IETF
saag
saag@jabber.ietf.org
Thursday, March 14, 2013
hillbrad has set the subject to: http://tools.ietf.org/agenda/85/agenda-85-saag.html

GMT+0
[18:42:07] kaduk@mit.edu/barnowl joins the room
[18:46:22] cabo joins the room
[18:46:36] cabo leaves the room
[18:56:26] kmurchison joins the room
[18:56:58] tlyu joins the room
[19:00:02] bortzmeyer joins the room
[19:02:08] Juan Pedro Cerezo joins the room
[19:06:26] <tlyu> the audio stream seems to have disconnected, and i can't seem to reconnect
[19:06:33] yuioku.yj joins the room
[19:07:06] sftcd joins the room
[19:07:08] <kmurchison> yes, audio has gone silent
[19:07:23] <kaduk@mit.edu/barnowl> Same here.
[19:07:38] <sftcd> nobody is saying anything:-)
[19:07:44] <kaduk@mit.edu/barnowl> (Though tlyu and I are on the same subnet.)
[19:07:48] <sftcd> hear that?
[19:08:06] <kaduk@mit.edu/barnowl> Hear nothing.
[19:08:18] nico joins the room
[19:08:24] <kmurchison> no.  there was background noise earlier, now it's dead silent.  no hiss or anything
[19:08:35] <sftcd> works in the room, lemme check
[19:08:35] <tlyu> i think the server is sending 404s
[19:08:37] <nico> FYI, the sound feed for Caribbean 4 is broken
[19:08:38] <kaduk@mit.edu/barnowl> My player does not even think it is playing.
[19:08:47] <sftcd> ah, thanks nico, that way all day?
[19:08:48] <nico> it is sending 404s
[19:08:52] <nico> no clue
[19:08:55] <nico> just tried today
[19:08:58] <nico> just now
[19:09:08] <tlyu> just started doing that about 5 minutes ago
[19:09:18] <sftcd> I sent a mail to the NOC
[19:10:01] bkihara.l joins the room
[19:14:15] Sean Turner joins the room
[19:14:24] barryleiba joins the room
[19:14:46] hildjj joins the room
[19:14:54] =JeffH joins the room
[19:14:59] cabo joins the room
[19:15:01] kazubu joins the room
[19:15:03] <tlyu> still no luck on the audio stream for me
[19:15:29] ewburger joins the room
[19:15:38] <barryleiba> I'll try another mic.  Tell me if you hear me in a minute.
[19:15:51] <ewburger> Here is your humble Jabber scribe. Let me know if you want to speak.
[19:15:54] <ewburger> Can you hear Larry?
[19:16:03] <kaduk@mit.edu/barnowl> The problem is elsewhere than the microphone.
[19:16:04] <tlyu> no, it's a server problem as far as i can tell (with the audio stream)
[19:16:10] <barryleiba> Trouble report has been made.
[19:16:22] Rhys Smith joins the room
[19:16:43] synp joins the room
[19:17:09] m&m joins the room
[19:17:10] <ewburger> About WEBSEC
[19:17:49] <ewburger> Could you hear the last discussion?
[19:17:59] Will Fiveash joins the room
[19:18:09] <ewburger> Brian Weis
[19:18:16] <tlyu> no, the server seems to be giving 404s, so no way i can hear anything
[19:18:48] <ewburger> Sandy Murphy: SIDR - draft for getting keys into routers; IPR issue; APNIC issue for data from other RIRs; RPKI performance issues
[19:18:55] <kaduk@mit.edu/barnowl> In other news, tools.ietf.org is being very sluggish for me right now.
[19:19:02] <ewburger> Routing Area had discussion on Trust Routers
[19:19:10] <ewburger> Yoshiro Yoneya - PRECISE
[19:19:22] <barryleiba> That's PRECIS
[19:19:40] <ewburger> Barry - always correcting my pfellin
[19:19:43] <Sean Turner> yeah i know silly autocorrect
[19:19:47] <Will Fiveash> @tlyu I can't hear anything either
[19:20:13] <ewburger> Sharon Boyen - WPKOPS
[19:20:23] <tlyu> other streams are also returning 404s from the server
[19:20:32] <ewburger> Documenting actual behavior for browser and server PKI
[19:20:33] <nico> also, the recordings for some meetings are not up
[19:20:36] <ewburger> No drafts yet
[19:20:38] <nico> was KITTEN not recorded?
