Identity, privacy, and encryption continue to be active topics for the Internet Society and the IETF community impacting a broad range of applications. In this Rough Guide to IETF 100 post, I highlight a few of the many relevant activities happening next week in Singapore, but there is much more going on so be sure to check out the full agenda online.
Encryption continues to be a priority of the IETF as well as the security community at large. Related to encryption, there is the TLS working group developing the core specifications, several working groups addressing how to apply the work of the TLS working group to various applications, and the Crypto-Forum Research Group focusing on the details of the underlying cryptographic algorithms.
The Transport Layer Security (TLS) working group is a key IETF effort developing core security protocols for the Internet. This week’s agenda includes both TLS 1.3 and Datagram Transport Layer Security. Additionally, the TLS working group will be discussing connection ID, exported authenticators, protecting against denial of service attacks, and application layer TLS. The TLS working group is very active and, as with all things that are really important, there are many diverse opinions to fill the room.
For those new to TLS, there is a TLS 1.3 tutorial planned for Sunday afternoon in the first tutorial slot. This is an excellent opportunity to get a detailed introduction to the TLS 1.3 protocol from the experts.
Two of the working groups focused on updating crypto algorithms and the use of TLS in IETF protocols are also meeting at IETF 100. The DKIM Crypto Update (dcrup) working group, which is focused on updating the cryptographic aspects of RFC 6376, will have a short. Their first document, Cryptographic Algorithm and Key Usage Update to DKIM, has just been approved and has been moved to the RFC Editor for publication. On the agenda for this meeting will be new cryptographic signature methods for DKIM and defining elliptic curve cryptography algorithms for use with DKIM.
The Using TLS in Applications (UTA) working group has finished a number of documents already, including recommendations for the secure use of TLS and DTLS, use of TLS for XMPP, and the use of TLS server identity check procedures for email. The first part of the meeting will focus on resolving the final IESG comments on the use of TLS for email submission and access. This draft outlines current recommendations for the use of TLS to provide confidentiality of email traffic between a mail user agent and a mail access server. The meeting will also cover open issues on a draft related to Strict Transport Security (STS) for mail (SMTP) transfer agents and mail user agents. Finally, the meeting will address a draft on an option to require TLS for SMTP.
The Network Time Protocol (NTP) working group addresses protocols for the accurate synchronization of clocks on a network. This may seem like a bit of a stretch for a blog post on identity, privacy, and encryption. However, accurate and secure time synchronization turns out to be vitally important for the proper operation of security protocols. The NTP WG has been working on Network Time Security (NTS) which is a significant update for NTP server authentication. In order to make progress, the latest version of this draft reduces the scope of the solution to the client server mode of NTP only. There is a recent IETF Journal article that provides a detailed discussion of the current state of the NTS effort.
The next activity of potential interest to the encryption community is the Crypto Forum Research Group (cfrg). Always a popular session at IETF, this week the CFRG will discuss four drafts, including Re-keying Mechanisms for Symmetric Keys, The Transition from Classical to Post-Quantum Cryptography, a draft SPAKE2, a secure, efficient password based key exchange protocol, and Public Key Exchange.
Moving on from cryptography and encryption, the next set of IETF working groups are related to the certificate infrastructure for the Internet, acme and trans.
The Automated Certificate Management Environment (acme) working group is specifying ways to automate certificate issuance, validation, revocation and renewal. The main order of business at this week’s meeting is to discuss the core specification Automatic Certificate Management Environment. This document has been submitted to the IESG for publication, and this meeting will focus on the feedback received to date. The meeting will also discuss automatic certificate management for telephony (https://datatracker.ietf.org/doc/draft-ietf-acme-telephone/, https://datatracker.ietf.org/doc/draft-ietf-acme-service-provider/) and email (draft-ietf-acme-email-tls-01 and draft-ietf-acme-email-smime-01 ) along with Short-Term, Automatically-Renewed (STAR) Certificates.
The second certificate related working group is the Public Notary Transparency (trans) working group. It has been working since 2014 to improve the confidence of users in the Web PKI. The underlying premise of this work is to create transparent logs of certificates so that improperly issued certificates can be detected. That which is transparent can be observed and monitored for unexpected behavior. The core document has been submitted to the IESG, and this meeting will discuss resolution of open issues from the AD review. The threat analysis needs some minor enhancements before restarting the WGLC. The Gossiping in CT document has been submitted to the IESG, and the working group needs to address initial AD feedback. Finally, the working group will discuss name redaction (https://datatracker.ietf.org/doc/draft-strad-trans-redaction/, https://www.ietf.org/internet-drafts/draft-ito-yet-another-name-redaction-00.txt ) to improve privacy.
Authentication and Authorization
From the certificate infrastructure, we move next to authentication and authorization and the set of related working groups tackling those issues for the IETF.
