Pasi.Eronen | 2 Jul 2008 12:23

Pasi's AD notes for June 2008

Hi all,

(This time, sending to SAAG list as well as SecDir)

Inspired by the reports Lisa sends about the applications area, I've
put together a short status update about what things are going on 
from my point-of-view.

I hope this would increase transparency of the process, and perhaps
catch some miscommunications (e.g. I thought the authors of some draft 
were supposed to do something next, but the authors were waiting for me to
do something).

Please let me know if you would find a regular report along these
lines useful or not. (Ideas on how to make it more useful are 
welcome, too.)

Best regards,
Pasi

NOTES

- Approving the creation of the IPsec maintenance/extensions (IPsecME) WG
  is on the agenda of the 2008-07-03 telechat.
- Planning for Dublin: Deadlines for draft WG agendas and document
  submissions are approaching. Topic ideas of SecDir lunch and SAAG 
  presentations are welcome!
- SAAG mailing list will be moved from mit.edu to ietf.org soon;
  hopefully SecDir list will follow soon after.


Pasi.Eronen | 2 Jul 2008 12:54

SAAG mailing list move


The SAAG mailing list has been moved from mit.edu to ietf.org.

Everyone who was subscribed to the old list, and had mail delivery
enabled (and not disabled due to e.g. bounces) is now subscribed to
the new list, and you should have received an email confirming
this (and your new password). If you didn't get it, subscribe 
manually here:

https://www.ietf.org/mailman/listinfo/saag

The old list is temporarily forwarding mail to the new list;
it will be completely closed soon.

You may have to update your mail filtering rules and such. If
you used any special mailman options (like digest), you have to 
enable them again.

The archives are located here:

http://www.ietf.org/mail-archive/web/saag/current/maillist.html

Let's hope I didn't screw up this too badly -- this is the first
time I've tried anything of this magnitude with Mailman, and
it turned out that Mailman assumes you have command line shell 
access for certain things (which I don't have). 

In case something went wrong, please send error reports to me
and Tim.


Pasi.Eronen | 3 Jul 2008 21:04

Testing - please ignore

(checking that the archives are now working properly...)

Paul Hoffman | 23 Jul 2008 17:15

Request for review of an upcoming NIST document on firewalls

Greetings. I have excerpted a recent NIST request for comments on a 
pending document below. I am the co-author of the document, and we 
really do want suggestions from the firewall side of the security 
community on the document.

NIST SP 800 documents are long-lived and are relied on by a very 
large audience, particularly by people throughout the US government. 
Improvements that can be made to this draft now will help people 
buying and administering firewalls for many years.

If you would, please take the time to read the draft. If you find 
anything, large or small, please send comments to the NIST address 
listed. (Sending comments to me is not a good idea because I can't 
just make changes at this stage; they should go through the NIST 
review process.) Every comment will be read and many will have direct 
effects on the content of the final document.

Also, please pass this along to anyone in your organization who might 
have time to review the document. Thanks in advance!

--Paul Hoffman, Director
--VPN Consortium

>3. Draft SP 800-41 Revision 1, Guidelines on Firewalls and Firewall 
>Policy, provides recommendations on developing firewall policies and 
>on selecting, configuring, testing, deploying, and managing 
>firewalls. The publication covers a number of firewall technologies, 
>including packet filtering, stateful inspection, application-proxy 
>gateways, host-based, and personal firewalls. SP 800-41 Revision 1 
>updates the original publication, which was released in 2002. NIST 

Yaron Sheffer | 30 Jul 2008 11:46

ipsecme meeting summary

Ipsecme, formed nearly a month ago, met for the first time on Monday 
morning. The meeting was well attended and rather lively.

Most of the time was spent on the group's chartered work items, and both 
the charter and the "starting point" documents were presented. All 
existing documents are still individual I-Ds, and volunteers were (and 
are) solicited to edit the WG docs. Our goal is to have -00 WG documents 
out within a few weeks, for all cases where starting points exist (i.e. 
all but a single document).

The group's charter covers:

- IKEv2 bis
- IPsec roadmap
- IKEv2 IPv6 configuration
- IKE session resumption
- IKE redirect
- ESP-null visibility

Most of the discussion was around precise scoping of the IKEv2 bis and 
the session resumption documents.

