Security Area

Director:


o Jeff Schiller <[email protected]>



Area Summary reported by Jeff Schiller, MIT and Jim Galvin, TIS


The Security Area within the IETF is responsible for development of security
oriented protocols, security review of RFCs, development of candidate
policies, and review of operational security on the Internet.

The Area Director is assisted by a Directorate, an advisory entity with no
standards-setting powers.  The members of the Security Directorate are as
follows:

Jeffrey I. Schiller             [email protected]
Ran Atkinson                    [email protected]
Steve Bellovin                  [email protected]
Steve Crocker                   [email protected]
Barbara Fraser                  [email protected]
James M. Galvin                 [email protected]
Phil Karn                       [email protected]
Steve Kent                      [email protected]
John Linn                       [email protected]
Clifford Neuman                 [email protected]
Rob Shirey                      [email protected]
Ted Ts'o                        [email protected]

In addition to the Directorate, the Security Area is assisted by the Security
Area Advisory Group (SAAG).  The SAAG is an open group that meets at
least once during each IETF meeting as well as electronically via the
[email protected] mailing list.  Send a message to [email protected] to join the
list.

During the SAAG meeting, the activities of the Security Area, including the
Directorate, are reported and discussed.  In addition, the SAAG meeting
provides an opportunity for open discussion of security issues.

Included below is a summary from those working groups and birds of a
feather sessions with security relevant activities to report.


The following working groups met during at this IETF meeting:

o  Authenticated Firewall Traversal
o  Common Authentication Technology
o  Domain Name System Security
o  IP Security
o  One Time Password Working Group
o  Public Key Infrastructure (New Working Group)
o  Web Transaction Security

In addition, a BOF was held on Secure Payments (ISPP).


Authenticated Firewall Traversal Working Group (AFT)

The AFT Working Group works on standardizing aspects of the SOCKS
protocol.  SOCKS is a mechanism for applications to use a firewall server as a
proxy for direct internet services.  It permits an organization to install a
firewall while still permitting users inside the firewall to make use of
internet services that normally would not be permitted to cross the firewall.

The AFT Working Group held a brief meeting at the Dallas IETF.

The Agenda included the notice of IETF LAST CALL on:

draft-ietf-aft-socks-protocol-v5-05.txt
draft-ietf-aft-username-password-01.txt

Some controversy existed with respect to the draft-ietf-aft-gssapi-02.txt
document.  There was some concern about REQUIRING draft-myers-auth-
sasl-00.txt as the strong authentication method encoding for SOCKS V5.
However, consensus prevailed and there was unanimous support for draft-
ietf-aft-gssapi-02.txt.  There was also a presentation by Marcus Leech and Dave
Blob on their implementations of SOCKS V5.

Common Authentication Technology Working Group (CAT)

The CAT Working Group develops technologies that make it easy for
application programmer's and protocol designers to incorporate
authentication technology into their products.  Its primary focus is to define
an IETF Generic Security Services Applications Programming Interface (GSS-
API) and to specify different security systems that make use of it.

The CAT Working Group met for two sessions in Dallas.  Presentations
included talks on the SESAME GSS-API mechanism, the Kerberos Single-Use
Authentication Mechanism (SAM) draft, Kerberos Public-Key Extensions,
IDUP, Simple Authentication and Session Layer (SASL), authorization and
delegation control extensions (xgssapi), and GSS-API/Web integration (a
work item within the WTS Working Group).  Other discussion topics
included pending issues on GSS-V2; all known pending issues were closed or
triggered action items, and an additional Internet-Draft version is planned for
January as a basis for advancement to Proposed Standard.  Following active
business on Internet-Drafts, a brief summary of Microsoft's adaptation of GSS-
API for Windows NT was presented.

Note: For detailed information on the technologies referenced above, the
reader is encouraged to read the work product documents of the CAT
working group (both RFCs and Internet Drafts) available from the IETF Web
pages (http://ietf.cnri.reston.va.us).

Domain Name System Security Working Group (DNS-SEC)

The Domain Name System Security (DNS-SEC) Working Group is adding
security services to the Domain Name System (DNS).  Its primary focus is to
provide authentication and integrity for DNS data.  A secondary outcome is
likely to be a workable mechanism that uses the DNS to distribute
cryptographic keys.

