IETF
saag
saag@jabber.ietf.org
Thursday, March 6, 2014< ^ >
hillbrad has set the subject to: http://tools.ietf.org/agenda/85/agenda-85-saag.html
Room Configuration
Room Occupants

GMT+0
[12:48:55] Adam Montville joins the room
[12:51:08] Adam Montville leaves the room
[12:52:00] ilari.liusvaara joins the room
[12:53:40] Adam Montville joins the room
[12:56:12] tlyu@mit.edu joins the room
[12:57:17] jimsch1 joins the room
[12:57:45] Franck Martin joins the room
[12:58:16] <Adam Montville> Anyone have audio working?
[12:59:10] Barry Leiba joins the room
[12:59:15] sftcd joins the room
[12:59:50] Olafur Gudmundsson joins the room
[13:00:10] paulwouters joins the room
[13:00:34] Adam Montville leaves the room
[13:00:35] yaron.sheffer joins the room
[13:01:08] dseomn joins the room
[13:01:08] <yaron.sheffer> Anybody has an audio URL that works?
[13:01:10] Adam Montville joins the room
[13:01:15] rigo joins the room
[13:01:33] <jimsch1> audio is now up
[13:01:43] kivinen joins the room
[13:01:50] <Adam Montville> affirm
[13:02:06] <rigo> WG status (&lt;10 mins)                                                                             
[13:02:12] <yaron.sheffer> Yes, thanks.
[13:02:14] <rigo> starting to scribe                                                                             
[13:02:36] <Adam Montville> Are any decks planned to be shared in some way?
[13:02:47] <Adam Montville> I don't see decks available on the tools agenda
[13:02:57] <rigo> Stephen presenting Agenda                                                                             
[13:03:21] <jimsch1> https://datatracker.ietf.org/meeting/89/materials.html#sec  slides are here
[13:03:31] <rigo> Sean leaving, receiving a bottle                                                                             
[13:03:35] <rigo> applause                                                                             
[13:03:41] <rigo> standing ovations                                                                             
[13:03:48] <Adam Montville> +many
[13:04:06] derek joins the room
[13:04:22] <derek> We thanked Sean
[13:04:29] renzoe joins the room
[13:04:36] <derek> Now going through the WGs
[13:05:31] <rigo> dane: invitation for new proposal                                                                             
[13:06:09] <rigo> Olafur Gudmundsson: overflowed people in room, running code, email transfer and xmpp documents expected                                                                             
[13:06:18] Dan York joins the room
[13:06:24] antonioaraujob@jappix.com joins the room
[13:06:24] <derek> karen: jose is meeting this afternoon
[13:06:46] sean.turner@jabber.psg.com joins the room
[13:06:49] Joe Hildebrand joins the room
[13:07:10] <derek> yoav: websec has 1 doc in the final stages.
[13:07:19] <derek> hoping it gets done soon
[13:08:09] <derek> ekr: httpbis -- couple topics..  security of hpac (compression scheme), concern about leaking info
[13:08:19] Karen O'Donoghue joins the room
[13:08:27] <derek> other major issue: to what extent should we allow "http over tls" when you don't have "https" URIs
[13:08:56] <derek> wouldn't hurt to have more eyeballs
[13:09:54] cw joins the room
[13:10:04] m&m joins the room
[13:10:31] linus joins the room
[13:11:12] <rigo> KARP automated key management and looking for help for security review                                                                             
[13:11:38] metricamerica joins the room
[13:11:40] satoru.kanno@jabber.org joins the room
[13:12:36] <rigo> SIDR: met on tuesday. Changes on exisiting document. Two revisions and one extension. OID signature algo extension. Revisions to ease deployments                                                                             
[13:13:27] <rigo> change of semantics of certificates, basic part of arch. Improve resilience against errors. Comments sympathetic to the prob, but not sure about solutions. Energetic discussions, but no commitment                                                                             
[13:13:52] russ joins the room
[13:14:04] <rigo> discussion about rsync. Need replacement at some point                                                                             
[13:14:22] <rigo> deployment experience in Ecuador presented in SIDAR this time                                                                             
[13:15:30] <rigo> WPKI: will send out vendor survey. Responses are incomplete. We need more complete record from experts. Have promises, but no delivery yet. Gonna extend deadline, but not indefinitely. Meet later today.                                                                              
[13:17:16] npdoty joins the room
[13:17:42] <rigo> UTA (hasn't met yet) , will meet Friday morning. TLS is most popular protocol. Sometimes not really clear how to use it. Group will look into current practices and find out why TLS has difficulties in deployments. Looking at communalities and differences, and how it can be applied to specific application                                                                             
[13:17:48] Steve Olshansky joins the room
[13:17:49] <rigo> Mention DNS clash?                                                                             
[13:18:43] <rigo> will mention, could take advantage of TLS. Took place at BOF. Today the last session there will be additional discussion about DNS. Geo discussion will be tomorrow                                                                             
[13:19:37] <rigo> TCPM? TCPCrypt. around for a while. Looking into the problem.                                                                              
