Last Modified: 2005-06-02
Monday Aug. 1, 900

Normal intro talk (agenda and blue sheets)

New WG, BOFs, and BOFs
  - CALSIFY
      Meeting the first time
  - SLRRP
      Still under consideration
      IESG is still considering
  - Remote UI BOF
      First time
      Could be called "remote widget management"
  - MASS
      Second time
      Been going on for a while
      Somewhat controversial

IMA - Internationalization of eMail Address
Presented by James Seng
  Mostly about local side i18n
  Some communities of users have wanted this
  Renewed effort, particularly in Asia
  JET group working together on this
  draft-lee-jet-ima-00.txt
  Sender's agent creates with punycode
  Recipient's MDA does the conversion back to
  New mailing list is at imaa@ietf.org
  John Klensin pointed out

Format for IPv6 Scope Zone Identifiers in Literal URIs
Presented by Bill Fenner
  Addresses have [] and :
  Current system doesn't allow specifying scope addresses
  draft-fenner-literal-zone proposes a format
    [v6.fe80::cafe:f00d_de0]
  Doesn't fit the scope zone spec: that one uses %
  Picked _ for now, but that might change
  Don't make the app do extra work for scoped zones
  Does using this format break current URI usage?
  Keith Moore suggested using % instead; Bill pointed out that this would need to be escaped
  Chris Newman really wants this new syntax to be aligned with the 2821
  John Klensin wants Bill to look carefully at the other URI specials

Native Host Identity Protocol APIs
Presented by Andre Gurtov from HIP RG
  HIP has a WG and RG for longer-term
  Shim layer between IP and Apps layers
  Lots of new terminology
  One new layer
  Legacy APIs have one new API to say "use HIP or fail"
  New native HIP API
    Introduces new socket family, similar to BSD sockets
    Can be used to figure out if HIP is supported locally
  Long list of comparisons of legacy API and native API
  Native API allows use of session-length APIs
  Can be implemented by DNS or distributed hash table
  Eric Rescorla notes that this doesn't look like BSD sockets
  Christian Huitema said that there should be a WG for making an API
  draft-mkomu-hip-native-api
  Keith Moore worries that creating an API now will limit the use of HIP in the future; also thinks that there may need to be a more generic API for more than HIP
  Scott said a WG is possible, but so is Informational RFCs

Time Passes, Security Changes
Presented by Christian Huitema
  Takes 1 ms to verify MD5 checksums
  Can use this for dictionary attacks for cracking passwords
  Today there are much wider dictionaries
  This attack is often used on hash(challenge, password)
  Cracking can happen within a few seconds
  Zombies can be rented for $0.10 per week on the underground market
  Strong password = 32 bits of entropy
    Can be cracked for less than $0.01
  Pass phrase = 40 bits of entropy
    Crack for $0.20
  7 random characters = 47 bits of entropy
    Crack for $50
  If the password is generated by user, it can be cracked
  If the password is memorable, it is probably able to be cracked
  Some protocols can make this much harder
  Average user will connect to the free internet
    Opens up easy man-in-the-middle attack
    Allows easy spoofing
    Can listen to the traffic
  Hiding the SSID opens up to the "evil twin attack"
    Rogue APs can answer to probes, always saying "yes, that's me".
  Recommendations
    Don't rely on challenge-response protocols without first identifying the server in a strong fashion
    Identify your server to prevent man-in-the-middle attacks
    Encrypt the session
    Use a secure framework like IPsec or SSL, secure RPC, secure web services
  Sam Hartman agrees mostly, particularly about identifying the server
  Eric Rescorla pointed out that there are many different things mixed in these proposals, and there are some good password-strengthening protocols

What's going on in URIs
Presented by Larry Masinter
  Revising the registration guidelines
  Moving specs along to standards track
  gopher, prosper, telnet, wais are already in RFC Editor queue
  Larry is working on file, ftp, and mailto:
  Usefor is working on news
  All discussions are on uri@w3.org

Open mic
  Dave Crocker encouraged people to come to MASS BOF
  Keith Moore noted that proposals for getting rid of bad email harm the mail system
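
The bracketed format from the scope zone identifier talk above, as an added example that is not part of the minutes or of draft-fenner-literal-zone: a strict parser for literals shaped like [v6.fe80::cafe:f00d_de0], plus the "%" alternative from the discussion with the escaping Bill mentioned. The grammar is inferred from that single example; the function names and the zone ID character set are assumptions made here.

```python
import ipaddress
import re
from urllib.parse import quote

PREFIX = "v6."   # version tag, taken from the example in the minutes
ZONE_SEP = "_"   # separator "picked for now" in the minutes; may change
# Assumption: zone IDs are limited to RFC 3986 "unreserved" characters.
ZONE_RE = re.compile(r"[A-Za-z0-9._~-]+")


def parse_zone_literal(host):
    """Return (IPv6Address, zone or None) for a literal like [v6.ADDR_ZONE]."""
    if len(host) < 2 or host[0] != "[" or host[-1] != "]":
        raise ValueError("literal must be enclosed in [ ]")
    body = host[1:-1]
    if body[:len(PREFIX)].lower() != PREFIX:
        raise ValueError("missing %r version tag" % PREFIX)
    addr_text, sep, zone = body[len(PREFIX):].partition(ZONE_SEP)
    # A raw "%" would start a percent-escape in a URI, so refuse it here
    # instead of letting the address parser treat it as a scope ID.
    if "%" in addr_text:
        raise ValueError("raw % is not allowed in this format")
    addr = ipaddress.IPv6Address(addr_text)  # raises ValueError if malformed
    if not sep:
        return addr, None
    if not ZONE_RE.fullmatch(zone):
        raise ValueError("empty or malformed zone ID")
    return addr, zone


def to_scoped_text(addr, zone):
    """Textual form with the "%" delimiter that the scope zone spec uses."""
    return str(addr) if zone is None else "%s%%%s" % (addr, zone)


def percent_form_for_uri(addr, zone):
    """The "%" alternative raised in discussion, escaped for use in a URI."""
    return quote(to_scoped_text(addr, zone), safe=":")
```

Because "_" is an unreserved URI character, the literal passes through URI handling unchanged, while the "%" form has to be carried as "%25".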