Security Area Open Meeting (SAAG) Minutes

Meeting  : IETF 77, Thursday 25 March 2010, 13:00-15:00
Location : Anaheim Hilton, California D
Chairs   : Pasi Eronen (Outgoing), Tim Polk, and Sean Turner (Incoming)
Minutes  : Tero Kivinen (edited by Tim and Sean)
Version  : 1 (2010-04-26)

----------------------------------------------------------------------

1. Appreciation: 7 years service to the community

Tim Polk opened the meeting by thanking the outgoing Security Area Director, Pasi Eronen. Tim highlighted a selection of Pasi's many contributions to the community, including contributions to working groups outside the Security Area:

- Major contributor in IPsec, EAP, IKEv2, TLS, and MOBIKE;
- Chair of TLS;
- Security AD;
- 16 RFCs with more on the way, including draft-krawczyk-hkdf; and
- Tools wizard.

Tim also introduced Sean Turner as the incoming Security Area Director.

2. Overview - ADs

The ADs opened the meeting with a review of the agenda.

3. WG Reports - WG Chairs

Reports from the Security Area working groups that met at IETF 77 were submitted to the SAAG list (see http://www.ietf.org/mail-archive/web/saag/ for details). There were several brief reports at the mike from working groups that were not meeting.

Barry Leiba, co-chair of DKIM, indicated that the working group was about to recharter. Completion of the informational deployment document clears the final work item from the initial charter, and the base document is ready to go to Draft Standard. Tim Polk asked whether work on interoperability reports was underway to ensure readiness. Barry indicated that some interoperability report work was underway, and that additional information from WG participants also indicated readiness for promotion to Draft Standard.

Hannes Tschofenig, co-chair of KEYPROV, indicated that the working group has three documents in process. Work is finished on two of the three; WGLC for the Dynamic Symmetric Key Provisioning Protocol (DSKPP) is underway. That concludes all of the items on the charter.

Tom Yu, co-chair of SASL, indicated that SASL has completed most of its charter items.

Paul Hoffman, the new co-chair of SMIME, indicated that the WG will shut down soon. Any remaining items will go forward as individual documents.

4. Other WGs and Bar BoFs

Barry Leiba reported that the apparea meeting addressed two issues of concern to SAAG. The first was adding a DKIM information authentication-results header. This would be an update to RFC 5451 and is being discussed on the mail-vet-discuss@mipassoc.org mailing list. The second was a new work item for SASL/OpenID. More security clue is needed, so this might be taken to the SASL/SASL+KITTEN WG, if they recharter and want it.

Brian Weis, co-chair of KARP, noted that the WG had a lively session and discussed its threats/requirements, design, and framework documents. He will post to the SAAG list when new documents are available.

Hannes Tschofenig provided a brief overview of the OAuth problem space. OAUTH previously met as a BoF and had its first WG meeting at IETF 77. OAuth 1.0 has already been published (based on a spec developed outside the IETF); the current WG focus is OAuth 2.0. Hannes encouraged SAAG attendees to participate; the desire for increased security focus was a major incentive to bring this technology into the IETF.

Lev Novikov reported that sixteen people attended the High Assurance Cryptographic API Bar BoF. The initial feedback was the need to clearly define the differences between a high-assurance cryptographic API and those in common use (e.g., PKCS#11).

Sam Hartman invited everyone to attend the upcoming Federated Authentication for Non-Web Applications Bar BoF. The concept is federated authentication for applications other than the web. There are several documents, including a use cases paper, a GSS-API mechanisms draft, a description of how this interacts with RADIUS, and two OASIS documents.

Security discussions in TICTOC and a new MPLS document separating the router forwarding and control planes were also noted.

Peter Saint-Andre asked for feedback on the Internet-Draft "Representation and Verification of Application Server Identity", draft-saintandre-tls-server-id-check. This document is under discussion on the cert-id@ietf.org mailing list. A new revision is coming soon, and Peter indicated he would announce the document on the SAAG list as well.

5. Invited Presentations

5.1 Fundamental Elliptic Curve Cryptography Algorithms (draft-mcgrew-fundamental-ecc-02) - David McGrew

David McGrew presented his Fundamental ECC Internet-Draft. The draft demonstrates the maturity of the ECC specifications, which is an essential aspect of trust for cryptographic algorithms. Tim Polk indicated he planned to sponsor publication as a Standards Track RFC, and that this would be an excellent choice for normative references in ECC protocol specifications. Alignment issues with RFC 5114 were discussed.

5.2 MashSSL Quick Summary - Ravi Ganesan

Ravi Ganesan gave a presentation on the MashSSL project, which is currently underway in W3C. MashSSL relies upon TLS and addresses the scenario in which two servers are communicating on behalf of a client and wish to ensure that the communication path is transiting that particular client. The discussion focused on the goals and objectives of the work rather than on protocol details, but it demonstrated a need for further coordination.

The discussion also identified another important but orthogonal issue. Requirements for IPR disclosure had not been communicated to the speaker beforehand, but the presentation met the definition of an IETF contribution. As a W3C activity, IPR disclosures had been filed with that organization rather than with the IETF. The presenter agreed to submit a disclosure to ensure transparency for this talk, and the ADs agreed to clarify the requirements for invited presentations.

6. Open mike time

Paul Hoffman raised concerns about IETF working groups deferring security to later milestones, or to other WGs altogether. He expressed specific concerns about discussion heard earlier in the CORE WG, which allocated security responsibilities to the transport layer while specifying bindings for only TCP and UDP. Carsten Bormann, co-chair of CORE, indicated that CORE had used half its meeting time talking about security, but that specifying the security controls was still premature. Paul noted that the CORE security document was quite good, and that he had interpreted some discussions in the meeting (e.g., object security vs. transport security) as more final than they actually were.