Security Area Open Meeting (SAAG) Minutes Meeting : IETF 76, Thursday 12 November 2009, 13:00-15:00 Location: ANA Crowne Plaza Hiroshima, room Acacia East Chairs : Pasi Eronen and Tim Polk Minutes : Jim Schaad (+some editing by Pasi) Version : 1 (2009-11-23) ---------------------------------------------------------------------- 1. Working Group Reports pkix: - status update on documents - TAMP - in progress - possible extensions are not currently considered - OCSP agility - into WGLC - couple of other docs goto WGLC - progression of 5280 to draft standard - two features currently not supported. Need further discussion to decide how to finish handling this. hokey Glen - waiting for new charter approval - so treaded water. isms - Two documents in process - cleared issues on ? over ?? - use of radius: slower - lack of document editors - please help if possible tls - re-negotiation vulnerability is the main topic keyprov - didn't meet - make some progress on the ASN.1 based key container - now in WGLC - xml based key container is dealing with WGLC comments - then the protocol document is in the cross hairs. BOF Reports: karp - looking for modest goals - trying to secure the routing and help the current routing protocols to do that - looking for integerity and authentication only - improve the current manual keying - potentially start automatic keying later - no discussion of where the managment protocol will actually occur - broad support to start the working group - Sam H - do you have a charter? - Yes - draft charter exists. 6LowApp Rene Struik: - Have some security angles - Draft charter exists - - Focus on defining protocols to pull and push application layer messages - Security issues dealing with commissioning. - Need more eyeballs. Carsten Bormann: - Has no securty content - No usefulness w/o additional security work. SmartGrid bar-BOF: Paul Hoffman: - NIST initiated effort for electrical system - NIST is coordinating, not leading the effort - Good presentation about what is happening in Japan on this issue - Starting w/ islands using propriatary protocols - Idea is to come up w/ a unified netowrk - Question is what additional value do you get - energy and cost savings - HUM - IETF should be involved - form a new directorate for this - Tight deadlines happening in the work. - based on money waiting to be released to vendors - NIST has a public participation structure - our work feeds into that. - No discussion of security aspects of the problem. Tim Polk (as NIST) - 250 page draft for cyber security for the grid - w/o an architecture for the grid - Need to address the problem and do it well. Randy ? - Largest issue discussed at a cyber threat conference - currently no thought of security in the current grid ---------- 2. HTTP Architecture in Security Protocols. -- Lisa Paul Hoffman - most of us may not know what REST is - look on Google Lisa - can also look at the Wikipedia page ?? - wondering why limiting to REST style - then comment on server sent messages. Lisa - people don't like to build on things that aren't there yet Use TCP or TLS for rather than HTTP for things like WebSockets Q&A Sean - keyprov is doing http using rpc, not rest model Wes Hardaker - Good job convincing me that HTTP is no longer REST compiliant. Can't convince the world not to use the protool in bad ways. Lisa - ATOM is a fully REST wonderful protocol Paul Hoffman - Lisa was not saying get everyone to do this - look at the IETF when doing new protocols. App area is very good about helping with the design work - not just saying it's broken. Nico - how should we recommend that apps do channel binding w/ TLS Hannes Tschofenig - Common case that XML based protocol - then look at the transport - it HTTP just to get it through the firewalls. Pasi - Impression from the past IESG was don't use HTTP - now it is how to use HTTP correctly. Tim - where are the BCP 56 revisions occuring? What is the draft? Lisa - don't know at the present - maybe HTTP-bis ---------- 3. IP Residential Security - presentation from v6ops Randy Bojay(?) - point 4 [[ allow to public DNS host]] is useless Paul Hoffman - two things 1. blocks everything comming in is wrong - allows IPsec traffic in. 2. Gave presentation talking about SSL VPNs - the middle box in the middle attack. Very bad idea - don't do it. Sam Hartman - To make this [SSL middle box in the middle attack] work well have to stuff new roots into everybody. Thus ignore certificate warnings Totally awesome propsoal - drop off a web-cam in your house - and get pictures for that (outbound connections). Would like to see better than no-in-bound connections by default. It is not really that bad - this is what is in v4 - Make sure that what comes up with is not worse that the no-inbound. Don't undermine confidence in v6 by bad security choices. Response: Need to get the root cert back into the home web cam can still connect out even w/ output Want to get end-to-end security - so allow inbound connection by default Sam - sometimes you need to give up dreams if they cannot be realized Wes Hardaker - NATs don't buy us any security - just redirecting traffic - internal connections have been blocked - like go-to my pc - middle boxes Paul Hoffman - Like document - better than simple security document - can encumpos that here. #2 is very powerful model. Don't believe in IPSs because too hard to manage in the enterprise. Room and IETF are not good at firewall stuff. Doug Otis - Working on bad reputation (DKIM) - agree w/ what has been said about letting anything growth. Don't know even w/ rep does not get rid of all things Still want the don't give it to me if I did not ask for it. ---------- 4. Open Mike No open issues. ----------