Wrapping up the series of Rough Guide to IETF 92 posts is our focus on Trust, Identity, and Privacy. ISOC has been working over the past five years in these areas, and each subsequent IETF has seen advancing work and progress being made on multiple fronts. IETF 92 in Dallas this week is no exception.
First, while there won’t be a meeting on it this time, I’d like to remind folks of the mailing list created last fall to discuss vectors of trust at https://www.ietf.org/mailman/listinfo/vot. The impetus for this mailing list came out of an ISOC-sponsored workshop this past September. It is hoped that these discussions will lead to further consensus on concepts around trust and levels of assurance. There are rumors of an informal bar BoF to further discussions on this topic. Monitor the mailing list for details. This is a great opportunity to get involved in a potential IETF activity at a very early stage.
The W3C Privacy Interest Group (PING) will again meet face-to-face alongside IETF on Thursday, 26 March. Topics for the meeting include: the WiFi Privacy Experiment at IETF; W3C Technical Advisory Group (TAG) finding “Securing the Web” through the use of cryptography; Proposed Edited Recommendation Geolocation API; as well as PING’s ongoing work on privacy reviews and guidance for Web specification authors. Please join the meeting if you have an interest in privacy on the Web and would like to help develop better privacy features in Web standards. Meeting details are provided here: https://lists.w3.org/Archives/Public/public-privacy/2015JanMar/0124.html.
And since I mentioned it above, I’d also like to highlight an experiment that will be hosted on the IETF network. As stated at the link below, the IEEE 802 EC Privacy Recommendation Study Group, in coordination with the IAB and IESG, are working on privacy enhancements for link layer technologies. As part of this effort, they are carrying out a WiFi MAC randomization trial/experiment at IETF 92. The experiment is similar to the one carried out at IETF 91, but this time it’s been upgraded with more support for operating systems (including mobile) and it will run integrated into the main IETF 92 WiFi network. If you are attending in person, you can participate in this experiment. Details on participation can be found on the IETF Meeting Wiki; there is also an article about the privacy trials in the latest issue of the IETF Journal.
As for the IETF working groups, there are several ongoing working groups addressing topics in this space.
The oauth (Web Authorization Protocol) working group has a full agenda for its Monday afternoon meeting based around its continuing work on proof-of-possession security assertions, token introspection, and token exchange among others. There are several oauth documents that are currently in IESG processing or the RFC Editor queue.
The ace (Authentication and Authorization in Constrained Environments) working group is continuing to develop documents on use cases, actors, architecture comparison, and object security. There is also a side meeting organized on Monday evening to help accelerate consensus on architecture, terminology, and scope. The plan is to meet from 19:10 to 20:40 after the plenary (look to the mailing list for details). Additionally, the technical plenary on Monday evening is on Smart Object Architecture and is highly relevant to this area of work.
The scim (System for Cross-domain Identity Management) working group has successfully sent their core document to the IESG for processing. This includes use cases, an api, and core schema. The meeting this week will discuss new drafts on soft deletes and event notification.
The relatively new stir (Secure Telephone Identities Revisited) working group is looking to develop mechanisms to correctly identify where SIP requests are being originated. In a nutshell, how do you prove ownership of a telephone number on the Internet? The problem statement (RFC 7340) and threats (RFC 7375) documents were published earlier this year, and the “Authenticated Identity Management in the Session Initiation Protocol” and “Secure Telephone Identity Credentials: Certificates” documents are again on the agenda for this meeting.
The web PKI certificate infrastructure continues to be a source of trust related operational issues in the Internet. The primary effort of the trans (Public Notary Transparency) working group is the generation of a standards track version of the experimental RFC 6962 on Certificate Transparency. The primary focus of this week’s discussion will be resolution of issues on the update to RFC 6962. Additional topics for this week’s agenda include a threat analysis, client behavior, and the gossip protocol.
The httpauth (Hypertext Transfer Protocol Authentication) working group’s document for a basic http authentication scheme is in the RFC Editor queue, and the HTTP Digest Access Authentication document is with the IESG. This meeting will focus on mutual authentication, algorithms for mutual authentication, and extensions for interactive clients.
Finally, the dprive (DNS PRIVate Exchange) working group is a relatively new working group chartered to develop “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” They are working on a problem statement and some initial proposals. And, the kitten (Common Authentication Technology Next Generation) working group is addressing a long list of documents related to authentication.
As you can see, the IETF is devoting a significant amount of time and energy on efforts related to trust, identity, and privacy. There is plenty to follow and contribute to in this space.
Related Meetings, Working Groups, and BoFs at IETF 92:
There’s a lot going on in Dallas, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf92.