[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Working Group Chair Notes for Security Sessions at IETF 57
- To: iesg@ietf.org
- Subject: Working Group Chair Notes for Security Sessions at IETF 57
- From: Russ Housley <housley@vigilsec.com>
- Date: Fri, 18 Jul 2003 04:17:38 -0400
Here are the notes requested at the IESG Breakfast this morning. Each
session has a short text file.
Russ
The main documents of this group (clarifications and kcrypto) have passed
last call and have been sent to the IESG. Comments received since last
call are minor enough that they can be fixed during the author revision
period.
Sam Hartman has done additional work on a combine-keys function that can
be used by the Extra-TGT draft, and if the author has the time this could
be last-called by the next IETF.
There was a surprising amount of discussion regarding the PKINIT and PKCROSS
drafts. A represenative from CableLabs expressed their concerns regarding
the delay of these drafts (especially PKCROSS), a lack of a timeline
for the extensions document (which PKCROSS depends on), and an offer
of resources to work ont hese documents. The WG committed to producing
a revised timeline, and to commencing work on the Extensions document
as soon as possible (a timeline proposed by the acting chair was to
finish up extensions by August 2004). The ADs pointed out that if we
coordinated with the CableLabs folks, both Extensions and PKCROSS could
proceed simultaneously.
Tim Alsop of Cybersafe UK asked the WG if there was any interesting in
exploring Kerberos/GSSAPI authentication within the context of SAML.
It was the consensus of the WG that this was out-of-scope for this
workingroup.
Leif Johansson spoke briefly about the Kerberos KDC LDAP schema work;
right now the focus of the work was on defining the information model,
and then after that a schema could be defined.
The working group decided that an interim meeting was necessary,
and will decide when/where it should be based on list discussion.
Summary of actions expected before next IETF meeting:
Update working group timelime (include extensions document)
Decide on location of interim meeting.
Hold interim meeting.
Start work on Extensions document.
MSEC WG Meeting Summary & Notes, IETF57 Vienna
----------------------------------------------
The MSEC WG met on Monday night (14 July 2003), with presentations and updates on the current drafts. Presentations were given on GSAKMP, MIKEY, FMKE, DHHMAC and the GKM Architecture draft.
The Re-Charter and New Milestones have been approved by the ADs, but the Re-Charter must be further approved by the IESG.
(1) GSAKMP:
-----------
- The GSAKMP protocol will now be aimed at Standards Track (with the GSAKM_-Light draft being deprecated).
- Although there is a close relationship between the Policy Token and GSAKMP, the Token should be usable with other group-key management protocols and in various areas of application. A possible way forward would be to define a "base-profile" for the token containing fields common to the various key management protocols. Area-specific needs would then be satisfied by adding additional fields ("extensions") to the Token.
- The Policy Token cannot, therefore, be Informational (ie. it must be aimed at Experimental, at least).
(2) MIKEY and DHHMAC:
---------------------
- Most (if not all) issues with regards to MIKEY have been resolved. The DH Mode is now optional, while additional text have been added regarding defining new DH groups and regarding AES Key Wrap (suggestion from AD).
- Since MIKEY has been in WG Last Call status since the last IETF-56, its Last Call must be ended at a given date (decided to be 1 August 2003).
- The WG last call for the DHHMAC draft will follow soon after MIKEY's closing last call. For DHHMAC, this is tentatively 1 September 2003.
(3) GKM-Architecture:
---------------------
- Extensive discussion on this draft, particularly on whether or not it should contain feature-comparisons of the key management protocols.
- One suggestion was to limit the contents of this document to architecture-level descriptions and the explanation of Group Security Associations (GSA).
- Since it was agreed that some guidance document was needed for implementers, the text (in the GKM-Arch draft) describing feature-comparisons will be split-off into a new draft (tentatively titled "Guidance to choosing MSEC Key Management Protocols" or similar). Lakshminath, Hugh and Thomas will be initial contributors to this draft. Other authors sought.
(4) Action Items:
-----------------
(a) Last Call closing date for MIKEY draft Friday 1 August 2003.
(b) Last Call closing date for MSEC Architecture draft Friday 8 August 2003.
(c) Last Call announcement for GKM Architecture draft, will be sent out Friday 1 August 2003 (closing date of 1 September 2003).
(d) Last Call announcement for DHHMAC draft, will be sent out Friday 1 August 2003 (closing date of 1 September 2003).
