Minutes IETF102: saag

Meeting Minutes Security Area Open Meeting (saag) AG
Title Minutes IETF102: saag
State Active
Other versions plain text
Last updated 2018-08-28

Meeting Minutes

# Agenda Bashing



# WG reports (not sent to saag@ietf.org)

DOTS - meeting next.  Close on all informational drafts.  On the
protocol drafts were goign to WGLC both documents; one for the second

LAMPS - WG rechartered and getting started on new work.

TOKINBIND: Meeting Friday - drafts on their way or through IESG

TRANS: Discussed some issues on the bis draft.  Spin new WG or drop
if not fitting.

# Related WGs

relpace: SIDR with SIDROPS

W3C is having a workshop about user consent:

# BOFs

DRIU (no WG forming): How do you get DOH over DHCP.

# Presentations

## Automated Crypto Validation Protocol


Paul Hoffman: Sounds great.  FIP140 kinda sucks.  Can yon tie them
more closely together?
Answer: Working on some vendors on modules.

Paul Hoffman: ICANN seemed to kick off a buying spree on L4 though
others didn't need it.

Yaron Sheffer: What's the scope?  Longer term are you looking at
general purpose crypto testing?
Answer: We recognize that we only cover a portion of crypto-tech.
We're just starting and there are ways to extend it to do other
algorithms.  You can also take the code and do what you like with it.
David Mcgrew: It would be good to add those other algs in.

Chris Wood: Are test vectors standardized? (Wycheproof)
Answer: Working on it.

Martin Thomson: Where are the specs?  Need more help.

There's a side meeting at 7:30.

## Cluster of Re-Used Keys


Daniel Francke: If you were to study clients rather than servers you'd find
reuse of TLS and SSH keys.  OpenSSH supports PKCS#11, but it's not
great.  Better to swap it and use TLS.

Wes Hardaker: Did you try to make them aware of larger clusters that
one compromise is really bad.
Answer: It's hard got people who do it better.

Omit: Are there are cases where peoeple were look for heys on GH?  Can we check
that those keys are there or not? Answer: Need an API to scan.

DKG: Scan is not complete (I've got a server that resuses SSH and TLS).  Is CT
a mechanism for this? Answer: CT might help, but I didn't do it.

Wes Haraker: One thing that we had to do was break config because shit
passwords are in some default configs.  Look at DNS too. Answer: Sure.

Tim H: Unfortunately, CAs support it, but it would make CAs less competive.
DKG: I think maybe you misunderstand, it's about the same key for different
identities. TimH: That has a better chance of passing at CABF. PaulH: Provide
better errors to help. Yoav - CA can kick it out with a bad CSR. PHB: If you're
doing EC stuff you can use collaborative techniques. Benjamin D: Seems like
this is an abject failure.

Rich Salz: Confused by what was found?
Answer: Every crazy think happened.

## Cyber Defense


Pete Resnick: Like the idea of an IRTF RG.

DKG: Thanks for the data.  What kind of things could we do to help.
Answer: We do use die-die-die drafts, but we can always use more.

Yoshiro: Thanks for this.  Have you talked to other countries cyber security
orgs? Answer: We have to some, but more is better. Roman: There's like 90 and
we're peers.  It's good to have this data. Stephen: The more open the better.
There's called MAP RG is a measurement RG and that might be a place to go. Ron
(Last Name?) (UT North Texas): Can you share info on voice spam. Answer: Nope.

Carsten: Remote services attestation somewhere in Square Dorchester.