[19:20:53] <kaduk@mit.edu/barnowl> Have audio.
[19:21:03] <Will Fiveash> audio just started working for me
[19:21:05] <ewburger> Paul Hoffman - DANE
[19:21:14] <nico> audio is back, yeah
[19:21:21] <ewburger> Issue of DANE and SRV records.
[19:21:30] <ewburger> If you thought it was done, it isn't :-)
[19:22:13] <ewburger> CFRG meets tomorrow
[19:23:05] <ewburger> Security discussion on JOSE; Maybe something on hashes
[19:23:09] <ewburger> (Kevin Igoe)
[19:23:25] <ewburger> Now up: Quynh Dang: presentation on SHA-3
[19:24:00] kmurchison leaves the room
[19:24:15] kmurchison joins the room
[19:24:23] semery joins the room
[19:24:32] PHB joins the room
[19:25:52] Gabriel Montenegro joins the room
[19:28:23] marcos joins the room
[19:28:33] <ewburger> I would let you know what slide we are on, but (1) the slides do not seem to be posted and (2) the slides do not have slide numbers. Boo Hiss!
[19:28:58] <Sean Turner> the slides are posted
[19:29:02] <nico> this PDF is also particularly CPU intensive
[19:29:12] <kmurchison> sounds like slide 5
[19:29:14] <ewburger> where?
[19:29:19] <Rhys Smith> slide: [keccak features]
[19:29:20] <barryleiba> http://www.ietf.org/proceedings/86/slides/slides-86-saag-3.pdf
[19:29:26] <Sean Turner> thanks barry
[19:29:31] <nico> neither the built-in Chrome nor FF (PDF.js) PDF viewers could manage it
[19:29:32] <kmurchison> now on slide 6
[19:29:32] <ewburger> thanks!
[19:30:15] <kaduk@mit.edu/barnowl> pdf.js is doing okay for me.
[19:30:27] <ewburger> me, too
[19:31:29] <ewburger> FIPS will standardize, not necessarily IETF
[19:31:35] <ewburger> slide 7 - Under Consideration for SHA-3
[19:33:22] sm joins the room
[19:35:32] kmurchison leaves the room
[19:36:05] kmurchison joins the room
[19:37:14] <ewburger> Slide 8 - Other Features for standardization considerations
[19:38:48] <ewburger> Slide 9 - Comments
[19:39:30] satoru.kanno@gmail.com joins the room
[19:40:30] <ewburger> Any questions from the remote audience?
[19:41:02] <ewburger> Never mind... questions at open mic time.
[19:41:18] <ewburger> Next: Cyrus Daboo on iSchedule/DKIM
[19:41:28] Karen O'Donoghue joins the room
[19:41:50] <ewburger> Slide 2
[19:41:52] <ewburger> Overview
[19:42:06] tlyu leaves the room
[19:42:12] tlyu joins the room
[19:42:51] <ewburger> DKIM Changes
[19:43:01] <ewburger> (OK, where are these slides, Barry?)
[19:43:49] stpeter joins the room
[19:43:54] <kmurchison> http://www.ietf.org/proceedings/86/slides/slides-86-saag-0.pdf
[19:44:04] <ewburger> Thanks :-)
[19:44:28] <ewburger> Slide 4 - DKIM Changes #2
[19:44:53] bortzmeyer leaves the room
[19:45:24] <ewburger> Slide 4 - DKIM Changes #3
[19:45:28] <ewburger> ^4^5
[19:47:23] <ewburger> Questions:
[19:47:27] <ewburger> Murry @ mic
[19:47:35] <ewburger> He will work on drafts & write code
[19:47:59] <ewburger> Peter St. Andre @ mic
[19:48:28] <ewburger> use of finding certificates over HTTP looks a lot like what XMPP is doing for non-PKI use of finding certs; POSH - PKIX over secure HTTP
[19:48:40] <ewburger> some overlap, maybe
[19:49:24] <ewburger> Joe Hildebrand @ mic
[19:49:39] <ewburger> Hannes @ mic
[19:49:55] kmurchison leaves the room
[19:50:07] <ewburger> Asking about confidentiality requirements, as calendar info is sensitive
[19:50:30] <ewburger> If end-to-end, why worry about proxies in the middle and using TLS?
