Internet Architecture Board

RFC2850

IAB Minutes 2012-08-29

Home»Documents»Minutes»Minutes 2012»IAB Minutes 2012-08-29

Minutes of the 2012-08-29 IAB Teleconference (Tech Chat & Business Meeting)

1. Roll-call, minutes

1.1. Attendance

PRESENT
  • Bernard Aboba (IAB Chair)
  • Jari Arkko
  • Mary Barnes (IAB Executive Director)
  • Marc Blanchet
  • Ross Callon
  • Alissa Cooper
  • Spencer Dawkins
  • Lars Eggert (IRTF Chair)
  • Mat Ford (ISOC Liaison)
  • Russ Housley (IETF Chair)
  • Joel Halpern
  • David Kessens
  • Cindy Morgan (IAB Executive Assistant)
  • Jon Peterson
  • Robert Sparks (IESG Liaison)
  • Dave Thaler
  • Hannes Tschofenig
APOLOGIES
  • Danny McPherson
GUESTS
  • Stephen Farrell
  • Sean Turner

1.2. Meeting Minutes

The minutes of the 2 August 2012 and 15 August 2012 business meetings were approved by the board and will be posted to the IAB website. The minutes of the 25 July 2012 meeting with the IEEE 802 leadership were approved by the board; once the IEEE 802 confirms their approval, the minutes will be posted to the IAB website.

The minutes of the IETF 84 Technical Plenary and the 22 August 2012 business meeting remain under review.

2. Tech Chat: Passwords and Authentication

Sean Turner and Stephen Farrell led the IAB in a discussion of some of the issues surrounding the use of passwords as an authentication method, and some of the alternatives. The following slides were presented:

–Begin Slide Deck #1: Sean Turner & Stephen Farrell–

Slide 1:

 - Passwords are the dominant end-user authentication method.
 - Somewhat frustrating that http-auth schemes aren't being
   specified for http/2.0.

Slide 2:

 - Passwords suck.
 - Seems like every other week some huge password database
   has been breached.
 - People use crappy passwords.
 - People use the same passwords for multiple site/services.
 - People are only as safe as the weakest protections
   implemented by the weakest service.

Slide 3:

 - Passwords will probably never completely go away.
 - We'll probably end up with more than one http-auth solution.
 - We'd like to reduce the rate of growth of password database
   entries.

Slide 4:

 - http/2.0 provides a window of opportunity - we should go
   for it.
 - http-auth is very uncommon (compared to form-based auth)
   but it's a good place to start in the IETF because its
   our protocol and if we do it well the forms-folks will
   copy the pattern.

–End Slide Deck #1: Sean Turner & Stephen Farrell–

Sean reported that the Security Area Directors are trying to organize a BOF at IETF 85 to discuss forming a Working Group to write Experimental RFCs about some of the opportunities provided in HTTP 2.0.

–Begin Slide Deck #2: Hannes Tschofenig–

Slide 1: Authentication - State of the Art
Hannes Tschofenig

Slide 2: Problems

  - Passwords are still in widespread use
  - Users choose to use the same password on multiple sites
  - Users log on to Web sites in insecure environments (e.g., PCs in an 
    Internet café and at the airport)
  - Users give their long-term password away to other Websites and 
    applications to share data

Slide 3: Increased Industry Activity

  - The GSA ICAM as well as the NIST NSTIC project lead to discussions 
    in the industry. 
  - NSTIC vision paper outlines problems with passwords as well as lack 
    of systems offering higher levels of assurance  
  - Examples:
    * GSA ICAM triggered the establishment of Trust Frameworks programs 
      (e.g., Kantara, OIX).
    * NIST workshop on Privacy-Enhancing Technology, see 

http://www.nist.gov/itl/csd/ct/pec-workshop.cfm

    * W3C "Identity in the Browser" Workshop, see 

http://www.w3.org/2011/identity-ws/

    * ISOC's Mapping the Identity Ecosystem 
    * Various NSTIC workshops
    * NIST SP 800-63 lead to improved understanding of the terminology.
    * Increased participation at the Internet Identity Workshop (IIW)

