Pasi.Eronen | 1 Mar 13:55 2010

Pasi's AD Notes for February 2010

Here's again a short status update about what things are going on from
my point-of-view. If you notice anything that doesn't look right, let
me know -- miscommunication and mix-ups do happen.

Best regards,
Pasi

MISC NOTES

- Planning AD transition with Tim/Sean
- IETF 77 planning with Tim/Sean: SAAG meeting, SecDir 
  lunch, overall agenda
- (not wearing AD hat) draft-krawczyk-hkdf went through IETF last
  call; on the agenda of 2010-03-04 IESG telechat.
- (not wearing AD hat) Waiting for Dan Romascanu to process 
  errata 1955/1956 for RFC 4072 [since 2009-12-09]
- Waiting for IETF Trust's reply on how to contribute pre-5378
  rights to the trust [since 2009-11-03]
- Lot of tools work (code I want to get in decent state before
  my AD term ends)

WORKING GROUPS

DKIM
- draft-ietf-dkim-deployment: discussion ongoing to resolve
  Tim's DISCUSS; currently waiting for Tim to reply [since 2010-02-25]
- Processed errata 1385.
- I still need to review what to do about errata 1532, 1596,
  and 1942.
- Waiting for Stephen and Barry for new charter text.

Peter Saint-Andre | 9 Mar 19:44 2010

representation and verification of identity in certificates

A small, informal design team has been working on an I-D that attempts
to define recommended procedures for representing and verifying server
identities in X.509 certificates intended for use in applications that
employ TLS. We have just published version -03 of that I-D:

http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-03

Because this work touches on security in a wide variety of application
protocols (HTTP, IMAP, LDAP, SMTP, XMPP, NNTP, NETCONF, SysLog, SIP,
etc.) through the re-use of both TLS and the PKI, there is no one list
where we can hold a focused discussion. Therefore we have created a new
list, certid <at> ietf.org, to which you can subscribe here:

https://www.ietf.org/mailman/listinfo/certid

Please join the discussion there if you have an interest in this topic.

Thanks!

Peter

-- 
Peter Saint-Andre
https://stpeter.im/

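As an added illustration of the kind of rule the I-D is about (this is example code, not text from the draft or from Peter's message), the following Python matches a reference identifier (the hostname the client meant to reach) against the DNS-ID values in a certificate's subjectAltName, falling back to the subject CN only when no DNS-ID is present. The specific rules encoded here (case-insensitive label comparison, a wildcard accepted only as the entire left-most label and matching exactly one label, a wildcard never accepted against a single-label suffix such as "*.com", IDNA A-labels excluded from wildcard matching) are this example's own choices and should be checked against the draft's text; the hostnames and SAN lists are constructed sample input.

```python
"""Server identity matching of the kind discussed in the I-D (added example)."""
import re

# One DNS label: LDH rule, 1-63 octets, no leading/trailing hyphen (assumed here).
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing root dot; comparison is case-insensitive."""
    return name.strip().rstrip(".").lower()


def _labels_valid(labels) -> bool:
    return bool(labels) and all(_LABEL_RE.match(lbl) for lbl in labels)


def match_dns_id(reference: str, presented: str) -> bool:
    """Return True if a presented DNS-ID (or CN) matches the reference identifier."""
    ref_labels = _normalize(reference).split(".")
    pres_labels = _normalize(presented).split(".")
    if not _labels_valid(ref_labels):
        return False  # reference identifier must itself be a clean hostname

    if "*" not in presented:
        return _labels_valid(pres_labels) and ref_labels == pres_labels

    # Wildcard handling (rules assumed for this example):
    #  - "*" must be the complete left-most label ("w*.example.com" is rejected)
    #  - at least two labels must follow it ("*.com" is rejected)
    #  - it matches exactly one label ("a.b.example.com" != "*.example.com")
    #  - it never matches an IDNA A-label (xn--...)
    if pres_labels[0] != "*" or len(pres_labels) < 3:
        return False
    if not _labels_valid(pres_labels[1:]):
        return False  # also rejects a second "*" anywhere in the name
    if len(ref_labels) != len(pres_labels):
        return False
    if ref_labels[0].startswith("xn--"):
        return False
    return ref_labels[1:] == pres_labels[1:]


def verify_server_identity(reference: str, san_dns_names, subject_cn=None) -> bool:
    """Check DNS-IDs from subjectAltName; use the CN only if no DNS-ID is present."""
    if san_dns_names:
        return any(match_dns_id(reference, p) for p in san_dns_names)
    if subject_cn is not None:
        return match_dns_id(reference, subject_cn)
    return False


if __name__ == "__main__":
    # Constructed sample inputs: a reference identifier and what a cert might carry.
    print(verify_server_identity("www.example.com", ["*.example.com"]))            # True
    print(verify_server_identity("a.b.example.com", ["*.example.com"]))            # False
    print(verify_server_identity("mail.example.com", ["www.example.com"], "mail.example.com"))  # False: CN ignored when DNS-IDs exist
    print(verify_server_identity("mail.example.com", [], "mail.example.com"))      # True: CN fallback
```

The design point worth noting is the last two calls: once a certificate carries any DNS-ID, the CN is not consulted at all, so a certificate whose CN matches but whose subjectAltName does not is rejected.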

Cullen Jennings | 18 Mar 02:55 2010

E2MD BOF


The E2MD BOF is wrestling with some complicated issues around putting personal data about individuals in
DNS (names, phone numbers, etc.). They are considering various approaches to constrain access to the
private data. The leading contender as far as I can tell is to only run the DNS with the private data in a
walled garden and make sure no one that should not see the data can query a server in the walled garden. One or
two people have mentioned you might want to encrypt the private data and control access to the keys but that
idea has not received much discussion. It seems to me like a possibility worth exploring a little. 

If anyone is interested or has spent time thinking about privacy of data in DNS, input from folks on this list
would be valuable and I hope at least a few security folks can show up at the BOF. 

Thanks, Cullen

Mailing list archive at http://www.ietf.org/mail-archive/web/e2md/index.html

Samuel Weiler | 19 Mar 04:49 2010

Re: [secdir] E2MD BOF

Cullen,

I suggest taking this question to the DNSEXT WG.  AFAIK, the DNSEXT 
agenda in Anaheim still has two minutes left open, which is about all 
the WG will tolerate of this.  :-)

-- Sam

On Wed, 17 Mar 2010, Cullen Jennings wrote:

> The E2MD BOF is wrestling with some complicated issues around 
> putting personal data about individuals in DNS (names, phone 
> numbers etc). They are considering various approaches to constrain 
> access to the private data. The leading contender as far as I can 
> tell is to only run the DNS with the private data in a walled garden 
> and make sure no one that should not see the data can query a server 
> in the walled garden. One or two people have mentioned you might 
> want to encrypt the private data and control access to the keys but 
> that idea has not received much discussion. It seems to me like a 
> possibility worth exploring a little.
>
> If anyone is interested or has spent time thinking about privacy of 
> data in DNS, input from folks on this list would be valuable and I 
> hope at least a few security folks can show up at the BOF.
>
> Thanks, Cullen
>
> Mailing list archive at http://www.ietf.org/mail-archive/web/e2md/index.html
Shawn M. Emery | 25 Mar 02:34 2010

KITTEN Working Group Summary - IETF 77


The KITTEN-WG met Wednesday, 3/24/10, during the second morning session 
for 1 hour.

Co-chairs: Tom Yu and Shawn Emery

The goals of the meeting were to review the state of the active WG 
items, one individual submission, discuss extensions - credential 
management and asynchronous calls, federated authentication for 
client-server applications, and discuss merging KITTEN and SASL WGs.

gssapi-extensions-iana
----------------------------
IANA has replied that they want the draft to pick one of the registry 
types left as a choice in the current version of the draft:
     single GSS-API name-space registry
     separate registry - symbolic and constant registries
     registry per programming language
     multiple registries
No response during the session on which registry is preferred; we will take 
the question to the list.

gssapi-naming-exts
------------------------
Makes a normative reference to a 3rd party (OpenGridForum) standards 
document - GFD.024. Requested approval to the list. Awaiting a one-week 
timer before submitting a WGLC, pending any objections.

draft-lha-gssapi-delegate-policy
---------------------------------------

Russ Mundy | 25 Mar 15:59 2010

ISMS Summary for IETF 77


Summary:

ISMS is continuing work on two chartered documents.  The first is specifying
a transport model for running SNMP over TLS and DTLS.  This document is
currently in IETF last call and, as of the beginning of IETF 77, had not
received any substantive comments.  The second document describes how
RADIUS can be used to provision security name to group name mappings in the
VACM access control model.  Since an additional editor has been recruited,
the WG has made progress on this document and the WG has cleared nearly all
open issues.  We are working on getting final consensus and text for the
last issue and expect to deliver the document to the IESG in the next few
weeks.  Since there were no items that required a face to face meeting, the
co-chairs cancelled the session for IETF 77.

WG Chairs:      Russ Mundy <russ.mundy <at> sparta.com>
                Juergen Schoenwaelder <j.schoenwaelder <at> jacobs-university.de>
WG URL: http://tools.ietf.org/wg/isms/

Paul Hoffman | 25 Mar 17:19 2010

IPsecME WG meeting report, Anaheim edition

The WG already has a good handful of documents published as RFCs or in the RFC Editor queue, so we started
talking about the new work items in our charter. We started discussing high-availability requirements
and got into a good discussion of vocabulary. We also started discussing a mode that allows EAP-only
authentication and more secure password-based authentication. The next few months will be focused on
these new work items.

--Paul Hoffman, Director
--VPN Consortium
Alan DeKok | 25 Mar 17:24 2010

EMU WG meeting report IETF 77

  We made a lot of good progress.  Many issues that have come up on the
list were either resolved, or had resolutions suggested and discussed.
We will be taking those issues to the list for validation.

  We have two volunteers to edit the channel bindings document (Sam
Hartman and Glen Zorn).

  We should be able to get a new version of the tunnel requirements
document out before IETF 78.  It looks like we can do a WG last call
before then, too.

  Alan DeKok.
Sean Turner | 25 Mar 17:46 2010

syslog WG update

From: Chris Lonvick <clonvick <at> cisco.com>
Subject: syslog WG update for SAAG
Date: 2010-03-24 22:04:01 GMT
Hi,

The syslog WG is nearing completion of its last deliverable.

draft-ietf-syslog-dtls has passed WGLC and is awaiting a proto document 
writeup from the Chair with the recommendation that it be reviewed by the 
IESG to become a Standards Track RFC.

The other document in the WG list of deliverables is 
draft-ietf-syslog-sign which is in the RFC Editors queue.

Once draft-ietf-syslog-dtls is submitted to the IESG, it is our 
recommendation that the syslog Working Group be concluded.

The Chairs and the Working Group wish to express our sincere thanks to 
Pasi for his leadership, care, and guidance in his tenure as our Advisor.

Best regards,
Chris


Pasi.Eronen | 25 Mar 18:03 2010

Pasi's final AD notes (mid-March 2010)

I'm writing an expanded version of my notes so that Sean and Tim will
have the information they need to continue the work.  If you notice
anything that doesn't look right, let Sean and Tim know --
miscommunication and mix-ups do happen.

Best regards,
Pasi

MISC NOTES
==========

- Planning AD transition with Tim/Sean
- IETF 77 planning with Tim/Sean: SAAG meeting, SecDir 
  lunch, overall agenda
- (not wearing AD hat) draft-krawczyk-hkdf was approved by IESG;
  now in RFC editor queue.
- (not wearing AD hat) Waiting for Dan Romascanu to process 
  errata 1955/1956 for RFC 4072 [since 2009-12-09]
- Lot of tools work to finish the datatracker UI changes.

DKIM
====

- draft-ietf-dkim-deployment: was approved by IESG, now in RFC editor
  queue. If the WG decides to change its mind about errata 1532
  (see below), appendix A.1.2.3 could require small changes.

- Processed errata 1942.

- Errata 1532 for RFC 4871: Currently (March 2010) being