The two documents of this working group are ready to go, pending a minor
change to what is currently labeled the NULL signature algorithm.  The area
director will get the documents in early January to consider for publication as
Proposed Standards.

The majority of the time at this working group meeting was to begin a new
work item: secure dynamic update.  A list of requirements and desired
functionality was developed and a draft proposal is expected in time for the
Spring IETF.

IP Security Working Group (IPSEC)

IPSEC met twice during the Dallas IETF.  Shortly after the last IETF
(Stockholm) the first documents of the IPSEC Working Group went to
proposed standard (RFC1825-1829).  These documents define the overall
architecture of IP Security as well as defining the IP layer protocol for
providing authentication, integrity and confidentiality.  At the Dallas IETF 10
implementations of these documents were presented and discussion
indicated that at least two others are known.

RSA Data Security sponsored a room at the hotel for implementers of the
IPSEC documents to perform interoperability testing.  At least six
implementations that interoperated were demonstrated.

At this point we anticipate that the proposed standards will be edited to
incorporate implementation experience and we expect to be able to advance
them to DRAFT standard in the not so distant future.

In addition to reporting on implementation experience, the IPSEC Working
Group spent considerable time discussing various proposals for key
management (not yet at the level of proposed standard).  At least three
proposals exist (Photuris, ISAKMP and SKIP).  The Area Director is
supportive of all three efforts but would prefer to see the IPSEC group
converge to one proposal based on an objective review of how the proposals
address the already agreed upon requirements for a key management protocol
(requirements are documented in previous minutes of the IPSEC Working
Group and on the IPSEC mailing list).

One Time Password Working Group

The One Time Password Working Group met briefly in Dallas.  This was the
first in-person meeting of the group as a full fledged working group.  The
most recent OTP draft was turned over to the Security Area Director
(immediately prior to the Dallas IETF) for consideration as a Proposed
Standard.

Phil Servita gave a presentation on his OTP toolkit for UNIX which is freely
distributable for non-commercial use.  Ran Atkinson and Dan McDonald
talked about the NRL OPIE software package which is freely distributable for
any purpose under BSD-like terms.

Work commenced on a follow-up document to the OTP draft.  This
document discusses issues beyond the scope of the original draft.
Specifically, issues such as defending against certain forms of
active attack of specification of how to re-initialize a OTP system
are  to be part of this document.  A call for proposals and discussion
on this more recent document was issued with a deadline of January 1 for
the first round of discussion.

Public Key Infrastructure Working Group (PKIX)

The Public Key Infrastructure Working Group (PKIX) is examining ways of
using the X.509 and similar public key infrastructures on the Internet.

This IETF marked the first official meeting of this working group.  The
meeting was well-attended (filled a moderate sized room) and the leadership
came prepared with several proposals that have already been published as
Internet Drafts.

Web Transaction Security Working Group

The Web Transaction Security Working Group met in Dallas.  Some final
wording on the requirements document was worked out.  Working Group
Last Call is expected on the requirements document as soon as a draft is
available with the discussed wording in it.  Presentations were given by Doug
Rosenthal on GSSAPI-WWW, Rohit Khare on PEP and from Alan Schiffman
on SHTTP.  The working group would like to advance the SHTTP document
but first needs to settle some issues.  These issues deal with whether to use
PEM (RFC1421 style) or MOSS (RFC1848) and how to track the evolution of
HTTP itself.

Secure Payments BOF

A second BOF was held at the Dallas IETF (the first BOF was held in
Stockholm).  The primary focus of the meeting was whether or not it made
sense for the IETF to charter a working group in this area given the interests
of the major bank card companies and the recent involvement of ANSI.  The
consensus of the group was NOT to pursue an effort to develop a merchant-
bank payment authorization protocol (this would be a competing effort to
what the major players are already working on).

There was consensus that the IETF could contribute by defining negotiation
mechanisms to decide which payment protocol to use as well as how to
encapsulate protocol messages for transport.  These are areas that the payment
protocol people have not address and in fact have specifically invited the
participation of the IETF.

You are viewing proxied material from ftp.icm.edu.pl. The copyright of proxied material belongs to its original authors. Any comments or complaints in relation to proxied material should be directed to the original authors of the content concerned. Please see the disclaimer for more details.