(5) Others:
-----------
- A separate LKH-Algorithm draft is needed in order to help in implementations. Lakshminath will continue this effort (ps. other authors sought after).
IETF 57 PKIX Session Summary
Extant Documents Status:
Proxy certificates & OCSP v1 (for DRAFT) completed last call
SCVP in last call
Attribute Certificate Policies & LDAP v3 about to enter last call
ECC Curves & Warranty Extension are Informational, about to be forwarded to ADs
Repository Locator Service is Experimental, soon to be forwarded to ADs
Certificate Logotypes in IETF last call
Certificate Extension for Wireless LANs has completed IETF last call and is in IESG queue
Document Action Items:
Need to respond to IESG comments on CRMF, CMP, Policies for Time Stamping Authorities, and Permanent Identifier. This work requires new editors or other volunteers to make the requisite fixes.
PKIX Document Work Activities:
Decision to proceed with 3280 progress to DRAFT, pending submission of interoperability test report. Will initiate new document work on document to advise CAs on conventions for UTF-8 encoding, consistent with DNS work (RFC 3454).
Qualified Certificates RFC to be revised, consistent with ETSI comments, and to align with 3280. Will target progression to DRAFT status, because changes are mostly removing requirements; awaiting new document and test results.
Will continue work on Certificate Path Building as Informational RFC, with wording changes to emphasize that the proposed methods are not mandatory, and that experience in this area is still preliminary.
The SASL working group met on Tuesday for one hour.
The document editor of RFC 2222bis (Alexei) will publish a revision in
the first week of August at which point we will last call it.
The saslprep document is to be revised to include informational
mapping tables but is otherwise ready for last call. New revision
is expected shortly after the meeting and the last call will follow
shortly after it is announced.
Working group participants who made comments during the plain or
anonymous last call need to make sure their comments are reflected in
the current document. The document editor believes that the working
group is done with these two documents although we are not sending
them to the IESG at this time.
The working group decided that AES for digest-md5 will use random IVs
rather than counter mode. Counter mode is harder to implement
correctly.
There is likely to be interest in making the RC4 cipher
mandatory-to-implement for implementations that support
confidentiality with digest-md5. The RC4 cipher is interoperable with
existing implementations and we did not find any problems during the
security review conducted after the last meeting.
Currently, neither integrity protection nor confidentiality is
mandatory-to-implement. At least one participant said he would remove
digest-md5 support rather than implement integrity. The argument is
that you can just use TLS. However, if you just use TLS, you need to
depend on TLS to authenticate the server to the client or you have a
man-in-the-mdille problem. This will be discussed on the list.
The working group reached a consensus at the meeting to deprecate DES
and 3DES because they are insecure.
Larry submitted a 00 version of the GSSAPI draft, but it did not
appear. He will resubmit in the near future.
Keith Burdis agreed to submit an SASL applicability statement as an
individual submission. His document will include comparisons of the
various sasl mechanisms and their security properties. Sam agreed to
propose an outline for the document. The working group will discuss
rechartering to include this document after the first revision.
Summary of IETF57 Secure Shell WG meeting.
The actual meeting was short, mostly largely of document status
updates. Attendance was very light. There was brief discussion of
open issues with several of the documents. One document is now in the
IESG's hands: draft-ietf-secsh-dns-04.txt (SSH key fingerprints in
DNS). The core draft update to resolve IESG issues missed publication
deadline for this meeting, but editing is now done and the documents
should reappear shortly. This will hopefully break the logjam and get
the rest of the documents moving.
There are few open issues at present -- mostly editorial nits.
Starting with this IETF, the AD has requested that I list the actions
expected before the next IETF meeting (November 9-14, 2003, in
Minneapolis).
Expected within next month: [responsible party]
Creation of issue tracking database for the WG. [chair]
core drafts reissued with revised sec-cons [moffat]
draft-ietf-secsh-dh-group-exchange-04.txt [provos/friedl]
reissued with nit fixed [provos/friedl]
to AD for IETF-wide Last Call [chair]
core drafts back to IESG review. [chair]
Completion of WG last call period on
draft-ietf-secsh-gsskeyex-06.txt [jhutz]
draft-ietf-secsh-auth-kbdinteract-05.txt [cusack/forssen]
Expected before next IETF:
Reissue of extensions drafts with WG chair's nits fixed, and
run WG last call:
draft-ietf-secsh-break-00.txt [galbraith/remaker]
draft-ietf-secsh-filexfer-04.txt [galbraith]
draft-ietf-secsh-fingerprint-01.txt [friedl]
draft-ietf-secsh-publickeyfile-03.txt [galbraith]
Discussion and resolution of technical issues with extension drafts:
draft-ietf-secsh-agent-01 [lehtinen]
Issue: moving keys to root agent vs. moving
requests to keys.
draft-ietf-secsh-newmodes-00.txt [kohno]
Issue: Tweak/prune algorithm list?