[13:19:48] SM joins the room
[13:20:52] <rigo> CFRG: focus on small number of things. New elliptic curve in 2014. Trying to move towards that. That is what most talks were about. Also about passwords.                                                                              
[13:21:09] <rigo> presentation from David on signature on post quantum time                                                                             
[13:21:38] <rigo> if quantum computers come, have to run for shelter quickly                                                                             
[13:21:52] <rigo> invited outside experts to do that                                                                             
[13:22:00] <rigo> Stephen, also mentioned in chacha                                                                             
[13:22:04] fanf joins the room
[13:22:32] Dan York has set the subject to: SAAG at IETF89: https://datatracker.ietf.org/meeting/89/agenda/saag/
[13:22:43] kohei.kasamatsu130 joins the room
[13:22:43] <rigo> ... cool down cha cha, also EU work on stream crypto                                                                             
[13:23:17] <rigo> expensive to run. NIST took 25 FTE to do ??                                                                             
[13:23:46] <rigo> David suggested to make a webex meeting with cryptographers and engineers                                                                             
[13:24:27] <rigo> DNSE: idea is to look into encryption of queries for confidentiality. Lots of interest                                                                             
[13:24:32] stpeter joins the room
[13:24:36] <rigo> but probs.                                                                              
[13:24:53] <rigo> hopefully get some momentum                                                                             
[13:25:05] <rigo> ACE: is looking at ACL in internet of things                                                                             
[13:25:18] <derek> And now onto the presentations
[13:25:32] <rigo> Stephen presenting #strint                                                                             
[13:25:44] <rigo> http://www.w3.org/2014/strint                                                                             
[13:25:55] <rigo> minutes linked from reports page                                                                             
[13:28:51] stpeter leaves the room
[13:28:53] <rigo> Stephen with results from #strint                                                                             
[13:29:01] <rigo> 1/ Crypto works                                                                             
[13:29:08] <rigo> 2/ data minimization is hard                                                                             
[13:29:19] <rigo> 3/ have look into threat model                                                                             
[13:29:19] wseltzer joins the room
[13:29:20] wseltzer leaves the room
[13:29:32] <rigo> 4/ opportunistic keying and encryption                                                                             
[13:29:38] wseltzer joins the room
[13:30:32] <rigo> Policy: should better explain to policy people what impact things generate, explain technology better                                                                             
[13:30:47] <rigo> Guidance for every day implementations                                                                             
[13:30:55] <rigo> easier configurations                                                                             
[13:31:31] <rigo> lots of bikeshedding on captive portals                                                                             
[13:31:44] <rigo> Break outs                                                                             
[13:32:13] <rigo> on by default: All ex AD will write a doc about how to turn on by default                                                                             
[13:32:57] <rigo> Flag day for handling certificate in browser                                                                             
[13:33:24] <rigo> Chrome team: Ben Laurie was there, not on Chrome                                                                             
[13:33:34] <rigo> no engagement from Chrome                                                                             
[13:34:18] <rigo> Stuart: Routing and transport have done blue sky brainstorming and sent to Stephen                                                                             
[13:35:13] <rigo> Now presentation from Russ Housely: Guidelines for Cryptographic Agility                                                                             
[13:36:18] stpeter joins the room
[13:38:00] Olafur Gudmundsson leaves the room
[13:41:43] g.e.montenegro joins the room
[13:45:31] Wolfgang Beck (remote) joins the room
[13:46:27] Olafur Gudmundsson joins the room
[13:47:43] <rigo> ??: Mandatory to implement(2) slide. Great step in right direction. Why not have an IETF wide document for profiles of mandatory to implement algos. This would be one central document                                                                             
[13:48:21] <sftcd> stefan santesson
[13:48:22] <rigo> russ: understand issue: specifying the mandatory algo may not be as straightforward                                                                             
[13:48:25] <Franck Martin> I have been wondering how to upgrade DKIM....
