DANISH BOF. Friday March 12, 1300 UTC Notes are at: https://codimd.ietf.org/notes-ietf-110-danish?edit Meetecho is at: https://gce.conf.meetecho.com/conference/?group=danish&short=&item=1 jabber:danish@jabber.ietf.org 73 entities in the jabber room. - [15 min] Defining the problem space - Ash - [5 min] Clarifying Q&A Discussion in jabber about mTLS, mutual-TLS, and where the term came from, and it seems to come from corporate world, and often used in OAUTH, but not typically used within TLS WG circles. No clarifying questions asked. - [5 min] Future Use Case - Sandoche Discussion in chat regarding some confusion over acronyms used in slides. - [30 min] Initial work areas - Shumon/Ash - [10 min] Clarifying Q&A Brendan Moran question about DNS records for IoT devices. Concern about security implications of namespace being advertised in records, wondered if IP addresses would also be included? Answer: No, IP addresses not included. Viktor Dukhovni comment regarding privacy, suggests issuing certs using private CA vice public one to mitigate risk. Some discussion in chat about how well NSEC3 works to avoid enumeration (vs white lies, vs NSEC5) - [remaining time] Open MIC - Do we understand the problem? - Is the problem space worth solving within the IETF? - Is this a good starting set of documents? - Who wants to help with the effort? Hannes Tschofenig: Comment on documents referenced in slides; mostly positive reaction. Viktor Dukhovni: Wonders if delivery of CA certificates is redundant when done over secure web connection. Viktor: in the network access space, the client probably wants to change identities early on in the lifespan. Discussion about changing keys, BRSKI, ec. Jim Reid: the scope has been fairly clear and complete. However, we might be talking amongst ourselves. We need more engagement from manufacturers and vendors of IoT devices. We aren't seeing a lot of uptake of DNSSEC or DANE among the clueful, so how would IoT manufacturers will work? Concerns acknowledged; mention of some work already being done to get vendors involved. Jacques Latour: Discusses work he's been involved with that's similar to the topic of the BoF. https://github.com/CIRALabs/CIRA-Secure-IoT-Registry Likes idea, thinks it needs to be made simple. Provides information on some challenges in this area that he and his team have struggled with and managed to overcome. Wes: Seems that the problem space is understood and that there's general support for IETF to tackle the problem. (No opposition expressed.) Wes: Are the three documents a good place to start? Shumon: draft-wilson-dane-pkix-cd-00 new, so lots of people haven't had time to read it yet. Jim: Question on next steps. Go for working group now, or discuss on list? Roman: It all depends. Explains process. Ben Kaduk: Don't want to wait have discussion. Roman: Agreed. Start talking about charter on mailing list Hannes: Discussion of architecture document Roman: Concur that architecture document would be helpful Wes: Want to help? Subscribe to mailing list Discussion in chat about how "boringly straightforward" and "well run" the BoF session was. - [10 min] Other use cases out of scope - Dash Cam Retention - Hannes asks clarifying questions on how taxi/dash cam is configured - Danish Peripheral Objectives - Question from Michael Richardson asking for clarity on HTTP proxy headers - JOSE and COSE - Eligible for Inclusion - SMIMEA Update - TLS DNSSEC Chain Extension - Viktor: Doesn't think it necessary for new DANE usage for HTTPS - DANE for SIP Authentcation - Oauth2 mTLS Update - MLS Protocol Slides available for download from datatracker - https://datatracker.ietf.org/meeting/110/materials/slides-110-danish-danish-bof-slides-02 https://datatracker.ietf.org/meeting/110/materials/slides-110-danish-chair-slides-00