Recent and ongoing revelations about large-scale Internet surveillance activities have caused concern amongst Internet users worldwide. These users have started to question their basic understanding of the privacy and security of their information online. While there is much to be concerned about in the revelations, this information disclosure also represents an opportunity to focus on the development of more robust technical solutions and improved user understanding. The IETF has a key role to play in setting standards for digital identity, security, and privacy, and in ensuring that the standardization process contributes to the overall trustworthiness of the Internet. Many Working Groups and Birds of a Feather (Bof) sessions will take place at IETF 88 in Vancouver next week to discuss these issues.
This IETF meeting in particular has several activities of interest related to trust technologies, identity authentication and authorization, and privacy. The first such activity is the BoF session on Handling Pervasive Monitoring. This session will immediately follow the IETF Technical Plenary on Internet Hardening discussed in an earlier blog post in this series. The primary goal of this session is to identify and scope specific IETF efforts to address pervasive monitoring. The mailing list for this discussion was established after IETF 87 and has been very active since its inception with discussions related to threat models and various technical and nontechnical solutions. The challenge for the BoF will be to define concrete executable actions for the IETF community.
In another privacy-related development, the IAB Privacy Program has developed a tutorial for IETF working group chairs to help them better understand and apply privacy considerations in their respective working groups. This tutorial is based on the recently published RFC 6973 on “Privacy Considerations for Internet Protocols“. This tutorial will be offered to all attendees at future IETF meetings. RFC 6973 and the coming tutorial information will both help improve IETF protocols with respect to privacy.
Work also continues in a number of working groups related to trust technologies and identity authentication and authorization. A longer list of these working groups is provided at the bottom with a few highlights below.
The WPKOPS (Web PKI Ops) working group is investigating the current state of Web PKI operations in light of several revelations in the past about failures of this infrastructure. The initial trust model document has been published, and the agenda features several discussions on various aspects of PKI operations including certificate processing and revocation.
OAuth 2.0 is a mechanism that allows a user to give third-party websites or applications access to protected resources without providing them access to their long-term credentials or resources. The OAuth (Web Authorization Protocol) working group was chartered to update and improve the security mechanisms in the original OAuth protocol. OAuth 2.0 has been published and the working group is focusing on several follow-on efforts. A related side meeting will occur on Sunday, 3 November at 1400 PST on a strategy and plan for OAuth 2.0 interoperability test suites and a possible future interop test event.
The SCIM (System for Cross-domain Identity Management) working group was chartered to standardize methods for creating, reading, searching, modifying, and deleting user identities and identity-related objects across administrative domains, with the goal of simplifying common tasks related to user identity management in services and applications. This meeting will be focused on the remaining open issues.
Related Working Groups and BoFs at IETF 88:
- perpass (Pervasive Passive Monitoring) BoF
(6 November 2013, 1300 – 1530)
- abfab (Application Bridging for Federated Access Beyond web) WG
(7 November 2013, 1730 – 1830)
- httpauth (Hypertext Transfer Protocol Authentication) WG
(8 November 2013, 0900 – 1100)
(7 November 2013, 0900 – 1130)
- kitten (Common Authentication Technology Next Generation) WG
(7 November 2013, 1520 – 1720)
- oauth (Web Authorization Protocol) WG
Agenda: http://tools.ietf.org/wg/oauth/agenda?item=agenda-88-oauth.html (not published as of 1 Nov)
(4 November 2013, 1450 – 1720)
- scim (System for Cross-domain Identity Management) WG
(8 November 2013, 1120 – 1330)
- wpkops (Web PKI Ops) WG
(7 November 2013, 1520 – 1720)
IEFT 88 Rough guide:
- A Close Encounter of the Standards Kind – Internet Society Rough Guide to IETF 88
- Rough Guide to IETF 88: Routing Resilience
- Rough Guide to IETF 88: Scalability and Performance
- Rough Guide to IETF 88: All About IPv6
- Rough Guide to IETF 88: DNSSEC, DANE and DNS
- Rough Guide to IETF 88: Trust, Identity, and Privacy