
From paul.hoffman@vpnc.org  Wed Aug  1 14:54:10 2012
Return-Path: <paul.hoffman@vpnc.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8434E11E8235 for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 14:54:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.832
X-Spam-Level: 
X-Spam-Status: No, score=-102.832 tagged_above=-999 required=5 tests=[AWL=-0.233, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Cim614i24ukI for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 14:54:09 -0700 (PDT)
Received: from hoffman.proper.com (IPv6.Hoffman.Proper.COM [IPv6:2605:8e00:100:41::81]) by ietfa.amsl.com (Postfix) with ESMTP id 9518C11E829B for <saag@ietf.org>; Wed,  1 Aug 2012 14:54:09 -0700 (PDT)
Received: from dhcp-2066.meeting.ietf.org (dhcp-2066.meeting.ietf.org [130.129.32.102]) (authenticated bits=0) by hoffman.proper.com (8.14.5/8.14.5) with ESMTP id q71L2rEN004693 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for <saag@ietf.org>; Wed, 1 Aug 2012 14:02:54 -0700 (MST) (envelope-from paul.hoffman@vpnc.org)
From: Paul Hoffman <paul.hoffman@vpnc.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Date: Wed, 1 Aug 2012 14:54:04 -0700
Message-Id: <FA5D4FEA-84AE-4F9A-870D-6E4F4F02757A@vpnc.org>
To: IETF Security Area Advisory Group <saag@ietf.org>
Mime-Version: 1.0 (Apple Message framework v1278)
X-Mailer: Apple Mail (2.1278)
Subject: [saag] IPsec WG summary for IETF 84
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2012 21:54:10 -0000

IPsecME met on Tuesday. There was a healthy discussion of the
"requirements" part of draft-ietf-ipsecme-p2p-vpn-problem, "Auto
Discovery VPN Problem Statement and Requirements". There will be another
rev soon and the WG might be able to move on to protocol proposals in
the coming months. The WG also heard about draft-nir-ipsecme-ike-tcp,
"TCP transport for the Internet Key Exchange". The WG seemed interested
in adopting this work. Separately, the WG has started a design team to
discuss how to better handle ECDSA certificates in IKEv2.

--Paul Hoffman

From leifj@mnt.se  Wed Aug  1 16:31:26 2012
Return-Path: <leifj@mnt.se>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 375B511E83F0 for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 16:31:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.349
X-Spam-Level: 
X-Spam-Status: No, score=-3.349 tagged_above=-999 required=5 tests=[AWL=-0.750, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HV9vfIXD1aR3 for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 16:31:25 -0700 (PDT)
Received: from backup-server.nordu.net (backup-server.nordu.net [IPv6:2001:948:4:1::66]) by ietfa.amsl.com (Postfix) with ESMTP id 999E111E839E for <saag@ietf.org>; Wed,  1 Aug 2012 16:31:24 -0700 (PDT)
Received: from [130.129.8.54] (dhcp-9036.meeting.ietf.org [130.129.8.54]) (authenticated bits=0) by backup-server.nordu.net (8.14.3/8.14.3) with ESMTP id q71NVGlo021351 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Thu, 2 Aug 2012 01:31:22 +0200 (CEST)
Message-ID: <5019BC44.9090709@mnt.se>
Date: Thu, 02 Aug 2012 01:31:16 +0200
From: Leif Johansson <leifj@mnt.se>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 1.4.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [saag] ABFAB WG status
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Aug 2012 23:31:26 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


ABFAB met on Monday afternoon. There has been quite a bit of
progress on our core documents, several of which are on their
way through LC/WGLC.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlAZvEQACgkQ8Jx8FtbMZnd6EQCdE4FhMj0bi0veecbCv5tbk1Gn
5bIAoIgJ6A/sJiI8qTcLzv5bGKKhHE49
=qGd3
-----END PGP SIGNATURE-----

From shawn.emery@oracle.com  Wed Aug  1 17:11:48 2012
Return-Path: <shawn.emery@oracle.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F0F521F899D for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 17:11:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.599
X-Spam-Level: 
X-Spam-Status: No, score=-10.599 tagged_above=-999 required=5 tests=[AWL=0.000, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7RarKVoa10cY for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 17:11:47 -0700 (PDT)
Received: from acsinet15.oracle.com (acsinet15.oracle.com [141.146.126.227]) by ietfa.amsl.com (Postfix) with ESMTP id 7183921F8914 for <saag@ietf.org>; Wed,  1 Aug 2012 17:11:47 -0700 (PDT)
Received: from ucsinet22.oracle.com (ucsinet22.oracle.com [156.151.31.94]) by acsinet15.oracle.com (Sentrion-MTA-4.2.2/Sentrion-MTA-4.2.2) with ESMTP id q720Biix008803 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for <saag@ietf.org>; Thu, 2 Aug 2012 00:11:45 GMT
Received: from acsmt357.oracle.com (acsmt357.oracle.com [141.146.40.157]) by ucsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id q720BiUe017340 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Thu, 2 Aug 2012 00:11:44 GMT
Received: from abhmt103.oracle.com (abhmt103.oracle.com [141.146.116.55]) by acsmt357.oracle.com (8.12.11.20060308/8.12.11) with ESMTP id q720BhcP027567 for <saag@ietf.org>; Wed, 1 Aug 2012 19:11:43 -0500
Received: from [10.159.106.240] (/10.159.106.240) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 01 Aug 2012 17:11:43 -0700
Message-ID: <5019C580.8000301@oracle.com>
Date: Wed, 01 Aug 2012 18:10:40 -0600
From: Shawn Emery <shawn.emery@oracle.com>
User-Agent: Mozilla/5.0 (X11; SunOS i86pc; rv:10.0.5) Gecko/20120703 Thunderbird/10.0.5
MIME-Version: 1.0
To: saag@ietf.org
References: <4F721C18.2010407@oracle.com>
In-Reply-To: <4F721C18.2010407@oracle.com>
X-Forwarded-Message-Id: <4F721C18.2010407@oracle.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Source-IP: ucsinet22.oracle.com [156.151.31.94]
Subject: [saag] kitten Summary - IETF 84
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 00:11:48 -0000

The WG did not meet for IETF 84.

Shawn - kitten co-chair.
-- 

From aland@deployingradius.com  Wed Aug  1 17:22:21 2012
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7D9E11E80D7 for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 17:22:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.599
X-Spam-Level: 
X-Spam-Status: No, score=-102.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZrstBKQnaBQc for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 17:22:21 -0700 (PDT)
Received: from liberty.deployingradius.com (liberty.deployingradius.com [88.191.76.128]) by ietfa.amsl.com (Postfix) with ESMTP id 2C45211E809A for <saag@ietf.org>; Wed,  1 Aug 2012 17:22:21 -0700 (PDT)
Received: from dhcp-5051.meeting.ietf.org (dhcp-5051.meeting.ietf.org [130.129.80.81]) by liberty.deployingradius.com (Postfix) with ESMTPSA id 2A7B412341F8 for <saag@ietf.org>; Thu,  2 Aug 2012 02:21:52 +0200 (CEST)
Message-ID: <5019C81D.6040107@deployingradius.com>
Date: Wed, 01 Aug 2012 17:21:49 -0700
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [saag] EMU WG Status
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 00:22:21 -0000

  EMU met on Tuesday.  We had volunteers for review of the final two
charter documents.  We expect to have the reviews, a new rev, and a last
call prior to the next meeting.

  Alan DeKok.

From ondrej.sury@nic.cz  Wed Aug  1 21:29:16 2012
Return-Path: <ondrej.sury@nic.cz>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53B9E11E812C for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 21:29:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.699
X-Spam-Level: 
X-Spam-Status: No, score=-1.699 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_23=0.6, MIME_8BIT_HEADER=0.3]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6k-kmQG2yrqE for <saag@ietfa.amsl.com>; Wed,  1 Aug 2012 21:29:15 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [IPv6:2001:1488:800:400::400]) by ietfa.amsl.com (Postfix) with ESMTP id 95ABE11E8109 for <saag@ietf.org>; Wed,  1 Aug 2012 21:29:15 -0700 (PDT)
Received: from [192.168.8.67] (unknown [64.114.255.126]) by mail.nic.cz (Postfix) with ESMTPSA id 090C7141058; Thu,  2 Aug 2012 06:29:13 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=nic.cz; s=default; t=1343881754; bh=mKwK11xZVAoZ0oI5Utr/QVcEgHxJ1q3p0/pgoG2P6fM=; h=From:Content-Type:Content-Transfer-Encoding:Subject:Date: Message-Id:Cc:To:Mime-Version; b=EoZHWdljiJb+7eeCF6UcELZX3zVecR6H/0WaLRuACJyh7gecjooN79KFFVeYacmKh 5iCpfufxOQW+RYRofDHzVcJ9SY6JzQ0qo0PkaH1rzbT8Dzl95cb5fMuHuvb3CZ71hn 0K85QZUT1d1oGUF/DSvH+RmxTVZyzLii7FMZX+5Q=
From: =?utf-8?Q?Ond=C5=99ej_Sur=C3=BD?= <ondrej.sury@nic.cz>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Date: Wed, 1 Aug 2012 21:29:11 -0700
Message-Id: <5CBDE998-42A8-4B6D-93C9-47800C5B4941@nic.cz>
To: saag@ietf.org
Mime-Version: 1.0 (Mac OS X Mail 6.0 \(1485\))
X-Mailer: Apple Mail (2.1485)
X-Virus-Scanned: clamav-milter 0.96.5 at mail
X-Virus-Status: Clean
Cc: "dane-chairs@tools.ietf.org" <dane-chairs@tools.ietf.org>
Subject: [saag] DANE WG status
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 04:29:16 -0000

DANE met on Monday.

We have the main DANE protocol document in AUTH48,
so we had couple of presentation of possible new
work regarding handling protocols with less trivial
DNS lookup (SMTP, MUA, XMPP) and S/MIME bindings.

In the last part of the session we had a discussion
whether to recharter, go hiatus or close and based
on feedback from WG we have decided to stay open and
recharter to include (some of) the new work which was
presented.

O.
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury@nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------


From jimsch@nwlink.com  Thu Aug  2 09:03:26 2012
Return-Path: <jimsch@nwlink.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A594521F85C7 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:03:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.925
X-Spam-Level: 
X-Spam-Status: No, score=-1.925 tagged_above=-999 required=5 tests=[AWL=-0.184, BAYES_20=-0.74, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rz9fxyS2eV-5 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:03:26 -0700 (PDT)
Received: from smtp1.pacifier.net (smtp1.pacifier.net [64.255.237.171]) by ietfa.amsl.com (Postfix) with ESMTP id E559E21F84B2 for <saag@ietf.org>; Thu,  2 Aug 2012 09:03:25 -0700 (PDT)
Received: from Tobias (dhcp-10a6.meeting.ietf.org [130.129.16.166]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) (Authenticated sender: jimsch@nwlink.com) by smtp1.pacifier.net (Postfix) with ESMTPSA id 870332CA18 for <saag@ietf.org>; Thu,  2 Aug 2012 09:03:25 -0700 (PDT)
From: "Jim Schaad" <jimsch@nwlink.com>
To: <saag@ietf.org>
Date: Thu, 2 Aug 2012 09:02:00 -0700
Message-ID: <007301cd70c8$2721f780$7565e680$@nwlink.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Outlook 14.0
Thread-Index: Ac1wxuOjin3He2RoQMufc+/5zpp+xg==
Content-Language: en-us
Subject: [saag] JOSE status
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 16:03:26 -0000

JOSE met on Wednesday.

We went through a number of open issues in an attempt to close them and
succeeded for a fair number.  There are still a number of issues to be
discussed and decided before the core documents can be closed and passed
off to the IESG.

Jim



From ynir@checkpoint.com  Thu Aug  2 09:15:17 2012
Return-Path: <ynir@checkpoint.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AC7021F849C for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:15:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.314
X-Spam-Level: 
X-Spam-Status: No, score=-10.314 tagged_above=-999 required=5 tests=[AWL=0.285, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OrUT4mY5NwVB for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:15:15 -0700 (PDT)
Received: from smtp.checkpoint.com (smtp.checkpoint.com [194.29.34.68]) by ietfa.amsl.com (Postfix) with ESMTP id 632C911E80DF for <saag@ietf.org>; Thu,  2 Aug 2012 09:15:14 -0700 (PDT)
Received: from il-ex01.ad.checkpoint.com (il-ex01.ad.checkpoint.com [194.29.34.26]) by smtp.checkpoint.com (8.13.8/8.13.8) with ESMTP id q72GFBUn022864 for <saag@ietf.org>; Thu, 2 Aug 2012 19:15:11 +0300
X-CheckPoint: {501AA4F8-0-1B221DC2-4FFFF}
Received: from il-ex01.ad.checkpoint.com ([126.0.0.2]) by il-ex01.ad.checkpoint.com ([126.0.0.2]) with mapi; Thu, 2 Aug 2012 19:15:08 +0300
From: Yoav Nir <ynir@checkpoint.com>
To: "saag@ietf.org" <saag@ietf.org>
Date: Thu, 2 Aug 2012 19:15:07 +0300
Thread-Topic: WebSec status
Thread-Index: Ac1wyfvlCKiBApbLSa+N5kfgjkumog==
Message-ID: <3AACCB72-00F2-4CB5-992E-3578DB840461@checkpoint.com>
References: <007301cd70c8$2721f780$7565e680$@nwlink.com>
In-Reply-To: <007301cd70c8$2721f780$7565e680$@nwlink.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
x-kse-antivirus-interceptor-info: scan successful
x-kse-antivirus-info: Clean
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [saag] WebSec status
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 16:15:18 -0000

WebSec met at 9:00 AM on Tuesday morning.

HSTS is at IETF LC. All issues are resolved, and a new revision should go
to the IESG soon.
Cert Pinning is coming along, with several issues to be discussed on the
list.
Still no editor for Mime-sniffing. If none is found soon, we may consider
dropping this item, but there are issues with HTML5 spec referencing it.
The Frame-Options drafts (X- and non-X-) are coming along OK, but the
non-X- may become part of CSP and move to W3C.

Yoav


From kent@bbn.com  Thu Aug  2 09:42:42 2012
Return-Path: <kent@bbn.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 351B911E813B for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.489
X-Spam-Level: 
X-Spam-Status: No, score=-106.489 tagged_above=-999 required=5 tests=[AWL=0.110, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id prdrBJfBtNiK for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:42:41 -0700 (PDT)
Received: from smtp.bbn.com (smtp.bbn.com [128.33.0.80]) by ietfa.amsl.com (Postfix) with ESMTP id EDFF611E8122 for <saag@ietf.org>; Thu,  2 Aug 2012 09:42:31 -0700 (PDT)
Received: from dommiel.bbn.com ([192.1.122.15]:50831 helo=COMSEC.local) by smtp.bbn.com with esmtp (Exim 4.77 (FreeBSD)) (envelope-from <kent@bbn.com>) id 1SwyTl-00077q-GT for saag@ietf.org; Thu, 02 Aug 2012 12:42:29 -0400
Message-ID: <501AADF5.6040900@bbn.com>
Date: Thu, 02 Aug 2012 12:42:29 -0400
From: Stephen Kent <kent@bbn.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: saag <saag@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [saag] PKIX Status
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 16:42:42 -0000

PKIX met for 2 hours on Wednesday. Sean Turner announced plans to shut
down the WG, once the current 4 active I-Ds (and 1 I-D with the IESG)
are completed. If work on these docs stalls, the WG will be shut down
anyway. No new WG items will be accepted.

Presentations were made on 4 WG items: 2560bis, 5280bis, EST, and CAA.
A straw poll is underway (on the list) to decide how to proceed on
2560bis. A (final?) proposed paragraph for the one contentious section
of 5280bis was briefed. The EST doc was reviewed and plans for the next
rev were discussed. CAA was discussed in detail and generated a lot of
questions and comments. A new version will be required, with a new
IETF LC.

There were presentations on four other topics, but none are expected to
become WG items, based on Sean's announcement.

From kathleen.moriarty@emc.com  Thu Aug  2 09:51:31 2012
Return-Path: <kathleen.moriarty@emc.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7187A11E8104 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:51:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.586
X-Spam-Level: 
X-Spam-Status: No, score=-2.586 tagged_above=-999 required=5 tests=[AWL=0.013,  BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Scr66ILtL-cc for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 09:51:30 -0700 (PDT)
Received: from mexforward.lss.emc.com (hop-nat-141.emc.com [168.159.213.141]) by ietfa.amsl.com (Postfix) with ESMTP id 4571F11E80E7 for <saag@ietf.org>; Thu,  2 Aug 2012 09:51:30 -0700 (PDT)
Received: from hop04-l1d11-si01.isus.emc.com (HOP04-L1D11-SI01.isus.emc.com [10.254.111.54]) by mexforward.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q72GpTbb031387 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <saag@ietf.org>; Thu, 2 Aug 2012 12:51:29 -0400
Received: from mailhub.lss.emc.com (mailhub.lss.emc.com [10.254.221.251]) by hop04-l1d11-si01.isus.emc.com (RSA Interceptor) for <saag@ietf.org>; Thu, 2 Aug 2012 12:51:14 -0400
Received: from mxhub05.corp.emc.com (mxhub05.corp.emc.com [128.222.70.202]) by mailhub.lss.emc.com (Switch-3.4.3/Switch-3.4.3) with ESMTP id q72GpC53002914 for <saag@ietf.org>; Thu, 2 Aug 2012 12:51:12 -0400
Received: from mx15a.corp.emc.com ([169.254.1.189]) by mxhub05.corp.emc.com ([128.222.70.202]) with mapi; Thu, 2 Aug 2012 12:51:12 -0400
From: <kathleen.moriarty@emc.com>
To: <saag@ietf.org>
Date: Thu, 2 Aug 2012 12:51:11 -0400
Thread-Topic: MILE WG Summary
Thread-Index: AQHNcM8FF+U1a/GAaUCfbF9ATImWiw==
Message-ID: <F5063677821E3B4F81ACFB7905573F2403A13005@MX15A.corp.emc.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-EMM-MHVC: 1
Subject: [saag] MILE WG Summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 16:51:31 -0000

MILE WG Meeting Summary
Met Tuesday, July 31, 2012
Session recorded via MeetEcho

Two drafts moved to RFCs, RFC6684 and RFC6685 since the last meeting.

Reviewed existing drafts:
Structured Cyber Security Information draft: draft-ietf-mile-sci
Discussion on how to include identifier references (enumerated values of
other data formats) came to a conclusion of preferring representation
directly in IODEF.  A second draft to address this use case will be
submitted by Adam Montville.
IPR issues and the inability to normatively reference (references not
valid as a normative reference) included work was raised with the
references in the SCI draft by AD.  Working group conclusion was to pull
these references from the document.  Review will be required to add any
back into the document or later into IANA tables.

GRC Report Exchange: draft-ietf-mile-grc-exchange
Some work has been done to implement and play with the message exchange
flows previously proposed.  As a result, a need for additional flows was
identified.  The proposed changes were presented and will be included in
an updated version of the document.  The WG will need to review the
updated document.  Suggestions were provided and are included in the
meeting minutes.

Proposed Work: RFC5070-bis
Discussion on the mailing list has been outlining some important updates
to RFC5070, the Incident Object Description Exchange Format (IODEF).  We
would like to see lots of discussion and agreement to guide any updates.
The discussion and presentation covered both detailed proposals for
updates as well as guidance updates, so we may wind up with a
complementary guidance document as well.  The main problem experienced by
those using the format is the limitation in not being able to easily
extend enumerated values, so an IANA table may be used to allow updates
to enumerated values once the updated RFC has been published.
Internationalization issues were also identified.  The complete details
of current proposals have been sent to the list and were included in the
slides.  Drafts will need to be posted.

From shanna@juniper.net  Thu Aug  2 11:24:07 2012
Return-Path: <shanna@juniper.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D617D21E8120 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 11:24:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -106.669
X-Spam-Level: 
X-Spam-Status: No, score=-106.669 tagged_above=-999 required=5 tests=[AWL=-0.070, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OmA0W08kj8XT for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 11:24:07 -0700 (PDT)
Received: from exprod7og124.obsmtp.com (exprod7og124.obsmtp.com [64.18.2.26]) by ietfa.amsl.com (Postfix) with ESMTP id DA50121E8121 for <saag@ietf.org>; Thu,  2 Aug 2012 11:24:05 -0700 (PDT)
Received: from P-EMHUB01-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob124.postini.com ([64.18.6.12]) with SMTP ID DSNKUBrFxULcyfh8P4hnGfb2yOfRmaynSNnq@postini.com; Thu, 02 Aug 2012 11:24:05 PDT
Received: from p-emfe02-wf.jnpr.net (172.28.145.25) by P-EMHUB01-HQ.jnpr.net (172.24.192.35) with Microsoft SMTP Server (TLS) id 8.3.213.0; Thu, 2 Aug 2012 11:23:31 -0700
Received: from EMBX01-WF.jnpr.net ([fe80::1914:3299:33d9:e43b]) by p-emfe02-wf.jnpr.net ([fe80::c126:c633:d2dc:8090%11]) with mapi; Thu, 2 Aug 2012 14:23:13 -0400
From: Stephen Hanna <shanna@juniper.net>
To: "saag@ietf.org" <saag@ietf.org>
Date: Thu, 2 Aug 2012 14:23:12 -0400
Thread-Topic: NEA Summary for IETF 84
Thread-Index: Ac1wTMH9ilVOS/eqRn+c5iPf8xKP3wAjwGgA
Message-ID: <AC6674AB7BC78549BB231821ABF7A9AEB833C9250D@EMBX01-WF.jnpr.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [saag] NEA Summary for IETF 84
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 18:24:08 -0000

The nea Working Group didn't meet at IETF 84. One of our documents
(PT-TLS) is with the IESG, having completed IETF Last Call. One
(PT-EAP) has completed a review in EMU and will now go for a second
WGLC. And the last (NEA Asokan Attack Analysis) has completed WGLC
and will soon go to the IESG for publication as Informational.
We plan to wind down the WG when these documents are published.

Thanks,

Steve


From ekr@rtfm.com  Thu Aug  2 11:34:04 2012
Return-Path: <ekr@rtfm.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 452DA11E822F for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 11:34:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.977
X-Spam-Level: 
X-Spam-Status: No, score=-102.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RzSCVWH4xnwg for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 11:34:03 -0700 (PDT)
Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.213.172]) by ietfa.amsl.com (Postfix) with ESMTP id AD15811E8229 for <saag@ietf.org>; Thu,  2 Aug 2012 11:34:03 -0700 (PDT)
Received: by yenq13 with SMTP id q13so9800829yen.31 for <saag@ietf.org>; Thu, 02 Aug 2012 11:34:03 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:from:date:message-id:subject:to:cc :content-type:x-gm-message-state; bh=ubc5BUYF61lqPYy967ildRFS2LI/d7ZUmE7iS6/6sN0=; b=UjwDOlTpwbTCvzNW7TPddoW+vlyUw46NVqYsXkBqsmsiDv2ZBEsyN8we8O5OzYXbp8 CAPTNFTUiQLlcPLdxNG8oucjrSWgzLUzPXJ6LXRFat3vZ7sPoLxYYOupGspwdEc8Ktoh 7SISu4thXsq/6oW1QGYsPSb7XO5tByZATBKbAb2Q3GsYmpEDBt7LXI9HXPt4OyLg0rTg /AxiyXbo5kRS6uy+N8ivTyK2OSoP+RQXBKY++ENDKvFGi5UdFNw5jqcwdBhJemywdg6O Iv6Hz5oWEj3yIVCW7/Q3lKDsCRg6uEgMTi1oBWn7/TP0zqfhNQk8B3EegW0ilY6Hqqg+ IyZw==
Received: by 10.50.149.225 with SMTP id ud1mr5193334igb.74.1343932442968; Thu, 02 Aug 2012 11:34:02 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.50.71.37 with HTTP; Thu, 2 Aug 2012 11:33:22 -0700 (PDT)
X-Originating-IP: [130.129.85.212]
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 2 Aug 2012 11:33:22 -0700
Message-ID: <CABcZeBMV-O0XT-EUP=ryVt6SNzXTvYRAc6M8TVa4isxapO_J8g@mail.gmail.com>
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQnKPnKRXhYwUrgPgBGUK4flyRc01ENCgygfqKfGuXQmu67rQxeA9diTgHB5wxD65XHhxglS
Cc: tls@ietf.org
Subject: [saag] TLS WG Report
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 18:34:04 -0000

The TLS WG met at 10:30 AM on Tuesday:

- TLS-OOB is effectively done. There was discussion of the relationship
   to RFC 6091, which is Informational, but depended upon. Consensus
   is to cut-and-paste the relevant portions. Authors to prepare a new
   draft and WGLC.
http://tools.ietf.org/html/draft-ietf-tls-oob-pubkey-04


- The CachedInfo draft is ready for WGLC with some minor changes.
  The authors will prepare a new draft.
http://tools.ietf.org/html/draft-ietf-tls-cached-info-12

- The OCSP Multistapling draft needs some more review but is believed
   nearly done. The chairs called for more reviewers of this.
http://tools.ietf.org/html/draft-ietf-tls-multiple-cert-status-extension-01

- There was a discussion of rollback protection mechanisms (to compensate
for broken servers). The WG agreed to proceed in this line and to discuss
specific mechanisms on-list.

- There was consensus for the WG to accept the TLS-PWD mechanism.
We will confirm on the list.
http://tools.ietf.org/id/draft-harkins-tls-pwd-02.txt

- There was extensive discussion on explicit TLS proxy support (for
proxies which encrypt and decrypt, not RFC 2817 proxies) but
generally the WG seemed not to want to take this work on.
http://tools.ietf.org/html/draft-mcgrew-tls-proxy-server-01

-Ekr

From alexey.melnikov@isode.com  Thu Aug  2 13:56:14 2012
Return-Path: <alexey.melnikov@isode.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A3C111E80E8 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 13:56:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.157
X-Spam-Level: 
X-Spam-Status: No, score=-102.157 tagged_above=-999 required=5 tests=[AWL=0.442, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LmH3TNCg+cAL for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 13:56:13 -0700 (PDT)
Received: from waldorf.isode.com (cl-125.lon-03.gb.sixxs.net [IPv6:2a00:14f0:e000:7c::2]) by ietfa.amsl.com (Postfix) with ESMTP id 1200A11E80F5 for <saag@ietf.org>; Thu,  2 Aug 2012 13:56:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1343941044; d=isode.com; s=selector; i=@isode.com; bh=n2bSqgDeYLLVLYkfOLPlSmSFYNllimbsbjhyYWoJLGI=; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:Cc:MIME-Version: In-Reply-To:References:Content-Type:Content-Transfer-Encoding: Content-ID:Content-Description; b=Udt+WnUjQ++67DcWaP+rOml1+Tdbdkk9duTltzLlQntUVp+06oXex/cIQbu0RQnxPmRTHq vAw08yvaNeoIoH0Uboa48fbIA/I+rVv40aFt4temp2SaR2aOT4nGoSZC8uVq4dqHeENfcj PxKx2ZpeFIpy9rUd/pvEAYfhqorJvgc=;
Received: from [130.129.23.230] (dhcp-17e6.meeting.ietf.org [130.129.23.230])  by waldorf.isode.com (submission channel) via TCP with ESMTPSA  id <UBrpsgBvaMA9@waldorf.isode.com>; Thu, 2 Aug 2012 21:57:24 +0100
X-SMTP-Protocol-Errors: PIPELINING
Message-ID: <501AE972.3010306@isode.com>
Date: Thu, 02 Aug 2012 13:56:18 -0700
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20120614 Thunderbird/13.0.1
To: saag@ietf.org
References: <2299DA40-CFB3-40A0-9747-1D00232FE8DF@juniper.net>
In-Reply-To: <2299DA40-CFB3-40A0-9747-1D00232FE8DF@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [saag] SIDR summary
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 20:56:14 -0000

SIDR WG met on Wednesday morning.

New Unified CPS document was posted which combines CPS for RIRs and CPS 
for RIRs, as they were too similar.

Steve Kent presented Local TA Management document. Suggestion to wait 
for a second implementation before finalizing syntax to be used.

Matt Lepinski presented BGPSEC Protocol document. Special handling of 
duplicates would be needed, because some algorithms (e.g. ECDSA) will 
produce different signatures if applied twice to same data. Also some 
discussion on whether revalidation due to changes in RPKI should or 
should not be coordinated with update processing. General feeling that 
arrival of duplicate update should not cause re-validation of the signature.

Summary of the SIDR interim on last Friday followed. Some lovely 
discussion on scaling of SIDR systems, what the target(s) for testing 
should be, how and what to test. It looks like rsync-based 
implementations have some scaling issues, so the WG should start 
discussing if something better can be used in the future (BitTorrent? 
Something HTTP based?)

Presentation on Multiple Publication Points. This changes syntax to list 
multiple. Some disagreement in the room about whether this is actually 
needed. More discussion needed on the mailing list.

Presentation of grandparenting by Randy Bush. Some questions about how 
this is different from just signing on behalf of direct children (they 
differ in a type of legal relationship). The document describes some 
cases when this is needed operationally.
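
The duplicate-handling point in the BGPSEC discussion above, as an added example that is not part of this report or of any SIDR document: Go code (standard library only) that signs the same update twice with ECDSA P-256 over SHA-256, the combination the BGPSEC algorithm profile specifies, shows that the two signatures differ while both verify, and identifies an update by the bytes that were signed rather than by the signature bytes, so a duplicate of an already-validated update does not trigger another signature check. The `signedUpdate` type, the payload string and the `validator` cache are constructed for illustration and are not the BGPSEC wire format or any router's implementation.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// signedUpdate is a stand-in for a BGPSEC-style update: the bytes that were
// signed plus the signature over them. Constructed for this example; it is
// not the BGPSEC wire format.
type signedUpdate struct {
	payload []byte
	sig     []byte
}

// newSigningKey generates a P-256 key; with SHA-256 this is the pairing the
// BGPSEC algorithm profile specifies.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signUpdate signs the SHA-256 digest of payload. SignASN1 draws a fresh
// random nonce on every call, so signing the same payload twice yields two
// different signatures that are both valid.
func signUpdate(priv *ecdsa.PrivateKey, payload []byte) (signedUpdate, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return signedUpdate{}, err
	}
	return signedUpdate{payload: append([]byte(nil), payload...), sig: sig}, nil
}

// verifyUpdate checks the signature against the digest of the payload.
func verifyUpdate(pub *ecdsa.PublicKey, u signedUpdate) bool {
	digest := sha256.Sum256(u.payload)
	return ecdsa.VerifyASN1(pub, digest[:], u.sig)
}

// sameSignature reports whether two updates carry byte-identical signatures.
func sameSignature(a, b signedUpdate) bool { return bytes.Equal(a.sig, b.sig) }

// validator caches verification outcomes keyed by the signed payload, not by
// the signature bytes, so a duplicate of an already-validated update is not
// re-verified. Entries are only meaningful for the key they were checked
// against: when the RPKI state behind that key changes, call reset.
type validator struct {
	pub           *ecdsa.PublicKey
	validPayloads map[[32]byte]bool
	Verifications int // number of signature checks that actually ran
}

func newValidator(pub *ecdsa.PublicKey) *validator {
	return &validator{pub: pub, validPayloads: map[[32]byte]bool{}}
}

// process returns whether the update is acceptable and whether that answer
// came from the cache. Only positive results are cached: a payload that was
// once validly signed is the same data whoever re-sends it, whereas a
// payload that failed must be re-checked because the next copy may carry a
// good signature.
func (v *validator) process(u signedUpdate) (valid bool, cached bool) {
	key := sha256.Sum256(u.payload)
	if v.validPayloads[key] {
		return true, true
	}
	v.Verifications++
	if verifyUpdate(v.pub, u) {
		v.validPayloads[key] = true
		return true, false
	}
	return false, false
}

// reset drops all cached results, e.g. after an RPKI change affecting pub.
func (v *validator) reset() { v.validPayloads = map[[32]byte]bool{} }

func main() {
	priv, err := newSigningKey()
	if err != nil {
		panic(err)
	}
	payload := []byte("AS64496 AS64497 10.0.0.0/24") // constructed sample update
	first, _ := signUpdate(priv, payload)
	second, _ := signUpdate(priv, payload)
	fmt.Println("signatures identical:", sameSignature(first, second))
	v := newValidator(&priv.PublicKey)
	for _, u := range []signedUpdate{first, second} {
		ok, cached := v.process(u)
		fmt.Printf("valid=%v cached=%v checks=%d\n", ok, cached, v.Verifications)
	}
}
```

The cache is deliberately scoped to one public key and cleared by `reset`; that is the same question the report raises about whether revalidation after RPKI changes should be coordinated with update processing, and a cache keyed on payload alone without that scoping would keep accepting updates after the signer's certificate had been revoked.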


From turners@ieca.com  Thu Aug  2 14:10:37 2012
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3E29C11E814E for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 14:10:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.036
X-Spam-Level: 
X-Spam-Status: No, score=-102.036 tagged_above=-999 required=5 tests=[AWL=0.229, BAYES_00=-2.599, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xlyq-c5kXqgg for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 14:10:31 -0700 (PDT)
Received: from gateway08.websitewelcome.com (gateway08.websitewelcome.com [67.18.66.17]) by ietfa.amsl.com (Postfix) with ESMTP id 126CD11E814B for <saag@ietf.org>; Thu,  2 Aug 2012 14:10:31 -0700 (PDT)
Received: by gateway08.websitewelcome.com (Postfix, from userid 5007) id 4378DDA83F9D1; Thu,  2 Aug 2012 16:10:22 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway08.websitewelcome.com (Postfix) with ESMTP id 3873FDA83F994 for <saag@ietf.org>; Thu,  2 Aug 2012 16:10:22 -0500 (CDT)
Received: from [209.20.186.192] (port=52573 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <turners@ieca.com>) id 1Sx2ey-0006uk-Vh for saag@ietf.org; Thu, 02 Aug 2012 16:10:21 -0500
Message-ID: <501AECB9.5010405@ieca.com>
Date: Thu, 02 Aug 2012 14:10:17 -0700
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: saag@ietf.org
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: (thunderfish.local) [209.20.186.192]:52573
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 5
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Subject: [saag] Updated SAAG Agenda/Status slides uploaded EOM
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 21:10:37 -0000


From jhildebr@cisco.com  Thu Aug  2 15:36:20 2012
Return-Path: <jhildebr@cisco.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA2B921F8B6F for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 15:36:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.449
X-Spam-Level: 
X-Spam-Status: No, score=-10.449 tagged_above=-999 required=5 tests=[AWL=-0.150, BAYES_00=-2.599, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TtiIAELvZQKl for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 15:36:20 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) by ietfa.amsl.com (Postfix) with ESMTP id EAF3321F8421 for <saag@ietf.org>; Thu,  2 Aug 2012 15:36:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=546; q=dns/txt; s=iport; t=1343946980; x=1345156580; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=0pMyT5R9oT5zcSKNbAvqaFUTLhb5xMibT8R5vf9y4Wo=; b=dsgI1ufalUdIy1K58EEqQYzDCMP71vnZRZ3V4nF4U3wqSGl0D25aGZ45 PRbtnUn5MNOAWA7WgnwN6EiLmOzHde4kBRJ1Gk8tSCn6KTnP+7j/QyfGb ox/daq6Kk/pKPUp8+JNzMAGCOaHetyD4ppp1bZoyberNwPNNQRi4jmcS8 k=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AiEFAI3/GlCtJXHA/2dsb2JhbABFhTSzZ4EHgicSAXgBgQAnBDWHawubUIEooEaSTgOIGI0vgRSNE4Fmgl8
X-IronPort-AV: E=Sophos;i="4.77,703,1336348800"; d="scan'208";a="105026397"
Received: from rcdn-core2-5.cisco.com ([173.37.113.192]) by rcdn-iport-9.cisco.com with ESMTP; 02 Aug 2012 22:36:19 +0000
Received: from xhc-rcd-x02.cisco.com (xhc-rcd-x02.cisco.com [173.37.183.76]) by rcdn-core2-5.cisco.com (8.14.5/8.14.5) with ESMTP id q72MaJbm024374 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL) for <saag@ietf.org>; Thu, 2 Aug 2012 22:36:19 GMT
Received: from xmb-rcd-x10.cisco.com ([169.254.15.184]) by xhc-rcd-x02.cisco.com ([173.37.183.76]) with mapi id 14.02.0298.004; Thu, 2 Aug 2012 17:36:19 -0500
From: "Joe Hildebrand (jhildebr)" <jhildebr@cisco.com>
To: "saag@ietf.org" <saag@ietf.org>
Thread-Topic: =?iso-8859-1?Q?pr=E9cis_WG_status?=
Thread-Index: AQHNcP87nF9PXFeBU02Sc8DlIlhc1w==
Date: Thu, 2 Aug 2012 22:36:17 +0000
Message-ID: <CC404EEF.1C1E3%jhildebr@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [10.21.74.15]
x-tm-as-product-ver: SMEX-10.2.0.1135-7.000.1014-19082.000
x-tm-as-result: No--23.313800-8.000000-31
x-tm-as-user-approved-sender: No
x-tm-as-user-blocked-sender: No
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <62C9DE8977B1F246B443273C0D958BCA@cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: [saag] =?iso-8859-1?q?pr=E9cis_WG_status?=
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Aug 2012 22:36:21 -0000

Précis met Wednesday afternoon.  Discussions relevant to Security included:

- What to do with whitespace in usernames
- What to do with codepoints commonly mapped to nothing in usernames
- Switching the order of canonicalization and checking for prohibited
codepoints
- How to deal with case-folding in a context-sensitive (e.g. xml:lang) way

I'm not the chair, so I'm not going to report on where there was
consensus, but there are comprehensive notes here:

http://tools.ietf.org/wg/precis/minutes


-- 
Joe Hildebrand




From Jeff.Hodges@KingsMountain.com  Thu Aug  2 18:22:38 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D58CF21F87E7 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 18:22:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.495
X-Spam-Level: 
X-Spam-Status: No, score=-100.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553,  RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rq02GbsIKjiO for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 18:22:38 -0700 (PDT)
Received: from oproxy9.bluehost.com (oproxy9.bluehost.com [IPv6:2605:dc00:100:2::a2]) by ietfa.amsl.com (Postfix) with SMTP id 2E30521F855E for <saag@ietf.org>; Thu,  2 Aug 2012 18:22:38 -0700 (PDT)
Received: (qmail 9841 invoked by uid 0); 3 Aug 2012 01:22:37 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy9.bluehost.com with SMTP; 3 Aug 2012 01:22:36 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=9Q9SGJNbsvb+54tjMqnicjSiVO1SoA7HCSBU7alcS00=;  b=E4XsUJ5Cy7PY9nWpQcWuWIYOp0E8A/rWWaOksAz8eYRuxt2y0M0lgfjZMLMR3QjV78wgpWyJWkyWF4GWRFWvZ9qbHaXh48kTO2CfZeBexmclvAEUYB6CX8Zh52RQl6Eo;
Received: from [130.129.86.152] (port=50423) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1Sx6b5-000479-Je; Thu, 02 Aug 2012 19:22:35 -0600
Message-ID: <501B27D8.6020109@KingsMountain.com>
Date: Thu, 02 Aug 2012 18:22:32 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: IETF PKIX WG <pkix@ietf.org>,  IETF Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.86.152 authed with jeff.hodges+kingsmountain.com}
Subject: [saag] fyi: CA/Browser Forum (CABF) reform deliberations + Revocation and TLS/SSL Replacements/Enhancements
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2012 01:22:39 -0000

FYI, as I mentioned in the SAAG session this afternoon and have mentioned on 
these lists before, the CA/Browser Forum (CABF) is entertaining governance 
reforms.

The CABF has decided on four governance proposals on which the members are 
voting. These proposals are listed on the CABF home page here..

   CA/Browser Forum (CABF): Governance Proposals
   Published, Advancing Toward Adoption
   http://cabforum.org/

As noted there, the CABF is soliciting public input (but not votes), and as 
noted in this email message..

   CA/Browser Forum Governance Reform Proposals Published
<http://www.thesecuritypractice.com/the_security_practice/2012/07/cabrowser-forum-governance-reform-proposals-published.html>


..the deadline for CABF members to vote on the proposals is fast approaching: it 
is next Wednesday, Aug 8, 2012.  So get your comments in!


Full Disclosure: One of the four CABF reform proposals is authored by us at 
PayPal (my employer). We have a recent blog post regarding the governance reform 
proposals here..

   CA/Browser Forum Governance Reform Proposals Published (Brad Hill)
<http://www.thesecuritypractice.com/the_security_practice/2012/07/cabrowser-forum-governance-reform-proposals-published.html>


I'm here @ietf-84, feel free to reach out if you have any questions,

=JeffH


From Jeff.Hodges@KingsMountain.com  Thu Aug  2 18:44:17 2012
Return-Path: <Jeff.Hodges@KingsMountain.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 300E711E80B8 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 18:44:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.495
X-Spam-Level: 
X-Spam-Status: No, score=-100.495 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553,  RDNS_NONE=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id curqTetABOz4 for <saag@ietfa.amsl.com>; Thu,  2 Aug 2012 18:44:16 -0700 (PDT)
Received: from oproxy9.bluehost.com (oproxy9.bluehost.com [IPv6:2605:dc00:100:2::a2]) by ietfa.amsl.com (Postfix) with SMTP id 4BFC011E8072 for <saag@ietf.org>; Thu,  2 Aug 2012 18:44:16 -0700 (PDT)
Received: (qmail 13537 invoked by uid 0); 3 Aug 2012 01:44:16 -0000
Received: from unknown (HELO box514.bluehost.com) (74.220.219.114) by oproxy9.bluehost.com with SMTP; 3 Aug 2012 01:44:16 -0000
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=kingsmountain.com; s=default;  h=Content-Transfer-Encoding:Content-Type:Subject:To:MIME-Version:From:Date:Message-ID; bh=/NxsPfMOsEVfZd0SEMtl33e0inv3YwtPkNwVU31MYy8=;  b=vVubcwM3n3erU9ekgVsJhK3MMW+Bl2ReQ3mXKdHylmz78Jr4nsrT80p2EkRbJuqq0EKIfuNenmcVZTm/D03Y1JERRQ+TK4u0weHn9yQOd0Go4q4r8qNMnzUBX+C/++01;
Received: from [130.129.86.152] (port=50549) by box514.bluehost.com with esmtpsa (TLSv1:CAMELLIA256-SHA:256) (Exim 4.76) (envelope-from <Jeff.Hodges@KingsMountain.com>) id 1Sx6w3-0003YC-GS; Thu, 02 Aug 2012 19:44:15 -0600
Message-ID: <501B2CEC.9050508@KingsMountain.com>
Date: Thu, 02 Aug 2012 18:44:12 -0700
From: =JeffH <Jeff.Hodges@KingsMountain.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: IETF PKIX WG <pkix@ietf.org>,  IETF Security Area Advisory Group <saag@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Identified-User: {11025:box514.bluehost.com:kingsmou:kingsmountain.com} {sentby:smtp auth 130.129.86.152 authed with jeff.hodges+kingsmountain.com}
Subject: [saag] fyi: CA/Browser Forum (CABF) reform voting  (corrected)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2012 01:44:17 -0000

[ my apologies, I sent my prior message before it was complete, please forgive 
me, and see below -- note that there's an updated link to the cabforum public 
email message discussing the vote ]

FYI, as I mentioned in the SAAG session this afternoon and have mentioned on 
these lists before, the CA/Browser Forum (CABF) is entertaining governance reforms.

The CABF has decided on four governance proposals on which the members are 
voting. These proposals are listed on the CABF home page here..

   CA/Browser Forum (CABF): Governance Proposals
   Published, Advancing Toward Adoption
   http://cabforum.org/

As noted there, the CABF is soliciting public input (but not votes), and as 
noted in this email message..

   [cabfpub] Replacement Chair and Governance
   <http://cabforum.org/pipermail/public/2012-August/000256.html>


..the deadline for CABF members to vote on the proposals is fast approaching: it 
is next Wednesday, Aug 8, 2012.  So get your comments in!


Full Disclosure: One of the four CABF reform proposals is authored by us at 
PayPal (my employer). We have a recent blog post regarding the governance reform 
proposals here..

   CA/Browser Forum Governance Reform Proposals Published (Brad Hill)
<http://www.thesecuritypractice.com/the_security_practice/2012/07/cabrowser-forum-governance-reform-proposals-published.html>


I'm here @ietf-84, feel free to reach out if you have any questions,

=JeffH


From stephen.farrell@cs.tcd.ie  Fri Aug  3 11:37:59 2012
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CA7A21F8D55 for <saag@ietfa.amsl.com>; Fri,  3 Aug 2012 11:37:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.573
X-Spam-Level: 
X-Spam-Status: No, score=-102.573 tagged_above=-999 required=5 tests=[AWL=0.026, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QD6hp9t1dp-E for <saag@ietfa.amsl.com>; Fri,  3 Aug 2012 11:37:58 -0700 (PDT)
Received: from scss.tcd.ie (hermes.scss.tcd.ie [IPv6:2001:770:10:200:889f:cdff:fe8d:ccd2]) by ietfa.amsl.com (Postfix) with ESMTP id AE39621F8D52 for <saag@ietf.org>; Fri,  3 Aug 2012 11:37:58 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by hermes.scss.tcd.ie (Postfix) with ESMTP id 28C6E1717C8 for <saag@ietf.org>; Fri,  3 Aug 2012 19:37:56 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; h= content-transfer-encoding:content-type:subject:mime-version :user-agent:from:date:message-id:received:received: x-virus-scanned; s=cs; t=1344019075; bh=whTNCol5N9o4cGaryzH7AxiQ 3iDJhRKhkmg6sXnEhes=; b=K3XJTeFxcM65jfCt2VVqP9PNZrUdW/1EZnNS8vGm lVrEq6I8bE1uX/AIryjV81t/CePPILZubEAQNUOggauYRpz5rV0TzHb+8C5qAogR F//69Y57h/3UF6XOZfU1hpYQbxmwWreE+ChkTsVbMo+k+U0fNubxgFgMai3V0O1K 6ZA1BbybhNfkPCrAVQlOo71EgvtN6/z/98JHVE2MrkTpOpQgfTJsxb31yvK0E3ow WGihzWRjxa5EQhZXlgZ+0NGQQYwdiDom69c2l4/pyEzmu2ijoj4mnZYlR4VoOW3d +C0BrKcluHv0Vl8h9okKJeoZTx2orKJpFT9XvV2r6GNQ4A==
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from scss.tcd.ie ([127.0.0.1]) by localhost (scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10027) with ESMTP id 39awbdj5vPTW for <saag@ietf.org>; Fri,  3 Aug 2012 19:37:55 +0100 (IST)
Received: from [IPv6:2001:df8:0:96:8853:ef9b:1b62:6a9b] (unknown [IPv6:2001:df8:0:96:8853:ef9b:1b62:6a9b]) by smtp.scss.tcd.ie (Postfix) with ESMTPSA id 66320171472 for <saag@ietf.org>; Fri,  3 Aug 2012 19:37:55 +0100 (IST)
Message-ID: <501C1A81.8090807@cs.tcd.ie>
Date: Fri, 03 Aug 2012 19:37:53 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 1.4.3
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [saag] draft minutes posted...
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 Aug 2012 18:37:59 -0000

Hiya,

I've posted the draft minutes [1] from yesterday, please send
Sean and me any corrections needed.

Thanks to Olafur for minute-taking and Yoav for jabbering.

Cheers,
S.

[1] http://www.ietf.org/proceedings/84/minutes/minutes-84-saag

From aland@deployingradius.com  Mon Aug  6 21:55:44 2012
Return-Path: <aland@deployingradius.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6137021F85A8 for <saag@ietfa.amsl.com>; Mon,  6 Aug 2012 21:55:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.566
X-Spam-Level: 
X-Spam-Status: No, score=-102.566 tagged_above=-999 required=5 tests=[AWL=0.033, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fFGrnq2IfH50 for <saag@ietfa.amsl.com>; Mon,  6 Aug 2012 21:55:43 -0700 (PDT)
Received: from liberty.deployingradius.com (liberty.deployingradius.com [88.191.76.128]) by ietfa.amsl.com (Postfix) with ESMTP id 3CCA721F85A3 for <saag@ietf.org>; Mon,  6 Aug 2012 21:55:43 -0700 (PDT)
Message-ID: <50209FB2.6040805@deployingradius.com>
Date: Tue, 07 Aug 2012 06:55:14 +0200
From: Alan DeKok <aland@deployingradius.com>
User-Agent: Thunderbird 2.0.0.24 (Macintosh/20100228)
MIME-Version: 1.0
To: "saag@ietf.org" <saag@ietf.org>
X-Enigmail-Version: 0.96.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Subject: [saag] FWIW: Useful little script
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Aug 2012 04:55:45 -0000

  The aaa-doctors have historically tracked and reviewed AAA related
documents.  The tracking can be difficult, as many working groups define
RADIUS or Diameter changes without talking to the RADEXT or DIME working
groups.

  In order to help, I've written a hacky little script.  The goal is to
search WG drafts for references to certain RFCs.  e.g. 2865 (RADIUS).
Ones matching that criteria are selected.  BUT drafts in the RADEXT and
DIME working groups are ignored, as we presume the RADIUS people already
monitor RADIUS drafts.

  The script is available on github:

https://github.com/alandekok/ietf-tech-report

  There's a README with documentation.  Feedback is appreciated.

  Some example output:

$ ./ietf-tech-report -r radius
draft-ietf-dhc-dhcpv6-radius-opt-01               Active	
draft-ietf-softwire-6rd-radius-attrib-05          Active	
draft-ietf-abfab-arch-03                          Active	
draft-ietf-abfab-aaa-saml-03                      Active	
draft-ietf-netmod-system-mgmt-02                  Active	
draft-ietf-abfab-gss-eap-08                       In IESG processing -
ID Tracker state <Approved-announcement to be sent::Point Raised -
writeup needed>	


$ ./ietf-tech-report -r yang
draft-ietf-netmod-routing-cfg-04                  Active	
draft-ietf-netmod-iana-if-type-04                 Active	
draft-ietf-netmod-system-mgmt-02                  Active	
draft-ietf-netmod-interfaces-cfg-05               Active	
draft-ietf-ipfix-configuration-model-11           In IESG processing -
ID Tracker state <RFC Ed Queue>	
draft-ietf-netmod-iana-timezones-00               Active	
draft-ietf-netmod-snmp-cfg-00                     Active	
draft-ietf-netmod-ip-cfg-05                       Active
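
The selection logic described in the message above, as an added Go sketch that is not the script at the GitHub URL (that one is Alan's; this is a stand-alone illustration): a draft is selected when its text cites one of the wanted RFCs in any of the usual forms ("RFC 2865", "RFC2865", "[RFC2865]"), and drafts whose name places them in an excluded working group (here radext and dime) are dropped. The working group is taken from the `draft-ietf-<wg>-...` naming convention; individual submissions have no WG and are never excluded. The `sampleDrafts` corpus below is constructed for this example, and the radext and dime draft names in it are made up, standing in for text the real script fetches.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// rfcRef matches the forms an Internet-Draft uses to cite an RFC:
// "RFC 2865", "RFC2865", or the reference tag "[RFC2865]".
var rfcRef = regexp.MustCompile(`\[?RFC\s?(\d{3,5})\]?`)

// draftWG extracts the working group from an IETF draft name, e.g.
// draft-ietf-dhc-dhcpv6-radius-opt-01 -> "dhc". Individual submissions
// (draft-<person>-...) carry no WG and yield "".
func draftWG(name string) string {
	parts := strings.Split(name, "-")
	if len(parts) < 3 || parts[0] != "draft" || parts[1] != "ietf" {
		return ""
	}
	return parts[2]
}

// referencedRFCs returns the set of RFC numbers cited in a draft's text.
func referencedRFCs(text string) map[string]bool {
	out := map[string]bool{}
	for _, m := range rfcRef.FindAllStringSubmatch(text, -1) {
		out[m[1]] = true
	}
	return out
}

// draftsCiting returns, sorted, the names of drafts that cite any of the
// wanted RFCs and are not owned by one of the excluded working groups.
func draftsCiting(drafts map[string]string, wanted []string, excludeWGs []string) []string {
	excluded := map[string]bool{}
	for _, wg := range excludeWGs {
		excluded[wg] = true
	}
	var hits []string
	for name, text := range drafts {
		if excluded[draftWG(name)] {
			continue
		}
		refs := referencedRFCs(text)
		for _, rfc := range wanted {
			if refs[rfc] {
				hits = append(hits, name)
				break
			}
		}
	}
	sort.Strings(hits)
	return hits
}

// sampleDrafts is a constructed corpus standing in for fetched draft text;
// the radext and dime entries are made-up names used only to show exclusion.
var sampleDrafts = map[string]string{
	"draft-ietf-dhc-dhcpv6-radius-opt-01":      "... carries RADIUS [RFC2865] attributes ...",
	"draft-ietf-softwire-6rd-radius-attrib-05": "... a new RADIUS attribute, see RFC 2865 and RFC 2866 ...",
	"draft-ietf-radext-example-00":             "... updates RFC2865 ...",
	"draft-ietf-dime-example-00":               "... Diameter [RFC6733] ...",
	"draft-ietf-netmod-routing-cfg-04":         "... a YANG [RFC6020] data model ...",
}

func main() {
	for _, d := range draftsCiting(sampleDrafts, []string{"2865", "2866"}, []string{"radext", "dime"}) {
		fmt.Println(d)
	}
}
```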


From wes@hardakers.net  Sat Aug  4 22:46:27 2012
Return-Path: <wes@hardakers.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A059321F86B6 for <saag@ietfa.amsl.com>; Sat,  4 Aug 2012 22:46:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.6
X-Spam-Level: 
X-Spam-Status: No, score=-4.6 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, GB_I_LETTER=-2, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FqDEHiUU0h6i for <saag@ietfa.amsl.com>; Sat,  4 Aug 2012 22:46:27 -0700 (PDT)
Received: from mail.hardakers.net (dawn.hardakers.net [IPv6:2001:470:1f00:187::1]) by ietfa.amsl.com (Postfix) with ESMTP id 0A42121F86AD for <saag@ietf.org>; Sat,  4 Aug 2012 22:46:27 -0700 (PDT)
Received: from localhost (unknown [IPv6:2001:470:1f00:187:8a2:3128:7f27:8afe]) by mail.hardakers.net (Postfix) with ESMTPSA id 43FE6373; Sat,  4 Aug 2012 22:46:25 -0700 (PDT)
From: Wes Hardaker <wes@hardakers.net>
To: "Richard L. Barnes" <rbarnes@bbn.com>
References: <FA7DD1F5-6D06-4397-8879-2F5F6A261A63@gmx.net> <02CB01C6-835D-4C01-B9B7-8D4F525ADCBC@bbn.com>
Date: Sat, 04 Aug 2012 22:46:24 -0700
In-Reply-To: <02CB01C6-835D-4C01-B9B7-8D4F525ADCBC@bbn.com> (Richard L. Barnes's message of "Mon, 30 Jul 2012 13:10:26 -0700")
Message-ID: <0l1ujlopqn.fsf@wjh.hardakers.net>
User-Agent: Gnus/5.130004 (Ma Gnus v0.4) Emacs/23.3 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
X-Mailman-Approved-At: Fri, 10 Aug 2012 08:26:20 -0700
Cc: saag@ietf.org
Subject: Re: [saag] Password Discussion
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 05 Aug 2012 05:46:27 -0000

"Richard L. Barnes" <rbarnes@bbn.com> writes:

> - - - -
> 1. A capital letter.
...
> 20. A lowercase letter.

Finally: The password must be base64 encoded UTF-8 that passes all
internationalization tests we might throw at it.
-- 
Wes Hardaker                                     
My Pictures:  http://capturedonearth.com/
My Thoughts:  http://pontifications.hardakers.net/

From palmer@google.com  Fri Aug 10 15:20:25 2012
In-Reply-To: <4FCF894B.8080002@gondrom.org>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org>
Date: Fri, 10 Aug 2012 15:20:22 -0700
Message-ID: <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
From: Chris Palmer <palmer@google.com>
To: Tobias Gondrom <tobias.gondrom@gondrom.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: Chris Evans <cevans@google.com>, websec@ietf.org, paul.hoffman@vpnc.org, saag@ietf.org, Moxie Marlinspike <moxie@thoughtcrime.org>
Subject: Re: [saag] [websec] Pinning

Hi all,

Resurrecting this ancient thread, and explicitly including Moxie and
Trevor in case they aren't already on any of the relevant mailing
lists.

So ultimately I do think we should decide on either HPKP or TACK, but
that we should make that decision after there has been some real-world
deployment experience with both (or, sadly, real-world non-deployment
of one or both).

Additionally, HPKP and TACK might converge, more or less. I have plans
to publish a new HPKP I-D that borrows some of TACK's pin activation
and expiration ideas, for example.

Additionally, one of the main criticisms of HPKP is that it is tied to
HTTP. I currently don't consider that a huge problem — even though I
consider TACK's TLS-generic-ness a nice benefit — for several reasons:

* HTTPS is the big, important application that we need to secure right now.

* IMAPS and POPS are surely on the list too, right after HTTPS; but
specifying "IPKP" and "PPKP" is likely to be relatively
straightforward once we get HPKP working.

* It's not clear that SMTP over TLS is very beneficial, because you
can't stop delivery due to pin validation failure (or really even
regular old X.509 failure). You could use certificate errors as
soft-fail spam signals, but you can in principle do that now, too,
without explicit pinning. I don't know how much benefit you'd get from
using pin validation failure as a spam signal.

* SSH already has PKP. :)

* The other common application protocols, like SIP, XMPP, and friends,
are likely to also be pretty easy to extend in a manner similar to
HPKP, "IPKP", and "PPKP".

And finally, as Ben Laurie pointed out, there is also Certificate
Transparency. I personally consider the "public log" class of
solutions (of which CT is a leading member, along with Sovereign Keys)
to be The Real Solution. Pinning-like solutions (including HPKP and
TACK) are a good, quick fix — as long as they are quick and simple.


On Wed, Jun 6, 2012 at 9:46 AM, Tobias Gondrom
<tobias.gondrom@gondrom.org> wrote:
> Sean et al.,
>
> <hat="individual">
> I agree with Paul and Yoav and think the coordination between dane and
> websec on HSTS and key-pinning is ok. Both WGs are aware of potential
> coordination issues when mechanisms in both (DNSSEC and HTTP header) will be
> implemented eventually. I don't think we need an operations statement yet.
> Maybe at some point in the future an informational Best Practice or if you
> wish a Std Track can help.
>
> With regards to draft-perrin-tls-tack and draft-ietf-websec-key-pinning, I
> am not so sure about potential conflicts here and whether we need or want
> both.
> </hat>
>
> Best regards, Tobias
>
>
> Ps.:
> <hat="WG chair">
> And on a personal note, one thing I am not so happy about is that I can see
> from the tls-tack draft, that the authors are aware of key-pinning (which is
> nice) and perceive that there would be flaws, yet they chose to not post
> their comments on it to websec nor inform the WG about their new draft.
>
> To make it easier in the future to coordinate the two drafts and possibly
> discuss and decide whether to boil down to one, it might make sense to
> inform websec about draft-perrin-tls-tack and have a discussion about it at
> some point there.
> Just my 5cents.
> </hat>
>
>
>
>
> On 05/06/12 23:01, Paul Hoffman wrote:
>>
>> On Jun 5, 2012, at 2:46 PM, Yoav Nir wrote:
>>
>>>> The similarity of pinning and DANE has been discussed before. DANE
>>>> relies on DNSSEC being deployed, which key-pinning does not.
>>
>> Correct. Further, key-pinning in HTTP only applies to HTTP and relies on
>> the client being able to establish a TLS session using non-key-pinning
>> semantics. Key-pinning in TLS works with any lower-layer protocol and
>> relies on the client being able to establish a TLS session using
>> non-key-pinning semantics.
>>
>>>> Come to think of it, the draft needs a section comparing with DANE, but
>>>> that's for another thread.
>>>>
>>>> draft-perrin-tls-tack seems to tackle the same problem as key-pinning.
>>>> Instead of the pins getting attested to in HTTP headers, you have a special
>>>> public/private key pair, that you use to sign the SPKI from the server
>>>> certificate within a TLS extension. Like key-pinning there's a TOFU
>>>> element here, because the client only learns about the special key when it
>>>> encounters it in a TLS handshake.
>>>>
>>>> The obvious question is why would we need both key-pinning and tack.
>>
>> It would be clearer if you said "both key-pinning in HTTP and key-pinning
>> in TLS (tack)".
>>
>> --Paul Hoffman
>>

From paul.hoffman@vpnc.org  Sat Aug 11 10:57:43 2012
Mime-Version: 1.0 (Apple Message framework v1278)
Content-Type: text/plain; charset=windows-1252
From: Paul Hoffman <paul.hoffman@vpnc.org>
In-Reply-To: <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
Date: Sat, 11 Aug 2012 10:57:42 -0700
Content-Transfer-Encoding: quoted-printable
Message-Id: <A20BCF75-BA32-42CF-80ED-82795D0C586F@vpnc.org>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org> <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
To: Chris Palmer <palmer@google.com>
X-Mailer: Apple Mail (2.1278)
Cc: IETF WebSec WG <websec@ietf.org>, IETF Security Area Advisory Group <saag@ietf.org>, Moxie Marlinspike <moxie@thoughtcrime.org>
Subject: Re: [saag] [websec]   Pinning

On Aug 10, 2012, at 3:20 PM, Chris Palmer wrote:

> Additionally, one of the main criticisms of HPKP is that it is tied to
> HTTP.

I am one of those people who expressed that criticism in the past.
Having said that:

> I currently don't consider that a huge problem — even though I
> consider TACK's TLS-generic-ness a nice benefit — for several reasons:
>
> * HTTPS is the big, important application that we need to secure right now.
>
> * IMAPS and POPS are surely on the list too, right after HTTPS; but
> specifying "IPKP" and "PPKP" is likely to be relatively
> straightforward once we get HPKP working.

Fully agree to both. TACK is more general, but HPKP's specificity is an
advantage for deployability and interoperability, and other TLS-using
application protocols can copy what they need from it when it is
deployed.

> * It's not clear that SMTP over TLS is very beneficial, because you
> can't stop delivery due to pin validation failure (or really even
> regular old X.509 failure). You could use certificate errors as
> soft-fail spam signals, but you can in principle do that now, too,
> without explicit pinning. I don't know how much benefit you'd get from
> using pin validation failure as a spam signal.

Even if you could, the SMTP community hasn't spent much effort and
thinking about the value of TLS failure as spam signals. Until they do,
it is not wise for us to gate our work on them. If they deal with it,
they can then deal with things like pinning issues.

> * SSH already has PKP. :)

And we can learn from that. And from the smiley.

> * The other common application protocols, like SIP, XMPP, and friends,
> are likely to also be pretty easy to extend in a manner similar to
> HPKP, "IPKP", and "PPKP".

Yes.

> And finally, as Ben Laurie pointed out, there is also Certificate
> Transparency. I personally consider the "public log" class of
> solutions (of which CT is a leading member, along with Sovereign Keys)
> to be The Real Solution. Pinning-like solutions (including HPKP and
> TACK) are a good, quick fix — as long as they are quick and simple.

"Here is what I say about them" proposals are orthogonal to "here is
what I say about myself" proposals and should not be confused with each
other.

--Paul Hoffman

From trevp@trevp.net  Sat Aug 11 11:16:04 2012
In-Reply-To: <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org> <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
Date: Sat, 11 Aug 2012 11:16:02 -0700
Message-ID: <CAGZ8ZG0K+R93mQFtmQns0ahSbNqwXv+rSO78nEXNn=UweZqsrg@mail.gmail.com>
From: Trevor Perrin <trevp@trevp.net>
To: Chris Palmer <palmer@google.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: quoted-printable
Cc: Chris Evans <cevans@google.com>, websec@ietf.org, saag@ietf.org, Moxie Marlinspike <moxie@thoughtcrime.org>
Subject: Re: [saag] [websec] Pinning

Hi Chris, all,

On Fri, Aug 10, 2012 at 3:20 PM, Chris Palmer <palmer@google.com> wrote:
> So ultimately I do think we should decide on either HPKP or TACK, but
> that we should make that decision after there has been some real-world
> deployment experience with both (or, sadly, real-world non-deployment
> of one or both).

My 2c: We should keep exploring both TACK and HPKP.  I'd like to see
both proposals fleshed out, so we can do an in-depth comparison.
We'll try to send a draft-01 in a couple weeks.


> Additionally, HPKP and TACK might converge, more or less. I have plans
> to publish a new HPKP I-D that borrows some of TACK's pin activation
> and expiration ideas, for example.

Awesome, looking forward to it.

There's some things you'll have to grapple with (is pin activation
performed for each key individually, or for the keys as a set?  when
is it performed?  etc.)


> Additionally, one of the main criticisms of HPKP is that it is tied to
> HTTP. I currently don't consider that a huge problem — even though I
> consider TACK's TLS-generic-ness a nice benefit — for several reasons:
>
> * HTTPS is the big, important application that we need to secure right now.

Agreed: TACK's TLS-generic-ness is a nice benefit, but a good solution
for HTTPS is more important than reusability.


> * It's not clear that SMTP over TLS is very beneficial, because you
> can't stop delivery due to pin validation failure (or really even
> regular old X.509 failure).

Pinning for MTA-to-MTA SMTP seems useful.  Since receiving MTAs often
have invalid certificates, they're hard to authenticate any other way.
If a sending MTA doesn't want to reject connections on pin failure,
it could run in "warn-only" mode.


> * SSH already has PKP. :)

Not proposing to change that.  But a TACK_Extension *could*,
theoretically, be embedded in non-TLS, non-X.509 protocols...  And
TACK *does* have some nice lifecycle features (activation, break sigs,
generations)...


> And finally, as Ben Laurie pointed out, there is also Certificate
> Transparency. I personally consider the "public log" class of
> solutions (of which CT is a leading member, along with Sovereign Keys)
> to be The Real Solution. Pinning-like solutions (including HPKP and
> TACK) are a good, quick fix — as long as they are quick and simple.

I think pinning is likely to coexist or integrate with future trust systems.

For example, Cert Transparency is cool and would help detect bad
certs, but pinning would prevent their use.  I think sites would want
to deploy pinning even in a CT world.

Also, self-asserted pins like TACK and HPKP can be detected by trust
infrastructure (think Convergence or Google Cert Catalog) which
publishes them for auditors to review and for client apps to download.
So, in a broad sense (pinning, CT, Convergence) are all "public
knowledge" systems which have some similar benefits.

Anyways, quick and simple is always good, but we shouldn't view
pinning as a disposable technology.  (Not that you're saying that, but
just don't want it to be misconstrued).


Trevor
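
To make the lifecycle points raised in this thread concrete (trust on
first use, pin expiry, rotation to a backup key, and the "warn-only"
mode suggested above for MTAs), here is a small client-side pin store.
It is an added illustration, not code from the HPKP or TACK drafts;
the host names, keys and durations are constructed, and the rule that a
host's advertised pin set is only accepted when the chain that carried
it already matches one of the pins is an assumption of this model.

```python
"""Simplified client-side pin store: an added example, not code from the
HPKP or TACK drafts. Hosts, keys and durations below are constructed."""
import hashlib
from dataclasses import dataclass, field


def spki_pin(spki_der: bytes) -> str:
    """A pin is a digest over the SubjectPublicKeyInfo, not the certificate,
    so it survives certificate renewal as long as the key is kept."""
    return hashlib.sha256(spki_der).hexdigest()


@dataclass
class PinEntry:
    pins: frozenset        # acceptable SPKI digests (live key plus backups)
    expires_at: float      # absolute time; pins are not forever


@dataclass
class PinStore:
    enforce: bool = True   # False = warn-only: record the failure, let it through
    entries: dict = field(default_factory=dict)
    warnings: list = field(default_factory=list)

    def validate(self, host: str, chain_spkis: list, now: float) -> bool:
        """Return True if the connection to `host` may proceed."""
        entry = self.entries.get(host)
        if entry is None:
            return True                    # unknown host: TOFU, nothing to check yet
        if now >= entry.expires_at:
            del self.entries[host]         # expired pins are simply forgotten
            return True
        presented = {spki_pin(s) for s in chain_spkis}
        if presented & entry.pins:
            return True                    # some key in the chain matches a pin
        self.warnings.append(f"{host}: chain matches none of the pinned keys")
        return not self.enforce

    def learn(self, host: str, chain_spkis: list, advertised_pins: list,
              max_age: float, now: float) -> bool:
        """Store a host's advertised pins. Assumption of this model: the chain
        that carried the pins must already satisfy them, so that a bogus pin
        set cannot lock the client out of the real site. Returns True if
        the pins were stored."""
        presented = {spki_pin(s) for s in chain_spkis}
        if not presented & set(advertised_pins):
            return False
        if max_age <= 0:
            self.entries.pop(host, None)   # max_age of 0 removes the pin
            return False
        self.entries[host] = PinEntry(frozenset(advertised_pins), now + max_age)
        return True


def demo():
    """Walk one host through first contact, rotation, a bad key, warn-only
    mode and expiry. Returns the outcome of each step."""
    key_a, key_b, key_c = b"spki-A", b"spki-B", b"spki-C"   # constructed stand-ins for DER SPKIs
    store = PinStore(enforce=True)
    t0 = 1_000_000.0
    day = 86400
    # First contact: chain uses key A, host advertises A plus backup B for 30 days.
    store.validate("mail.example", [key_a], t0)
    store.learn("mail.example", [key_a], [spki_pin(key_a), spki_pin(key_b)], 30 * day, t0)
    rotated_ok = store.validate("mail.example", [key_b], t0 + day)      # rotation to backup: fine
    unknown_key = store.validate("mail.example", [key_c], t0 + day)     # unpinned key: refused
    store.enforce = False
    warn_only = store.validate("mail.example", [key_c], t0 + day)       # warn-only lets it through
    expired = store.validate("mail.example", [key_c], t0 + 31 * day)    # pins expired: back to TOFU
    return rotated_ok, unknown_key, warn_only, expired, len(store.warnings)


if __name__ == "__main__":
    print(demo())  # (True, False, True, True, 2)
```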

From jhutz@cmu.edu  Sat Aug 11 15:18:25 2012
From: Jeffrey Hutzelman <jhutz@cmu.edu>
To: Chris Palmer <palmer@google.com>
In-Reply-To: <22134_1344637228_q7AMKQRp022297_CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org> <22134_1344637228_q7AMKQRp022297_CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
Content-Type: text/plain; charset="UTF-8"
Date: Sat, 11 Aug 2012 18:18:18 -0400
Message-ID: <1344723498.15925.63.camel@destiny.pc.cs.cmu.edu>
Mime-Version: 1.0
X-Mailer: Evolution 2.30.3 
Content-Transfer-Encoding: 7bit
Cc: Chris Evans <cevans@google.com>, websec@ietf.org, paul.hoffman@vpnc.org, saag@ietf.org, Moxie Marlinspike <moxie@thoughtcrime.org>, jhutz@cmu.edu
Subject: Re: [saag] [websec] Pinning

On Fri, 2012-08-10 at 15:20 -0700, Chris Palmer wrote:

> * It's not clear that SMTP over TLS is very beneficial, because you
> can't stop delivery due to pin validation failure (or really even
> regular old X.509 failure).

That depends.  Key pinning may not be very interesting for accepting
incoming mail from unknown sources, but it may be very interesting when
TLS is used for communication between cooperating components of an
enterprise mail system, or with an outsourced anti-spam or anti-virus or
backup MX service.  And of course, it's also interesting when TLS is
used to protect authenticated mail submission services -- a user sending
outgoing mail via his ISP probably doesn't want to tell his username and
password to just anyone.

> * SSH already has PKP.


Well, no.  Certainly, SSH clients making a leap-of-faith connection to a
previously unknown host will generally remember that host's public key.
And yes, once a host's public key is known, clients will generally
reject a host that presents a public key other than the one known for
that host.  But then, web browsers do the same thing for leap-of-faith
connections to web servers, when a server has a self-signed certificate
or one signed by an unknown CA.  But while this behavior is common, it
is not required by any standard, not something I'd expect an SSH client
to do when an X.509 certificate is used, and not the same thing as key
pinning.

So in fact, if this gets done at the application layer, it likely will
eventually have to happen for SSH, too.


I would really rather not see a proliferation of application-layer
extensions to handle pinning of the long-term keys used for TLS.  While
I haven't participated in previous discussion on this question, I think
that in the long run this is much better handled at the TLS layer.

That said, there may be a benefit to solving the problem for HTTP at the
HTTP layer, _if_ doing so allows us to get something deployed more
quickly than a TLS-layer solution.

-- Jeff


From fanf2@hermes.cam.ac.uk  Mon Aug 13 07:08:37 2012
Date: Mon, 13 Aug 2012 15:08:31 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Chris Palmer <palmer@google.com>
In-Reply-To: <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
Message-ID: <alpine.LSU.2.00.1208131503550.16775@hermes-2.csi.cam.ac.uk>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org> <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: Chris Evans <cevans@google.com>, websec@ietf.org, paul.hoffman@vpnc.org, saag@ietf.org, Moxie Marlinspike <moxie@thoughtcrime.org>
Subject: Re: [saag] [websec] Pinning

Chris Palmer <palmer@google.com> wrote:
>
> * It's not clear that SMTP over TLS is very beneficial,

It is not beneficial at the moment because it is underspecified - there is
no specification that says which identity to check against the
certificate (mail domain vs. host name), and there are significant
problems with either choice. In practice this has led to most SMTP server
certificates being unvalidatable or containing the wrong name.

See also draft-fanf-dane-smtp for a possible way to sort out this mess.

> because you can't stop delivery due to pin validation failure (or really
> even regular old X.509 failure).

I disagree. You can (and usually have to) stop delivery for DNS failures;
there is no reason why you can't do the same for authentication errors.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Northwest FitzRoy, Sole, Lundy, Fastnet: Southwesterly backing southerly 4 or
5. Moderate, occasionally rough in northwest Fitzroy and west Sole. Rain or
thundery showers. Moderate or good.

From alexey.melnikov@isode.com  Fri Aug 17 05:56:30 2012
Message-ID: <502E3FDB.8060800@isode.com>
Date: Fri, 17 Aug 2012 13:58:03 +0100
From: Alexey Melnikov <alexey.melnikov@isode.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
To: Chris Palmer <palmer@google.com>
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org> <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
In-Reply-To: <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-transfer-encoding: quoted-printable
Cc: Chris Evans <cevans@google.com>, websec@ietf.org, paul.hoffman@vpnc.org, saag@ietf.org, Moxie Marlinspike <moxie@thoughtcrime.org>
Subject: Re: [saag] [websec] Pinning

On 10/08/2012 23:20, Chris Palmer wrote:
> Hi all,
>
> Resurrecting this ancient thread, and explicitly including Moxie and
> Trevor in case they aren't already on any of the relevant mailing
> lists.
>
> So ultimately I do think we should decide on either HPKP or TACK, but
> that we should make that decision after there has been some real-world
> deployment experience with both (or, sadly, real-world non-deployment
> of one or both).
>
> Additionally, HPKP and TACK might converge, more or less. I have plans
> to publish a new HPKP I-D that borrows some of TACK's pin activation
> and expiration ideas, for example.
>
> Additionally, one of the main criticisms of HPKP is that it is tied to
> HTTP. I currently don't consider that a huge problem — even though I
> consider TACK's TLS-generic-ness a nice benefit — for several reasons:
>
> * HTTPS is the big, important application that we need to secure right now.
>
> * IMAPS and POPS are surely on the list too, right after HTTPS; but
> specifying "IPKP" and "PPKP" is likely to be relatively
> straightforward once we get HPKP working.
I am surely hoping there would be no IMAP, POP or SMTP extensions to
address this. IMHO, judging from past experiences of any new
functionality being adopted by IMAP/POP/SMTP, chances of such extensions
being deployed in any reasonable number of email clients any time soon
are close to 0. I think some more generic facility (like a TLS
extension) has a much better chance of success.

Having said that, I think it is OK if an HTTP facility is deployed now
before the TLS extension is finalized.
> * It's not clear that SMTP over TLS is very beneficial, because you
> can't stop delivery due to pin validation failure (or really even
> regular old X.509 failure). You could use certificate errors as
> soft-fail spam signals, but you can in principle do that now, too,
> without explicit pinning. I don't know how much benefit you'd get from
> using pin validation failure as a spam signal.
>


From housley@vigilsec.com  Fri Aug 17 07:33:22 2012
Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C54DF21E804E for <saag@ietfa.amsl.com>; Fri, 17 Aug 2012 07:33:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.373
X-Spam-Level: 
X-Spam-Status: No, score=-102.373 tagged_above=-999 required=5 tests=[AWL=0.225, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s+X5NugjRegH for <saag@ietfa.amsl.com>; Fri, 17 Aug 2012 07:33:21 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id A69FD21E804B for <saag@ietf.org>; Fri, 17 Aug 2012 07:33:21 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id A8608F240B9 for <saag@ietf.org>; Fri, 17 Aug 2012 10:33:29 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id uwlShg3zwpzW for <saag@ietf.org>; Fri, 17 Aug 2012 10:33:13 -0400 (EDT)
Received: from [192.168.1.3] (96-37-2-47.dhcp.sffl.va.charter.com [96.37.2.47]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 49C6BF240BA for <saag@ietf.org>; Fri, 17 Aug 2012 10:33:27 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-48--312906537
Date: Fri, 17 Aug 2012 10:33:17 -0400
References: <D7A0423E5E193F40BE6E94126930C4930B9F8AE33E@MBCLUSTER.xchange.nist.gov>
To: IETF SAAG <saag@ietf.org>
Message-Id: <7F89499D-F257-46B4-A679-E4A9A722A0D8@vigilsec.com>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [saag] Fwd: Comments requested on NIST SP 800-152: A Profile for U. S. Federal Cryptographic Key Management Systems (CKMS)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 17 Aug 2012 14:33:22 -0000

--Apple-Mail-48--312906537
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=windows-1252

Some members of this mail list will be interested in this document.  If
you have comments, please send them directly to the mail address below.

Russ



> From: "Caswell, Sara J." <sara.caswell@nist.gov>
> Date: August 16, 2012 1:43:16 PM EDT
> To: "'housley@vigilsec.com'" <housley@vigilsec.com>
> Subject: Comments requested on NIST SP 800-152: A Profile for U. S.
> Federal Cryptographic Key Management Systems (CKMS)
>
> NIST is developing a Special Publication (SP 800-152) that will be
> entitled "A Profile for U. S. Federal Cryptographic Key Management
> Systems (CKMS)". This Profile will be based on the Special Publication
> 800-130, entitled "A Framework for Designing Cryptographic Key
> Management Systems." The Framework covers topics that should be
> considered by a product or system designer when designing a CKMS and
> specifies requirements for the design and its documentation.  The
> Profile, however, will cover not only a CKMS design, but also its
> procurement, installation, management, and operation throughout its
> lifetime.
>
> An initial draft of the Profile requirements is now available at
> http://csrc.nist.gov/publications/PubsSPs.html for public comment and
> for discussion by participants of the CKM Workshop scheduled for
> September 10-11. Details of the workshop are available at CKM Workshop
> (http://www.nist.gov/itl/csd/ct/ckm_workshop_2012.cfm).
>
> Please provide comments by October 10, 2012 to
> ckmsdesignframework@nist.gov, with "Comments on SP 800-152 Profile
> Requirements" in the subject line.
>


--Apple-Mail-48--312906537--

From tobias.gondrom@gondrom.org  Sat Aug 18 05:03:56 2012
Return-Path: <tobias.gondrom@gondrom.org>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0020521F859F for <saag@ietfa.amsl.com>; Sat, 18 Aug 2012 05:03:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -96.894
X-Spam-Level: 
X-Spam-Status: No, score=-96.894 tagged_above=-999 required=5 tests=[AWL=-1.532, BAYES_00=-2.599, FH_HELO_EQ_D_D_D_D=1.597, FH_HOST_EQ_D_D_D_D=0.765, FM_DDDD_TIMES_2=1.999, HELO_DYNAMIC_IPADDR=2.426, HELO_EQ_DE=0.35, RDNS_DYNAMIC=0.1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T2kMGWK7-XDy for <saag@ietfa.amsl.com>; Sat, 18 Aug 2012 05:03:54 -0700 (PDT)
Received: from lvps176-28-13-69.dedicated.hosteurope.de (lvps176-28-13-69.dedicated.hosteurope.de [176.28.13.69]) by ietfa.amsl.com (Postfix) with ESMTP id A8A7D21F858F for <saag@ietf.org>; Sat, 18 Aug 2012 05:03:45 -0700 (PDT)
Received: (qmail 11476 invoked from network); 18 Aug 2012 14:03:44 +0200
Received: from 94-194-102-93.zone8.bethere.co.uk (HELO ?192.168.1.65?) (94.194.102.93) by lvps176-28-13-69.dedicated.hosteurope.de with ESMTPSA (DHE-RSA-AES256-SHA encrypted, authenticated); 18 Aug 2012 14:03:44 +0200
Message-ID: <502F849F.6040505@gondrom.org>
Date: Sat, 18 Aug 2012 13:03:43 +0100
From: Tobias Gondrom <tobias.gondrom@gondrom.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20120714 Thunderbird/14.0
MIME-Version: 1.0
To: alexey.melnikov@isode.com
References: <31946C2A-4ACD-46D7-8977-49B681204A7B@checkpoint.com> <8E52CEC5-4FEB-4464-AB11-21F1B9208C5C@checkpoint.com> <38489744-05A9-45F0-A752-7F0B9E96E641@vpnc.org> <4FCF894B.8080002@gondrom.org> <CAOuvq20iC817T-9U3zWG7S2Z=uU=G0i6usOT915ky+9FO8_Zwg@mail.gmail.com> <502E3FDB.8060800@isode.com>
In-Reply-To: <502E3FDB.8060800@isode.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
Cc: cevans@google.com, websec@ietf.org, paul.hoffman@vpnc.org, saag@ietf.org, moxie@thoughtcrime.org
Subject: Re: [saag] [websec] Pinning
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 18 Aug 2012 12:03:56 -0000

On 17/08/12 13:58, Alexey Melnikov wrote:
> On 10/08/2012 23:20, Chris Palmer wrote:
>> Hi all,
>>
>> Resurrecting this ancient thread, and explicitly including Moxie and
>> Trevor in case they aren't already on any of the relevant mailing
>> lists.
>>
>> So ultimately I do think we should decide on either HPKP or TACK, but
>> that we should make that decision after there has been some real-world
>> deployment experience with both (or, sadly, real-world non-deployment
>> of one or both).
>>
>> Additionally, HPKP and TACK might converge, more or less. I have plans
>> to publish a new HPKP I-D that borrows some of TACK's pin activation
>> and expiration ideas, for example.
>>
>> Additionally, one of the main criticisms of HPKP is that it is tied to
>> HTTP. I currently don't consider that a huge problem — even though I
>> consider TACK's TLS-generic-ness a nice benefit — for several reasons:
>>
>> * HTTPS is the big, important application that we need to secure 
>> right now.
>>
>> * IMAPS and POPS are surely on the list too, right after HTTPS; but
>> specifying "IPKP" and "PPKP" is likely to be relatively
>> straightforward once we get HPKP working.
> I am surely hoping there would be no IMAP, POP or SMTP extensions to 
> address this. IMHO, judging from past experiences of any new 
> functionality being adopted by IMAP/POP/SMTP, chances of such 
> extensions being deployed in any reasonable number of email clients 
> any time soon are close to 0. I think some more generic facility (like 
> a TLS extension) has much better chance of success.
>
> Having said that, I think it is Ok if an HTTP facility is deployed now 
> before the TLS extension is finalized.

<hat="individual">
I agree with Alexey on both: chances of deployment in email clients is 
unclear and that it is ok to get an HTTP facility deployed.

>> * It's not clear that SMTP over TLS is very beneficial, because you
>> can't stop delivery due to pin validation failure (or really even
>> regular old X.509 failure). You could use certificate errors as
>> soft-fail spam signals, but you can in principle do that now, too,
>> without explicit pinning. I don't know how much benefit you'd get from
>> using pin validation failure as a spam signal.
>>
>


From turners@ieca.com  Sun Aug 19 14:22:34 2012
Return-Path: <turners@ieca.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 434AA21F8602 for <saag@ietfa.amsl.com>; Sun, 19 Aug 2012 14:22:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.353
X-Spam-Level: 
X-Spam-Status: No, score=-101.353 tagged_above=-999 required=5 tests=[AWL=-0.577, BAYES_05=-1.11, IP_NOT_FRIENDLY=0.334, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kH3F9nnDXv2T for <saag@ietfa.amsl.com>; Sun, 19 Aug 2012 14:22:33 -0700 (PDT)
Received: from gateway13.websitewelcome.com (gateway13.websitewelcome.com [67.18.94.12]) by ietfa.amsl.com (Postfix) with ESMTP id 9E8A421F85F4 for <saag@ietf.org>; Sun, 19 Aug 2012 14:22:33 -0700 (PDT)
Received: by gateway13.websitewelcome.com (Postfix, from userid 5007) id 15A66E9741BB1; Sun, 19 Aug 2012 16:22:34 -0500 (CDT)
Received: from gator1743.hostgator.com (gator1743.hostgator.com [184.173.253.227]) by gateway13.websitewelcome.com (Postfix) with ESMTP id 06D4AE9741B70 for <saag@ietf.org>; Sun, 19 Aug 2012 16:22:34 -0500 (CDT)
Received: from [108.18.174.220] (port=60067 helo=thunderfish.local) by gator1743.hostgator.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.77) (envelope-from <turners@ieca.com>) id 1T3Cx6-00067N-RV; Sun, 19 Aug 2012 16:22:32 -0500
Message-ID: <50315918.5010802@ieca.com>
Date: Sun, 19 Aug 2012 17:22:32 -0400
From: Sean Turner <turners@ieca.com>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:14.0) Gecko/20120713 Thunderbird/14.0
MIME-Version: 1.0
To: saag@ietf.org, pkix@ietf.org
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - gator1743.hostgator.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - ieca.com
X-BWhitelist: no
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Source-Sender: (thunderfish.local) [108.18.174.220]:60067
X-Source-Auth: sean.turner@ieca.com
X-Email-Count: 4
X-Source-Cap: ZG9tbWdyNDg7ZG9tbWdyNDg7Z2F0b3IxNzQzLmhvc3RnYXRvci5jb20=
Subject: [saag] new mailing list: wpkops
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 19 Aug 2012 21:22:34 -0000

A new non-working group mailing list has been created and subscription 
information can be found at:

https://www.ietf.org/mailman/listinfo/wpkops

The purpose of the mailing list is to discuss the following topics:

- How the Web PKI currently works
- Shortcomings and failure modes of the current Web PKI
- Future evolution of Web PKI
- Advice to those developing Web PKI clients

If you were at the SAAG session at IETF 84 [1], you might remember that 
we talked about having a BoF at IETF 85 to consider formation of a 
Working Group on one or more of these topics.  For that reason, 
discussion in the immediate future should probably focus on the scope 
and objectives of such a Working Group.

[1] http://www.ietf.org/proceedings/84/slides/slides-84-saag-0.pdf

Cheers,

Stephen and Sean

From housley@vigilsec.com  Tue Aug 21 06:50:24 2012
Return-Path: <housley@vigilsec.com>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C983C21F867C for <saag@ietfa.amsl.com>; Tue, 21 Aug 2012 06:50:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.439
X-Spam-Level: 
X-Spam-Status: No, score=-102.439 tagged_above=-999 required=5 tests=[AWL=0.159, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aQQKzyylsfv6 for <saag@ietfa.amsl.com>; Tue, 21 Aug 2012 06:50:23 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id B784121F85AD for <saag@ietf.org>; Tue, 21 Aug 2012 06:50:23 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id AD9E6111C009; Tue, 21 Aug 2012 09:51:05 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id MqDuIt+uTRIW; Tue, 21 Aug 2012 09:50:17 -0400 (EDT)
Received: from [192.168.1.3] (96-37-2-47.dhcp.sffl.va.charter.com [96.37.2.47]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id BCF63111C001; Tue, 21 Aug 2012 09:50:59 -0400 (EDT)
From: Russ Housley <housley@vigilsec.com>
Content-Type: multipart/alternative; boundary=Apple-Mail-86-30111657
Date: Tue, 21 Aug 2012 09:50:15 -0400
References: <D7A0423E5E193F40BE6E94126930C4930BA181AF0E@MBCLUSTER.xchange.nist.gov>
To: IRTF CFRG <cfrg@irtf.org>, IETF SAAG <saag@ietf.org>
Message-Id: <D101399B-5985-4469-A2D0-22F7E211010D@vigilsec.com>
Mime-Version: 1.0 (Apple Message framework v1084)
X-Mailer: Apple Mail (2.1084)
Subject: [saag] Fwd: NIST Requests Comments on Draft Revision NIST SP 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2012 13:50:24 -0000

--Apple-Mail-86-30111657
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

This is probably of interest to CFRG and SAAG.



> From: "Caswell, Sara J." <sara.caswell@nist.gov>
> Date: August 21, 2012 8:08:59 AM EDT
> To: "'housley@vigilsec.com'" <housley@vigilsec.com>
> Subject: NIST Requests Comments on Draft Revision NIST SP 800-56A,
> Recommendation for Pair-Wise Key Establishment Schemes Using Discrete
> Logarithm Cryptography
>
> NIST announces the release of a draft revision of Special Publication
> 800-56A, Recommendation for Pair-Wise Key Establishment Schemes Using
> Discrete Logarithm Cryptography. SP 800-56A specifies key-establishment
> schemes based on the discrete logarithm problem over finite fields and
> elliptic curves, including several variations of Diffie-Hellman and MQV
> key establishment schemes. The revision is made on the March 2007
> version. The main changes are listed in Appendix D. The document is
> available at
> http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-56-A%20Rev.
>
> Please submit comments to 56A2012rev-comments@nist.gov with "Comments
> on SP 800-56A (Revision)" in the subject line. The comment period closes
> on October 31, 2012.
>


--Apple-Mail-86-30111657--
