Minutes IETF99: saag
minutes-99-saag-00
The information below is for an old version of the document.
Meeting Minutes | Security Area Open Meeting (saag) AG Snapshot | |
---|---|---|
Date and time | 2017-07-20 11:30 | |
Title | Minutes IETF99: saag | |
State | Active | |
Other versions | plain text | |
Last updated | 2017-07-21 |
minutes-99-saag-00
SAAG Minutes *** WG reports. Barry: proposing to close OpenPGP WG. DKG: will be happy to work with authors if drafts pop up. Lionel discusses Diameter e2e security needs. Asking for expert help to revive work on AVP encryption/protection with a JOSE and possibly COSE-based approach. Jean Mahoney: please help! The WG cannot do it by itself. PHB: needs something similar for his Mesh work. Could pull it out. Willing to help. Karen: the NTP Security work going into WGLC, please review. Leif: UTA is closing unless people come up with proposals. Hannes describes work on FUD (firmware update) and invites people to join the list. Sam Weiler: W3C is looking for security experts for help on security and privacy. If interested, contact him. *** Kenny Paterson on Post-Quantum Crypto Richard Barnes: agrees that CFRG should work on combining classical and PQ algorithms. Could IETF or CFRG support the NIST process? Kenny: maybe attend the workshops and provide requirements. Paul Hoffman: keys expected to be at least 10x larger, e.g. 15k bits. Mentions his classical-to-PQ draft at CFRG. We are going to want to know when to make the transition. PHB: mentions Lamport signatures, we could bake them in now. We need to have a deployment/migration plan for PQC. Steven F.: we could avoid long-term encrypted things (identifiers?) so they are not vulnerable in the future. What is the IPR situation? Kenny: not sure. Quynh (NIST): we require IPR to be declared, but not given up. But practically will prefer unencumbered. Nick Sullivan: there are trade-offs between key sizes and computation. Tobias: the time-lines are vague. Devices and protocols have lifetimes of 10 years or more. We need to build in ability to change algorithms. This is a requirement we need to consider now. *** Volker Birk presents PEP. ?? invites the team to join UTA. Volker invites the team to attend their bar BOF this evening. Paul Wouters: is this an effort to strengthen protocols? Federated identity? I am confused. Volker: this is not centralized. They do not manage identities, they only map identities between different identity providers. Martin Thomson: draft is hard to read. Did not see an architecture. The presentation was helpful to understand. Please talk to many people and ask for help. People would like to hear concrete goals, what the architecture looks like, what are problems with existing protocols. The project is very massive. There is difference between shipping code and achieving interoperability. PHB: I like the activity. There are lots of secure e2e protocols out there. All are siloed (e.g. Signal). Also, all are sold as solutions around government coercion. However even if crypto is e2e-secure, the application itself is a point of coercion. Must have open source that can be audited. *** Dmitry Belyavskiy presents the Certificate Limitation Profile. Martin Thomson: chairs, please include a link to the draft. This has a lot of overlap with existing mechanisms around pinning, CT. Richard Barnes: there are app vendors that have their own CRL sets, those are proprietary but overlap with this proposal. What is the value in standardizing it? Dmitry: we are trying to formalize the syntax. DKG: mentions P11glue, which has similar functionality. There is merit in this kind of work because subtlety in the rules, but some people are already doing it. Rich Salz: would be interested in seeing a common data format. Martin: they would be willing to participate. Richard: need a notion of who is trusted to provide this information. Eric Rescorla: two problems to solve. Policy: which anchors do you trust. Distribution: need compression to deal with numerous revocations. Hardcoding is a problem, it makes it hard for a new CA to enter the market. Kathleen: will update the agenda with the draft link. *** Open Mic Steven: querying the ADs re: their position re: rechartering TLS WG or new potential proposals. Kathleen: maybe opportunity for something that's data center specific. The WG decides. Steven: is this within the current charter. Kathleen: needs to reread the charter. EKR as individual: does not believe draft-green would be in charter. Yaron: are quantum security models (QROM) usable/reliable and a good base for NIST's process? Kenny: yes.