Trust Anchor Management (tam) Birds of a Feather (BoF)
69th Internet Engineering Task Force (IETF)

Chairs: Sean Turner, Stephen Farrell
Mailing List: ietf-trust-anchor@vpnc.org

Summary:

The tam BoF was held on Friday, 27 July 2007. Approximately 120 attendees came to the meeting in person; approximately 40 people were on jabber, and some were on both.

The BoF co-chairs conducted agenda bashing; no additional speakers were added. Background and meeting goals were also provided by the co-chairs. This information provided context for audience members who had not been part of the mailing list discussion. (Slides presented at the BoF are available at: https://datatracker.ietf.org/meeting/69/materials.html)

Carl Wallace presented the problem statement (see "Problem Statement" slides). Explained the trust anchor (TA) concept and its uses, the general problem and the proposal; proposed a list of functional properties; and outlined security considerations. Received questions regarding the feasibility of doing all the items listed as functional requirements, the threat model that might apply, and the need for confidentiality, among others.

Paul Hoffman presented non-enterprise scenarios (see "TAM Scenarios" slides). Provided background, terminology information, scenarios with one and/or multiple TA administrators (TAAs), and examples of systems that need trust management. Received questions regarding: the vision between the user and the TAA; whether to do a transfer protocol, an acquisition protocol, or both; whether work would be for managing number of application information; among others. A concern about properly scoping the problem was raised.

Raksha Reddy presented the enterprise case (no slides). Presented the NSA/DoD view on support for this topic. The primary reason given was that there are things the DoD wants to manage in its specialized space that would benefit from having a TA management protocol. Indicated interest in having a collaborative effort for development.
The remainder of the time was used for open mic discussion and hums (show of hands).

- Concern raised about the apparent lack of industry/vendor support for the concept.
- Questions about whether to include devices and browsers, or to limit the scope.
- Comment that the Trusted Computing Group (TCG) has a lot of interest in this topic.
- Comment that vendors are not at the BoF yet because they don't know that they need to be.
- Clarification from the AD that working group formation was not the objective of this BoF. The goal is to determine whether there is a real problem, who cares about it, and whether there is a constituency for it.

Comments from the government of Canada regarding:
- Title/ownership management (assurance of integrity and originator in protocols)
- Liability management (assurance of authority in protocols)
- Protocol for the concept of relinquishment (at time of manufacture, at time of distribution, at time of use in the field)
- Protocol for policy management (reflecting conditions of use such as licensing arrangements and restrictions on the use of intellectual property rights)
- Protocol for identification of liability from both the perspective of assurance of authority and of non-repudiation (useful in establishing risk and addressing it in appropriate business plans)

Comment questioning whether trust anchor management is a subset of remote management; is it already covered by netconf?

Polling by the co-chairs to determine support; results are as follows:
- About half the room in favor of the IETF working on the idea (no hands against)
- 20 to actively work the topic
- Another 12 to review
- 10 to implement (if it's of good quality)

Will take the topic back to the mailing list. Need to get a better understanding of what "this" is (scope). Will use the mailing list to do scoping, refine questions, and build/recruit/demonstrate more constituency. The ADs will monitor the list to see how the group is progressing.