[13:48:46] <rigo> Dan Brasso: Does this also cover hashes?                                                                             
[13:48:50] semery joins the room
[13:49:02] <rigo> russ: yes, it covers hash agility                                                                             
[13:49:15] <rigo> ?? does it create a registry?                                                                             
[13:49:33] <rigo> russ: per protocol                                                                             
[13:50:08] <rigo> Aaron Kaplan: for me how far upgrade things in practice. This is too slow, 50% of servers remain unpatched                                                                             
[13:50:35] <rigo> russ: Co-editor was Steve Bellovin, took as 10 years from Sha1 to Sha256                                                                             
[13:51:05] <rigo> PHB: bits are hard for semantic algos, are "and the modes". What form of sig you will specify                                                                             
[13:51:24] <rigo> most apps not choosing cipher algo, come through platforms                                                                             
[13:52:07] <rigo> which algos to use, but not security, security is not saying must use this, but by saying do NOT use that algo                                                                             
[13:52:14] <rigo> russ: confirms                                                                             
[13:52:57] <sftcd> http://tools.ietf.org/html/draft-iab-crypto-alg-agility-00
[13:53:36] <rigo> Wes Hardacker: are you stating why you have to publish more algos at once                                                                             
[13:53:38] <rigo> russ: no                                                                             
[13:53:43] <rigo> Wes: really important                                                                             
[13:54:43] <rigo> Stephen: We will use the SAAG list for this and continue discussion there. Review encouraged                                                                             
[13:54:50] <rigo> many people show hands for review                                                                             
[13:55:32] <rigo> Next presentation: Matt Miller XMPP end to end encryption                                                                             
[13:55:34] Dan York leaves the room
[13:55:44] <rigo> OTR has issues                                                                             
[13:55:59] <rigo> but widely used                                                                             
[13:56:12] <rigo> no stable reference yet                                                                             
[13:56:29] <rigo> covers the chat, not other info                                                                             
[13:56:42] <rigo> and mulit-device issues                                                                             
[13:56:46] Dan York joins the room
[13:58:00] <rigo> ??: under way to write the transfer, and covers more than plain text                                                                             
[13:58:16] <sftcd> paul wouters @ mic
[13:58:33] <rigo> can someone give adium money so they can cover the multi device thingy?                                                                             
[13:58:53] <rigo> draft-miller-xmpp-e2e                                                                             
[14:00:57] wseltzer joins the room
[14:01:19] <rigo> Peter St.Andre: xmpp speak, important what he said. OTR was developed to do cross platform,                                                                              
[14:01:55] <rigo> ... only protects textual parts (Hi how are you). We also use it for signalling for webrtc                                                                             
[14:02:29] <rigo> ... cant protect ip addresses and signalling. Also xmpp for internet of things, can't protect that for the moment                                                                             
[14:03:00] <rigo> ... we want to have draft for OTR, but doesn't protect                                                                             
[14:03:32] <rigo> ... so have either to fix OTR or do something else                                                                             
[14:04:24] <rigo> (co-chair of xmpp): we have to tackle this, people from this group should help                                                                             
[14:04:38] <jimsch1> Was Joe Hildebrand
[14:05:03] <rigo> sftcd: using OTR for a while. Not perfect, but there.                                                                              
[14:05:22] <rigo> general discussion to move blame for nothing happening from xmpp to saag and back                                                                             
[14:06:05] <rigo> sftcd: not concentrating on all use cases, but on the important stuff. Will it be as easy as OTR                                                                             
[14:06:35] <rigo> Miller: we're aiming at that, as easy as OTR for users                                                                             
