Pasi's AD Notes for February 2010

Here's again a short status update about what things are going on from
my point-of-view. If you notice anything that doesn't look right, let
me know -- miscommunication and mix-ups do happen.

Best regards,
Pasi

MISC NOTES

- Planning AD transition with Tim/Sean
- IETF 77 planning with Tim/Sean: SAAG meeting, SecDir 
  lunch, overall agenda
- (not wearing AD hat) draft-krawczyk-hkdf went through IETF last
  call; on the agenda of 2010-03-04 IESG telechat.
- (not wearing AD hat) Waiting for Dan Romascanu to process 
  errata 1955/1956 for RFC 4072 [since 2009-12-09]
- Waiting for IETF Trust's reply on how to contribute pre-5378
  rights to the trust [since 2009-11-03]
- Lot of tools work (code I want to get in decent state before
  my AD term ends)

WORKING GROUPS

DKIM
- draft-ietf-dkim-deployment: discussion ongoing to resolve
  Tim's DISCUSS; currently waiting for Tim to reply [since 2010-02-25]
- Processed errata 1385.
- I still need to review what to do about errata 1532, 1596,
  and 1942.
- Waiting for Stephen and Barry for new charter text.

E2MD BOF

The E2MD BOF is wrestling with some complicated issues around putting personal data about individuals in
DNS (names, phones numbers etc). They are considering various approaches to constrain access to the
private data. The leading contender as far as I can tell is to only run the DNS with the private data in a
walled garden and make sure no one that should not see the data can query a server in the walled garden. One or
two people have mentioned you might want to encrypt the private data and control access to the keys but that
idea has not received much discussion. It seems to me like a possibility worth exploring a little. 

If anyone is interested or has spend time thinking about privacy of data in DNS, input from folks on this list
would be valuable and I hope at least a few security folks can show up at the BOF. 

Thanks, Cullen

Mailing list archive at http://www.ietf.org/mail-archive/web/e2md/index.html

Re: [secdir] E2MD BOF

Cullen,

I suggest taking this question to the DNSEXT WG.  AFAIK, the DNSEXT 
agenda in Anaheim still has two minutes left open, which is about all 
the WG will tolerate of this.  

-- Sam

On Wed, 17 Mar 2010, Cullen Jennings wrote:

> The E2MD BOF is wrestling with some complicated issues around 
> putting personal data about individuals in DNS (names, phones 
> numbers etc). They are considering various approaches to constrain 
> access to the private data. The leading contender as far as I can 
> tell is to only run the DNS with the private data in a walled garden 
> and make sure no one that should not see the data can query a server 
> in the walled garden. One or two people have mentioned you might 
> want to encrypt the private data and control access to the keys but 
> that idea has not received much discussion. It seems to me like a 
> possibility worth exploring a little.
>
> If anyone is interested or has spend time thinking about privacy of 
> data in DNS, input from folks on this list would be valuable and I 
> hope at least a few security folks can show up at the BOF.
>
> Thanks, Cullen
>
> Mailing list archive at http://www.ietf.org/mail-archive/web/e2md/index.html

KITTEN Working Group Summary - IETF 77

The KITTEN-WG met Wednesday, 3/24/10, during the second morning session 
for 1 hour

Co-chairs: Tom Yu and Shawn Emery

The goals of the meeting were to review the state of the active WG 
items, one individual submission, discuss extensions - credential 
management and asynchronous calls, federated authentication for 
client-server applications, and discuss merging KITTEN and SASL WGs.

gssapi-extensions-iana
----------------------------
IANA has replied that they want the draft to pick one of the registry 
types left as a choice in the current version of the draft:
     single GSS-API name-space registry
     separate registry - symbolic and constant registries
     registry per programming language
     multiple registries
No response during the session on which registry is preferred, will take 
the question to the list.

gssapi-naming-exts
------------------------
Makes a normative reference to a 3rd party (OpenGridForum) standards 
document - GFD.024. Requested approval to the list. Awaiting a one-week 
timer before submitting a WGLC, pending any objections.

draft-lha-gssapi-delegate-policy
---------------------------------------

ISMS Summary for IETF 77

Summary:

ISMS is continuing work on two charted documents.  The first is specifying
a transport model for running SNMP over TLS and DTLS.  This document is
currently in IETF last call and, as of the beginning of IETF 77, had not
received any substantive comments.  The second document describes how
RADIUS can be used to provision security name to group name mappings in the
VACM access control model.  Since an additional editor has been recruited,
the WG has made progress on this document and the WG has cleared nearly all
open issues.  We are working on getting final consensus and text for the
last issue and expect to deliver the document to the IESG in the next few
weeks.  Since there were no items that required a face to face meeting, the
co-chairs cancelled the session for IETF 77.

