IETF-84 SAAG Meeting: Thursday Aug 1 2012
Chairs: Stephen Farrell & Sean Turner
Agenda: http://tools.ietf.org/agenda/84/agenda-84-saag.html

Thanks to our minute taker (Olafur Gudmundsson) and jabber channeller (Yoav Nir).
Corrections from Yoav Nir, Steve Kent.

WG reports were sent to the saag list.

Joe Hildenbrand: says security people should monitor Precis.

Philip Hallam-Baker (PHB): OmniBroker
------------------------------------
http://www.ietf.org/proceedings/84/slides/slides-84-saag-1.ppt

Paul Hoffman (PH): You will trust one OmniBroker; how will this work with multiple ones?
Philip HB: You may have different OBs for certain name scopes, with priority levels.
Paul Hoffman: How about when an antivirus vendor has an OB inside their product and the OS vendor has an OB; how does the user prioritize them?
Philip HB: Thinks platform vendors will not want to be in the trust-brokering business.
Steve Kent joked that he understood why the service had "Omni" in its name, since it appeared that it might offer any security service. Steve also asked whether Phil was worried about putting all of one's eggs in the same (OmniBroker) basket. Phil countered that putting all of one's eggs in one basket was a poor choice if one wanted to ensure that at least some eggs hatched, but if one wanted every egg to hatch, it was not a bad strategy.

Tim Moses (TM): The Web PKI
---------------------------
http://www.ietf.org/proceedings/84/slides/slides-84-saag-0.pdf

Tim explained what the web PKI is; see slides. Possible WG request for an OPS area WG to document the existing web PKI, aiming for a BOF in Atlanta.

Steve Kent asked Tim if the primary motivation for making the name constraints extension non-critical was because of exactly one vendor. Tim said that he was not aware of that. Steve said that he had heard that Apple's iOS was unable to process this extension, and that this was the primary rationale for the requested change. Steve also noted that support for this extension had been a requirement in PKIX RFCs for well over a decade. Tim replied that he didn't know that one vendor was the problem. Steve expressed skepticism, saying that he was surprised that Tim was able to respond with an almost straight face. Tim stated that the unnamed vendor had agreed to make changes to their products to meet specs, but that it would take a while for new versions of software to be distributed to all affected parties. Steve expressed consternation with this explanation, noting the speed with which software updates from Apple are pushed out and downloaded on iOS devices.

David Black: Where is this work going to exist? As an Ops Area rep, please sponsor the BOF with the OPS area.
Stephen Farrell: Did that already; Ron's in the loop.
David Black: Do not think about tossing this over.
Erik Burger: How important is this? How long will this take? If this is needed soon, the IETF is not the right forum.
Tim Moses: Reluctance in the CA/Browser Forum to do this.
Eliot Lear: Scope question: how are attributes interpreted?
Tim Moses: Only do technical protocol elements.
Michael Richardson: What about the libraries, e.g. libcurl, that are out there and are not compliant, and you cannot get them updated or to do the right thing?
Tim Moses: Focus is on dealing with legacy issues.
Michael Richardson: Defaults may have been appropriate in the old days but not anymore.
Philip HB: There used to be high overlap between IETF people and CA/Browser Forum people, but not anymore.
Paul Hoffman: You realize you are subscribing to the IETF process; are you willing to live with the consequences?
Tim Moses: We want something that people agree on, but need to check with colleagues.
Paul Hoffman: Be sure you want to invest the effort, and please don't waste hours on BOF + WG if you could just ask for an RFC to be issued.
Hannes: PKI is not broken, only practices.
Tim Moses: We are aware.
Thomas Roessler: Good idea to harmonize how PKI works, but look at what other working groups and organizations, esp. W3C, are doing.
Joe Hildenbrand: Are you including middleboxes?
Tim Moses: Not sure.
Stephen: We will create a mailing list.

Alberto Dainotti, CAIDA.org
----------------------------
Analysis of Country-wide Internet Outages Caused by Censorship
http://www.ietf.org/proceedings/84/slides/slides-84-irtfopen-1.pdf

The sensors they have deployed measure the impact of a number of events, not just route hijacking, e.g. the effect of earthquakes, tsunamis and route hijacking.

Open Mike:
----------
Paul H: New working groups have few reviewers, as reviewers only pay attention at LC. We end up with a waste of time, as the original sponsors did not know what to expect.
Sean: We are aware of this issue and keep it in mind.
Elliot: Require at least a draft before the web PKI BOF.
Jeff: CA forum has a posting on governance reform.
David B: Agrees with Elliot; cross-area BOFs need education, thus drafts are really important.
Yoav: An http-auth BOF would be a good idea if the right people are going to be in the room, esp. server-side login UI developers, and might be a bad idea if groups like that are missing.
Stephen: We need clarity before the BOF takes place.