
Rough Guide to IETF 95: Trust, Identity, and Privacy

This installment of the Internet Society’s Rough Guide to IETF 95 focuses attention on the IETF 95 activities related to improving trust in the Internet. Key to this trust is the ability to establish and maintain accurate identity including privacy. As one might expect, there is a great deal of activity in this space in the IETF.

First, there is one BoF related to the trust topic at IETF 95. The Limited Use of Remote Keys (lurk) BoF is looking at the problem caused by the increasing separation of the content provider from the network delivery. In this case, the content provider does not necessarily want to give their private key to the network service provider hosting their content. Generally speaking, sharing of private keys is a bad idea. Thus far the mailing list has identified this “offload TLS without giving the CDN my private key” use case as being of particular interest. This BoF will explore whether there are other related use cases that also need to be addressed and whether there is sufficient interest to pursue work in this area.

As for the IETF working groups, there are several ongoing working groups addressing relevant topics in this space. Some of the ones that will meet at IETF 95 are highlighted below.

The Automated Certificate Management Environment (acme) working group is working to lower the barrier to deployment and management of certificates for the Web PKI. Currently, the verification of domain names in a certificate is done using a set of manual mechanisms. The acme working group is working to automate the process of issuance, validation, revocation and renewal of certificates. This meeting will focus almost exclusively on maturing the current document (https://datatracker.ietf.org/doc/draft-ietf-acme-acme/) and resolving the issues documented in the issue tracker (https://github.com/ietf-wg-acme/acme/issues). This working group is also tied to the Let’s Encrypt certificate authority, which is striving to lower the barriers to certificate usage from both a cost and a complexity perspective.

The Authentication and Authorization for Constrained Environments (ace) working group is focused on the increasingly complex Internet of Things (IoT) space. The bulk of the discussion this week will focus on resolving open issues with the draft on using OAuth 2.0 for Internet of Things (IoT) authorization. There are more details on all the IETF work related to IoT in the most recent edition of the IETF Journal.

In response to evolving concerns about pervasive surveillance, the IETF has looked to reduce the data that third parties can observe in many of its protocols. The DNS PRIVate Exchange (DPRIVE) Working Group was chartered to develop mechanisms to provide confidentiality between DNS clients and iterative resolvers. Given that virtually all communication on the Internet involves name resolution, providing additional privacy to the underlying mechanisms is key to improving trust in the Internet.

The Web Authorization Protocol (oauth) working group has been working for quite some time on a suite of documents that enables a user to grant a third party access to protected resources without sharing the user’s long-term credentials. The working group has completed a long list of RFCs. This week’s meeting will focus on mix-up mitigation, discovery, token exchange, and the use of OAuth for native apps. OAuth is a key component of online identity systems and is being leveraged in the ongoing OpenID Connect work.

The Open Specification for Pretty Good Privacy (OpenPGP) working group originally completed its work in 2008, providing a solution for object encryption, object signing, and identity certification (RFC 4880). Recently it has become clear that it was time to produce an update to RFC 4880, and the OpenPGP working group was reinstated to do that work. This revision may include elliptic curves recommended by the Crypto Forum Research Group (CFRG), a symmetric encryption mechanism that offers modern message integrity protection, an update to the mandatory-to-implement algorithm selection, deprecation of weak algorithms, and an updated public-key fingerprint mechanism.

The web PKI certificate infrastructure continues to be a source of trust-related operational issues in the Internet. The primary effort of the Public Notary Transparency (trans) working group is the generation of a standards track version of the experimental RFC 6962 on Certificate Transparency. Certificate Transparency creates a log of certificates issued by certificate authorities (CAs). This provides the opportunity to monitor for problems in the certificate infrastructure globally. The primary focus of this week’s discussion will continue to be the update to RFC 6962, a threat analysis, and the gossip protocol. Rumor has it that the 6962bis effort is approaching completion!

As the Internet has evolved, some of the key pieces of infrastructure that we often take for granted need to be reconsidered in the light of the current operational environment. Time is a key component of establishing and maintaining trust, and it is often overlooked. The Network Time Protocol (ntp) working group has recently started a working group last call (WGLC) on NTS. Network Time Security (NTS) will define an updated framework and mechanisms for time server authentication. The WGLC on NTS has generated a great deal of mailing list discussion, and the meeting here at IETF 95 promises to have many interesting questions to resolve.