[19:50:31] kmurchison joins the room
[19:50:52] <ewburger> A: sometimes SSL gets offloaded to SSL termination box and then things go in clear text, which can mess with headers
[19:51:02] <ewburger> Now up: Tatu Ylonen
[19:51:08] <ewburger> And, I found it myself: http://www.ietf.org/proceedings/86/slides/slides-86-saag-1.pdf
[19:51:25] <ewburger> slide 2: The Problem We Try to Address
[19:53:41] <ewburger> (Sean - we're still on slide 2...)
[19:53:57] <ewburger> (Thanks)
[19:54:06] <Sean Turner> yep -
[19:55:17] <nico> we've seen this before, no?
[19:55:36] <ewburger> Slide 3 - Main Elements of Solution
[19:55:37] <Sean Turner> it's an update
[19:55:46] tony.l.hansen joins the room
[19:55:47] <kaduk@mit.edu/barnowl> I think we had a talk on this in Atlanta, yes.
[19:55:55] <nico> as I've pointed out before, use of GSS is really the best practice in a corporate environment
[19:56:02] <nico> yes, Atlanta
[19:57:00] <tlyu> i think systems like Kerberos substantially decrease this sort of risk. not clear that other GSS mechs would necessarily
[19:57:16] <nico> escalating privs is often trivial because users often have . in $PATH
[19:57:19] <ewburger> Anything I (or Sean) should bring to the Mic?
[19:57:45] <nico> tlyu: well, ABFAB probably would too, and so would SCRAM, ...
[19:57:57] <nico> and PKU2U and BrowserID
[19:58:27] <nico> basically: anything that deals in names
[19:58:52] <semery> What about non-provisioned clients?
[19:58:59] <nico> one could use a directory of user bare keys too
[19:59:01] <tlyu> i think defaulting to short-lifetime credentials is necessary as well
[19:59:10] <nico> semery: in corporate environments?!
[19:59:18] <semery> :)
[19:59:18] <tlyu> Kerberos does this, but it's less common in X.509 to have short-lived credentials
[19:59:21] <nico> tlyu: sure
[19:59:39] <nico> tlyu: in kx509/kca deployments it's common
[20:00:04] <semery> VPN/DHCP clients.
[20:00:14] <nico> one remediation approach: search for all key files in the filesystems everywhere; also audit uses of keys
[20:00:49] <nico> semery: they should get provisioned or there should be an enrollment process to make provisioning possible, or they should use user credentials
[20:01:12] <nico> (semery is referring to a problem we dealt with at Sun, in Solaris, a long time ago)
[20:01:40] <ewburger> Slide 4 - Next Steps
[20:02:24] <ewburger> Any questions?
[20:02:26] <nico> mic: Tatu, please see comments in jabber room
[20:02:28] <nico> :)
[20:02:31] <ewburger> Hannes Tschofenig at mic
[20:02:39] <tlyu> skimming the draft, i think a few generalizations about Kerberos installations aren't aligning with my knowledge of how sites tend to deploy Kerberos
[20:02:42] <ewburger> @nico: all of them?
[20:02:45] <nico> (/me is being lazy; I could grab the jabber log and send it to him :)
[20:02:55] <ewburger> go for it :-P
[20:02:58] <nico> ewburger: no, don't mic all of them
[20:03:05] <nico> just tell Tatu to read the jabber log
[20:03:31] <semery> tlyu: what about FAST capable?
[20:03:35] kmurchison leaves the room
[20:03:52] <ewburger> Sam Hartman at the mic
[20:04:13] Sandra Murphy joins the room
[20:04:18] <tlyu> semery: which of my comments were you addressing with the FAST comment?
[20:04:35] kmurchison joins the room
[20:04:45] <semery> When you skimmed the draft.
[20:06:04] <tlyu> i didn't see any mention of FAST. i was more thinking about getting a TGT means you can log into all hosts (which is a really inadvisable way to configure your deployment)
[20:06:33] <ewburger> Ryan Sleevi on W3C Web Crypto API Update
[20:06:34] <ewburger> http://www.ietf.org/proceedings/86/slides/slides-86-saag-5.pdf
[20:06:43] <ewburger> Slide 2
[20:06:52] <ewburger> Slide 3
[20:07:08] <ewburger> @ Sean - Can't you get your presenters to put slide numbers on their slides?
