11:04:15] --- hartmans has joined
[11:04:22] --- lha has joined
[11:06:12] --- Jeffrey Altman has joined
[11:07:50] <hartmans> Speak up if you are not here and you join this room
[11:09:21] --- raeburn@jis.mit.edu has joined
[11:10:29] <Jeffrey Altman> The Interim meeting is beginning. A green blue sheet is being circulated.
[11:10:40] <Jeffrey Altman> Breakfast is not here yet.
[11:11:05] <Jeffrey Altman> Klaus is going to talk to the group for a few minutes. J.K. says breakfast in ten minutes.
[11:12:48] <Jeffrey Altman> Klaus Schutz, Director of Development, Windows Security Access Control begins his presentation.
[11:14:02] <Jeffrey Altman> welcome to microsoft. ten partner organizations are here from around the world.
[11:15:52] <Jeffrey Altman> Kerberos is "THE" authentication protocol for Windows in Enterprises. Integrated with AD. Windows has a highly skilled team of engineers working on Kerberos. IETF participation through Larry Zhu, Paul Leach and J.K.
[11:17:33] <Jeffrey Altman> Microsoft is committed to interoperability. Extensive testing against MIT and Heimdal. Develop tools such as GssMonger. Passing interoperability tests against third party implementations is a sign-off criterion.
[11:18:18] <Jeffrey Altman>
[11:18:47] --- Jeffrey Altman has left
[11:20:24] --- Jeffrey Altman has joined
[11:20:46] * Jeffrey Altman has changed the subject to: Interim Kerberos WG Meeting
[11:23:59] <Jeffrey Altman> Doug: Homeland Security Directive 12 indicates that all govt employees must use smart cards next year. However, there are few guidelines for what extensions will be present. For example, the UPN may not be present. I want to make sure that Microsoft is on board.
[11:24:54] <Jeffrey Altman> Klaus: Microsoft is performing work in this area. Recommend putting you in touch with the engineers working on those particular areas.
[11:25:25] <Jeffrey Altman> Larry: I am trying to set up a meeting.
[11:28:34] <Jeffrey Altman> jhutz: pkinit is not on the agenda. one remaining issue. since we are waiting for breakfast. The remaining issue is on advice for PKI deployers with regards to what should be placed into a cert in order for the client to be able to determine that the cert is meant to be used for authenticating a KDC. The second part was advice to PKI operators on what techniques should be provided to restrict the ability of use for the generated certs.
[11:35:55] <Jeffrey Altman> Discussion of Vista release date and access to non-public builds. Speak with JK if you wish to obtain access to interim builds. There are partner programs available that can be used to provide access. Klaus leaves
[11:36:51] <Jeffrey Altman> now we wait for breakfast to arrive
[11:38:07] <raeburn@jis.mit.edu> draft-jaganathan-rc4-hmac-01.txt
[11:45:35] <Jeffrey Altman> folks are grumpy because Kerberos does not work through the Microsoft firewall
[11:48:59] <raeburn@jis.mit.edu> http://larry.masinter.net/draft-masinter-ior.html .xml .txt
[11:51:51] <hartmans> http://larry.masinter.net/draft-masinter-ior.txt
[12:00:12] <Jeffrey Altman> Agenda Bashing.
[12:00:22] <Jeffrey Altman> <still no breakfast>
[12:01:53] <Jeffrey Altman> * Sam will discuss process for moving documents along the standards track
[12:02:13] <Jeffrey Altman> * review of "Formalizing IETF Interoperability Reporting"
[12:02:19] <Jeffrey Altman> taking breakfast break
[12:28:29] --- nico has joined
[12:28:34] <nico> hi
[12:39:15] <Jeffrey Altman> breakfast is over
[12:39:58] <raeburn@jis.mit.edu> and Sam is eating ice cream
[12:40:09] <raeburn@jis.mit.edu> hi Nico
[12:45:18] <Jeffrey Altman> Sam to discuss "process"
[12:45:27] <Jeffrey Altman> speaking as area director
[12:46:14] <Jeffrey Altman> fill in boxes in the data tracker, issue last call, get no complaints, and we move on. to reduce the risk of complaints, there are some conditions we must meet:
[12:46:32] <Jeffrey Altman> * six months since the RFC was published.
