sacred@conference.ietf.jabber.com - 2002/11/19


[14:21] %% dg has arrived.
[14:26] %% dg has left.
[14:26] %% dg has arrived.
[14:37] <dg> testing ... dale gustafson
[14:48] %% dg has left.
[14:48] %% dg has arrived.
[15:03] %% mrose has arrived.
[15:03] %% awa has arrived.
[15:04] %% newcat has arrived.
[15:10] <mrose> meeting begins
[15:10] %% smb@research.att.com has arrived.
[15:10] <mrose> nystrom: objectives - develop a framework and a protocol for the secure transport of credentials
[15:11] <mrose> nystrom: today's session is to focus on the remaining issues in the protocol draft
[15:11] <mrose> nystrom: agenda - discuss open issues, discuss possible man-in-the-middle attack, review timeline
[15:13] <mrose> farell: discussing protocol draft
[15:15] <mrose> farell: issues remaining: edits rejected on the mailing list, some clarifications, and binding of separate authentications
[15:17] <mrose> nystrom: it turns out that you don't need an "upload response message"
[15:18] <mrose> rlbob: i think that minimal text on "sasl authentication id" is still required in the draft to conform to rfc 2222 (sasl).
[15:18] <mrose> farell: the "compound authentication issue" -- draft-puthenkulam-eap-binding-00
[15:20] <mrose> farell: if the same digest-md5 password is used both for sacred and non-ssl http, you have problems.
[15:21] <mrose> farell: the problem is that if the web server can be spoofed by the attacker, and digest-md5 is a shared-secret approach
[15:23] <mrose> larry: this is a rather silly scenario (editorializing from mrose)
[15:23] <mrose> larry: if the client is going to use the same password with multiple servers, then it has to take the same precautions with the server and the certificate server.
[15:25] <mrose> farell: ok, not really a man-in-the-middle attack, but still a potential problem
[15:27] <mrose> farell: we have a couple of options to address this. let's discuss.
[15:27] <mrose> farell: will try to issue -05 later this week
[15:27] <mrose> mrose: did manning ever come back with the exact issue he had?
[15:27] <mrose> farell: no.
[15:30] <mrose> nystrom: suggested schedule: 1. framework already submitted to iesg, 2. right after this meeting, produce -05 and do WG last-call 3. plan on going to iesg at year's end.
[15:30] <mrose> nystrom: after that, let's talk about implementation/interop testing
[15:30] <mrose> nystrom: should we be doing the peer-to-peer use case, or a transport other than beep, speak up!
[15:31] <mrose> jeff: i'm hoping that the p2p case will become more interesting to the ietf, e.g., for jxta
[15:32] %% awa has left.
[15:33] %% smb@research.att.com has left.
[15:33] <mrose> nystrom: thanks!
[15:33] <mrose> chairs: adjourn.
[15:33] %% newcat has left.
[15:35] <dg> was there any discussion on impl/interop testing?
[15:38] %% leifj has arrived.
[15:41] %% leifj has left.
[15:44] <mrose> dg - no. just a "we'd like to do that after the drafts get published"
[15:44] <dg> ok, thanks.
[15:45] %% dg has left.
[15:50] %% RjS has arrived.
[15:50] %% RjS has left.
[15:52] %% mrose has left.