
From Pasi.Eronen@nokia.com  Mon Mar  1 04:56:04 2010
From: <Pasi.Eronen@nokia.com>
To: <secdir@ietf.org>, <saag@ietf.org>
Date: Mon, 1 Mar 2010 13:55:37 +0100
Message-ID: <808FD6E27AD4884E94820BC333B2DB775848146A84@NOK-EUMSG-01.mgdnok.nokia.com>
Subject: [saag] Pasi's AD Notes for February 2010
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Mar 2010 12:56:04 -0000

Here's again a short status update about what things are going on from
my point-of-view. If you notice anything that doesn't look right, let
me know -- miscommunication and mix-ups do happen.

Best regards,
Pasi

MISC NOTES

- Planning AD transition with Tim/Sean
- IETF 77 planning with Tim/Sean: SAAG meeting, SecDir
  lunch, overall agenda
- (not wearing AD hat) draft-krawczyk-hkdf went through IETF last
  call; on the agenda of 2010-03-04 IESG telechat.
- (not wearing AD hat) Waiting for Dan Romascanu to process
  errata 1955/1956 for RFC 4072 [since 2009-12-09]
- Waiting for IETF Trust's reply on how to contribute pre-5378
  rights to the trust [since 2009-11-03]
- Lot of tools work (code I want to get in decent state before
  my AD term ends)

WORKING GROUPS

DKIM
- draft-ietf-dkim-deployment: discussion ongoing to resolve
  Tim's DISCUSS; currently waiting for Tim to reply [since 2010-02-25]
- Processed errata 1385.
- I still need to review what to do about errata 1532, 1596,
  and 1942.
- Waiting for Stephen and Barry for new charter text.

EMU
- The WG chairs have the token for doing something about ITU-T
  X.1034 liaison statement.

IPSECME
- draft-ietf-ipsecme-ikev2-ipv6-config (not wearing AD hat):
  published as RFC 5739.
- draft-ietf-ipsecme-esp-null-heuristics: went through IETF
  last call; placed on the agenda of 2010-03-04 IESG telechat.
- draft-ietf-ipsecme-roadmap: sent my AD review comments; waiting
  for reply/revised ID [since 2010-02-26]
- draft-ietf-ipsecme-aes-ctr-ikev2: sent my AD review
  comments; waiting for reply/revised ID [since 2010-01-27]
- draft-ietf-ipsecme-traffic-visibility: in RFC editor queue.
- I need to look at errata 1937 (for RFC 4307) [since 2009-11-02]

ISMS
- draft-ietf-isms-dtls-tm: sent my AD review comments; waiting
  for reply/revised ID [since 2010-02-25]

KEYPROV
- draft-ietf-keyprov-pskc: waiting for me to do my AD
  review [since 2010-02-28]
- draft-ietf-keyprov-symmetrickeyformat: waiting for me to
  do my AD review [since 2010-02-28]

PKIX
- Processed errata 1909/2048 (for RFC 3279), 2013 (for RFC 5758),
  and 2021 (for RFC 5756)

SASL
- draft-ietf-sasl-gs2: in RFC editor queue/AUTH48
- draft-ietf-sasl-scram: in RFC editor queue/AUTH48
- (not WG item) draft-melnikov-sasl-scram-ldap: in
  RFC editor queue/AUTH48
- (not WG item) draft-altman-tls-channel-bindings: waiting for the
  authors to propose wording that is both aligned with the
  implementations, and considers the renegotiation problem and
  solution [pinged again 2010-02-26]

SYSLOG
- draft-ietf-syslog-sign: in RFC editor queue. Waiting for the
  authors to reply about SHA-256 issue [since 2010-03-01]

TLS
- draft-ietf-tls-renegotiation: published as RFC 5746.
- draft-ietf-tls-extractor: in RFC editor queue, waiting for
  Eric to reply.
- draft-ietf-tls-rfc4366-bis: it seems we need more text about
  server_name (and perhaps renegotiation); waiting for WG
  chairs/editor to drive discussion/propose text.
- (not WG item) see SASL WG for draft-altman-tls-channel-bindings
- (not WG item) lot of emails about draft-hoffman-tls-* I
  need to read, but haven't yet...

OTHER DOCUMENTS

DISCUSSES (active -- something happened within last month)

- draft-ietf-dhc-dhcpv4-vendor-message: it seems bigger issues
  concerning this draft need to be resolved before it makes sense
  to address my relatively minor concern; waiting for that dust
  to settle [as of 2010-03-01]
- draft-ietf-geopriv-lis-discovery: discussion ongoing; currently
  waiting for more information from WG chair/authors [since 2010-02-25]
- draft-zorn-radius-pkmv1: discussion ongoing; currently waiting
  for the author to reply to my comments [since 2010-03-01]

DISCUSSES (stalled -- I haven't heard anything from the authors
or document shepherd for over one month)

- draft-ietf-bmwg-ipsec-meth: waiting for authors to submit
  a revised ID [since 2010-01-29]
- draft-ietf-bmwg-ipsec-term: waiting for authors to reply
  to my comments or submit a revised ID [since 2010-01-29]

DISCUSSES (presumed dead -- I haven't heard anything from the authors
or document shepherd for over three months)

- draft-cheshire-dnsext-nbp: waiting for authors to reply to my
  comments [since 2008-12-03] (pinged again on 2009-04-30,
  2009-06-09, 2009-10-29, 2009-12-28, 2010-02-18)
- draft-ietf-sip-certs: waiting for the authors to reply
  [since 2009-10-26] (pinged 2010-01-22)
- draft-ietf-sipping-policy-package: waiting for draft-ietf-sipping-
  media-policy-dataset to progress (or more information from Robert)
  [since 2008-10-28]

--end--


From stpeter@stpeter.im  Tue Mar  9 10:44:54 2010
Message-ID: <4B969728.3090907@stpeter.im>
Date: Tue, 09 Mar 2010 11:44:56 -0700
From: Peter Saint-Andre <stpeter@stpeter.im>
To: "apps-discuss@ietf.org" <apps-discuss@ietf.org>, saag@ietf.org,  "tls@ietf.org" <tls@ietf.org>, pkix@ietf.org
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha1; boundary="------------ms050001070505060602060700"
Subject: [saag] representation and verification of identity in certificates

This is a cryptographically signed message in MIME format.

--------------ms050001070505060602060700
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

A small, informal design team has been working on an I-D that attempts
to define recommended procedures for representing and verifying server
identities in X.509 certificates intended for use in applications that
employ TLS. We have just published version -03 of that I-D:

http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-03

Because this work touches on security in a wide variety of application
protocols (HTTP, IMAP, LDAP, SMTP, XMPP, NNTP, NETCONF, SysLog, SIP,
etc.) through the re-use of both TLS and the PKI, there is no one list
where we can hold a focused discussion. Therefore we have created a new
list, certid@ietf.org, to which you can subscribe here:

https://www.ietf.org/mailman/listinfo/certid

Please join the discussion there if you have an interest in this topic.

Thanks!

Peter

-- 
Peter Saint-Andre
https://stpeter.im/




--------------ms050001070505060602060700--

From fluffy@cisco.com  Wed Mar 17 19:03:54 2010
From: Cullen Jennings <fluffy@cisco.com>
Date: Wed, 17 Mar 2010 19:55:56 -0600
Message-Id: <ECABA224-C533-43A6-A888-C0F8097A145B@cisco.com>
To: saag@ietf.org, secdir@ietf.org
Subject: [saag] E2MD BOF

The E2MD BOF is wrestling with some complicated issues around putting
personal data about individuals in DNS (names, phone numbers etc). They
are considering various approaches to constrain access to the private
data. The leading contender as far as I can tell is to only run the DNS
with the private data in a walled garden and make sure no one that
should not see the data can query a server in the walled garden. One or
two people have mentioned you might want to encrypt the private data and
control access to the keys but that idea has not received much
discussion. It seems to me like a possibility worth exploring a little.

If anyone is interested or has spent time thinking about privacy of data
in DNS, input from folks on this list would be valuable and I hope at
least a few security folks can show up at the BOF.

Thanks, Cullen

Mailing list archive at http://www.ietf.org/mail-archive/web/e2md/index.html


From weiler@watson.org  Thu Mar 18 20:49:02 2010
Date: Thu, 18 Mar 2010 23:49:11 -0400 (EDT)
From: Samuel Weiler <weiler@watson.org>
To: Cullen Jennings <fluffy@cisco.com>
In-Reply-To: <ECABA224-C533-43A6-A888-C0F8097A145B@cisco.com>
Message-ID: <alpine.BSF.2.00.1003182344390.13633@fledge.watson.org>
References: <ECABA224-C533-43A6-A888-C0F8097A145B@cisco.com>
Cc: saag@ietf.org, secdir@ietf.org
Subject: Re: [saag] [secdir] E2MD BOF
Reply-To: secdir-secretary@mit.edu

Cullen,

I suggest taking this question to the DNSEXT WG.  AFAIK, the DNSEXT 
agenda in Anaheim still has two minutes left open, which is about all 
the WG will tolerate of this.  :-)

-- Sam

On Wed, 17 Mar 2010, Cullen Jennings wrote:

> The E2MD BOF is wrestling with some complicated issues around 
> putting personal data about individuals in DNS (names, phone 
> numbers etc). They are considering various approaches to constrain 
> access to the private data. The leading contender as far as I can 
> tell is to only run the DNS with the private data in a walled garden 
> and make sure no one that should not see the data can query a server 
> in the walled garden. One or two people have mentioned you might 
> want to encrypt the private data and control access to the keys but 
> that idea has not received much discussion. It seems to me like a 
> possibility worth exploring a little.
>
> If anyone is interested or has spent time thinking about privacy of 
> data in DNS, input from folks on this list would be valuable and I 
> hope at least a few security folks can show up at the BOF.
>
> Thanks, Cullen
>
> Mailing list archive at http://www.ietf.org/mail-archive/web/e2md/index.html

From Shawn.Emery@Sun.COM  Wed Mar 24 18:34:30 2010
Date: Wed, 24 Mar 2010 19:34:48 -0600
From: "Shawn M. Emery" <Shawn.Emery@Sun.COM>
Sender: Shawn.Emery@Sun.COM
To: saag@ietf.org
Message-id: <4BAABDB8.3070204@sun.com>
Subject: [saag] KITTEN Working Group Summary - IETF 77

The KITTEN-WG met Wednesday, 3/24/10, during the second morning session 
for 1 hour.

Co-chairs: Tom Yu and Shawn Emery

The goals of the meeting were to review the state of the active WG 
items, one individual submission, discuss extensions - credential 
management and asynchronous calls, federated authentication for 
client-server applications, and discuss merging KITTEN and SASL WGs.

gssapi-extensions-iana
----------------------------
IANA has replied that they want the draft to pick one of the registry 
types left as a choice in the current version of the draft:
     single GSS-API name-space registry
     separate registry - symbolic and constant registries
     registry per programming language
     multiple registries
No response during the session on which registry is preferred, will take 
the question to the list.

gssapi-naming-exts
------------------------
Makes a normative reference to a 3rd party (OpenGridForum) standards 
document - GFD.024. Requested approval to the list. Awaiting a one-week 
timer before submitting a WGLC, pending any objections.

draft-lha-gssapi-delegate-policy
---------------------------------------
Approval announcement made. Issue was raised given that the I-D makes a 
normative reference to the IANA-extensions draft. Decision was to create 
an RFC editor note to replace text once the IANA-extensions I-D is approved.

Future WG Items
-----------------------
We discussed requested new work items that are of particular interest:
     credential management
     asynchronous calls
Subsequent discussion followed asynchronous calls. Nico Williams had 
volunteered to provide what the interfaces may look like. Requested 
editors/authors of any subsequent draft. None had volunteered.

New Proposal
-----------------
The merger of the KITTEN and SASL WGs was proposed. There were no 
comments for or against the merger. Will take this to the list.

Shawn Emery and Tom Yu.
--

From mundy@tislabs.com  Thu Mar 25 07:59:38 2010
Message-Id: <p06240800c7d126a45d6b@[157.185.80.174]>
Date: Thu, 25 Mar 2010 10:59:51 -0400
To: saag@ietf.org
From: Russ Mundy <mundy@tislabs.com>
Subject: [saag] ISMS Summary for IETF 77

Summary:

ISMS is continuing work on two chartered documents.  The first is specifying
a transport model for running SNMP over TLS and DTLS.  This document is
currently in IETF last call and, as of the beginning of IETF 77, had not
received any substantive comments.  The second document describes how
RADIUS can be used to provision security name to group name mappings in the
VACM access control model.  Since an additional editor has been recruited,
the WG has made progress on this document and the WG has cleared nearly all
open issues.  We are working on getting final consensus and text for the
last issue and expect to deliver the document to the IESG in the next few
weeks.  Since there were no items that required a face to face meeting, the
co-chairs cancelled the session for IETF 77.


WG Chairs:      Russ Mundy <russ.mundy@sparta.com>
                Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
WG URL: http://tools.ietf.org/wg/isms/


From paul.hoffman@vpnc.org  Thu Mar 25 09:19:35 2010
Message-Id: <p06240872c7d13c03bfff@[10.6.19.70]>
Date: Thu, 25 Mar 2010 09:19:53 -0700
To: saag@ietf.org
From: Paul Hoffman <paul.hoffman@vpnc.org>
Subject: [saag] IPsecME WG meeting report, Anaheim edition

The WG already has a good handful of documents that are published as RFCs or are in the RFC Editor queue, so we started talking about the new work items in our charter. We started discussing high-availability requirements and got into a good discussion of vocabulary. We also started discussing a mode that allows EAP-only authentication and more secure password-based authentication. The next few months will be focused on these new work items.

--Paul Hoffman, Director
--VPN Consortium

From aland@deployingradius.com  Thu Mar 25 09:24:37 2010
Message-ID: <4BAB8E54.2060205@deployingradius.com>
Date: Thu, 25 Mar 2010 09:24:52 -0700
From: Alan DeKok <aland@deployingradius.com>
To: saag@ietf.org
Subject: [saag] EMU WG meeting report IETF 77

  We made a lot of good progress.  Many issues that have come up on the
list were either resolved, or had resolutions suggested and discussed.
We will be taking those issues to the list for validation.

  We have two volunteers to edit the channel bindings document (Sam
Hartman and Glen Zorn).

  We should be able to get a new version of the tunnel requirements
document out before IETF 78.  It looks like we can do a WG last call
before then, too.

  Alan DeKok.

From turners@ieca.com  Thu Mar 25 09:46:34 2010
Return-Path: <turners@ieca.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 9FDD63A6C13 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 09:46:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.591
X-Spam-Level: 
X-Spam-Status: No, score=0.591 tagged_above=-999 required=5 tests=[AWL=-0.875,  BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, IP_NOT_FRIENDLY=0.334,  UNPARSEABLE_RELAY=0.001]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2awen2Q03r2I for <saag@core3.amsl.com>; Thu, 25 Mar 2010 09:46:34 -0700 (PDT)
Received: from smtp111.biz.mail.sp1.yahoo.com (smtp111.biz.mail.sp1.yahoo.com [69.147.92.224]) by core3.amsl.com (Postfix) with SMTP id 9A1763A6BEA for <saag@ietf.org>; Thu, 25 Mar 2010 09:46:30 -0700 (PDT)
Received: (qmail 15673 invoked from network); 25 Mar 2010 16:46:50 -0000
Received: from dhcp-wireless-open-abg-24-191.meeting.ietf.org (turners@130.129.24.191 with plain) by smtp111.biz.mail.sp1.yahoo.com with SMTP; 25 Mar 2010 09:46:50 -0700 PDT
X-Yahoo-SMTP: ZrP3VLSswBDL75pF8ymZHDSu9B.vcMfDPgLJ
X-Yahoo-Newman-Property: ymail-3
Message-ID: <4BAB937A.4010205@ieca.com>
Date: Thu, 25 Mar 2010 09:46:50 -0700
From: Sean Turner <turners@ieca.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: multipart/mixed; boundary="------------060105040005070303060603"
Subject: [saag] syslog WG update
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 16:46:34 -0000

This is a multi-part message in MIME format.
--------------060105040005070303060603
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit


--------------060105040005070303060603
Content-Type: message/rfc822;
 name="syslog WG update for SAAG.eml"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="syslog WG update for SAAG.eml"

X-Account-Key: account2
X-Mozilla-Keys: 
X-Apparently-To: turners@ieca.com via 216.252.120.71; Wed, 24 Mar 2010 15:04:06 -0700
X-Originating-IP: [171.68.10.87]
Authentication-Results: mta1021.biz.mail.mud.yahoo.com  from=cisco.com; domainkeys=neutral (no sig); from=cisco.com; dkim=neutral (no  sig)
Received: from 171.68.10.87  (EHLO sj-iport-5.cisco.com) (171.68.10.87)
  by mta1021.biz.mail.mud.yahoo.com with SMTP; Wed, 24 Mar 2010 15:04:06 -0700
Authentication-Results: sj-iport-5.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-AV: E=Sophos;i="4.51,303,1267401600"; 
   d="scan'208";a="171851475"
Received: from syd-core-1.cisco.com ([64.104.193.198])
  by sj-iport-5.cisco.com with ESMTP; 24 Mar 2010 22:04:03 +0000
Received: from sjc-cde-011.cisco.com (sjc-cde-011.cisco.com [171.69.16.68])
	by syd-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o2OM415J001820;
	Wed, 24 Mar 2010 22:04:02 GMT
Date: Wed, 24 Mar 2010 15:04:01 -0700 (PDT)
From: Chris Lonvick <clonvick@cisco.com>
To: Sean Turner <turners@ieca.com>, pasi.eronen@nokia.com
cc: Christopher Lonvick <clonvick@cisco.com>, ietfdbh@comcast.net
Subject: syslog WG update for SAAG
Message-ID: <Pine.GSO.4.63.1003241450440.4595@sjc-cde-011.cisco.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

Hi,

The syslog WG is nearing completion of its last deliverable.

draft-ietf-syslog-dtls has passed WGLC and is awaiting a proto document 
writeup from the Chair with the recommendation that it be reviewed by the 
IESG to become a Standards Track RFC.

The other document in the WG list of deliverables is 
draft-ietf-syslog-sign which is in the RFC Editor's queue.

Once draft-ietf-syslog-dtls is submitted to the IESG, it is our 
recommendation that the syslog Working Group be concluded.

The Chairs and the Working Group wish to express our sincere thanks to 
Pasi for his leadership, care, and guidance in his tenure as our Advisor.

Best regards,
Chris


--------------060105040005070303060603--

From Pasi.Eronen@nokia.com  Thu Mar 25 10:03:28 2010
Return-Path: <Pasi.Eronen@nokia.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A9E8F3A6CA5; Thu, 25 Mar 2010 10:03:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.24
X-Spam-Level: 
X-Spam-Status: No, score=-3.24 tagged_above=-999 required=5 tests=[AWL=-0.370,  BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iPa-V+gjy7v9; Thu, 25 Mar 2010 10:03:26 -0700 (PDT)
Received: from mgw-mx03.nokia.com (smtp.nokia.com [192.100.122.230]) by core3.amsl.com (Postfix) with ESMTP id A18903A6B45; Thu, 25 Mar 2010 10:03:24 -0700 (PDT)
Received: from esebh106.NOE.Nokia.com (esebh106.ntc.nokia.com [172.21.138.213]) by mgw-mx03.nokia.com (Switch-3.3.3/Switch-3.3.3) with ESMTP id o2PH3MSr029827; Thu, 25 Mar 2010 19:03:43 +0200
Received: from vaebh102.NOE.Nokia.com ([10.160.244.23]) by esebh106.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 25 Mar 2010 19:03:39 +0200
Received: from vaebh101.NOE.Nokia.com ([10.160.244.22]) by vaebh102.NOE.Nokia.com with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 25 Mar 2010 19:03:30 +0200
Received: from smtp.mgd.nokia.com ([65.54.30.8]) by vaebh101.NOE.Nokia.com over TLS secured channel with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 25 Mar 2010 19:03:25 +0200
Received: from NOK-EUMSG-01.mgdnok.nokia.com ([65.54.30.86]) by nok-am1mhub-04.mgdnok.nokia.com ([65.54.30.8]) with mapi; Thu, 25 Mar 2010 18:03:24 +0100
From: <Pasi.Eronen@nokia.com>
To: <saag@ietf.org>, <secdir@ietf.org>
Date: Thu, 25 Mar 2010 18:03:33 +0100
Thread-Topic: Pasi's final AD notes (mid-March 2010)
Thread-Index: AcrMPRnbkVve3ufeQ2G8k87U2/6Jdw==
Message-ID: <808FD6E27AD4884E94820BC333B2DB775848688C66@NOK-EUMSG-01.mgdnok.nokia.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginalArrivalTime: 25 Mar 2010 17:03:25.0088 (UTC) FILETIME=[15001A00:01CACC3D]
X-Nokia-AV: Clean
Subject: [saag] Pasi's final AD notes (mid-March 2010)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 17:03:28 -0000

I'm writing an expanded version of my notes so that Sean and Tim will
have the information they need to continue the work.  If you notice
anything that doesn't look right, let Sean and Tim know --
miscommunication and mix-ups do happen.

Best regards,
Pasi

MISC NOTES
==========

- Planning AD transition with Tim/Sean
- IETF 77 planning with Tim/Sean: SAAG meeting, SecDir
  lunch, overall agenda
- (not wearing AD hat) draft-krawczyk-hkdf was approved by IESG;
  now in RFC editor queue.
- (not wearing AD hat) Waiting for Dan Romascanu to process
  errata 1955/1956 for RFC 4072 [since 2009-12-09]
- A lot of tools work to finish the datatracker UI changes.

DKIM
====

- draft-ietf-dkim-deployment: was approved by IESG, now in RFC editor
  queue. If the WG decides to change its mind about errata 1532
  (see below), appendix A.1.2.3 could require small changes.

- Processed errata 1942.

- Errata 1532 for RFC 4871: Currently (March 2010) being
  discussed. Waiting for the WG chairs to drive the discussion, and
  send the exact new text and recommended status to Sean.

  The conclusion back in 2008 is here:
  http://mipassoc.org/pipermail/ietf-dkim/2008q4/010820.html

  The dkim-deployment draft, appendix A.1.2.3 seems to be aligned with the
  conclusion above. But given that we now have the dkim-deployment
  document ready (which has the recommendations for e.g. DomainKeys
  deployers), we probably want to edit the 2008 text slightly (at the
  very least, add a pointer to dkim-deployment) before marking it as
  "verified".

- Errata 1596 for RFC 4871. Waiting for the WG chairs to drive the
  discussion, and send the exact new text and recommended status to
  Sean.

  Relevant emails from 2008:
  http://mipassoc.org/pipermail/ietf-dkim/2008q4/010820.html
  http://mipassoc.org/pipermail/ietf-dkim/2008q4/010818.html

- The WG is currently (February-March 2010) discussing rechartering;
  Waiting for the chairs to send agreed text to IESG.


EMU
===

- The WG chairs have the token for doing something about ITU-T
  X.1034 liaison statement.

IPSECME
=======

- draft-ietf-ipsecme-traffic-visibility: in RFC editor queue.
  Nothing special to note.

- draft-ietf-ipsecme-esp-null-heuristics: was approved by IESG;
  now in RFC editor queue. Nothing special to note.

- Processed errata 1919 (for RFC 4106) and 1937 (for RFC 4307).

- draft-ietf-ipsecme-aes-ctr-ikev2: The draft was updated to address my
  AD review comments, but WG members found a couple of additional minor
  nits that should be fixed before starting IETF last call.  Waiting for
  authors to submit a revised ID [since early March 2010].

- draft-ietf-ipsecme-roadmap: I think we've roughly agreed on how
  to address my AD review comments; waiting for the authors to
  submit a revised ID [since March 2010].

ISMS
====

- draft-ietf-isms-dtls-tm: currently in IETF Last Call; ends 2010-04-02.
  Nothing special to note.

KEYPROV
=======

- draft-ietf-keyprov-pskc and draft-ietf-keyprov-symmetrickeyformat:
  currently in Publication Requested, waiting for Tim to do his
  AD review.

SASL
====

- draft-ietf-sasl-gs2 and draft-ietf-sasl-scram: in RFC editor
  queue, waiting for draft-altman-tls-channel-bindings.

  These went to AUTH48 already once; I approved the AUTH48 changes,
  but we changed draft-altman-tls-channel-bindings (see below) to
  be a normative reference, so they went from AUTH48 to MISSREF.

  The authors are currently discussing whether SCRAM needs some minor
  changes and/or clarifications related to error messages ("e="
  parameter).

- (not WG item) draft-altman-tls-channel-bindings:

  Back in October/early November 2009 there were discussions about how
  to make the text clearer about TLS session resumption and/or
  renegotiation. Although we mostly agreed on clearer text back then,
  the discussions were put on hold while the TLS renegotiation fix was
  done.

  However, the latest emails (March 2010) suggest that the text in -07
  draft (and the 'tls-unique' IANA registration) isn't anywhere close
  to what Microsoft has actually implemented.

  The current plan is to update the draft (and IANA registration, when
  the draft is approved) to match what Microsoft implemented.
  However, this MUST be double-checked with Mark Novak, as the
  information about what the Microsoft code actually does has been
  somewhat inconsistent in the past.

  Alexey will be the responsible AD for this draft.

- (not WG item) draft-melnikov-sasl-scram-ldap: in
  RFC editor queue/AUTH48 (waiting for GS2 and SCRAM).
  Thankfully, nothing special to note for this draft :-)

- Errata 1812 for RFC 4013: I think the current text in the
  errata is OK, and it should be marked as "Verified" -- but
  I'm waiting for OK from Kurt (author of RFC 4013) before
  approving this [since 2010-03-12].

SYSLOG
======

- draft-ietf-syslog-sign: in RFC editor queue. Nothing special
  to note.

- draft-ietf-syslog-dtls: still in WG, but probably coming to
  AD Evaluation soon.

  I'm expecting that all the security-related issues will be exactly
  the same as in RFC 5425 (Syslog over TLS/TCP), and UDP-related
  issues (like MTU, congestion, etc.) will be the same as in RFC 5426
  (Syslog over UDP), and only very few DTLS-specific details will be
  new to this document. (And the new text about DCCP probably should
  be checked carefully.)

  Currently it looks like the document is copying some text from RFC
  5425/5426, so it's not very clear what is new and what is the same.
  My guess is that it's easier to get this through IESG if we're
  referencing text instead of copying it...

TLS
===

- draft-ietf-tls-extractor: published as RFC 5705.

- draft-ietf-tls-rfc4366-bis: waiting for WG chairs/editor to
  drive discussion/propose text about the following topics:

  1) The "server_name" extension contains a list of domain names.
  Apparently, existing clients only send one, and some servers ignore
  everything except the first one. Since it seems nobody is using
  multiple names (and there are some unclear aspects about their exact
  semantics), perhaps the spec should just forbid more than one name
  of same "name_type"?

  2) The document probably should be clearer about how "server_name"
  and session resumption interact (or do not interact). In particular,
  are Session IDs scoped by "server_name"?  (If they are, the client
  MUST send the same "server_name" when resuming a session.) If they
  are not, does the server ignore the "server_name" when it resumes
  the session (in case the "server_name" in the original session
  was different) or not?

  IMHO RFC 4366 is quite clear that "server_name" is completely
  ignored when the server resumes a session (so Session IDs are not
  scoped by "server_name", and the server does not check it against
  the original session), but perhaps it doesn't hurt to clarify this
  with some new text.

  3) As noted in Stephen Farrell's SecDir review
  (http://www.ietf.org/mail-archive/web/secdir/current/msg01195.html),
  the document probably should explain why SHA-1 is OK and algorithm
  agility is not needed.  Tim and I have agreed with the WG that this
  use of SHA-1 (without algorithm agility) is acceptable.
  "trusted_ca_keys" clearly does not need a cryptographic
  function, and client_certificate_url does not seem to be affected by
  collisions either (and this extension is rarely used, so creating a
  new extension with agility is not really useful work).

  4) Joe thought the WG should also consider whether the renegotiation
  fix has any effect on the "server_name" extension. I don't think it
  necessarily does (beyond the one sentence that's already in RFC
  5746).

- (not WG item yet) draft-seggelmann-tls-dtls-heartbeat: waiting
  for the WG chairs to determine whether to take this as WG item.

- (not WG item) see SASL WG for draft-altman-tls-channel-bindings

- There is one errata (1077 for RFC 2818), but it's very unclear what,
  if anything, should be done about it. I've understood that the text
  in RFC 2818 isn't exactly what e.g. the major browsers do, but it
  seems this errata isn't either (and no, the major browsers don't all
  do the same thing either :-). Since there hasn't been any discussion
  about this errata, I'm just leaving it as "Reported"...

DISCUSSES
=========

draft-ietf-geopriv-lis-discovery

   Discussion currently ongoing. The authors have proposed simply
   noting that the security depends on DNS, but I would really like to
   see better arguments than "it's simpler to implement with some HTTP
   libraries" for ignoring this important security advice from RFC
   3958. To me it looks like someone implementing HELD and this
   discovery mechanism can pick one of the many libraries that does
   support this, and this is not something that e.g. would have to
   work with all currently deployed web browsers.

   LoST had a quite reasonable description (RFC 5222, Section 18) why
   the approach recommended in RFC 3958 would not actually work in the
   deployment scenarios envisioned for LoST. But it seems the
   deployment considerations for HELD would be quite different, and
   the same argument does not apply here.

draft-zorn-radius-pkmv1

   I have sent Glen proposed text on 2010-03-11; waiting for his
   answer.

   I'm also hoping Glen reverts back to version -10 which used the RFC
   2119 keywords (these were in the version sent to IESG, but got
   removed in -11), but that's not part of my DISCUSS.

draft-ietf-bmwg-ipsec-meth/draft-ietf-bmwg-ipsec-term

   For ipsec-meth Section 12.x (where the proposed methodology
   measures setup latency, not setup rate), I think we've agreed to
   move those tests to an appendix (with a note saying they're not
   useful for comparing implementations, but might be still useful for
   internal SW/HW development).

   For other changes, I'm waiting for authors to submit revised IDs
   [since 2010-01-29]

draft-cheshire-dnsext-nbp

   It has been 15 months since my DISCUSS, and I have been unable to
   get a single email reply from the author, despite pinging him and
   the responsible AD every couple of months.

   IMHO first asking the IESG to consider a document and then refusing
   to answer emails for this long is rude behavior.  If the author
   doesn't have sufficient energy to engage in a discussion, he
   shouldn't have asked the IESG to consider this in the first place.
   I have asked Ralph to end this farce and declare the document dead
   several times, but he keeps saying the author has promised to work
   on this soon (but it's been "soon" for more than 8 months now).

   Since it seems the author has lost all interest, I'm not expecting
   this to really progress anywhere. The DISCUSS itself wouldn't be
   very difficult to address: the first and third concern are just one
   or two sentences. The second concern probably needs more thinking,
   but even then, I'm not expecting this document to come up with new
   solutions to known-to-be-difficult problems, just being realistic
   about what a protocol might do (so text-wise, that could be something
   like two paragraphs).

draft-ietf-tsvwg-port-randomization

   I think we have agreed on the changes (below); waiting for the
   authors to submit a revised ID [since 2010-03-04]

   Section 3.3.1: rephrase as "random() is a function that returns a
   32-bit pseudo-random unsigned integer number. Note that the output
   needs to be unpredictable, and typical implementations of POSIX
   random() function do not necessarily meet this requirement. See
   [RFC4086] for randomness requirements for security."

   Section 3.4: recommend 128 bit keys instead of 32.

draft-ietf-smime-cms-rsa-kem

   For the first issue (alignment with 18033-2/X9.44), I'm waiting for
   a reply from the authors [since 2010-03-11]. The second and third
   issues are minor, and I think we've agreed on the changes already.

draft-ietf-csi-hash-threat

   Waiting for the authors to submit a revised ID to address the
   comments from SecDir [since 2010-03-11].

--end--
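
The two draft-ietf-tsvwg-port-randomization changes listed in the notes above (an unpredictable random() for Section 3.3.1, and 128-bit keys for Section 3.4) can be seen side by side in the following added example, which is not part of Pasi's message or of the draft. The function names, the 1024-65535 range and the use of HMAC-SHA-256 as the keyed function are assumptions made for illustration.

```python
import hashlib
import hmac
import ipaddress
import random
import secrets

# Assumed ephemeral range for this sketch.
MIN_EPHEMERAL = 1024
MAX_EPHEMERAL = 65535
NUM_EPHEMERAL = MAX_EPHEMERAL - MIN_EPHEMERAL + 1


def csprng_u32():
    """32-bit unsigned integer from the OS CSPRNG: an unpredictable random()."""
    return secrets.randbits(32)


def seeded_u32(seed):
    """Non-cryptographic generator, included only to show the concern in the
    notes: whoever learns or guesses the seed reproduces every output."""
    rng = random.Random(seed)
    return lambda: rng.getrandbits(32)


def select_port_random(in_use, rand32=csprng_u32):
    """Simple randomization: random starting port, then a linear search."""
    next_port = MIN_EPHEMERAL + rand32() % NUM_EPHEMERAL
    for _ in range(NUM_EPHEMERAL):
        if next_port not in in_use:
            return next_port
        next_port = MIN_EPHEMERAL if next_port == MAX_EPHEMERAL else next_port + 1
    return None  # every ephemeral port is taken


class HashPortSelector:
    """Hash-based selection: a per-destination offset derived from a secret
    key, plus a counter. HMAC-SHA-256 is this sketch's choice of keyed function."""

    MIN_KEY_BYTES = 16  # 128 bits, the key size recommended in the notes

    def __init__(self, secret_key=None):
        if secret_key is None:
            secret_key = secrets.token_bytes(self.MIN_KEY_BYTES)
        if len(secret_key) < self.MIN_KEY_BYTES:
            raise ValueError("secret key must be at least 128 bits")
        self._key = secret_key
        self._counter = csprng_u32()

    def _offset(self, local_ip, remote_ip, remote_port):
        local = ipaddress.ip_address(local_ip).packed
        remote = ipaddress.ip_address(remote_ip).packed
        # Length-prefix each address so IPv4/IPv6 inputs cannot be confused.
        msg = (bytes([len(local)]) + local + bytes([len(remote)]) + remote
               + remote_port.to_bytes(2, "big"))
        digest = hmac.new(self._key, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def select(self, local_ip, remote_ip, remote_port, in_use):
        offset = self._offset(local_ip, remote_ip, remote_port)
        for _ in range(NUM_EPHEMERAL):
            port = MIN_EPHEMERAL + (offset + self._counter) % NUM_EPHEMERAL
            self._counter += 1
            if port not in in_use:
                return port
        return None


if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    in_use = {1024, 8080}
    print("CSPRNG-based port:", select_port_random(in_use))
    same_seed = 1269536604  # constructed: a guessable, time-like seed
    print("seeded generator repeats:",
          select_port_random(in_use, seeded_u32(same_seed)),
          select_port_random(in_use, seeded_u32(same_seed)))
    selector = HashPortSelector()
    print("hash-based port:",
          selector.select("192.0.2.10", "198.51.100.7", 443, in_use))
```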


From sethomso@cisco.com  Thu Mar 25 11:04:52 2010
Return-Path: <sethomso@cisco.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 70B543A6B4F for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:04:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.98
X-Spam-Level: 
X-Spam-Status: No, score=-7.98 tagged_above=-999 required=5 tests=[BAYES_05=-1.11, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IU0Tmm9o3x5g for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:04:51 -0700 (PDT)
Received: from rtp-iport-1.cisco.com (rtp-iport-1.cisco.com [64.102.122.148]) by core3.amsl.com (Postfix) with ESMTP id CA0C43A6B83 for <saag@ietf.org>; Thu, 25 Mar 2010 11:04:35 -0700 (PDT)
Authentication-Results: rtp-iport-1.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AvsEAOdCq0utJV2Z/2dsb2JhbACbKHOmJpkOhH0Egx4
X-IronPort-AV: E=Sophos;i="4.51,308,1267401600"; d="scan'208";a="96128980"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rtp-iport-1.cisco.com with ESMTP; 25 Mar 2010 18:04:53 +0000
Received: from xbh-rcd-301.cisco.com (xbh-rcd-301.cisco.com [72.163.63.8]) by rcdn-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id o2PI4r6j029381 for <saag@ietf.org>; Thu, 25 Mar 2010 18:04:53 GMT
Received: from xmb-rcd-105.cisco.com ([72.163.62.147]) by xbh-rcd-301.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 25 Mar 2010 13:04:53 -0500
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Thu, 25 Mar 2010 13:04:51 -0500
Message-ID: <043901FAFD488D44ACC9CCED00470BDC011DA95B@XMB-RCD-105.cisco.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: NEA WG summary for IETF 77
Thread-Index: AcrMRapqdLvbYGbXRp+0TwHJ58huZA==
From: "Susan Thomson (sethomso)" <sethomso@cisco.com>
To: <saag@ietf.org>
X-OriginalArrivalTime: 25 Mar 2010 18:04:53.0316 (UTC) FILETIME=[AB5B0840:01CACC45]
Subject: [saag] NEA WG summary for IETF 77
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 18:04:52 -0000

WG Status and Progress since last IETF:
PA-TNC and PB-TNC were published as RFC 5792 and RFC 5793 in March 2010.
Three proposals were submitted in response to the call for submissions
for proposals for the Posture Transport (PT) protocol: one submission
proposed a TLS-based protocol, and two others proposed an EAP-based
protocol.

Meeting Summary:
These proposals were discussed at a virtual interim meeting held in
January 2010, and again at the meeting this week. While there is
consensus that there is a requirement for both a TLS-based PT and an
EAP-based PT, there is no consensus on adopting any of the proposals as
-00 WG I-Ds.

A number of issues were discussed at both meetings and action items
identified. The issues include:
1) the Asokan attack and counter-measure
2) the extent to which the various proposals meet the NEA requirements
3) determining the impact on supplicants, and
4) process for standardizing an EAP-based PT given the dependency on a
standard EAP tunnel method.

The last two issues have been addressed. The major remaining issue is to
get consensus on whether the Asokan attack needs to be protected
against, and how it should be done. This topic will be explored further
on the mailing list.


From jsalowey@cisco.com  Thu Mar 25 11:10:16 2010
Return-Path: <jsalowey@cisco.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id EDC9F3A6774 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:10:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.468
X-Spam-Level: 
X-Spam-Status: No, score=-9.468 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0DP1bJd5bhP1 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:10:16 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id 874173A6B65 for <saag@ietf.org>; Thu, 25 Mar 2010 11:10:00 -0700 (PDT)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AhwGALVDq0urR7Ht/2dsb2JhbACBRJFoh3xzpi2ZDYR9BIMe
X-IronPort-AV: E=Sophos;i="4.51,308,1267401600";  d="scan'208,217";a="502919560"
Received: from sj-core-1.cisco.com ([171.71.177.237]) by sj-iport-6.cisco.com with ESMTP; 25 Mar 2010 18:10:23 +0000
Received: from xbh-sjc-211.amer.cisco.com (xbh-sjc-211.cisco.com [171.70.151.144]) by sj-core-1.cisco.com (8.13.8/8.14.3) with ESMTP id o2PIAM4f010206 for <saag@ietf.org>; Thu, 25 Mar 2010 18:10:22 GMT
Received: from xmb-sjc-225.amer.cisco.com ([128.107.191.38]) by xbh-sjc-211.amer.cisco.com with Microsoft SMTPSVC(6.0.3790.3959);  Thu, 25 Mar 2010 11:10:22 -0700
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01CACC46.6FAD21B8"
Date: Thu, 25 Mar 2010 11:10:21 -0700
Message-ID: <AC1CFD94F59A264488DC2BEC3E890DE509E6CC76@xmb-sjc-225.amer.cisco.com>
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
Thread-Topic: TLS Working Group Summary
Thread-Index: AcrMRm8eultp+5IQTdyFdGpFQ6B5Sw==
From: "Joseph Salowey (jsalowey)" <jsalowey@cisco.com>
To: <saag@ietf.org>
X-OriginalArrivalTime: 25 Mar 2010 18:10:22.0831 (UTC) FILETIME=[6FC307F0:01CACC46]
Subject: [saag] TLS Working Group Summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 18:10:17 -0000

This is a multi-part message in MIME format.

------_=_NextPart_001_01CACC46.6FAD21B8
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

We haven't met yet.  We will meet in the session after SAAG.


------_=_NextPart_001_01CACC46.6FAD21B8--

From lnovikov@mitre.org  Thu Mar 25 11:11:33 2010
Return-Path: <lnovikov@mitre.org>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id A60443A6774 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:11:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.008
X-Spam-Level: 
X-Spam-Status: No, score=-3.008 tagged_above=-999 required=5 tests=[AWL=0.046,  BAYES_40=-0.185, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6L3m3pyk44YY for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:11:32 -0700 (PDT)
Received: from smtp-bedford.mitre.org (smtp-bedford.mitre.org [129.83.20.191]) by core3.amsl.com (Postfix) with ESMTP id 22C093A6E22 for <saag@ietf.org>; Thu, 25 Mar 2010 11:11:08 -0700 (PDT)
Received: from smtp-bedford.mitre.org (localhost.localdomain [127.0.0.1]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o2PIBUi7000820 for <saag@ietf.org>; Thu, 25 Mar 2010 14:11:30 -0400
Received: from imchub1.MITRE.ORG (imchub1.mitre.org [129.83.29.73]) by smtp-bedford.mitre.org (8.13.1/8.13.1) with ESMTP id o2PIBUsu000817 for <saag@ietf.org>; Thu, 25 Mar 2010 14:11:30 -0400
Received: from IMCMBX3.MITRE.ORG ([129.83.29.206]) by imchub1.MITRE.ORG ([129.83.29.73]) with mapi; Thu, 25 Mar 2010 14:11:31 -0400
From: "Novikov, Lev" <lnovikov@mitre.org>
To: "saag@ietf.org" <saag@ietf.org>
Date: Thu, 25 Mar 2010 14:11:30 -0400
Thread-Topic: High Assurance Crypto API Bar BOF Summary
Thread-Index: AcrLhcOxTzsxRF44SrKFJv8XU9opbgAuzDSQ
Message-ID: <F9AB58FA72BAE7449E7723791F6993ED030E64F992@IMCMBX3.MITRE.ORG>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [saag] High Assurance Crypto API Bar BOF Summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 18:11:33 -0000

(Begin forwarded message)
...

We had a great turnout of 16 people for [Tuesday's] bar BoF (at the IETF
meeting in Anaheim, CA) where we talked about high assurance environments
for about an hour and a half.

Some of the points that were made:
1. There is a desire to see an explanation of the underlying model of high
assurance environments similar to how PKCS#11 is based on the model put
forth by FIPS-140.

2. There is uncertainty about how existing protocols would work in a high
assurance environment. An explanation would be appreciated.

Therefore, one of our early tasks is to create a document that explains the
model of high assurance environments and how that model differs (and is
similar to) the model in FIPS-140. I'll take a crack at it soon and will be
looking for people to help review and comment on it.

Lev

From kent@bbn.com  Thu Mar 25 11:21:01 2010
Return-Path: <kent@bbn.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BA6633A6E0D for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:21:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.131
X-Spam-Level: *
X-Spam-Status: No, score=1.131 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vsQbia07DhsG for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:21:00 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by core3.amsl.com (Postfix) with ESMTP id DD8563A6C71 for <saag@ietf.org>; Thu, 25 Mar 2010 11:19:23 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:53398 helo=[130.129.25.161]) by smtp.bbn.com with esmtp (Exim 4.71 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1Nurej-000HWJ-GT for saag@ietf.org; Thu, 25 Mar 2010 14:19:45 -0400
Mime-Version: 1.0
Message-Id: <p06240805c7d15639d439@[130.129.25.161]>
Date: Thu, 25 Mar 2010 14:19:43 -0400
To: saag@ietf.org
From: Stephen Kent <kent@bbn.com>
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Subject: [saag] PKIX summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 18:21:01 -0000

PKIX met once, for 2 hours, on Monday, 3/22, and attracted about 53 attendees.

We had four presentations on WG documents: Trust Anchor Management
docs, ASN.1 translation, Certificate Image, and the 5280
Implementation report.  The last of these was the most significant,
as we discussed how to address the lack of implementation support in
two areas: string encodings for the user notice text in a policy
qualifier, and lack of demonstrable support for string prep in
internationalized names, e.g., for IDNs expressed as domain
components in DNs.  The plan is to publish 5280bis, with just the
fixes needed to achieve progression. Details of the necessary changes
are being worked out on the list.

We also had five presentations on "related" topics: Suite B profile
for CMC, approaches to addressing hash function vulnerabilities wrt
cert revocation, server identity checking in TLS, cert key ID, and
proxy architecture for DRM services. The first is an independent
submission that was briefed to PKIX as a courtesy, by our new SEC AD.
The second was a set of preliminary ideas on how to deal with the
cited problem. The third was a briefing about a document that is very
much related to PKIX, but perhaps more closely related to TLS.  The
fourth briefing closed a topic that had been discussed on the list,
with agreement to cite the ESSCertIDv2 as the preferred way to refer
to certs.  The last presentation was a high-level discussion of one
method for managing authorization delegation in a user/proxy/server
PKI context.

From jhutz@cmu.edu  Thu Mar 25 11:21:50 2010
Return-Path: <jhutz@cmu.edu>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 844753A6E33 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:21:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.025
X-Spam-Level: 
X-Spam-Status: No, score=-4.025 tagged_above=-999 required=5 tests=[AWL=-1.156, BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id D63SBwYSDglP for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:21:45 -0700 (PDT)
Received: from smtp03.srv.cs.cmu.edu (SMTP03.SRV.CS.CMU.EDU [128.2.217.198]) by core3.amsl.com (Postfix) with ESMTP id 180223A6A0A for <saag@ietf.org>; Thu, 25 Mar 2010 11:19:32 -0700 (PDT)
Received: from dhcp-wireless-open-abg-24-255.meeting.ietf.org (SIRIUS.FAC.CS.CMU.EDU [128.2.216.216]) (authenticated bits=0) by smtp03.srv.cs.cmu.edu (8.13.6/8.13.6) with ESMTP id o2PIJnUh023060 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 25 Mar 2010 14:19:50 -0400 (EDT)
Date: Thu, 25 Mar 2010 11:19:49 -0700
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: ietf-krb-wg@anl.gov, saag@ietf.org
Message-ID: <AA3BC52BB65914F3F8A49DEC@atlantis.pc.cs.cmu.edu>
X-Mailer: Mulberry/4.0.8 (Linux/x86)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-Scanned-By: mimedefang-cmuscs on 128.2.217.198
Subject: [saag] KRB-WG summary for IETF 77
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 18:21:50 -0000

Kerberos Working Group - IETF77 meeting summary


DECISIONS (to be validated):
  - Principals in the KDC data model may have multiple names, each of
    which has an associated realm name.

  - Update KDC data model to reflect not all implementations need
    a canonical principal name for salting

ACTION ITEMS:
  - JH, TP: Resolve DISCUSS issues on STARTTLS
  - LZ: Submit new naming, anon, IAKERB
  - Chairs: Start WGLC on DES die die die
  - Chairs: Start WGLC on DHCPv6 Option
  - LZ: Finish review of OTP
  - Chairs: adopt draft-lha-krb-wg-some-numbers-to-iana-00
  - Chairs, AD: Update milestones

SESSION SUMMARY:

* Reviewed the status of several documents:
  - Cross-realm Problem Statement is now in the RFC Editor Queue
  - Chairs, Authors, AD are working on resolving DISCUSSes on STARTTLS
  - Preauth framework is on the 4/8 IESG telechat agenda
  - Anonymous needs another update to reflect WG discussion and update
    numbers, then get another IETF LC.  Naming needs to be unexpired.
    Then both go back to the IESG.
  - IAKERB is in PROTO eval, but needs to be unexpired.

* The KDC Data Model document is in its fourth and hopefully final WGLC.
  Three issues were discussed during the meeting:
  - Whether the realm name attribute should be single- or multi-valued
  - Updating to reflect that not all implementations need the concept
    of a canonical principal name to use in generating salted keys.
  - Greg Hudson's concern about the document's lack of clarity in its
    justification of separating keysets from other principal data for
    security reasons.

* The chairs noted several recently-adopted documents:
  - There was agreement at some previous meetings that the WG wishes to
    adopt the DHCPv6 option document.  The chairs and AD determined this
    was possible within the scope of the current charter, and so the
    document has now been adopted.  In the meantime, it has gone through
    several revisions as a result of WG feedback, and so will enter WGLC
    shortly.
  - Love's DES deprecation document was adopted based on WG consensus as
    expressed at various points in person and on the list.  There was a
    general sense in the room that this document is ready for WGLC, which
    will therefore begin shortly.  There was also strong consensus in the
    room that the document filename should remain
    "draft-lha-des-die-die-die", which succinctly captures its intent.
  - Love's ticket extensions document was adopted by WG consensus at a
    previous meeting and on the list.  However, it is currently on the
    back burner as the author handles more urgent work.

* There was discussion as to whether to adopt Love's IANA considerations
  document.  Sam Hartman in particular was concerned that adopting this
  document not create a presumption of consensus on its specific contents,
  particularly with regard to registration procedures.  Both Love and the
  chairs asserted this would not be the case, and there was general
  agreement to adopt the work.  WG discussion will be needed to determine
  appropriate registration procedures for each registry.

* There was some discussion as to whether there was sufficient interest
  to pursue creation of an LDAP schema document based on the KDC data model
  document now in WGLC.  The existing charter item is for a schema "for
  management of [information needed by the KDC]", but there may also be
  some interest in a KDC storage backend schema.  Howard Chu and Simo Sorce
  have been working on a document which describes the latter, based on the
  information model.  It was suggested they submit their document as an
  individual submission and bring it up on the WG mailing list, at which
  point there could be a discussion as to whether it might be adopted and
  modified to fulfill the WG charter item.

* Thomas Hardjono gave a brief overview of a recent document describing
  a family of enctypes based on the Camellia cipher.  There was some
  discussion of this document.  Sam suggested that in deciding whether to
  adopt enctype work, the WG should take on only enctypes which it intends
  for the standards track.  It was also noted that if this work were to be
  adopted, the WG would determine which modes to include, and if the
  authors wished to define additional modes, they could do so in an
  individual informational document, with enctype number assignment subject
  to review by the designated expert (currently Ken Raeburn) as specified
  in RFC3961.

  There seemed to be a strong sense in the room that this work should be
  adopted; however, that poll was taken before discussion of IPR issues
  related to the Camellia cipher.  As a result, and because the IPR
  disclosure and licensing terms had been submitted but were not yet
  available via the IETF's IPR disclosure web site, it was agreed that the
  poll was not meaningful.  Further discussion will continue on the mailing
  list once the IPR disclosure becomes available.

* Henry Hotz gave a brief presentation on his work to document KX509.  Due
  to delays in getting his employer to authorize release of the document,
  an internet-draft is not yet available but will be soon.  There was some
  discussion of the work, and while no formal poll was taken, there seemed
  to be agreement this should happen within the security area of the IETF.
  It is not yet clear exactly where the work will find a home; this will
  be worked out between the authors, ADs, and chairs of related WG's.


From alper.yegin@yegin.org  Thu Mar 25 11:32:37 2010
Return-Path: <alper.yegin@yegin.org>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 42D693A6E7D for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:32:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.58
X-Spam-Level: **
X-Spam-Status: No, score=2.58 tagged_above=-999 required=5 tests=[BAYES_50=0.001, DNS_FROM_OPENWHOIS=1.13, MSGID_MULTIPLE_AT=1.449]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jLAoy7CxvY6L for <saag@core3.amsl.com>; Thu, 25 Mar 2010 11:32:35 -0700 (PDT)
Received: from mout.perfora.net (mout.perfora.net [74.208.4.194]) by core3.amsl.com (Postfix) with ESMTP id E62B43A6E61 for <saag@ietf.org>; Thu, 25 Mar 2010 11:30:22 -0700 (PDT)
Received: from ibm (dhcp-wireless-open-a-40-123.meeting.ietf.org [130.129.40.123]) by mrelay.perfora.net (node=mrus2) with ESMTP (Nemesis) id 0Lt1v8-1NRbXn2VhK-012SoL; Thu, 25 Mar 2010 14:30:44 -0400
From: "Alper Yegin" <alper.yegin@yegin.org>
To: "'Susan Thomson \(sethomso\)'" <sethomso@cisco.com>, <saag@ietf.org>
References: <043901FAFD488D44ACC9CCED00470BDC011DA95B@XMB-RCD-105.cisco.com>
In-Reply-To: <043901FAFD488D44ACC9CCED00470BDC011DA95B@XMB-RCD-105.cisco.com>
Date: Thu, 25 Mar 2010 20:30:33 +0200
Message-ID: <036801cacc49$43b6c1d0$cb244570$@yegin@yegin.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AcrMRapqdLvbYGbXRp+0TwHJ58huZAAAu2IQ
Content-Language: en-us
Subject: Re: [saag] NEA WG summary for IETF 77
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 18:32:37 -0000

Hello,

> 4) process for standardizing an EAP-based PT given the dependency on a
> standard EAP tunnel method.


Does using EAP for something other than "authentication" fit this protocol's
applicability?
A long time ago we had the ICOS BoF, and this issue was *heavily* emphasized. Now
I see there is no mention of that in IETF. Don't get me wrong, I'm not
against the proposed drafts. But I just want to understand if I'm missing
some important detail, or if IETF has evolved to a point where we are now
more liberal on this issue.

  
Alper





From bew@cisco.com  Thu Mar 25 13:02:56 2010
Return-Path: <bew@cisco.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id BB8EF3A6907 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 13:02:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.469
X-Spam-Level: 
X-Spam-Status: No, score=-9.469 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EFaAaAgk8uWF for <saag@core3.amsl.com>; Thu, 25 Mar 2010 13:02:55 -0700 (PDT)
Received: from sj-iport-6.cisco.com (sj-iport-6.cisco.com [171.71.176.117]) by core3.amsl.com (Postfix) with ESMTP id C98CD3A6A11 for <saag@ietf.org>; Thu, 25 Mar 2010 13:02:53 -0700 (PDT)
Authentication-Results: sj-iport-6.cisco.com; dkim=neutral (message not signed) header.i=none
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="4.51,309,1267401600"; d="scan'208";a="502971751"
Received: from sj-core-2.cisco.com ([171.71.177.254]) by sj-iport-6.cisco.com with ESMTP; 25 Mar 2010 20:03:16 +0000
Received: from dhcp-wireless-open-abg-24-216.meeting.ietf.org (sjc-vpn5-1956.cisco.com [10.21.95.164]) by sj-core-2.cisco.com (8.13.8/8.14.3) with ESMTP id o2PK36EV014511 for <saag@ietf.org>; Thu, 25 Mar 2010 20:03:13 GMT
Message-Id: <D6613D0D-BE45-4CEC-B6EC-B73C30BA5642@cisco.com>
From: Brian Weis <bew@cisco.com>
To: saag@ietf.org
Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (Apple Message framework v936)
Date: Thu, 25 Mar 2010 13:03:02 -0700
X-Mailer: Apple Mail (2.936)
Subject: [saag] msec WG summary for IETF 77
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 20:02:56 -0000

The MSEC WG met Tuesday afternoon for about 2 hours. We had  
presentations on two working group documents. David McGrew presented  
the Using Counter Modes with ESP and AH to Protect Group Traffic I-D  
which passed WG last call some time ago. It is now ready to be  
submitted to Tim for an IETF last call. Sheela Rowles described an  
update to RFC 3547 (GDOI), which has undergone major change and  
requires more WG review before a working group last call will be made.

We had two presentations for requests for the WG to consider making an  
individual document a WG document: one a GDOI MIB, the other is Group  
Key Management using IKEv2. This latter draft re-defines GDOI as an  
IKEv2 exchange. Discussion on these two documents will continue on the  
mailing list.

David McGrew concluded the meeting with a presentation describing the  
issues of key wrapping within group key management protocols.

Brian Weis


From tena@huawei.com  Thu Mar 25 13:09:40 2010
Return-Path: <tena@huawei.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 972FB3A69A4 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 13:09:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -98.05
X-Spam-Level: 
X-Spam-Status: No, score=-98.05 tagged_above=-999 required=5 tests=[AWL=1.004,  BAYES_40=-0.185, DNS_FROM_OPENWHOIS=1.13, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id By2gjGIbjWL0 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 13:09:39 -0700 (PDT)
Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [119.145.14.64]) by core3.amsl.com (Postfix) with ESMTP id AB90E3A6892 for <saag@ietf.org>; Thu, 25 Mar 2010 13:09:39 -0700 (PDT)
Received: from huawei.com (szxga01-in [172.24.2.3]) by szxga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KZU00EXXTCOEC@szxga01-in.huawei.com> for saag@ietf.org; Fri, 26 Mar 2010 04:10:00 +0800 (CST)
Received: from huawei.com ([172.24.2.119]) by szxga01-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug 8 2006)) with ESMTP id <0KZU001RDTCOEJ@szxga01-in.huawei.com> for saag@ietf.org; Fri, 26 Mar 2010 04:10:00 +0800 (CST)
Received: from dhcp-wireless-open-abg-25-219.meeting.ietf.org (dhcp-wireless-open-abg-25-219.meeting.ietf.org [130.129.25.219]) by szxml02-in.huawei.com (iPlanet Messaging Server 5.2 HotFix 2.14 (built Aug  8 2006)) with ESMTPA id <0KZU00LBDTCM87@szxml02-in.huawei.com> for saag@ietf.org; Fri, 26 Mar 2010 04:10:00 +0800 (CST)
Date: Thu, 25 Mar 2010 13:09:57 -0700
From: Tina TSOU <tena@huawei.com>
To: saag@ietf.org
Message-id: <AC2542C8-FFB0-437E-8F4E-54DA081CE4E5@huawei.com>
MIME-version: 1.0
X-Mailer: Apple Mail (2.936)
Content-type: multipart/alternative; boundary="Boundary_(ID_x7TVhZfoDr5tr6qBVn2+Jw)"
Subject: [saag] HOKEY WG meeting report IETF 77
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 20:09:40 -0000

--Boundary_(ID_x7TVhZfoDr5tr6qBVn2+Jw)
Content-type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
Content-transfer-encoding: 7BIT

We made some good progress. We had one session yesterday, and will  
have another session this afternoon.

The HOKEY architecture document has been discussed.
Many issues had resolutions suggested and discussed.
We will be taking those issues to the list for validation.

We have 6 volunteers committing to read the HOKEY architecture new  
version document in the next month. We will discuss on the mailing  
list if we want to adopt in current shape.

Local Domain name Discovery, EAP Re-authentication Protocol Extensions  
for Authenticated Anticipatory Keying, and Diameter ERP Application  
Status, will be discussed in this afternoon's session.


Glen and Tina








--Boundary_(ID_x7TVhZfoDr5tr6qBVn2+Jw)--

From barryleiba.mailing.lists@gmail.com  Thu Mar 25 13:29:11 2010
Return-Path: <barryleiba.mailing.lists@gmail.com>
X-Original-To: saag@core3.amsl.com
Delivered-To: saag@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 908103A6984 for <saag@core3.amsl.com>; Thu, 25 Mar 2010 13:29:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.567
X-Spam-Level: *
X-Spam-Status: No, score=1.567 tagged_above=-999 required=5 tests=[BAYES_40=-0.185, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cYBH-4Yafw8d for <saag@core3.amsl.com>; Thu, 25 Mar 2010 13:29:11 -0700 (PDT)
Received: from mail-fx0-f213.google.com (mail-fx0-f213.google.com [209.85.220.213]) by core3.amsl.com (Postfix) with ESMTP id 900EA3A67D3 for <saag@ietf.org>; Thu, 25 Mar 2010 13:29:06 -0700 (PDT)
Received: by fxm5 with SMTP id 5so1417401fxm.29 for <saag@ietf.org>; Thu, 25 Mar 2010 13:29:25 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.223.65.18 with SMTP id g18mr2506308fai.32.1269548965268; Thu,  25 Mar 2010 13:29:25 -0700 (PDT)
Date: Thu, 25 Mar 2010 16:29:25 -0400
Message-ID: <6c9fcc2a1003251329t37f5fd6cr7353f9904eec577a@mail.gmail.com>
From: Barry Leiba <barryleiba.mailing.lists@gmail.com>
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
Subject: [saag] DKIM working group report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
Reply-To: barryleiba@computer.org
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 25 Mar 2010 20:29:11 -0000

DKIM did not meet at IETF 77.

The group has just finished its last document from its current
charter: an informational document about deployment advice, now in the
RFC Editor queue.  There remain a few errata against RFC 4871 (DKIM
base spec) to resolve.

The group is ready to recharter, and is batting around a proposed new
charter, which should go to the ADs within a few weeks.  The primary
item in the recharter is moving RFC 4871 to Draft Standard
(incorporating the errata), and to that end, there is interoperability
information already collected, with more on the way.

Barry Leiba,  DKIM working group chair