Discussion of whether to accept individual submissions as WG items:
draft-galb-secsh-publickey-subsystem-01.txt [mcclure]
S/MIME session at IETF 57
Here is what happened:
- MSGbis fixed some nits believe it is ready for security ADs and IETF-wide last call
- CERTbis text needs to be added for acknowledgements but after that it's ready for security ADs and IETF-wide last call
- Examples added 11 new cases all need to be verified
- X400Trans and X400Wrap had minor comments from IESG, which have all been addressed
- Interoperability Matrix is completed but final report needs to be written
- RSA PSS and CMS going to WG LC
- RSA KEM has 3 remaining issues but then ready for WG LC
- ESSbis separating MLExpansiionHistory in to ReceiptBehavior and MLLoopDetection is proving more difficult than expected
- GOST algorithm for CMS will be published under WG
- Peter Sylvester gave a presentation on OpenEvidence
- Tim Polk gave pointers to NIST's Online SMIME tester
ENROLL BOF Report
Agenda Items:
Enroll Scope Overview Jim Schaad
Authenticate Unknown Principals Pekka Nikanda
Enroll Shared Secrets John Vollbrect for Bob Moskowitz
Trusted Transitive Introduction Cullen Jennings for Max Pritikin
Open Discussion on Charter and Models
Action Items:
Item Responsible Person(s)
1. Determine WG chair Jim Schaad and Russ Housley
2. Determine WG documents and Authors Jim Schaad
3. Write -00 Model Document Max Pritikin
4. Update WG Charter and submit to IESG Jim Schaad
Schedule of work items:
Chairs and documents authors to be determined by 15 August
First WG Charter revisions to be submitted by 25 July to list
WG Charter Revistions completed by 1 Sept.
Model document -00 to list by 1 Sept.
Incident Handling (INCH) WG report
Wednesday, July 16. 2003, 15.30-17.30
IETF 57: Vienna, Austria
Chair: Roman Danyliw <rdd@cert.org>
AD Adviser: Russ Housley <housley@vigilsec.com>
The Vienna INCH meeting was productive in discussing many of the
remaining issues in the working group.
- The requirements draft [1] is heading toward completion. The
meeting refined a number of the definitions found in Section 3;
albeit, further discussion is needed. Likewise, the FINE
time-format was decided to be anything that can be
"easily converted to UTC".
The remaining work on the requirements draft is in:
o refining the domain-specific definitions
o clarifying the FINE operational model
o providing more descriptive text for certain requirements
o proof reading of the text
- The data model [2] is beginning to stabilize. There have been no
substantial changes (or proposed changes) in the past 4-months.
The remaining work is in:
o migrating the current XML DTD implementation to Schema (this
will be a very substantial change)
o addressing remaining issues with multi-lingual free-form text
o examining and further enumerating certain enumerated
attribute values
o codifying the semantics of document updates, and making
any appropriate data model changes that might be necessary
o fully integrating XML-Signature and XML-Encryption
o confirming that all FINE requirements are being met
o proof reading of the text
A new draft incorporating an initial implementation in XML Schema,
and all current pending issues will be complete by September 2003.
This draft will still include the DTD implementation to ease
the transition.
- An initial draft of the implementation guide is not yet complete.
However, a rough outline of the main issues to be covered was
presented at the meeting. The main topics covered dealt with
data types, document exchange, data semantics, migration strategies,
security, and processing issues.
- Several independent implementations of the IODEF now (or will
soon) exist. Therefore, interoperability testing will
be possible starting in November 2003.
- Updates were made to reflect a slight slippage in the delivery
dates (WG last-call) of the WG drafts.
o Requirements Draft: November 2003
o Data Model: November 2003
o Implementation Guide: early 2004, with an initial draft by
September 2003.
Relevant Documents
[1] Requirements: draft-ietf-inch-requirements-01
[2] Data Model: draft-ietf-inch-iodef-01