[08:07:36] --- sommerfeld has become available
[08:08:07] <sommerfeld> jabber scribing to an empty room
[08:08:27] <sommerfeld> (milestone list)
[08:08:37] <sommerfeld> (pushing milestones out)
[08:09:25] <sommerfeld> paul hoffman: issues sent to the list which got no traction
[08:09:29] --- kivinen has become available
[08:09:58] <sommerfeld> has more issues holding back pending resolution of those issues
[08:10:49] <sommerfeld> sommerfeld: paul: don't hold back
[08:11:32] <sommerfeld> gregory: intention to close issues soon
[08:11:49] <sommerfeld> russ: approved, move on
[08:12:32] <sommerfeld> presentations are on website
[08:12:43] <sommerfeld> http://www.icsalabs.com/pki4ipsec
[08:13:39] <sommerfeld> Proposed PKI4IPSEC Cert Mgmt Reqs Doc
[08:14:03] <sommerfeld> Chris Bonatti
[08:14:12] <sommerfeld> (page 2)
[08:14:34] <sommerfeld> (personal drafts reposted as WG item)
[08:14:52] <sommerfeld> (page 3)
[08:16:03] <sommerfeld> (page 4)
[08:17:01] <sommerfeld> (page 5)
[08:17:08] <sommerfeld> mostly editorial changes now
[08:17:17] <sommerfeld> id-nits picked
[08:17:32] <sommerfeld> (page 5)
[08:17:57] --- wyllys has become available
[08:17:59] <sommerfeld> (page 6)
[08:18:39] <sommerfeld> need to clarify error handling...
[08:19:05] <sommerfeld> gregory: take 5 minutes to look at issues?
[08:19:22] <sommerfeld> explain registration template?
[08:19:34] <sommerfeld> chris: vpn admin has separate role from vpn peer
[08:19:57] <sommerfeld> admin submits authorization template to PKI identifying authorizations of vpn peers
[08:20:43] <sommerfeld> vpn peer uses KM protocols to access authorizations..
[08:21:04] --- toro_toro has become available
[08:21:16] <sommerfeld> barbara frasier: vpn admin role, how it relates to IPSP?
[08:21:18] --- toro_toro has left
[08:21:31] <sommerfeld> chris: starting to look at it, not done
[08:21:48] <sommerfeld> could take it in multiple directions
[08:22:19] <sommerfeld> greg: vpn admin does not have to have role beyond pki enrollment
[08:22:29] <sommerfeld> only covers who gets what in the certs
[08:22:40] <sommerfeld> brokering communication between vpn peers and PKI
[08:22:46] --- Mouse has become available
[08:23:03] <sommerfeld> not necessarily standalone device; could be function on one vpn box
[08:23:06] --- tanupoo has become available
[08:23:21] <sommerfeld> fraser: want to avoid conflicts with IPSP
[08:23:31] <sommerfeld> bonatti: currently very high level
[08:23:52] <sommerfeld> specifics of authorizations may be local
[08:24:12] <sommerfeld> gregory: content of templates?
[08:24:28] <sommerfeld> paul hoffman: rule out of scope?
[08:25:19] <sommerfeld> bonatti: where are interoperability boundaries?
[08:25:34] <sommerfeld> do we need interoperable interface between vpn admin and pki?
[08:26:33] <sommerfeld> hoffman: ~10 items in template, use web form filled in by human?
[08:26:58] <sommerfeld> leaving as web form is just fine?
[08:27:16] <sommerfeld> bonatti: how does vpn policy interact with ca's policy?
[08:27:56] <sommerfeld> gregory: human discussion happens once; each registration uses that template..
[08:28:01] --- janski has become available
[08:28:57] --- Mouse has left: Disconnected
[08:29:04] <sommerfeld> gregory: scope/boundaries of vpn admin function communications? all x509 attributes, or can it be more limited?
[08:29:12] <sommerfeld> need more guidance
[08:29:25] <sommerfeld> bonatti: what you can support needs to be negotiated with pki
[08:29:52] <sommerfeld> authorization mgmt sorely lacking in pki
[08:30:14] <sommerfeld> some things which go beyond x509 syntax
[08:30:27] <sommerfeld> additional privilege mgmt using identity you're requesting..
[08:30:49] <sommerfeld> could have authorization server?
[08:31:19] <sommerfeld> vpn peer: can a peer cancel an authorization?
[08:32:14] <sommerfeld> gregory: agree, should be possible to cancel preauthorization request
[08:32:58] <sommerfeld> bonatti: error handling
[08:33:03] <sommerfeld> for preenrollment
[08:33:21] <sommerfeld> no mechanism in CMC for this. haven't given it thought yet
[08:33:44] <sommerfeld> hoffman: not a lot there for error handling in CMC
[08:33:56] <sommerfeld> may entail more than just a profile of CMC
[08:34:32] <sommerfeld> may need changes to CMC to get the error handling right
[08:34:42] <sommerfeld> might happen after pkix shuts down..
