Security Area Open Meeting (SAAG) Minutes

Meeting : IETF 78, Thursday 29 July 2010, 13:00-15:00
Location: MEC, Auditorium 1
Chairs  : Tim Polk and Sean Turner
Minutes : David Cooper (edited by Tim and Sean)
Version : 1 (2010-08-27)
----------------------------------------------------------------------

1. Overview - ADs

The ADs opened the meeting with a review of the agenda.

2. WG Reports - WG Chairs

Reports of the Security Area Working Groups that had already met at IETF 78 were submitted to the SAAG list, along with reports from several WGs that were not meeting at IETF 78. (See http://www.ietf.org/mail-archive/web/saag/ for details.) There were also several brief reports at the mike from WGs that were scheduled to meet later Thursday or on Friday.

3. Invited Presentations

3.1 ECC Efficiencies
    draft-struik-ecc-efficiencies

Rene Struik presented some ECC speedups that can be deployed and still preserve compatibility with the ECC techniques specified in draft-mcgrew-fundamental-ecc. Tim Polk observed that the techniques in this presentation may be useful for very constrained devices. Paul Hoffman observed that the relatively limited performance improvements did not justify the IPR risks, given the IPR disclosures prompted by this draft.

3.2 Distributed Security Architecture Within Enterprise Environments
    (no draft)

Radia Perlman and Ken Grewal presented a distributed security architecture that would permit intermediate devices to look at more of the packet than IPsec or TLS normally exposes. The architecture relies on a server to derive session keys from a secret S, which are then pushed to the client. The server shares S with intermediate boxes that are permitted to inspect packets. The presentation inspired significant interest, but the initial response indicated that the technical mechanisms used to solve this problem today might prove to be a simpler solution.

3.3 TLS Server ID Check
    draft-saintandre-tls-server-id-check

Jeff Hodges presented the TLS Server ID Check draft.
This document is currently in IETF Last Call for consideration as a Best Current Practice. This draft is an individual submission; given that status, it is very important to confirm the community's support. The ADs indicated that the TLS and PKIX chairs were proactively recruiting reviewers to ensure that the document received adequate review.

3.4 Cryptographically Generated Address (CGA) Extension Header for Internet Protocol version 6 (IPv6)
    draft-dong-savi-cga-header

Margaret Wasserman presented draft-dong-savi-cga-header, which specifies an alternative mechanism where CGAs have non-local scope but sacrifice some of the privacy attributes of traditional CGAs. There were questions with respect to whether CGAs were the best mechanism to achieve the draft's goals. SAAG members were encouraged to read and comment on the draft.

3.5 Cipher Suite Proliferation

Sean Turner briefly presented the ADs' emerging strategy for cipher suite proliferation. The goal is to establish criteria that determine whether a cipher suite specification should move forward on the standards track or be published as an Informational RFC.

3.6 Revisiting IPv6 Node Requirements (Thomas Narten)
    draft-ietf-6man-node-req-bis

Thomas Narten presented an update to the draft IPv6 Node Requirements; current thinking within 6man would remove the "MUST implement IPsec", but would add a requirement for IKEv2 in implementations that choose to support IPsec. The current standard requires support for mandatory keying. Paul Hoffman stated the document should require that if one implements IPsec and key management, then one MUST use IKEv2. Dan Harkins did not believe IKEv2 should be a MUST, preferring to allow implementors to choose other protocols when deemed appropriate. Sam Hartman indicated he supported the requirements as specified in the presentation.

4. Open Microphone
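Returning to the architecture summarized under 3.2 (a server derives session keys from a secret S, pushes them to the client, and shares S with the intermediate boxes permitted to inspect packets): the model below is an added example, not part of the minutes or of the presenters' work. The HKDF-based derivation, the HMAC packet tag, the salt/info labels and the session identifiers are assumptions; the point it makes visible is that any box holding S can recompute the key for every session, not just observe one flow.

```python
import hashlib
import hmac
import os
from typing import Optional


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract-then-expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_session_key(s: bytes, session_id: bytes) -> bytes:
    """Server-side derivation (assumed KDF): the session key is a deterministic
    function of S and the session id, so any holder of S can recompute it."""
    return hkdf_sha256(s, salt=b"saag-demo-salt", info=b"session-key|" + session_id)


def protect(session_key: bytes, payload: bytes) -> bytes:
    """Endpoint packet protection: payload followed by an HMAC-SHA256 tag."""
    return payload + hmac.new(session_key, payload, hashlib.sha256).digest()


def inspect(packet: bytes, s: Optional[bytes], session_id: bytes) -> Optional[bytes]:
    """Intermediate box: rebuild the session key from S and verify the packet.
    A box that was never given S cannot derive the key and gets nothing."""
    if s is None:
        return None
    payload, tag = packet[:-32], packet[-32:]
    expected = hmac.new(derive_session_key(s, session_id), payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, tag) else None


def run_demo() -> dict:
    s = os.urandom(32)                          # constructed secret S held by the server
    session_id = b"client-A/flow-0001"          # constructed session identifier
    key = derive_session_key(s, session_id)     # key the server pushes to the client
    packet = protect(key, b"GET /index.html")   # constructed payload
    return {
        "authorized_box": inspect(packet, s, session_id),        # box that was given S
        "unauthorized_box": inspect(packet, None, session_id),   # box without S
        "tampered": inspect(packet[:4] + b"X" + packet[5:], s, session_id),
        # Holding S is enough to derive a different session's key as well.
        "other_session_key_differs": derive_session_key(s, b"client-B/flow-0002") != key,
    }
```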