Security Area Director: o Jeff Schiller Area Summary reported by Jeff Schiller, MIT and Jim Galvin, TIS The Security Area within the IETF is responsible for development of security oriented protocols, security review of RFCs, development of candidate policies, and review of operational security on the Internet. The Area Director is assisted by a Directorate, an advisory entity with no standards-setting powers. The members of the Security Directorate are as follows: Jeffrey I. Schiller jis@mit.edu Ran Atkinson rja@cisco.com Steve Bellovin smb@research.att.com Steve Crocker crocker@cybercash.com Barbara Fraser byf@cert.org James M. Galvin galvin@tis.com Phil Karn karn@qualcomm.com Steve Kent kent@bbn.com John Linn linn@ov.com Clifford Neuman bcn@isi.edu Rob Shirey rshirey@bbn.com Ted Ts'o tytso@mit.edu In addition to the Directorate, the Security Area is assisted by the Security Area Advisory Group (SAAG). The SAAG is an open group that meets at least once during each IETF meeting as well as electronically via the saag@tis.com mailing list. Send a message to saag-request@tis.com to join the list. During the SAAG meeting, the activities of the Security Area, including the Directorate, are reported and discussed. In addition, the SAAG meeting provides an opportunity for open discussion of security issues. Included below is a summary from those working groups and birds of a feather sessions with security relevant activities to report. The following working groups met during at this IETF meeting: o Authenticated Firewall Traversal o Common Authentication Technology o Domain Name System Security o IP Security o One Time Password Working Group o Public Key Infrastructure (New Working Group) o Web Transaction Security In addition, a BOF was held on Secure Payments (ISPP). Authenticated Firewall Traversal Working Group (AFT) The AFT Working Group works on standardizing aspects of the SOCKS protocol. SOCKS is a mechanism for applications to use a firewall server as a proxy for direct internet services. It permits an organization to install a firewall while still permitting users inside the firewall to make use of internet services that normally would not be permitted to cross the firewall. The AFT Working Group held a brief meeting at the Dallas IETF. The Agenda included the notice of IETF LAST CALL on: draft-ietf-aft-socks-protocol-v5-05.txt draft-ietf-aft-username-password-01.txt Some controversy existed with respect to the draft-ietf-aft-gssapi-02.txt document. There was some concern about REQUIRING draft-myers-auth- sasl-00.txt as the strong authentication method encoding for SOCKS V5. However, consensus prevailed and there was unanimous support for draft- ietf-aft-gssapi-02.txt. There was also a presentation by Marcus Leech and Dave Blob on their implementations of SOCKS V5. Common Authentication Technology Working Group (CAT) The CAT Working Group develops technologies that make it easy for application programmer's and protocol designers to incorporate authentication technology into their products. Its primary focus is to define an IETF Generic Security Services Applications Programming Interface (GSS- API) and to specify different security systems that make use of it. The CAT Working Group met for two sessions in Dallas. Presentations included talks on the SESAME GSS-API mechanism, the Kerberos Single-Use Authentication Mechanism (SAM) draft, Kerberos Public-Key Extensions, IDUP, Simple Authentication and Session Layer (SASL), authorization and delegation control extensions (xgssapi), and GSS-API/Web integration (a work item within the WTS Working Group). Other discussion topics included pending issues on GSS-V2; all known pending issues were closed or triggered action items, and an additional Internet-Draft version is planned for January as a basis for advancement to Proposed Standard. Following active business on Internet-Drafts, a brief summary of Microsoft's adaptation of GSS- API for Windows NT was presented. Note: For detailed information on the technologies referenced above, the reader is encouraged to read the work product documents of the CAT working group (both RFCs and Internet Drafts) available from the IETF Web pages (http://ietf.cnri.reston.va.us). Domain Name System Security Working Group (DNS-SEC) The Domain Name System Security (DNS-SEC) Working Group is adding security services to the Domain Name System (DNS). Its primary focus is to provide authentication and integrity for DNS data. A secondary outcome is likely to be a workable mechanism that uses the DNS to distribute cryptographic keys. The two documents of this working group are ready to go, pending a minor change to what is currently labeled the NULL signature algorithm. The