[12:47:27] <Jeffrey Altman> (some say it is six months since document action but it appears to be the actual publication date.) We will probably need extra time to get all of the implementation requirements.
[12:47:47] <Jeffrey Altman> Microsoft might be the only implementation with AD-IF-RELEVANT
[12:48:08] <Jeffrey Altman> second, all normative references must be at the level we are going to or higher.
[12:49:23] <Jeffrey Altman> we dropped the normative reference from 4120 to 4121 but we wanted to be able to move forward without moving forward all of gss
[12:49:47] <Jeffrey Altman> third, we need to identify all of the features in the protocol, and show that for each mandatory and optional feature there are two interoperable implementations.
[12:50:03] <Jeffrey Altman> www.ietf.org/iesg/ link to interoperability reports
[12:50:13] <Jeffrey Altman> they vary widely
[12:50:35] <Jeffrey Altman> http://www.ietf.org/IESG/implementation.html
[12:50:37] <nico> I want to make sure that AD-IF-RELEVANT and AD-KDC-ISSUED stay in. If that means re-testing just that soon after this (so we can implement), I think we should
[12:51:01] <Jeffrey Altman> it means we must implement
[12:51:16] <nico> clearly
[12:52:51] <Jeffrey Altman> an example of a report for a simple protocol http://www.ietf.org/IESG/Implementations/OTP-Draft-implementation
[12:54:11] <raeburn@jis.mit.edu> draft-ietf-idr-bgp-implementation-02.txt in your favorite I-D repository
[12:54:47] <Jeffrey Altman> This is an example at the other end of the spectrum http://tools.ietf.org/wg/idr/draft-ietf-idr-bgp-implementation/draft-ietf-idr-bgp-implementation-02.txt
[12:55:22] <Jeffrey Altman> we are not required to write new code to generate invalid input.
[12:55:31] <Jeffrey Altman> we are not validating compliance
[12:55:48] <Jeffrey Altman> we are demonstrating interoperability between correct implementations
[12:56:08] <Jeffrey Altman> we should not have more than one feature related to proxy tickets
[12:56:36] <nico> are there any uses of proxy tix?
[12:56:53] <Jeffrey Altman> if not, it must be pulled
[12:57:03] <nico> I don't mind that
[12:57:20] <nico> how much time might we have to implement and demo interop for AD-*?
[12:57:35] <nico> or would it be fine to move those to separate standards-track docs?
[12:57:56] <nico> I might not mind the latter... (but of course it's fine, I suppose)
[12:58:38] <Jeffrey Altman> it is unclear how to specify the features for crypto. do we create features by "operation" or by "enctype". clearly, the matrix of both is too detailed.
[12:59:19] <nico> well, that's a toughie
[13:01:19] <Jeffrey Altman> jhutz proposal: for 3961, all we need to show for each operation that there is an application and an enctype for which there is interoperability.
[13:03:17] <Jeffrey Altman> it is proposed that we not test interoperability of the DES enctypes
[13:03:31] --- DaveChristiansen has joined
[13:03:49] <nico> would that mean dropping them?
[13:04:05] <Jeffrey Altman> jhutz believes so
[13:04:07] <nico> ok
[13:04:20] <DaveChristiansen> IMHO, that's just not claiming that they interop (not claiming they don't either, of course...)
[13:04:21] <nico> so that means a new doc for kcrypto
[13:04:39] <Jeffrey Altman> sam wants to do higher level testing of DES and more detailed testing for RC4 and AES
[13:04:53] <nico> higher level?
[13:05:12] --- larry has joined
[13:05:36] <Jeffrey Altman> high level. run two apps with DES-CBC-CRC and if they work we are done.