Finally, the Internet Architecture Board (IAB), through its Privacy and Security Program, has taken a look at some of the problems of the existing Web PKI infrastructure. Since IETF 94, the program has adopted and updated a draft that identifies some of the issues and emerging solutions in this space. This draft, “Problems with the Public Key Infrastructure (PKI) for the World Wide Web”, will be on the program agenda this week. Find one of the co-authors and discuss any suggestions you might have for improving the document. Have a great week here at IETF 95 while you explore all of these trust, identity, and privacy related activities!

Related Meetings, Working Groups, and BOFs at IETF 95:

lurk (Limited Use of Remote Keys) BOF
Tuesday, 5 April 2016; 14:00 – 16:00 ART, Atlantico C
Agenda: https://datatracker.ietf.org/meeting/95/agenda/lurk/

ace (Authentication and Authorization for Constrained Environments) WG
Monday, 4 April 2016; 10:00 – 12:30 ART, Atlantico C
Agenda: https://tools.ietf.org/wg/ace/agenda
Documents: https://tools.ietf.org/wg/ace
Charter: https://tools.ietf.org/wg/ace/charter

acme (Automated Certificate Management Environment) WG
Monday, 4 April 2016; 17:40 – 19:40 ART, Buen Ayre A
Agenda: https://tools.ietf.org/wg/acme/agenda
Documents: https://tools.ietf.org/wg/acme/
Charter: https://tools.ietf.org/wg/acme/charters

dprive (DNS PRIVate Exchange) WG
Wednesday, 6 April 2016; 10:00 – 11:00 ART, Atlantico C
Agenda: https://tools.ietf.org/wg/dprive/agenda
Documents: https://tools.ietf.org/wg/dprive/
Charter: https://tools.ietf.org/wg/dprive/charters

oauth (Web Authorization Protocol) WG
Wednesday, 6 April 2016; 10:00 – 12:30 ART, Buen Ayre B
Agenda: https://tools.ietf.org/wg/oauth/agenda
Documents: https://tools.ietf.org/wg/oauth
Charter: https://tools.ietf.org/wg/oauth/charter

openpgp (Open Specification for Pretty Good Privacy) WG
Wednesday, 6 April 2016; 11:00 – 12:30 ART, Atlantico C
Agenda: https://tools.ietf.org/wg/openpgp/agenda
Documents: https://tools.ietf.org/wg/openpgp/
Charter: https://tools.ietf.org/wg/openpgp/charters

trans (Public Notary Transparency) WG
Wednesday, 6 April 2016; 14:00 – 16:00 ART, Atlantico C
Agenda: https://tools.ietf.org/wg/trans/agenda
Documents: https://tools.ietf.org/wg/stir/
Charter: https://tools.ietf.org/wg/trans/charter

ntp (Network Time Protocol) WG
Tuesday, 5 April 2016; 14:00 – 16:00 ART, Quebracho B
Agenda: https://tools.ietf.org/wg/ntp/agenda
Documents: https://tools.ietf.org/wg/ntp
Charter: https://tools.ietf.org/wg/ntp/charter

Follow Us

There’s a lot going on in Buenos Aires, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf95.


Rough Guide to IETF 95: All Things Encryption

We have come a long way in both time and distance from Yokohama to Buenos Aires, and the efforts of the Internet community to strengthen the Internet by improving deployment of encryption continue with IETF 95 this week. This time around we will highlight the curdle, tls, and uta working groups, the cfrg research group, and the IAB Privacy and Security program.

The first thing I’d like to mention is a working group that will be meeting for the first time here in Buenos Aires. The CURves, Deprecating and a Little more Encryption (CURDLE) working group will focus on updating cryptographic mechanisms for existing IETF protocols. The working group will add mature mechanisms that enjoy broad support from implementers. It will also look at removing the support for old algorithms where there is IETF consensus to do so. The initial protocols that the CURDLE group will address include SSH, DNSSEC, PKIX, CMS, XML Digital Signatures and potentially XML Encryption, Kerberos and JSON.

Along the same lines, the Using TLS in Applications (UTA) working group continues to look at adding TLS support to existing applications. This week the focus will be on support for TLS in SMTP. Of note from the uta working group since the last IETF is the recent publication of RFC 7817 “Updated Transport Layer Security (TLS) Server Identity Check Procedure for Email-Related Protocols”.

