Building Trust 22 March 2015

Rough Guide to IETF 92: Trust, Identity, and Privacy

By Karen O'Donoghue, Research Analyst

Wrapping up the series of Rough Guide to IETF 92 posts is our focus on Trust, Identity, and Privacy. ISOC has been working over the past five years in these areas, and each subsequent IETF has seen advancing work and progress being made on multiple fronts. IETF 92 in Dallas this week is no exception.

First, while there won’t be a meeting on it this time, I’d like to remind folks of the mailing list created last fall to discuss vectors of trust at https://www.ietf.org/mailman/listinfo/vot. The impetus for this mailing list came out of an ISOC-sponsored workshop this past September. It is hoped that these discussions will lead to further consensus on concepts around trust and levels of assurance. There are rumors of an informal bar BoF to further discussions on this topic. Monitor the mailing list for details. This is a great opportunity to get involved in a potential IETF activity at a very early stage.

The W3C Privacy Interest Group (PING) will again meet face-to-face alongside IETF on Thursday, 26 March. Topics for the meeting include: the WiFi Privacy Experiment at IETF; W3C Technical Advisory Group (TAG) finding “Securing the Web” through the use of cryptography; Proposed Edited Recommendation Geolocation API; as well as PING’s ongoing work on privacy reviews and guidance for Web specification authors. Please join the meeting if you have an interest in privacy on the Web and would like to help develop better privacy features in Web standards. Meeting details are provided here: https://lists.w3.org/Archives/Public/public-privacy/2015JanMar/0124.html.

And since I mentioned it above, I’d also like to highlight an experiment that will be hosted on the IETF network. As stated at the link below, the IEEE 802 EC Privacy Recommendation Study Group, in coordination with the IAB and IESG, are working on privacy enhancements for link layer technologies. As part of this effort, they are carrying out a WiFi MAC randomization trial/experiment at IETF 92. The experiment is similar to the one carried out at IETF 91, but this time it’s been upgraded with more support for operating systems (including mobile) and it will run integrated into the main IETF 92 WiFi network. If you are attending in person, you can participate in this experiment. Details on participation can be found on the IETF Meeting Wiki; there is also an article about the privacy trials in the latest issue of the IETF Journal.

As for the IETF working groups, there are several ongoing working groups addressing topics in this space.

The jose (Javascript Object Signing and Encryption) working group will have a short meeting on Tuesday evening to discuss new proposals to develop a Concise Binary Object Representation (CBOR) encoded message syntax for signatures, message authentication codes, and encryption similar to those developed for JSON. The four core jose specifications and the cookbook have both progressed to the RFC Editor and should be coming out sometime soon.

The oauth (Web Authorization Protocol) working group has a full agenda for its Monday afternoon meeting based around its continuing work on proof-of-possession security assertions, token introspection, and token exchange among others. There are several oauth documents that are currently in IESG processing or the RFC Editor queue.

The ace (Authentication and Authorization in Constrained Environments) working group is continuing to develop documents on use cases, actors, architecture comparison, and object security. There is also a side meeting organized on Monday evening to help accelerate consensus on architecture, terminology, and scope. The plan is to meet from 19:10 to 20:40 after the plenary (look to the mailing list for details). Additionally, the technical plenary on Monday evening is on Smart Object Architecture and is highly relevant to this area of work.

The scim (System for Cross-domain Identity Management) working group has successfully sent their core document to the IESG for processing. This includes use cases, an API, and core schema. The meeting this week will discuss new drafts on soft deletes and event notification.

The relatively new stir (Secure Telephone Identities Revisited) working group is looking to develop mechanisms to correctly identify where SIP requests are being originated. In a nutshell, how do you prove ownership of a telephone number on the Internet? The problem statement (RFC 7340) and threats (RFC 7375) documents were published earlier this year, and the “Authenticated Identity Management in the Session Initiation Protocol” and “Secure Telephone Identity Credentials: Certificates” documents are again on the agenda for this meeting.

The web PKI certificate infrastructure continues to be a source of trust-related operational issues in the Internet. The primary effort of the trans (Public Notary Transparency) working group is the generation of a standards track version of the experimental RFC 6962 on Certificate Transparency. The primary focus of this week’s discussion will be resolution of issues on the update to RFC 6962. Additional topics for this week’s agenda include a threat analysis, client behavior, and the gossip protocol.

The httpauth (Hypertext Transfer Protocol Authentication) working group’s document for a basic HTTP authentication scheme is in the RFC Editor queue, and the HTTP Digest Access Authentication document is with the IESG. This meeting will focus on mutual authentication, algorithms for mutual authentication, and extensions for interactive clients.

Finally, the dprive (DNS PRIVate Exchange) working group is a relatively new working group chartered to develop “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” They are working on a problem statement and some initial proposals. And, the kitten (Common Authentication Technology Next Generation) working group is addressing a long list of documents related to authentication.

As you can see, the IETF is devoting a significant amount of time and energy to efforts related to trust, identity, and privacy. There is plenty to follow and contribute to in this space.

Related Meetings, Working Groups, and BoFs at IETF 92:

Follow Us

There’s a lot going on in Dallas, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://www.internetsociety.org/rough-guide-ietf92.