[14:07:09] <rigo> Dan Kahn-Gilmor: do you have solution for timing/size issues?                                                                             
[14:07:14] kohei.kasamatsu130 leaves the room
[14:07:21] <rigo> MM: haven't specified, but have some solution                                                                             
[14:07:45] <rigo> s/??/Joe Hildebrand/                                                                             
[14:08:05] <rigo> Dan offers help against traffic analysis                                                                             
[14:08:08] kohei.kasamatsu130 joins the room
[14:08:23] <rigo> .. no algo in OTR, some low spec things                                                                             
[14:08:39] <sftcd> no algorithm agility was the point
[14:09:17] <rigo> ... Paul Wouters: if there is unsecure algo, but should be done if it is too weak                                                                             
[14:09:33] <rigo> ??: is there a possibility to re-use work from ??                                                                             
[14:09:54] <rigo> Wouters: tech secure is OTR with ECC                                                                              
[14:10:11] <rigo> russ: not transition from mandatory to implement?                                                                              
[14:10:21] <rigo> sftcd: only documenting                                                                             
[14:10:31] Olafur Gudmundsson leaves the room
[14:11:09] Dan York leaves the room
[14:11:09] <rigo> paulwouters: Ian Goldberg says once we see that it does not work anymore, we will change. Not touch without need                                                                             
[14:11:21] <rigo> russ: we need a transition way                                                                             
[14:12:13] <rigo> Hannes: different approaches to the same things. Agility vs talking to devs. OTR can not be updated wihtout shipping new software. This is an issues. Multiple levels of agility                                                                             
[14:13:19] <rigo> paulwouters: OTR has numbered ciphers, can assign new numbers and new cipher. Agility is there in the prot, but is preventing two implementatons htat do not talk to each other anymore                                                                             
[14:13:28] <npdoty> s/??/TextSecure from Whisper Systems/
[14:13:34] <npdoty> https://github.com/WhisperSystems/TextSecure/wiki/ProtocolV2
[14:13:56] <rigo> PeterStAndre: upgrade is not so much of an issue                                                                             
[14:14:34] <rigo> PHB: algo break was not all over sudden. It normally takes 10 years from slightly nervous to contentious                                                                             
[14:15:00] <rigo> sha2 is hard to deploy unless every browser is upgraded                                                                             
[14:15:30] <rigo> SteveK: presence protocol is a set of algos, can provide for agility where nto everbody changes                                                                             
[14:15:39] <rigo> the same time                                                                             
[14:15:39] <stpeter> we actually have a spec for that: http://xmpp.org/extensions/xep-0300.html
[14:15:51] <stpeter> (to Steve Kent's point)
[14:16:02] <rigo> TimP: no reason to have pull down menu for ciphers. Only needed if legacy is too weak                                                                             
[14:16:31] wseltzer leaves the room
[14:16:32] <rigo> ... PHB is almost right, but algos phase out 5 years, software upgrade is 10 years                                                                             
[14:16:48] <rigo> JoeH: want the energy to go on xmpp list                                                                             
[14:18:08] Karen O'Donoghue leaves the room
[14:19:16] =jeffh joins the room
[14:19:17] <rigo> PHB: 2 SSL libraries died to coding errors. People were not checking certificates. People said we should get rid of the CAs. Now coding errors, should get rid of the browsers                                                                             
[14:19:26] <Adam Montville> +1 on the test suite
[14:19:28] <rigo> ... definitely need a testsuite                                                                             
[14:19:30] Ben Laurie joins the room
[14:19:35] Karen O'Donoghue joins the room
[14:19:48] <rigo> ?? British computer society: offers help                                                                              
[14:19:57] Karen O'Donoghue leaves the room
[14:20:50] <rigo> ??: agree with PHB, various flaws seen, testsuite can be remote. expect to fail cases coudl be done online.                                                                              
[14:20:59] <rigo> -> some talk about NIST interest                                                                             
[14:21:10] <sftcd> vickor dukovni (probably mispelled sorry)
[14:21:31] <npdoty> http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html
[14:21:33] <Adam Montville> They're there and made, but we need a formal testing strategy here I think.  But that begs the question, would IETF perform any sort of certification?