The Transport Layer Security (TLS) working group continues to work on an update to the TLS protocol. This is a very active working group with a plan to publish an update to TLS in 2016. This meeting will be devoted to resolving the open issues with the current specification as documented in the issue tracker: https://github.com/tlswg/tls13-spec/issues.

Next, the Internet Research Task Force (IRTF) Crypto Forum Research Group (cfrg) continues to focus on use of cryptography for IETF protocols. Since IETF 94, RFC 7748 on “Elliptic Curves for Security” has been published. This is a major milestone for this activity. Topics for this week’s meeting include extended hash-based signatures, secure state management for hash-based signatures, PAKE requirements, and quantum resistant cryptography. Anyone interested in the future direction of cryptographic curves and algorithms would be well served to follow these discussions.

The Internet Architecture Board (IAB), through its Privacy and Security Program, has been focusing on strengthening the Internet by looking at threats, mitigations, and trust models. Since the publication of RFC 7624 “Confidentiality in the Face of Pervasive Surveillance: A Threat Model and Problem Statement”, the focus has been on a draft discussing mitigations “Confidentiality in the Face of Pervasive Surveillance”. This document is approaching maturation so now is an excellent time to find a member of that program to discuss the draft.

Also related to the IAB Privacy and Security program work is the Managing Radio Networks in an Encrypted World (MaRNEW) workshop, held jointly by the IAB and the GSMA in September 2015 and discussed at IETF 94. A draft of the report for this workshop is now available in addition to all the raw workshop materials. One concern going into the workshop was that radio networks would face challenges meeting their operational requirements in an encrypted world. Discussion at the workshop focused on alternatives to traditional content classification that could be deployed in conjunction with encryption. Here at IETF 95 there will be a BoF on Alternatives to Content Classification for Operator Resource Deployment (accord). This should be an excellent discussion of the challenges being faced and possible next steps to address some of these challenges.

Finally, I’d like to give a quick plug for the Security Area Advisory Group (saag) session. This is an excellent way to get a quick view of some of the security-related conversations ongoing in the IETF. This week’s session will include the challenges and possibilities represented by the Internet of Things, along with security and privacy issues in numeric identifiers, among other topics.

All in all, the work continues here at IETF 95 to make encryption more widespread and easier to deploy for a stronger Internet.

Related Meetings, Working Groups, and BOFs at IETF 95:

curdle (CURves, Deprecating and a Little more Encryption) WG
(Tuesday, April 5, 2016, 16:20 – 17:20 ART, Buen Ayre B)
Agenda: https://www.ietf.org/proceedings/95/agenda/agenda-95-curdle
Documents: https://datatracker.ietf.org/group/curdle/documents/
Charter: https://datatracker.ietf.org/group/curdle/charter/

uta (Using TLS in Applications) WG
(Monday, April 4, 2016, 14:00 – 15:30 ART, Atlantico C)
Agenda: https://datatracker.ietf.org/meeting/95/agenda/uta/
Documents: https://datatracker.ietf.org/wg/uta/charter/
Charter: https://datatracker.ietf.org/group/uta/charter/

tls (Transport Layer Security) WG
(Tuesday, April 5, 2016, 10:00-12:30 ART, Atlantico B
Thursday, April 7, 2016, 10:00-12:30 ART, Atlantico C)
Agenda: https://tools.ietf.org/wg/tls/agenda-95-tls.html
Documents: https://tools.ietf.org/wg/tls
Charter: https://tools.ietf.org/wg/tls/charters

cfrg (Crypto Forum Research Group)
(Friday, 8 April 2016, 10:00 – 12:00 ART, Buen Ayre A)
Agenda: https://tools.ietf.org/agenda/95/agenda-95-cfrg.html
Documents: https://datatracker.ietf.org/rg/cfrg/documents/
Charter: https://irtf.org/cfrg

accord (Alternatives to Content Classification for Operator Resource Deployment) BoF
(Thursday April 7, 2016, 10:00-12:30 ART, Pacifico A)
Agenda: https://datatracker.ietf.org/meeting/95/agenda/accord/

saag (Security Area Advisory Group)
(Thursday, 7 April 2016, 14:00 – 16:00 ART, Pacifico A)
Agenda: https://tools.ietf.org/agenda/95/agenda-95-saag.html
