Wrapping up the series of Rough Guide posts for IETF 93 is our focus on Trust, Identity, and Privacy. ISOC has been working over the past six years in these areas, and each subsequent IETF has seen advancing work and progress being made on multiple fronts. IETF 93 is no exception.
During IETF 92, I mentioned a new mailing list that was created to discuss vectors of trust, a potential replacement for NIST SP 800-63. For this meeting, there has been a preliminary draft published (https://tools.ietf.org/html/draft-richer-vectors-of-trust-00), and an informal meeting is being organized to discuss it. The meeting will be held on Wednesday, 22 July 2015 at 7:45 pm in the Florenc Room. The impetus for this mailing list came out of an ISOC-sponsored workshop this past September. It is hoped that these discussions will lead to further consensus on concepts around trust and levels of assurance. Monitor the mailing list for details. This is a great opportunity to get involved in a potential IETF activity at a very early stage.
Next, the W3C Privacy Interest Group (PING) (https://www.w3.org/Privacy/) will again be meeting face-to-face alongside IETF on Thursday, 23 July 2015 in the Rokoska room between 11:30 and 13:00. The main topic will be the draft TAG privacy and security questionnaire: https://w3ctag.github.io/security-questionnaire/. Please join the meeting if you have an interest in privacy on the Web and would like to help develop better privacy features in Web standards.
As for the IETF, there are several ongoing working groups addressing relevant topics in this space. We are particularly interested in a number of activities around the Web PKI at this meeting. First, there is a new draft outlining both the technical and non-technical issues associated with the current Web PKI system (https://tools.ietf.org/html/draft-housley-web-pki-problems-00). This draft will be considered within the context of the IAB Security and Privacy Program. There has also been interest expressed in the draft outside the IAB, so I look forward to some quality hallway conversations on this document.
The newly formed Automated Certificate Management Environment (acme) working group is working to lower the barrier to deployment of certificates for the Web PKI. In particular, the acme working group is looking for ways to automate certificate issuance, validation, revocation and renewal. The agenda for this meeting includes the protocol, use cases, and suggested changes to JWS Signing Input Options.
Certificate Transparency continues to show promise as one mechanism to improve trust in the infrastructure. The Web PKI certificate infrastructure continues to be a source of trust-related operational issues in the Internet. The primary effort of the trans (Public Notary Transparency) working group is the generation of a standards track version of the experimental RFC 6962 on Certificate Transparency. The primary focus of this week’s discussion will be resolution of issues on the update to RFC 6962. Additional topics for this week’s agenda include a threat analysis, client behavior, and the gossip protocol.
Finally, a rough guide entry doesn’t seem complete without mention of the oauth WG. The oauth (Web Authorization Protocol) working group has a full agenda for its Wednesday evening meeting based around its continuing work on proof-of-possession security assertions, token introspection, and token exchange, among others.
As you can see, the IETF is devoting a significant amount of time and energy to efforts related to trust, identity, and privacy. There is plenty to follow and contribute to in this space.
Related Meetings, Working Groups, and BOFs at IETF 93:
ace (Authentication and Authorization for Constrained Environments) BOF
Wednesday, 22 July 2015; 0900-1130, Karlin I/II
acme (Automated Certificate Management Environment) WG
Thursday, 23 July 2015; 1520-1720, Congress Hall III
oauth (Web Authorization Protocol) WG
Wednesday, 22 July 2015, Athens/Barcelona
trans (Public Notary Transparency) WG
Thursday, 23 March 2015, 1740 – 1910, Karlin III
There’s a lot going on in Prague, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf93.