Minutes interim-2024-tigress-01: Thu 18:00
minutes-interim-2024-tigress-01-202401251800-01
Meeting Minutes | Transfer dIGital cREdentialS Securely (tigress) WG | |
---|---|---|
Date and time | 2024-01-25 18:00 | |
Title | Minutes interim-2024-tigress-01: Thu 18:00 | |
State | Active | |
Last updated | 2024-01-26 |
TIGRESS Interim 01 2024
Agenda:
Welcome, NoteWell, Minute Taker - 5 mins
* Agenda Bash
* Presentation by Yogesh to compare the 2 drafts - 15 mins
* Open mic discussion - 20-25 mins
* Consensus check - 15 mins
Drafts
https://datatracker.ietf.org/doc/draft-vinokurov-tigress-http/
https://datatracker.ietf.org/doc/draft-rescorla-tigress-http/
Notes:
Yogesh presenting, see slides
- ekr notes in the chat that everything presented in these slides is false
- ekr comments
- randomly generated numbers of sufficient space are guaranteed not to collide, this property is relied on in most IETF protocols including TLS
- ekr and yogesh can't come to an agreement
- ekr makes the point that the deletion is the ask in his draft and can happen on the same TLS connection, as such there is no issue here
- ekr and yogesh can't come to an agreement
- aaron comments
- Can you elaborate on the wide deployment claimed here
- Yogesh: a handful of car manufacturers who have deployed this solution
- Elham: there are more than cars, it's also being used by scooters and multihome keys
- Matthias: many other device OEMs in the Android world and other entities are deploying this
- Joe from Repairify notes that his company is part of the consortium in the chat
- Leif chair comments
- This isn't uncommon in the IETF, there is a solution outside the IETF that wants to be specified
- The IETF is not the venue to rubber stamp solutions
- If Apple and Android have a working relationship there isn't a need for an international standards organization
- The process we're in now, with the evolution of a solution is part of the IETF process
- as a chair it is bad practice for the IETF for the security analysis to be discussed only by the proposers
- If Apple and Google are the only involved, you don't need the IETF
- Where are the car manufacturers and other interested parties
- Su Yong
- IETF can set up a liaison with the CCC for folks to get more details of the deployments
- Leif
- Liaison relationships are an IAB thing, not an IETF thing
- However it would be useful for CCC members to show up here
- IETF has been asked to take ownership control of this protocol which means you need to do the work in the IETF
- Brad
- Why not specify this in the CCC
- Matthias: CCC only covers cars, not other verticals
- as to why Apple and Google don't just do this on their own (didn't get the argument)
- but we shouldn't just make changes for changes' sake
- Leif
- What ekr has done is offer a much simpler way to accomplish the same goals
- Does this mean there is competition between the two drafts? Not necessarily but we do need objective review
- We need a detached and objective review of the requirements
- Wide deployment is beside the point at this point
- Yogesh
- These slides are trying to compare the two drafts objectively
- draft-rescorla is not less complicated, it is more complicated and confusing
- ekr
- Feel like I need to jump in again, I disagree
- If we had car manufacturers or other vertical vendors offering opinions about why they prefer one approach or another
- If we're going to do a comparison it needs to be based on consensus opinion, not just one person's opinion which I think we've established is disputed
- (on the next slide)
- these points are more reasonable
- I don't agree that lifetimes are important, but that's easy to add. I prefer not to add that complexity to the server
- Yogesh: can you repeat that
- ekr:
- a) we're not talking about cookies here because it is not required
- b) even if they were, they are isolated and not a tracking vector
- If we're deciding on deployment, then agree draft-v works
- If we're deciding on technical merit, then we need to actually have reasonable analysis
- Matthias
- I joined today because I thought we were making a decision here
- Leif
- We need a consensus call, which would have on the mailing list, not here in the interim
- We have multiple options
- a) we could have a working group redesign
- b) we could decide on draft-v
- we couldn't take draft-v to IESG because we haven't demonstrated consensus
- so far we haven't seen enough participation
- Matthias: A lot of this work has happened before
- Leif: then you don't need the IETF, this isn't how the IETF works
- Matthias: Isn't the IETF just a standards organization that standardizes across verticals
- Leif: We don't even have people responding to basic review requests. As chairs we could declare that we're done, but the IESG would reject it. We need to demonstrate rough consensus and running code. You have the running code bit, but we don't have the consensus part.
- Su: If we continue on this trajectory, what happens?
- Leif: the working group will get shut down
- The IETF is very wary of one or two companies coming in with a draft based on past experience
- Aaron: Apple, if you have relationships with other companies, can you ask them to come and speak
- Leif: to be clear, we need more than a raised hand
- Aaron: I think people could use suggestions on how they can participate concretely
- Leif: We have seen this before where someone brings work to the IETF but don't have time to contribute to it and that takes it out of the running for an IETF protocol.
- Su: From CCC members side, they've already done that work and they don't want to repeat it.
- Brad: The reason given for bringing this to the IETF was to support other verticals, so then representatives from non-CCC members could come participate here.
- Su: Those vendors may not have the bandwidth
Chairs will confer with the ADs and take the next steps.