[20:08:08] <ewburger> Slide 4 - Background
[20:08:21] <Sean Turner> yeah okay fair point
[20:08:26] sm leaves the room
[20:09:39] Juan Pedro Cerezo leaves the room
[20:09:44] Juan Pedro Cerezo joins the room
[20:09:44] <ewburger> Slide 5 - State of Web Crypto
[20:11:59] <ewburger> Slide 8 - Problems with JS Crypto
[20:12:08] <ewburger> (yes, he blew through 5-7)
[20:12:18] sm joins the room
[20:12:25] <Sean Turner> efficiently
[20:13:08] <ewburger> Slide 9 - Problems with JS Crypto
[20:13:14] <ewburger> (Performance is hard)
[20:13:45] <ewburger> Slide 11: "Web" is a broad term
[20:14:32] <kaduk@mit.edu/barnowl> Y!/G/FB are tracking you, though...
[20:14:53] <ewburger> That's a feature / business 'opportunity' :-)
[20:15:53] <ewburger> Slide 12: What are people actually writing
[20:16:28] <ewburger> Slide 13: Browser Crypto Stack
[20:16:42] tlyu leaves the room
[20:16:43] <ewburger> ^13^14
[20:16:47] tlyu joins the room
[20:17:11] <ewburger> Slide 15: Making it Better
[20:17:19] marcos leaves the room
[20:18:12] sm leaves the room
[20:19:27] <ewburger> Slide 20: Alternatives
[20:19:35] <ewburger> (only API)
[20:20:20] marcos.sanz joins the room
[20:20:41] john.levine joins the room
[20:21:05] <ewburger> Slide 21: Alternatives
[20:21:29] <ewburger> Slide 22: Alternatives
[20:22:10] <ewburger> Slide 23: Alternatives
[20:22:31] <ewburger> Slide 25: JOSE
[20:22:48] tlyu leaves the room
[20:22:53] tlyu joins the room
[20:23:50] <ewburger> Slide 26: JOSE
[20:24:48] mcharlesr joins the room
[20:24:48] mcharlesr is now known as mcr
[20:24:59] mcr is now known as mcharlesr
[20:24:59] mcharlesr is now known as mcr
[20:25:01] mcr is now known as mcharlesr
[20:25:01] mcharlesr is now known as mcr
[20:25:05] mcr is now known as mcharlesr
[20:25:05] mcharlesr is now known as mcr
[20:25:06] <ewburger> Any questions from the remote world?
[20:25:49] <ewburger> Taji Kimura at mic
[20:25:55] synp leaves the room: Computer went to sleep
[20:26:04] <nico> there's been a lot of feedback of the "uh, don't do this in scripts on web pages" type; I assume all such feedback will be ignored, now and forever
[20:26:31] <nico> Matasano had a great blog entry about that
[20:26:36] <bkihara.l> s/Taji/Taiji/
[20:26:39] mcr is now known as mcharlesr
[20:26:39] mcharlesr is now known as mcr
[20:26:41] mcr is now known as mcharlesr
[20:26:42] mcharlesr is now known as mcr
[20:26:59] <ewburger> I stand corrected, Taiji
[20:27:06] <ewburger> (bad eyes)
[20:27:12] <stpeter> ewburger: :)
[20:27:18] mcr is now known as mcharlesr
[20:27:18] mcharlesr is now known as mcr
[20:27:20] mcr is now known as mcharlesr
[20:27:20] mcharlesr is now known as mcr
[20:27:52] <bkihara.l> a too difficult sequence of characters :<
[20:28:05] <ewburger> 8-)
[20:28:54] kmurchison leaves the room
[20:29:23] kmurchison joins the room
[20:29:30] <ewburger> Tony Hansen at mic
[20:30:52] <ewburger> Yaov Nir at mic
[20:31:12] <kaduk@mit.edu/barnowl> Yoav, not Yaov ;)
[20:31:32] <ewburger> That I will blame on left-right hand dyslexia
[20:31:44] mcr is now known as mcharlesr
[20:31:44] mcharlesr is now known as mcr
[20:32:09] <nico> http://www.matasano.com/articles/javascript-cryptography/
[20:35:17] <ewburger> Open mic
[20:35:22] <ewburger> Anything needed to be channeled?
[20:35:25] kmurchison leaves the room
[20:35:27] <ewburger> Hannes at mic
[20:35:29] Gabriel Montenegro leaves the room
[20:35:38] kmurchison joins the room
[20:35:54] <ewburger> Phillip Hallam-Baker at mic
[20:35:57] synp joins the room
[20:36:08] <ewburger> Back to SHA-3 NIST presentation
[20:36:46] mcr is now known as mcharlesr
[20:37:49] <ewburger> Quynh Dang at mic
[20:38:25] <nico> TLS WG will have to resist
[20:38:38] <ewburger> Fair to ask for a smaller number of SHA algorithms?