Slide 4: Technological Development #1: Expiry of RSA Patents

  - Deployment of two-factor authentication via HMAC-Based One-time 
    Password (HOTP, RFC 4226) and Time-based One-time Password (TOTP, 
    RFC 6238)
    * Developed by the Initiative for Open Authentication (OATH) and 
      standardized within the IETF
    * By-product of the IETF KEYPROV working group. KEYPROV itself was 
      not very successful since it focused too much on the complex 
      enterprise use case and failed to offer a solution for the Web. 
  - Example:
    * http://code.google.com/p/google-authenticator/ for Android, iOS, 
      and Blackberry, as well as a PAM module.  

Slide 5: Technological Development #2: JavaScript Crypto API

  - JavaScript extensions, which allow cryptographic protocols to be 
    developed, are entering standardization.
    * Widespread usage in Web browsers expected. 
    * For non-browser based environment JavaScript has not found 
      deployment. 
  - If access to the long-term credentials is offered by the API then 
    this could be an extremely powerful mechanism with the potential to 
    replace standardized security protocols.
    * New authentication and key exchange protocols can be rolled out in 
      almost no time (without the need to get agreements from anyone 
      else).
  - W3C Web Cryptography working group, see 

http://www.w3.org/2011/11/webcryptography-charter.html

Slide 6: Technological Development #3: ABFAB

  - The IETF ABFAB working group develops an authentication framework 
    for non-Web based applications utilizing existing technology, namely
    * AAA: RADIUS and Diameter
    * Extensible Authentication Protocol (EAP)
    * GSS-API & SASL
  - Builds on an widely deploy trust fabric. 
  - Challenge: 
    * How many non-HTTP based applications will we see in the future?
    * Is ABFAB suitable for an HTTP-based environment?

Slide 7: Technological Development #4: Delegated Access

  - OAuth was developed to provide delegated access to resources in 
    order to replace password sharing.
  - OAuth now widely in use for Web based applications (e.g., data 
    sharing between different Web applications) as well as for 
    downloadable smart phone applications. 
  - Long-term user credentials are replaced with token/shared secret

Slide 8: Open Issues

  - Web SSO still faces lots of challenges
    * Business models for authentication-only identity provider, i.e., 
      those who do not offer their own applications nor attribute data 
      beyond authentication information, not yet found
    * Attribute sharing introduces privacy challenges
    * Trust framework deployments mostly in the academic community 
      (e.g., research networks) but little to no progress in the 
      consumer Internet sector
    * No widespread usage of high LoAs
  - Web authentication mechanisms still weak
    * Forms-based authentication instead of lower-layer security 
      mechanisms.
    * User involvement leads to phishing problems. 
    * Insecure session management widely used (although proposals are 
      available)

–End Slide Deck #2: Hannes Tschofenig–

3. Affirmation of the Modern Global Standards Paradigm

Bernard reported that the Open Stand website [http://open-stand.org/] has gone live and that the announcement and supporting badge have been posted on the IAB website.

The current proposed plan is to also publish the affirmation as an RFC on the IAB stream. Russ has drafted an internet-draft with the text; Bernard will forward this to the IAB and start a vote to adopt the draft on the IAB stream.

4. Congestion Control Workshop Followup

Spencer reported that he has completed a draft of the minutes from the Congestion Control Workshop and sent them to the workshop mailing list for review.

5. IEEE Update

Spencer reported that he has started working with Dan Romascanu and Pat Thaler on a revision of RFC 4441, and that a conference call has been scheduled for 5 September 2012 to continue the work.

6. IAB Review of “Principles for Unicode Code Point Inclusion in Labels in the DNS”

The IAB Review of draft-iab-dns-zone-codepoint-pples ended on 29 August 2012 with no additional comments received. Bernard will issue an IETF Call for Comments ending on 30 September 2012.

7. IANA Strategy for the I* Meeting

Jari reported that the IANA Evolution Program has been working on developing a strategy regarding the evolution of the IANA protocol parameters function for discussion at the I* Meeting next week. The goal at the I* meeting is to confirm that all parties are in agreement on the basic goals, and then begin developing the path forward.