Security Area Open Meeting -------------------------- Thursday, July 23, 2015 (CEST) 13:00-15:00 Thursday Afternoon session I Thanks to Hannes Tschofenig and Mike Jones for minutes. Reports from various working groups =================================== Almost all went sent via email to the saag list. Hannes Tschofenig talked about OAuth status. 6 RFCs published since last meeting. Developed plan next steps Leif Johansson talked about UTA status. Getting "doneish" Want more views of work on MTA, etc. Huge influx of new stuff They hope to be done in a few months Four new working groups were added since the last meeting Kathleen talked about I2NSF. Consensus in the room to write specs, to implement and deploying solutions. More tweaking needs to be done. CrypTech Randy Bush ======== Randy goes through the slides. Yaron Sheffer: The hardware level interface is PSKC#11. Randy: Yes, that's the standard you would expect. Yaron: This means that the ARM processor are part of the security boundary. Randy: Yes. Yaron: Goals: I would have expect to see an audit. We have seen with software that an audit is essential. Randy: I agree but I don't have funds Tim Shepherd: How do you get trustable tool chains? Randy: How do I trust my compiler, Verilog compiler, etc.? Very difficult question since there is very little open source code available for some of the tool chains. Richard Barnes: You made an initial selection of algorithms. Is there a possibility to produce a design that is a subset of those algorithm. Randy: In your build you can select what goes into the FPGA. State of Transport Security in the E-Mail Ecosystem at Large Aaron Zauner ============================================================ Daniel Kahn Gilmoe (DKG): There are submission servers that need to be investigated. Aaron: I have just finished the run yesterday. No statistics generated yet. Carsten Bormann: We should compare our data. We have found more weak keys. Tony Hansen: Do you have the certificate chains? Aaon: Yes. Orit Levin: Maybe you can upload them to the certificate transparency store. Tony: There is also the implicit port for submission. Aaron: Yes. Talked to Chris Newman about this topic. UTA is currently working on TLS for email. It would be good to feed data back into the group Some observations about TLS in the Web Richard Barnes & Rich Salz ====================================== Browser-side Perspective (Richard) Server-side Perspective (Rich) DKG: Can you explain the volume? Richard: These are the absolute numbers. Patrick Hallstrom: Are you also looking at the speed of the handshake? Rich: The speed various on the speed of the network; not so much about the processor speed. Yaron: Do you have work ongoing to get more precise statistics? Richard: We are trying to figure out how to do these detailed measurements in a privacy sensitive manner. Maybe there is a methodology to aggregate data. ?: Is there any impact on the users with the use of more encrypted traffic? Rich: No. ?: But you have to wait longer for the handshake. Richard: There is some latency but we are hoping to improve the latency with TLS 1.3. TLS also uses mechanisms to resume the previous session. With HTTP/2 there is also the ability to re-use an existing session. Lack of automated EAP Configuration Stefan Winter =================================== Phill Hallam Baker (PHB): I like the proposal but I was not too happy with the statement that this is a user problem. If you, as a user, have to do anything at all then you do it wrong. Stefan: We also look at dynamic discovery techniques. Entity Key Discovery Matt Miller ==================== Mike Jones: Do questions go to the list or directly to the author? Stephen: We can use the SAAG list where discussions happen today. Paul Hoffman: If there is a mailing list setup for this topic then it shouldn't be setup around this document since the other alternative (by Chris Newman) is better for the majority of use cases. Richard: I haven't evaluated the proposals but I believe it is important work. Update of Secure DHCPv6 Dacheng Zhang ======================= Randy: The draft does not say what the assumptions about the environment are. The coffee shop scenario you mentioned is the most difficult one. TOFU does not work there. You have to establish trust; whether you use certificates or something else does not matter. Trust is local and you have to establish that trust first. If you use TOFU in the enterprise then you are naive about the nature of the enterprise. Stephen Farrell: Please help these folks if you can Max Pritkin: I think we are seeing bootstrapping and keying infrastructure all over the place and we have to work on those conversations together. It is the same conversation. Managing Radio Networks in an Encrypted World Workshop Natasha Rooney ====================================================== Announcement about the upcoming IAB workshop on this topic. Wes George: Is this workshop going to be streamed. I don't have enough to contribute but I would like to hear what is being discussed. Natasha: At the moment you still have to send a position paper. Stephen: We'll investigate streaming. Open Mic ======== Dave Crocker: Hannes has identified an issue that is more general than security. There is probably doing the work accidentally. The only approach to deal with this is to do a survey -- a crowd sourcing. Kathleen: If you are out there and you see this overlap then you need to need to report this. Rich: A wiki with some of the commonly used terms would be helpful. Kathleen: Maybe we can have a repository of newer terms. Randy: Hannes has a specific problem -- introduction. Bob Moskowitz: There is not one problem. There are different questions and they require different solutions. PHB: What do I need to introduce my light bulb to. It is easy to say that this is an introduction problem. You have to say what infrastructure people have in their houses. Wendy Selzer: I would like to point to some new work on the Web Application security working group. We are going to do a suite of specs to make it easier to update websites to HTTPS, etc. The W3C TAG has published a few findings, including the support for end-to-end security, and unsanctioned web tracking. Stephen asked about what do do with the discussions regarding RFC 1984 on the SAAG mailing list. About 50% of people said they understood the issues. Few to none wanted to open-up and edit 1984 afresh. There did however seem to be consensus to turn RFC 1984 into a BCP without revising the document at all (or changing RFC number), as suggested on the list by Carsten. Dino Farrinici: I came to this group a year ago and we wanted to develop a dataplane security for LISP. I wanted to thank for the resources and time from the SAAG for the help. Robin Wilton: Wants to point out that there is still a concern about surveillance and in the UK there are even discussions to disallow encryption.