2.1.1 Applications Open Area Meeting (apparea)

NOTE: This charter is a snapshot of the 63rd IETF Meeting in Paris, France. It may now be out-of-date.

Last Modified: 2005-06-02


Keith Moore <moore@cs.utk.edu>

Applications Area Director(s):

Ted Hardie <hardie@qualcomm.com>
Scott Hollenbeck <sah@428cobrajet.net>

Applications Area Advisor:

Scott Hollenbeck <sah@428cobrajet.net>

Mailing Lists:

General Discussion:
To Subscribe:

Description of Working Group:

Goals and Milestones:

No Current Internet-Drafts

No Request For Comments

Current Meeting Report

apparea Apps Area meeting
Monday Aug. 1, 900

Normal intro talk (agenda and blue sheets)

New WG, BOFs, and BOFs
    Meeting the first time
    Still under consideration
    IESG is still considering
- Remote UI BOF
    First time
    Could be called "remote widget management"
    Second time
    Been going on for a while
    Somewhat controversial
IMA - Internationalization of eMail Address
    Presented by James Seng
    Mostly about local side i18n
    Some communities of users have wanted this
    Renewed effort, particularly in Asia
    JET group working together on this
    Sender's agent creates with punycode
    Recipient's MDA does the conversion back to
    New mailing list is at imaa@ietf.org
    John Klensin pointed out

Format for IPv6 Scope Zone Identifiers in Literal URIs
    Presented by Bill Fenner
    Addresses have [] and :
    Current system doesn't allow specifying scope addresses
    draft-fenner-literal-zone proposes a format
    Doesn't fit the scope zone spec: that one uses %
    Picked _ for now, but that might change
    Don't make the app do extra work for scoped zones
    Does using this format break current URI usage?
    Keith Moore suggested using % instead; Bill pointed out that this would need to be escaped
    Chris Newman really wants this new syntax to be aligned with the 2821
    John Klensin wants Bill to look carefully at the other URI specials

Native Host Identity Protocol APIs
    Presented by Andre Gurtov from HIP RG
    HIP has a WG and RG for longer-term
    Shim layer between IP and Apps layers
    Lots of new terminology
    One new layer
    Legacy APIs have one new API to say "use HIP or fail"
    New native HIP API
        Introduces new socket family, similar to BSD sockets
        Can be used to figure if HIP is supported locally
    Long list of comparisons of legacy API and native API
    Native API allows use of session-length APIs
    Can be implemented by DNS or distributed hash table
    Eric Rescorla notes that this doesn't look like BSD sockets
    Christian Huitema said that there should be a WG for making an API
    Keith Moore worries that creating an API now will limit the use of HIP in the future; also thinks that there may need to be a more generic API for more than HIP
    Scott said a WG is possible, but so is Informational RFCs

Time Passes, Security Changes
    Presented by Christian Huitema
    Takes 1 ms to verify MD5 checksums
    Can use this for dictionary attacks for cracking passwords
    Today there are much wider dictionaries
    This attack is often used on hash(challenge, password)
    Cracking can happen within a few seconds
    Zombies can be rented for $0.10 per week on the underground market
    Strong password = 32 bits of entropy
        Can be cracked for less than $0.01
    Pass phrase = 40 bits of entropy
        Crack for $0.20
    7 random characters = 47 bits of entropy
        Crack for $50
    If the password is generated by user, it can be cracked
    If the password is memorable, it is probably able to be cracked
    Some protocols can make this much harder
    Average user will connect to the free internet
    Opens up easy man-in-the-middle attack
        Allows easy spoofing
        Can listen to the traffic
    Hiding the SSID opens up to the "evil twin attack"
    Rogue APs can answer to probes, always saying "yes, that's me".
        Don't rely on challenge-response protocols without first identifying the server in a strong fashion
        Identify your server to prevent man-in-the-middle attacks
        Encrypt the session
        Use a secure framework like IPsec or SSL, secure RPC, secure web services
    Sam Hartman agrees mostly, particularly about identifying the server
    Eric Rescorla pointed out that there are many different things mixed in these proposals, and there are some good password-strengthening protocols

What's going on in URIs
    Presented by Larry Masinter
    Revising the registration guidelines
    Moving specs along to standards track
    gopher, prospero, telnet, wais are already in RFC Editor queue
    Larry is working on file, ftp, and mailto:
    Usefor is working on news
    All discussions are on uri@w3.org

Open mic
    Dave Crocker encouraged people to come to MASS BOF
    Keith Moore noted that proposals for getting rid of bad email harm the mail system


Internationalization of eMail Address
Format for IPv6 Scope Zone Identifiers in Literal URIs
Native Host Identity Protocol APIs
Application-Level Security Vulnerabilities
Current State of URI Work