Rough Guide to IETF 90: Strengthening the Internet

The pervasive monitoring revelations over the past year have galvanized the Internet technical community around the topic of Strengthening the Internet (STRINT). The community responded with an Internet Architecture Board (IAB) technical plenary at IETF 88 and a joint IAB/W3C workshop prior to IETF 89 in London. A summary of the workshop is provided in our latest issue of the IETF Journal. The full set of papers and presentations is available at the workshop website. Now is an excellent time to take a quick look at some of the STRINT-related activities that are being discussed this week in Toronto at IETF 90.
The IETF community established consensus that pervasive monitoring is an attack with the publication of RFC 7258, “Pervasive Monitoring Is an Attack”. The next topic to be addressed is terminology. While the topic can seem mundane and frustrating, having a common set of well-understood terms is one of the key factors in a productive discussion leading to community consensus. The Security Area Advisory Group (saag) has been discussing terminology over the last few months, primarily through two drafts. The first draft (draft-dukhovni-opportunistic-security-01) is in the middle of an IETF Last Call. Now is a good time to review and comment on that document. Additionally, there is a more general draft on terminology in the works (draft-kent-opportunistic-security-01).
The Internet Architecture Board (IAB) has established a Security and Privacy Program with three areas of focus: Internet Scale Resilience, Confidentiality, and Trust. Members of this program will hold their first meeting during the week here in Toronto. One of the specific STRINT-related work items for the IAB will be the discussion of the pervasive monitoring threat model based on the draft (
Several working groups are taking a second look at how encryption is used within their protocols. While highlighting each one here is a bit too detailed, keep an eye out for those discussions in the individual working group meetings. One that does deserve mention is the relatively new uta (Using TLS in Applications) Working Group, which is specifically tasked with looking at the use of TLS in applications. This is only their second IETF as a working group.
Also of interest is the IRTF Crypto Forum Research Group (cfrg). With the increased interest in encryption and the desire to have more standards-track cryptographic algorithms, the profile of the cfrg has increased here at IETF. This meeting will focus on ChaCha20 and Poly1305, hash-based signatures, and elliptic curve cryptography.
Beyond the incorporation of more encryption in developing protocols, there is also an effort to review existing RFCs for privacy and pervasive monitoring issues. This is an activity that is looking for additional volunteers and is an excellent way to read some of those old RFCs that you never got around to. The wiki for that activity is:
Finally, the CrypTech project is looking to develop an open hardware cryptographic engine (see our blog post on CrypTech for more information). The leaders of this project will be having another Wednesday lunch meeting to discuss its design and status. This effort could eventually provide a set of open source cryptographic building blocks along with a trustworthy set of tools to be used to build more secure Internet products.
Related Meetings, Working Groups, and BoFs at IETF 90
uta (Using TLS in Applications) WG
Tuesday, 22 July 2014; 900-1130
IRTF cfrg (Crypto Forum Research Group)
Wednesday, 23 July 2014; 1300-1500