[14:21:36] <rigo> TimB: large number of test cases, CRLs all available will provide uris                                                                             
[14:21:59] <sean.turner@jabber.psg.com> http://csrc.nist.gov/groups/ST/crypto_apps_infra/pki/pkitesting.html
[14:22:01] <rigo> Dan: serious test cases for DANE, if interest, talk to me                                                                             
[14:22:13] npdoty is 30 seconds faster than sean.turner
[14:22:19] <rigo> sftcd: can do a mailinglist if it helps                                                                             
[14:22:24] <sean.turner@jabber.psg.com> oh beat me ...
[14:22:31] <sean.turner@jabber.psg.com> I owe you some champaign
[14:22:41] kohei.kasamatsu130 leaves the room
[14:22:47] <stpeter> well Sean is unblocked now so processing is really fast ;-)
[14:22:59] Karen O'Donoghue joins the room
[14:23:01] <rigo> ??: we are down to AES. draft is strange because it contains no research proof                                                                             
[14:23:02] stpeter leaves the room
[14:23:08] Dan York joins the room
[14:23:10] <sftcd> yoav nir
[14:23:26] <rigo> stpeter, npdoty is 30 seconds slower than Coralie                                                                             
[14:23:51] <rigo> sean.turner@jabber.psg.com: there is a group in RSAC.                                                                              
[14:24:15] <rigo> STFCD: we wanted not to have a WG.                                                                             
[14:24:17] <sean.turner@jabber.psg.com> ack
[14:24:27] <rigo> ... research groups not producing research is fine                                                                             
[14:24:38] <sean.turner@jabber.psg.com> yeah no security dumping ground group
[14:24:55] <rigo> Barry Leiba: vary about mixed area wg                                                                              
[14:25:38] <rigo> Dave: project absencer                                                                             
[14:26:55] <rigo> Yoav: puzzles, techniques to proof against ddos, some patents in this, some said privately that we were doing it already 1999.                                                                              
[14:27:52] <derek> Yoav: how do get a contact at Sun/Oracle to publish an IPR statement?
[14:28:25] <derek> Rigo: we deal with these issues all the time.  I encourage you to share information in the community.  Organize yourself.
[14:29:10] =jeffh leaves the room
[14:29:18] =jeffh joins the room
[14:29:24] <rigo> PHB: end to end email with s/mime and pgp. PGP got mindshare s/mime got deployment                                                                             
[14:29:38] <rigo> ... things wrong with the current specs, but really slow                                                                             
[14:29:42] <Adam Montville> Decent summary by PHB
[14:29:45] <rigo> ... code on source forge                                                                             
[14:30:35] <sftcd> big problem == key mgmt should NOT get a clap here dudes:-)
[14:30:36] <rigo> ChrisNewman: working on email products, not personally interest. biggest problem is key management. So that people don't see it happen                                                                             
[14:31:01] Joe Hildebrand leaves the room
[14:31:03] <rigo> ... change in industry, the way that ??books get distributed over multiple clients. A lot of work there                                                                             
[14:31:10] Karen O'Donoghue leaves the room
[14:31:15] sean.turner@jabber.psg.com leaves the room
[14:31:15] Dan York leaves the room
[14:31:17] Barry Leiba leaves the room
[14:31:23] semery leaves the room
[14:31:28] g.e.montenegro leaves the room
[14:31:29] SM leaves the room
[14:31:31] yaron.sheffer leaves the room
[14:31:33] Steve Olshansky leaves the room