[08:35:03] <sommerfeld> greg: CMC author has revision in progress
[08:35:33] <sommerfeld> jim schaad: (cmc author): still open to changes (before next IETF)
[08:35:38] <sommerfeld> attempt to contain changes
[08:35:40] <sommerfeld> ?
[08:35:44] <sommerfeld> no.
[08:35:49] <sommerfeld> russ: ok with that
[08:36:01] <sommerfeld> hoffman: bump priority
[08:36:29] --- Mouse has become available
[08:36:38] <sommerfeld> (page 7)
[08:36:55] <sommerfeld> issue tracker http://rt.psg.com/
[08:37:24] <sommerfeld> bonatti: weed out editorial stuff from issue list
[08:37:45] --- wyllys has left
[08:37:48] <sommerfeld> gregory: need quicker resolution on some issues (CMC)
[08:38:36] <sommerfeld> propose: bar BOF or interim meeting to close issues out to get progress in 2 months
[08:39:03] <sommerfeld> bonatti: yes
[08:39:10] <sommerfeld> hoffman: not now, brain fried
[08:40:06] <sommerfeld> russ also volunteers for interim group
[08:40:17] <sommerfeld> (end presentation)
[08:40:44] <sommerfeld> Korver presentation
[08:41:17] <sommerfeld> ikecert-profile-03 draft
[08:41:46] <sommerfeld> (page 2)
[08:42:00] <sommerfeld> (oops, no page numbers in this one)
[08:43:50] <sommerfeld> gregory: ipr issues with CDP?
[08:45:34] <sommerfeld> hoffman: text may be sufficient for interop w/o CDP
[08:46:05] <sommerfeld> kent: without revocation, certificates are like diamonds (are forever)
[08:46:14] <sommerfeld> hoffman: still have expiration dates..
[08:47:08] <sommerfeld> (issues 654, 576 - OOB)
[08:47:33] <sommerfeld> flipped back and forth on what and how much goes OOB vs in-band in IKE
[08:48:34] <sommerfeld> option A: all other info besides end entity cert should be OOB
[08:48:46] <sommerfeld> option B: should send trust anchor, intermediate, revocation in-band
[08:49:03] <sommerfeld> korver: nobody sends trust anchors in band
[08:49:20] <sommerfeld> russ: subordinate to trust anchor..
[08:50:09] <sommerfeld> gregory: all sorts of intermediate midpoints
[08:50:23] <sommerfeld> chairs thought they had closure
[08:50:39] <sommerfeld> slew of responses during last call which appeared to come out of nowhere
[08:51:04] <sommerfeld> bring up here to attempt to resolve
[08:51:43] <sommerfeld> pros of more inband: more backwards compatible, and don't have good OOB mechanism yet; seems to work already
[08:52:08] <sommerfeld> cons: message size bloat
[08:59:32] <sommerfeld> me at mike: don't let go with both hands
[08:59:49] <sommerfeld> kent: neither CMC, etc., are appropriate for use here
[09:00:34] <sommerfeld> kent: pkix: repositories distinct from CA's
[09:01:02] <sommerfeld> protocols never designed for getting anyone else's certs
[09:01:15] <sommerfeld> kent: udp fragmentation is the real issue
[09:01:38] <sommerfeld> kent: until we have concrete description of how to do this, premature to say SHOULD NOT do in-band
[09:02:42] <sommerfeld> kent: ietf is schizo regarding manual configuration
[09:03:32] <sommerfeld> need alternative on the table first
[09:04:13] <sommerfeld> kaufman: inevitable that this will be contentious
[09:04:37] <sommerfeld> bias towards backwards compat
[09:04:55] <sommerfeld> look at what ssl does as precedent
[09:05:12] <sommerfeld> important that there be something in-band for hierarchy
[09:05:38] <sommerfeld> hoffman: agree with kent (!!!)
[09:06:00] <sommerfeld> hold profile until UDP fragmentation resolved
[09:06:17] <sommerfeld> hoffman: need to worry about revocation info for intermediate certs, too.
[09:07:05] <sommerfeld> korver: in practice, we don't have revocation yet
[09:09:42] <sommerfeld> hoffman: intermediate certs need to be configured, too
[09:09:48] <sommerfeld> korver: no you don't
[09:10:31] <sommerfeld> wes hardaker: not clear who the target audience is
[09:11:10] <sommerfeld> 90% case probably does not have intermediate certs
[09:11:18] <sommerfeld> (US Government is the exception)
[09:11:49] <sommerfeld> tero: never send trust anchor in band
[09:11:53] <sommerfeld> no point.
[09:12:19] <sommerfeld> revocation: never need to send in band
[09:14:54] <sommerfeld> tero: two certs will probably fit
[09:15:03] <sommerfeld> should finish profile, not wait for mechanism.
[09:15:17] <sommerfeld> more important to get profile out than wait for OOB mechanism to appear
[09:15:37] <sommerfeld> stephan ? from microsoft:
[09:15:54] <sommerfeld> validation of revocation info may require additional certs
[09:16:00] <sommerfeld> complex problem space
[09:16:25] <sommerfeld> ??: revocation info doesn't have to be megabytes; OCSP may be <1K per cert
[09:16:33] <sommerfeld> (anyone get that name?)