[13:05:49] <DaveChristiansen> IMHO we're not losing anything by testing des and it shouldn't be too hard (depending on how we decide to do the testing)
[13:05:52] <Jeffrey Altman> low level: write tests for individual operations
[13:06:11] <nico> and low-level means, what? testing kcrypto ops directly?
[13:06:20] <nico> how? APIs are needed
[13:06:33] <nico> but, ok, I digress
[13:06:53] <nico> Heimdal and MIT certainly can do it
[13:10:54] <Jeffrey Altman> in order to demonstrate interop for 3961, kerberos is not sufficient because not all operations are used
[13:11:22] <Jeffrey Altman> ken believes a mixture of unit tests and protocol testing is required.
[13:11:40] <nico> ok; will there be enough time to do that this week?
[13:12:00] <nico> is there a plan for on-going interop testing to complete whatever isn't completed this week?
[13:12:43] <Jeffrey Altman> there is no expectation that testing will be completed this week
[13:13:30] <DaveChristiansen> I think the point is to get us on a path to being able to complete the testing.
[13:13:41] <DaveChristiansen> (potentially at a later date)
[13:13:53] <nico> got it
[13:18:46] <Jeffrey Altman> sam: do you need a single implementation that interoperates with all of the required features? MIT and Heimdal interoperate for all of the required features. It may be that we do need to show that for every required and optional feature that there are two implementations for the feature and interoperate. However, we could show that MIT and Microsoft interoperate to get tickets and MIT and Heimdal interoperate to use them.
[13:19:51] <Jeffrey Altman> We should write up any big holes that we find but the existence of an implementation hole does not have to stop forward progress.
[13:24:40] <Jeffrey Altman> jhutz proposal: * list all of the things that people think are features * review and then combine or remove things that are too fine grained. Sam: make sure that we have software available to perform the test. If there is no software, then you must question whether it is a feature. If it is a feature, then we might have to revise the document.
[13:26:27] <Jeffrey Altman> It may very well in practice be easier to implement the feature than revise the document
[13:50:34] <Jeffrey Altman> jhutz is starting a spreadsheet. we are heading to lunch
[14:26:52] --- nico has left
[15:04:06] <Jeffrey Altman> back from lunch.
[15:12:37] --- mwchapel has joined
[15:23:21] --- mwchapel has left: Disconnected
[15:41:46] <Jeffrey Altman> For notes to the IESG. We must record the fact that, for the RFC 3961 implementation report, the authors deem rsa-md4-des-k, des-mac, and des-mac-k HISTORIC and documented for informational purposes only.
[15:48:57] <Jeffrey Altman> we agree that if there is an "implementation" test and also one or more "function" tests in the chart, the "implementation" test will be removed, as the "function" test is a proof of implementation
[18:13:03] <Jeffrey Altman> done with 4120
[18:13:03] --- DaveChristiansen has left: Lost connection
[18:13:14] <Jeffrey Altman> taking a break and will attempt 4121 when we return
[18:34:12] <Jeffrey Altman> we are back
[18:48:03] <Jeffrey Altman> although server side rejection of unrecognized authorization data is not a feature because it is an implementation detail, we are going to include it.
[18:48:11] <Jeffrey Altman> there are serious security issues
[18:48:31] <Jeffrey Altman> we will attempt to determine an approach to 4121 tonight.
[18:50:14] <Jeffrey Altman> go over all the messages, and for each message examine the options, and then consider corner cases.
[18:51:03] <Jeffrey Altman> proposed approach from sam. Love comments that it looks like the table of contents
[18:51:31] --- hartmans has left
[19:07:07] --- raeburn@jis.mit.edu has left: Logged out
[19:08:18] --- Jeffrey Altman has left
[19:08:24] --- lha has left
[19:08:59] --- tlyu has left: Logged out
[21:09:27] --- nico has joined
[21:10:44] --- nico has left
[21:37:01] --- larry has left