[20:38:45] <ewburger> Please send info to hash forum mail list.
[20:38:53] <nico> also, it's time to work on extending TLS so we no longer have cartesian cipher suite explosion
[20:39:15] <Sean Turner> @nico that might be cool
[20:39:29] <nico> I don't think we should let TLS issues make NIST standardize fewer SHA-3s
[20:39:31] <Sean Turner> hate registering 30 suites every time
[20:39:55] <nico> @Sean Turner: I made some noises about this a while back on the TLS list and mostly got booed
[20:40:08] <nico> but really, it's time we started fixing the pain points in TLS
[20:40:10] <Sean Turner> doesn't surprise me ;)
[20:40:24] <nico> because let's face it: TLS sucks now
[20:40:55] <nico> there's probably not a single cipher suite that is sufficiently secure in the face of having to support version nego
[20:41:48] mcharlesr is now known as mcr
[20:41:48] mcr is now known as mcharlesr
[20:42:56] <ewburger> Matt Miller at mic
[20:43:15] <ewburger> XMPP meets tomorrow; might have security implications
[20:43:24] tlyu leaves the room
[20:43:29] tlyu joins the room
[20:44:37] synp leaves the room
[20:44:39] mcharlesr is now known as mcr
[20:44:39] <ewburger> Peter St. Andre at mic
[20:45:35] <ewburger> Joe Hildebrand
[20:46:34] hildjj leaves the room
[20:46:36] Sean Turner leaves the room
[20:46:36] <ewburger> Thanks everyone!
[20:46:38] <ewburger> bye
[20:46:40] semery leaves the room
[20:46:43] ewburger leaves the room
[20:46:45] bkihara.l leaves the room
[20:46:46] barryleiba leaves the room
[20:46:50] mcr is now known as mcharlesr
[20:47:01] marcos.sanz leaves the room
[20:47:01] m&m leaves the room: Disconnected: connection closed
[20:47:04] PHB leaves the room
[20:47:05] stpeter leaves the room: Disconnected: connection closed
[20:47:12] kmurchison leaves the room
[20:47:27] nico leaves the room
[20:47:56] satoru.kanno@gmail.com leaves the room
[20:48:14] kazubu leaves the room
[20:49:07] mcharlesr leaves the room
[20:49:09] PHB joins the room
[20:49:14] Rhys Smith leaves the room
[20:49:42] Karen O'Donoghue leaves the room
[20:50:25] john.levine leaves the room
[20:50:46] marcos.sanz joins the room
[20:51:25] john.levine joins the room
[20:52:37] =JeffH leaves the room: Logged out
[20:55:54] PHB leaves the room
[20:58:13] john.levine leaves the room
[20:58:58] john.levine joins the room
[21:01:58] sftcd leaves the room
[21:02:01] tlyu leaves the room
[21:02:03] marcos.sanz leaves the room
[21:02:08] john.levine leaves the room
[21:03:06] john.levine joins the room
[21:06:40] Karen O'Donoghue joins the room
[21:08:11] john.levine leaves the room
[21:13:41] yuioku.yj leaves the room
[21:13:46] john.levine joins the room
[21:13:49] cabo leaves the room
[21:15:53] Sandra Murphy leaves the room
[21:21:29] PHB joins the room
[21:22:37] Juan Pedro Cerezo leaves the room
[21:27:21] =JeffH joins the room
[21:27:22] =JeffH leaves the room
[21:30:56] m&m joins the room
[21:31:04] m&m leaves the room: Disconnected: connection closed
[21:31:08] m&m joins the room
[21:32:28] Karen O'Donoghue leaves the room
[21:33:16] john.levine leaves the room
[21:35:47] tony.l.hansen leaves the room
[21:35:54] m&m leaves the room
[21:37:04] satoru.kanno@gmail.com joins the room
[21:37:23] Karen O'Donoghue joins the room
[21:44:43] Sandra Murphy joins the room
[21:45:30] Sandra Murphy leaves the room
[21:46:18] Will Fiveash leaves the room
[21:46:46] Sandra Murphy joins the room
[21:48:11] satoru.kanno@gmail.com leaves the room
[21:49:43] Sandra Murphy leaves the room
[21:57:01] Karen O'Donoghue leaves the room
[22:17:39] PHB leaves the room