[09:19:17] <sommerfeld> russ: alternative not being considered
[09:19:38] <sommerfeld> split document
[09:19:43] <sommerfeld> leave this issue out
[09:19:54] <sommerfeld> while we sort out in-band/OOB
[09:23:55] <sommerfeld> kaufman: problem is likely unsolvable
[09:24:52] <sommerfeld> by not ruling out alternative visions, you wind up with competing non-interoperable alternates
[09:25:00] <sommerfeld> may be resolved by deployment
[09:25:33] <sommerfeld> bonatti: leaving it out doesn't preclude it in the future
[09:26:55] <sommerfeld> gregory: proposal: change to be more explicit that OOB mechanisms coming later
[09:27:00] <sommerfeld> but leave in-band as a MAY
[09:27:40] <sommerfeld> kent: goal is to narrow down the "all kinds of stuff"
[09:30:16] <sommerfeld> kivinen: divide the issue
[09:34:37] <sommerfeld> hums:
[09:35:46] <sommerfeld> allow CRLs in band
[09:35:52] <sommerfeld> allow intermediate certs in band
[09:37:40] <sommerfeld> current proposal: forbid CRLs from being sent in band; refer to CDP, forthcoming work for OOB acquisition
[09:40:38] <sommerfeld> apparent strong consensus (loud to silent) to forbid in-band CRLs
[09:41:28] <sommerfeld> hum #2: forbid intermediate certs, refer to coming work
[09:44:10] <sommerfeld> hum was inconclusive; show of hands was 2/3 for allow intermediate
[09:47:19] <sommerfeld> next question: if there was a viable OOB alternate for intermediate certs, would you consider it?
[09:47:35] <sommerfeld> (no commitment to use)
[09:51:49] <sommerfeld> small number preferred in-band intermediate
[09:52:24] <sommerfeld> wes hardaker: "this is the wrong audience"
[09:52:29] <sommerfeld> need to ask operators
[09:53:12] --- janski has left
[09:53:12] --- janski has become available
[09:54:01] <sommerfeld> taunting: "my customer is smarter than your customer"
[09:54:36] <sommerfeld> tero proposal: remove text referencing intermediate certs
[09:55:02] <sommerfeld> kaufman: goal is to rule out things that IKEv2 couldn't
[09:55:22] <sommerfeld> can we rule out funny orders?
[09:58:59] <sommerfeld> hum: address vs stay silent
[09:59:10] <sommerfeld> preference to address but not absolute consensus
[10:01:35] <sommerfeld> (continuing korver presentation)
[10:01:51] <sommerfeld> may not need to submit new draft; will wait for resolution on list
[10:02:49] <sommerfeld> kent: refining the IPsec Peer Authentication Database
[10:03:32] <sommerfeld> 2401bis PAD is vague; need document to refine
[10:04:50] <sommerfeld> PAD specifies how to authenticate each peer, and how to obtain revocation status
[10:05:27] <sommerfeld> specified TSi addresses or symbolic names that a peer is authorized to represent when child SAs are negotiated
[10:06:48] <sommerfeld> describes how the PAD is keyed by various selectors
[10:06:55] <sommerfeld> IKE id payload is the database key
[10:07:27] <sommerfeld> (page 3?) PAD model diagram
[10:09:00] --- Mouse has left
[10:09:08] <sommerfeld> PAD entry could contain end entity cert, or just which trust anchor
[10:11:48] <sommerfeld> (matching rules for the PAD)
[10:12:29] <sommerfeld> want matching rules more flexible than exact match
[10:12:40] <sommerfeld> (more matching)
[10:13:05] <sommerfeld> starname matching for FQDN, RFC822
[10:13:13] <sommerfeld> X.500 matching rules for DNs
[10:13:20] <sommerfeld> addresses: ranges
[10:16:52] <sommerfeld> (two pages of examples)
[10:21:50] <sommerfeld> how to cope with the BTNS effort?
[10:22:36] <sommerfeld> "Is this what we need"? slide (last slide)
[10:23:34] <sommerfeld> need ordered database?
[10:24:31] <sommerfeld> continuity of authentication?
[10:27:34] --- kivinen has left
[10:28:25] <sommerfeld> gregory: slides get us 80-90% of the way there
[10:29:00] <sommerfeld> (wrapping up...)
[10:29:11] <sommerfeld> open issues list?
[10:29:35] <sommerfeld> ??: open issues list looked like it was covered in the meeting
[10:30:39] <sommerfeld> gregory: let's not miss our deadlines again
[10:31:44] <sommerfeld> concall for interim meeting
[10:31:51] <sommerfeld> (done)
[10:33:36] --- tanupoo has left
[15:43:39] --- paul.knight has become available
[15:46:03] --- paul.knight has left
[16:19:05] --- Mouse has become available
[16:19:51] --- Mouse has left