[14:31:39] jimsch1 leaves the room
[14:31:41] sftcd leaves the room
[14:31:43] metricamerica leaves the room
[14:32:22] kivinen leaves the room
[14:32:55] rigo leaves the room
[14:33:13] cw leaves the room
[14:33:30] m&m leaves the room
[14:33:31] satoru.kanno@jabber.org leaves the room
[14:33:46] Wolfgang Beck (remote) leaves the room
[14:33:53] satoru.kanno@jabber.org joins the room
[14:34:23] fanf leaves the room
[14:34:31] Franck Martin leaves the room
[14:34:33] renzoe leaves the room
[14:34:44] Adam Montville leaves the room
[14:34:44] npdoty leaves the room
[14:34:45] Dan York joins the room
[14:35:01] satoru.kanno@jabber.org leaves the room
[14:35:19] =jeffh leaves the room
[14:35:27] =jeffh joins the room
[14:35:43] =jeffh leaves the room
[14:35:45] antonioaraujob@jappix.com leaves the room
[14:37:24] satoru.kanno@jabber.org joins the room
[14:37:40] linus leaves the room
[14:39:00] dseomn leaves the room
[14:39:11] tlyu@mit.edu leaves the room
[14:39:42] david joins the room
[14:39:53] sean.turner@jabber.psg.com joins the room
[14:41:11] david leaves the room
[14:41:23] david joins the room
[14:43:26] russ leaves the room
[14:43:58] paulwouters leaves the room
[14:43:58] paulwouters joins the room
[14:45:49] paulwouters leaves the room: Replaced by new connection
[14:45:50] paulwouters joins the room
[14:47:41] david leaves the room
[14:48:35] david joins the room
[14:49:31] wseltzer leaves the room
[14:50:31] satoru.kanno@jabber.org leaves the room
[14:56:15] Dan York leaves the room
[15:01:02] derek leaves the room
[15:01:04] derek joins the room
[15:01:29] sean.turner@jabber.psg.com leaves the room
[15:02:46] david leaves the room: Replaced by new connection
[15:05:15] paulwouters leaves the room
[15:05:52] derek leaves the room
[15:05:56] derek joins the room
[15:06:58] derek leaves the room
[15:07:03] derek joins the room
[15:13:40] satoru.kanno@jabber.org joins the room
[15:14:35] sftcd joins the room
[15:15:44] derek leaves the room
[15:16:25] Olafur Gudmundsson joins the room
[15:17:35] derek joins the room
[15:18:43] derek leaves the room
[15:20:07] Franck Martin joins the room
[15:22:51] Joe Hildebrand joins the room
[15:22:54] Joe Hildebrand leaves the room
[15:23:10] Franck Martin joins the room
[15:23:31] Franck Martin leaves the room
[15:24:26] Karen O'Donoghue joins the room
[15:24:32] sftcd leaves the room
[15:25:09] Karen O'Donoghue leaves the room
[15:25:14] paulwouters joins the room
[15:26:48] satoru.kanno@jabber.org leaves the room
[15:26:57] Franck Martin leaves the room
[15:30:49] wseltzer joins the room
[15:32:31] Olafur Gudmundsson leaves the room
[15:39:17] wseltzer leaves the room
[15:42:22] johntofsohn joins the room
[15:42:26] fanf joins the room
[15:45:27] sean.turner@jabber.psg.com joins the room
[15:45:41] sean.turner@jabber.psg.com leaves the room
[15:59:51] johntofsohn leaves the room
[16:25:43] stpeter joins the room
[16:45:55] fanf leaves the room
[17:02:30] paulwouters leaves the room
[17:04:33] npdoty joins the room
[17:04:45] npdoty leaves the room
[17:12:01] russ joins the room
[17:14:23] russ leaves the room: Replaced by new connection
[17:14:26] russ joins the room
[17:40:17] stpeter leaves the room
[18:22:22] russ leaves the room
[18:22:26] russ joins the room
[18:22:43] russ leaves the room
[18:40:27] fanf joins the room
[18:42:30] russ joins the room
[18:43:08] russ leaves the room: Replaced by new connection
[18:43:10] russ joins the room
[18:44:06] paulwouters joins the room
[18:53:41] paulwouters leaves the room
[19:31:09] fanf leaves the room
[19:36:04] russ leaves the room: Replaced by new connection
[19:36:05] russ joins the room
[19:43:51] russ leaves the room
[19:44:25] ilari.liusvaara leaves the room: offline
[20:54:56] stpeter joins the room
[21:10:17] stpeter leaves the room
[21:26:03] stpeter joins the room
[22:29:09] russ joins the room
[22:33:00] russ leaves the room
[23:12:42] stpeter leaves the room
Powered by ejabberd Powered by Erlang Valid XHTML 1.0 Transitional Valid CSS!