Regards,

    Paul Hoffman and Yaron Sheffer

Charles Clancy | 30 Jul 2008 17:14

HOKEY WG meeting summary

HOKEY met briefly Wednesday morning.

An update on the current documents was provided.  Since the last IETF 
meeting, the reauthentication problem statement document has been 
published as RFC 5169, and both the EMSK key hierarchy document and ERX 
are in the RFC Editor's queue.  Most of the working group's time since 
the last meeting was spent getting the latter two documents through IESG 
review.

The preauthentication problem statement has completed its second WGLC, 
and will be moving forward for shepherd, AD, and IESG review.

The one major remaining task is the key management document.  List 
discussion since the last IETF confirmed the consensus derived there, 
and the group will be implementing the proposed plan.  This basically 
involves trimming down the existing document into a request/response 
architecture defined as RADIUS attributes for delivering keys to various 
AAA entities.  We expect to have this document mostly complete before 
the next IETF meeting.

--
t. charles clancy, ph.d.                 eng.umd.edu/~tcc
electrical & computer engineering, university of maryland

Tim Polk | 31 Jul 2008 10:13

IETF 72 Kitten Working Group Summary

[Forwarded to circumvent mail list snafu]

>
> The kitten-wg met Tuesday, 7/29/08, during afternoon session three.
>
> Co-chairs: Alexey Melnikov and Shawn Emery
>
> The goals of the meeting were to go over the active working items and
> Milestones.
>
> Important developments included both domain-based drafts:
> draft-ietf-kitten-gssapi-domain-based-names
> draft-ietf-kitten-gssapi-krb5-domain-based-names
>
> Both are now published RFCs:
> RFC5178
> RFC5179
>
> respectively.
>
> IANA extension draft:
> draft-ietf-kitten-gssapi-extensions-iana-04
>
> updates were made to provide registration, change control, and  
> expert review procedures.  Will start WGLC this week.
>
> The channel-bindings clarification draft:
> draft-ietf-kitten-gssapi-channel-bindings-04
>
> introduction and IANA sections created.  WGLC ended in April, sent  

Stephen Farrell | 31 Jul 2008 11:49

DKIM notes for SAAG


Attached,
Stephen.


DKIM met Monday afternoon, 62 people attended.

Main goal of the meeting was to get the ADSP and Overview documents to the
start of WGLC. Each had a couple of open issues at the start of the meeting
that were discussed and resolved (modulo confirmation on the list).  The result
was that a new rev of ADSP will be published this week.  WGLC on both documents
will start at that point.

The deployment guide was briefly presented and work on that continues.

A couple of proposals were made for new work that might require re-chartering.
There was some, but not overwhelming, interest in pursuing these, but the group
won't have that discussion until after the two current documents are in the
hands of the IESG.

Tom Yu | 31 Jul 2008 11:54

IETF72 SASL summary

Simple Authentication And Security Layer (SASL)
IETF72, Dublin, IE

Tuesday, July 29, 2008 at 15:20-17:20
=====================================

Chairs:

Tom Yu <tlyu <at> mit.edu>
Kurt Zeilenga <kurt.zeilenga <at> isode.com>

====================

Thanks to Larry Zhu for scribing.

draft-ietf-sasl-crammd5-10 - answer outstanding comments, new rev to
IESG with Informational status and explicitly marking 2195 Historic.

draft-ietf-sasl-gs2-10 - need rev; gated on SCRAM (which would be the
first user of the framework)

draft-melnikov-digest-to-historic-00 - expired; awaiting SCRAM

draft-newman-auth-scram-06 - new doc available

Chairs have been lame about rechartering; will get that back on
track.  Chairs will produce biweekly summary of who currently has the
ball for each task.

Alexey Melnikov talks about SCRAM.  Some discussion about channel

Joseph Salowey (jsalowey | 31 Jul 2008 12:15

Summary for TLS WG

The TLS working group met on Monday afternoon.  TLS 1.2 is in auth-48
waiting on one issue to be resolved; it should be published soon.  We
discussed the remaining open issues on the extensions document
(4366bis).  Once discussion completes on the list, this document will be
revised for WG last call.  We also had some discussion on DTLS 1.2, which is a
new working group draft.  There are several cipher suite documents
waiting for the publication of TLS 1.2.  We had a presentation on using
TLS for key management for applications. This seems to be out of scope
for the group. We also had a presentation on camellia cipher suites.  

Joe