WG Chairs:      Russ Mundy <russ.mundy <at> sparta.com>
   		Juergen
   		Schoenwaelder<j.schoenwaelder <at> jacobs-university.de>
WG URL: http://tools.ietf.org/wg/isms/

IPsecME WG meeting report, Anaheim edition

The WG already has a good handful of documents published as RFCs or are in the RFC Editor queue, so we started
talking about the new work items in our charter. We started discussing high-availability requirements
and got into a good discussion of vocabulary. We also started discussing a mode that allows EAP-only
authentication and more secure password-based authentication. The next few months will be focused on
these new work items.

--Paul Hoffman, Director
--VPN Consortium

EMU WG meeting report IETF 77

  We made a lot of good progress.  Many issues that have come up on the
list were either resolved, or had resolutions suggested and discussed.
We will be taking those issues to the list for validation.

  We have two volunteers to edit the channel bindings document (Sam
Hartman and Glen Zorn).

  We should be able to get a new version of the tunnel requirements
document out before IETF 78.  It looks like we can do a WG last call
before then, too.

  Alan DeKok.

syslog WG update

gmane.ietf.saag

From: Chris Lonvick <clonvick <at> cisco.com>
Subject: syslog WG update for SAAG
Date: 2010-03-24 22:04:01 GMT

Hi,

The syslog WG is nearing completion of its last deliverable.

draft-ietf-syslog-dtls has passed WGLC and is awaiting a proto document 
writeup from the Chair with the recommendation that it be reviewed by the 
IESG to become a Standards Track RFC.

The other document in the WG list of deliverables is 
draft-ietf-syslog-sign which is in the RFC Editors queue.

Once draft-ietf-syslog-dtls is submitted to the IESG, it is our 
recommendation that the syslog Working Group be concluded.

The Chairs and the Working Group wish to express our sincere thanks to 
Pasi for his leadership, care, and guidance in his tenure as our Advisor.

Best regards,
Chris

Pasi's final AD notes (mid-March 2010)

I'm writing an expanded version of my notes so that Sean and Tim will
have the information they need to continue the work.  If you notice
anything that doesn't look right, let Sean and Tim know --
miscommunication and mix-ups do happen.

Best regards,
Pasi

MISC NOTES
==========

- Planning AD transition with Tim/Sean
- IETF 77 planning with Tim/Sean: SAAG meeting, SecDir 
  lunch, overall agenda
- (not wearing AD hat) draft-krawczyk-hkdf was approved by IESG;
  now in RFC editor queue.
- (not wearing AD hat) Waiting for Dan Romascanu to process 
  errata 1955/1956 for RFC 4072 [since 2009-12-09]
- Lot of tools work to finish the datatracker UI changes.

DKIM
====

- draft-ietf-dkim-deployment: was approved by IESG, now in RFC editor
  queue. If the WG decides to change its mind about errata 1532
  (see below), appendix A.1.2.3 could require small changes.

- Processed errata 1942.

- Errata 1532 for RFC 4871: Currently (March 2010) being

NEA WG summary for IETF 77

WG Status and Progress since last IETF:
PA-TNC and PB-TNC were published as RFC 5792 and RFC 5793 in March 2010.
Three proposals were submitted in response to the call for submissions
for proposals for the Posture Transport (PT) protocol: one submission
proposed a TLS-based protocol, and two others proposed an EAP-based
protocol.

Meeting Summary:
These proposals were discussed at a virtual interim meeting held in
January 2010, and again at the meeting this week. While there is
consensus that there is a requirement for both a TLS-based PT and an
EAP-based PT, there is no consensus on adopting any of the proposals as
-00 WG I-Ds. 

A number of issues were discussed at both meetings and action items
identified. The issues include:
1) the Asokan attack and counter-measure
2) the extent to which the various proposals meet the NEA requirements
3) determining the impact on supplicants, and 
4) process for standardizing an EAP-based PT given the dependency on a
standard EAP tunnel method. 

The last two issues have been addressed. The major remaining issue is to
get consensus on whether the Asokan attack needs to be protected
against, and how it should be done. This topic will be explored further
on the mailing list.