Welcome to the last installment of the IETF 96 Rough Guide! This post focuses on the IETF 96 activities related to improving trust in the Internet. Key to this trust is the ability to establish and maintain accurate identity while preserving privacy. As one might expect, there is a great deal of activity in this space in the IETF.
First, there is one BoF related to trust. This is a continuation of a BoF from IETF 95. The Limited Use of Remote Keys (lurk) BoF is looking at the problem caused by the increasing separation of the content provider from the network delivery. In this case, the content provider does not necessarily want to give their private key to the network service provider hosting their content. Generally speaking, sharing private keys is a bad idea. Thus far the “offload TLS without giving the CDN my private key” use case is of particular interest. This is a working-group-forming BoF that will discuss the use cases, certificate delegation, a potential protocol, and a proposed charter for a new working group.
Next, the W3C Privacy Interest Group (PING) will again be meeting face-to-face alongside IETF on Thursday, 21 July in the Schinkel 3 room between 12:30 and 14:00. The meeting is BYOL (Bring Your Own Lunch), but it is an excellent chance to meet up with your fellow privacy enthusiasts. Please join the meeting if you have an interest in privacy on the Web and would like to help develop better privacy features in Web standards.
As for the IETF working groups, there are several ongoing working groups investigating relevant topics in this space. Some of the ones that will meet at IETF 96 are highlighted below.
The Automated Certificate Management Environment (acme) working group is working to lower the barrier to deployment and management of certificates for the Web PKI. Currently, the verification of domain names in a certificate is done using a set of manual mechanisms. The acme WG is working to automate the process of issuance, validation, revocation and renewal of certificates. This meeting will focus almost exclusively on maturing the current document and resolving the issues documented in the issue tracker. This working group is also tied to the Let’s Encrypt certificate authority, which is striving to lower the barriers to certificate usage from both a cost and a complexity perspective.
The Authentication and Authorization for Constrained Environments (ace) working group is focused on the increasingly complex Internet of Things (IoT) space (see our separate post on the IoT). The bulk of the discussion this week will focus on resolving open issues with the draft on using OAuth 2.0 for IoT authorization. Additional topics this week include CBOR web tokens, a profile of ACE, and privacy-enhanced tokens for authentication.
The Web Authorization Protocol (oauth) working group has been working for quite some time on a suite of documents that enables a user to grant a third party access to protected resources without sharing the user’s long-term credentials. The working group has completed a long list of RFCs. This week’s meeting will start with a summary from the recent OAuth security workshop. Additional topics include OAuth 2.0 token exchange, discovery, mix-up mitigation, proof-of-possession, device flow, and the use of OAuth for native apps. OAuth is a key component of online identity systems and is being leveraged in the ongoing OpenID Connect work. In addition, there is going to be a side meeting on Tuesday evening at 6:30pm to discuss OAuth security topics including fragmentation, redirectors, injection, code phishing, containment, and authentication.
The Open Specification for Pretty Good Privacy (openpgp) Working Group originally completed its work in 2008, providing a solution for object encryption, object signing, and identity certification (RFC 4880). Recently it has become clear that it was time to produce an update to RFC 4880, and the OpenPGP working group was reinstated to do that work. This revision will consider inclusion of the elliptic curves recommended by the Crypto Forum Research Group (CFRG), a symmetric encryption mechanism that offers modern message integrity protection, an update to the mandatory-to-implement algorithm selection, deprecation of weak algorithms, and an updated public-key fingerprint mechanism.
As the Internet has evolved, some of the key pieces of infrastructure that we often take for granted need to be reconsidered in light of the current operational environment. Time is a key component of establishing and maintaining trust, and it is often overlooked. The Network Time Protocol (ntp) Working Group has been working on improvements to security for NTP. The NTS (Network Time Security) suite of documents went through a recent WGLC, and based on that a design team has been established to address the input received. One of the things being considered is the use of DTLS to secure NTP. The NTP working group meetings here at IETF 96 promise to have many interesting questions to resolve.
Have a great week here at IETF 96 while you explore all of these trust, identity, and privacy related activities!
Related Meetings, Working Groups, and BOFs at IETF 96:
lurk (Limited Use of Remote Keys) BOF
Monday, 18 July 2016; 18:00 – 20:00 CEST, Potsdam III
ace (Authentication and Authorization for Constrained Environments) WG
Wednesday, 20 July 2016; 10:00 – 12:30 CEST, Bellevue
acme (Automated Certificate Management Environment) WG
Monday, 18 July 2016; 15:40 – 17:40 CEST, Tiergarten
oauth (Web Authorization Protocol) WG
Monday, 18 July 2016; 14:00 – 15:30 CEST, Potsdam II
Wednesday, 20 July 2016; 15:50 – 17:20 CEST, Lincke
openpgp (Open Specification for Pretty Good Privacy) WG
Monday, 18 July 2016; 14:00 – 15:30 CEST, Charlottenburg I
ntp (Network Time Protocol) WG
Monday, 18 July 2016; 19:00 – 20:00 CEST, Tiergarten
There’s a lot going on in Berlin, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see http://dev.internetsociety.org/rough-guide-ietf96.