Minutes IETF102: saag
Security Area Open Meeting
||Minutes IETF102: saag
# Agenda Bashing
# WG reports (not sent to email@example.com)
DOTS - meeting next. Close on all informational drafts. On the
protocol drafts were goign to WGLC both documents; one for the second
LAMPS - WG rechartered and getting started on new work.
TOKINBIND: Meeting Friday - drafts on their way or through IESG
TRANS: Discussed some issues on the bis draft. Spin new WG or drop
if not fitting.
# Related WGs
relpace: SIDR with SIDROPS
W3C is having a workshop about user consent:
DRIU (no WG forming): How do you get DOH over DHCP.
## Automated Crypto Validation Protocol
Paul Hoffman: Sounds great. FIP140 kinda sucks. Can yon tie them
more closely together?
Answer: Working on some vendors on modules.
Paul Hoffman: ICANN seemed to kick off a buying spree on L4 though
others didn't need it.
Yaron Sheffer: What's the scope? Longer term are you looking at
general purpose crypto testing?
Answer: We recognize that we only cover a portion of crypto-tech.
We're just starting and there are ways to extend it to do other
algorithms. You can also take the code and do what you like with it.
David Mcgrew: It would be good to add those other algs in.
Chris Wood: Are test vectors standardized? (Wycheproof)
Answer: Working on it.
Martin Thomson: Where are the specs? Need more help.
There's a side meeting at 7:30.
## Cluster of Re-Used Keys
Daniel Francke: If you were to study clients rather than servers you'd find
reuse of TLS and SSH keys. OpenSSH supports PKCS#11, but it's not
great. Better to swap it and use TLS.
Wes Hardaker: Did you try to make them aware of larger clusters that
one compromise is really bad.
Answer: It's hard got people who do it better.
Omit: Are there are cases where peoeple were look for heys on GH? Can we check
that those keys are there or not? Answer: Need an API to scan.
DKG: Scan is not complete (I've got a server that resuses SSH and TLS). Is CT
a mechanism for this? Answer: CT might help, but I didn't do it.
Wes Haraker: One thing that we had to do was break config because shit
passwords are in some default configs. Look at DNS too. Answer: Sure.
Tim H: Unfortunately, CAs support it, but it would make CAs less competive.
DKG: I think maybe you misunderstand, it's about the same key for different
identities. TimH: That has a better chance of passing at CABF. PaulH: Provide
better errors to help. Yoav - CA can kick it out with a bad CSR. PHB: If you're
doing EC stuff you can use collaborative techniques. Benjamin D: Seems like
this is an abject failure.
Rich Salz: Confused by what was found?
Answer: Every crazy think happened.
## Cyber Defense
Pete Resnick: Like the idea of an IRTF RG.
DKG: Thanks for the data. What kind of things could we do to help.
Answer: We do use die-die-die drafts, but we can always use more.
Yoshiro: Thanks for this. Have you talked to other countries cyber security
orgs? Answer: We have to some, but more is better. Roman: There's like 90 and
we're peers. It's good to have this data. Stephen: The more open the better.
There's called MAP RG is a measurement RG and that might be a place to go. Ron
(Last Name?) (UT North Texas): Can you share info on voice spam. Answer: Nope.
Carsten: Remote services attestation somewhere in Square Dorchester.