Anyone with an interest in the Internet of Things (IoT), will be interested in the Authentication and Authorization for Constrained Environments (ace) working group. This working group is working to develop standardized solutions for authentication and authorization in constrained environments. They published a use cases document last year, and this week’s agenda includes discussion of existing working group documents on authentication and authorization for constrained environments, a DTLS profile for ACE, a CBOR Web Token (CWT), and an architecture for authorization in constrained environments. In addition, there will be discussion of a number of new drafts for working group consideration. You might also want to check out the Internet of Things Rough Guide post for more on IoT.
The Web Authorization Protocol (oauth) working group has been working for years on mechanisms that allow users to grant access to web resources without necessarily compromising long term credentials or even identity. It has been a very prolific working group with around 15 RFCs published to date. IETF 100 will be another busy week for those interested in this area including sessions on both Tuesday and Wednesday. Agenda items for these two sessions include a mutual TLS profile, token binding, JWT best practices, device flow, discovery, token exchange, and incremental authorization.
There are two additional working groups meeting this coming week that are related to the OAUTH work. The first is the Token Binding (TOKBIND) working group that is tasked with specifying a token binding protocol and specifying the use of that protocol with HTTPS. A number of the group’s core documents have been submitted to the IESG (https://datatracker.ietf.org/doc/draft-ietf-tokbind-https/, https://datatracker.ietf.org/doc/draft-ietf-tokbind-negotiation/, and https://datatracker.ietf.org/doc/draft-ietf-tokbind-protocol/). Preliminary feedback from the Area Director (AD) will be discussed. This working group works in collaboration with the TLS, HTTPbis and OAUTH WGs and with the W3C webappsec WG.
Also related to OAUTH, the Security Events (SECEVENT) working group is working on an Event Token specification that includes a JWT extension for expressing security events and a syntax for communicating the event-specific data. This is a fairly new WG, formally chartered in January 2017. The meeting this week will discuss the token specification, token delivery, stream management and provisioning, and a management API.
For the security crowd, no IETF week is complete without the Security Area Advisory Group (SAAG) meeting. This meeting features a quick run through all the working groups doing security related work in the IETF across all areas, a set of short talks, and an open session to bring issues and topics forward from the community. This week will have one invited talk on Inter-domain DDoS mitigations: potentials, challenges, and solutions. The remaining time will be spent on an experiment, called secdispatch, where proposals for new work will be discussed.
Also, don’t forget the IETF Hackathon which is held the weekend before the IETF. This IETF Hackathon has several projects of interest including continuing work on TLS 1.3 testing and interoperability, the HTTP status code 451, generating certificate requests for short-term automatically-renewed certificates, and distributed denial of service threat signaling. All the potential projects of this rendition of the IETF Hackathon as listed on the IETF 100 Hackathon wiki site.
Finally, in a continuing effort to connect security researchers and the Internet security standardization community, two topics with active working groups at IETF 100, IoT Security and DNS Privacy, are planning for workshops to be held in conjunction with NDSS 2018. Both the Decentralized IoT Security and Standards (DISS) workshop and DNS Privacy: Increasing Usability and Decreasing Traceability (DNSPRIV) workshop are currently accepting submissions and planning for productive workshops in February 2018. Perhaps something overheard in the halls of IETF 100 would make a good submission.
Join us for another full week for identity, and privacy, and encryption related topics here at IETF 100!
Relevant Working Groups at IETF 100
ace (Authentication and Authorization for Constrained Environments) WG
Tuesday, 14 November 2017, 930 – 1200, Collyer
acme (Automated Certificate Management Environment) WG
Thursday 16 November 2017, 1550 – 1750, Sophia
cfrg (Crypto Forum Research Group)
Wednesday, 15 November 2017, 15:20-16:50, VIP A
dcrup (DKIM Crypto Update)
Wednesday, 15 November 2017, 930-1100, Bras Basah
oauth (Web Authorization Protocol) WG
Tuesday, 14 November 2017, 1550 – 1750, Sophia
Wednesday, 15 November 2017, 1520 – 1650, Orcard
saag (Security Area open meeting)
Thursday, 16 November 2017, 1330-1530, Padang
secevent (Security Events) WG
Monday, 13 November 2017, 1330 – 1530, Bras Basah
tls (Transport Layer Security) WG
Thursday, 16 November 2017, 930 – 1200, Canning
tokbind (Token Binding) WG
Tuesday, 14 November 2017, 1330 – 1530, VIP A
trans (Public Notary Transparency) WG
Monday, 13 November 2017, 1550 – 1720, Orchard
uta (Using TLS in Applications) WG
Wednesday, 15 November 2017, 1330 – 1500, Bras Basah
A lot is going on in Singapore, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Society blog, Twitter, Facebook, or see https://dev.internetsociety.org/events/ietf/ietf-100/.