area director will get the documents in early January to consider for publication as Proposed Standards. The majority of the time at this working group meeting was to begin a new work item: secure dynamic update. A list of requirements and desired functionality was developed and a draft proposal is expected in time for the Spring IETF. IP Security Working Group (IPSEC) IPSEC met twice during the Dallas IETF. Shortly after the last IETF (Stockholm) the first documents of the IPSEC Working Group went to proposed standard (RFC1825-1829). These documents define the overall architecture of IP Security as well as defining the IP layer protocol for providing authentication, integrity and confidentiality. At the Dallas IETF 10 implementations of these documents were presented and discussion indicated that at least two others are known. RSA Data Security sponsored a room at the hotel for implementers of the IPSEC documents to perform interoperability testing. At least six implementations that interoperated were demonstrated. At this point we anticipate that the proposed standards will be edited to incorporate implementation experience and we expect to be able to advance them to DRAFT standard in the not so distant future. In addition to reporting on implementation experience, the IPSEC Working Group spent considerable time discussing various proposals for key management (not yet at the level of proposed standard). At least three proposals exist (Photuris, ISAKMP and SKIP). The Area Director is supportive of all three efforts but would prefer to see the IPSEC group converge to one proposal based on an objective review of how the proposals address the already agreed upon requirements for a key management protocol (requirements are documented in previous minutes of the IPSEC Working Group and on the IPSEC mailing list). One Time Password Working Group The One Time Password Working Group met briefly in Dallas. This was the first in-person meeting of the group as a full fledged working group. The most recent OTP draft was turned over to the Security Area Director (immediately prior to the Dallas IETF) for consideration as a Proposed Standard. Phil Servita gave a presentation on his OTP toolkit for UNIX which is freely distributable for non-commercial use. Ran Atkinson and Dan McDonald talked about the NRL OPIE software package which is freely distributable for any purpose under BSD-like terms. Work commenced on a follow-up document to the OTP draft. This document discusses issues beyond the scope of the original draft. Specifically, issues such as defending against certain forms of active attack of specification of how to re-initialize a OTP system are to be part of this document. A call for proposals and discussion on this more recent document was issued with a deadline of January 1 for the first round of discussion. Public Key Infrastructure Working Group (PKIX) The Public Key Infrastructure Working Group (PKIX) is examining ways of using the X.509 and similar public key infrastructures on the Internet. This IETF marked the first official meeting of this working group. The meeting was well-attended (filled a moderate sized room) and the leadership came prepared with several proposals that have already been published as Internet Drafts. Web Transaction Security Working Group The Web Transaction Security Working Group met in Dallas. Some final wording on the requirements document was worked out. Working Group Last Call is expected on the requirements document as soon as a draft is available with the discussed wording in it. Presentations were given by Doug Rosenthal on GSSAPI-WWW, Rohit Khare on PEP and from Alan Schiffman on SHTTP. The working group would like to advance the SHTTP document but first needs to settle some issues. These issues deal with whether to use PEM (RFC1421 style) or MOSS (RFC1848) and how to track the evolution of HTTP itself. Secure Payments BOF A second BOF was held at the Dallas IETF (the first BOF was held in Stockholm). The primary focus of the meeting was whether or not it made sense for the IETF to charter a working group in this area given the interests of the major bank card companies and the recent involvement of ANSI. The consensus of the group was NOT to pursue an effort to develop a merchant- bank payment authorization protocol (this would be a competing effort to what the major players are already working on). There was consensus that the IETF could contribute by defining negotiation mechanisms to decide which payment protocol to use as well as how to encapsulate protocol messages for transport. These are areas that the payment protocol people have not address and in fact have specifically invited the participation of the IETF.