Internet Architecture Board

RFC2850

Security Program

NOTE: Work in the Security Program was folded into the Privacy and Security Program in May 2014.

Background

The IETF has a long history in developing security protocols and in addressing security early in the protocol design process for all IETF developed protocols. RFC 3552 “Guidelines for Writing RFC Text on Security Considerations” provides guidance for protocol authors. Recently, the available security guidance was enhanced with the publication of RFC 6973 “Privacy Considerations for Internet Protocols”.

While the standardization work is progressing at a satisfactory speed, challenges remain. One challenge is to make the wider Internet community aware of newly developed security mechanisms and to foster widespread deployment of key security technologies. Another challenge is to deal with the ever changing threat landscape.

The changes in the attacker profile can be seen on a number of examples: DigiNotar, a Dutch certificate authority, had a security breach in 2011, and in the same year, a Comodo affiliate was compromised. Both cases led to fraudulent issuance of certificates and raised questions regarding the strength of the Public Key Infrastructure (PKI) used by applications today.
Also in 2011, LulzSec, a hacker group, claimed responsibility for several attacks including the compromise of user accounts from Sony. In the meanwhile breach notifications about millions of stolen user accounts became increasingly common.

News reports about large-scale monitoring of Internet traffic appear on a daily basis. While it has generally been known that there was some interception of specific individuals’ traffic and other targeted monitoring activities, the scale of recently reported monitoring has been a shock to the community. Such large scale monitoring was not envisaged during the design of many Internet protocols. Discussions are ongoing about how the protect the Internet infrastructure against such attacks.

Purpose

This IAB program aims to focus on outreach activities complementing IETF security standardization effort including providing guidance to the IETF community on emerging threats. Developing new security technologies is outside the scope of this program.

 

Membership

IAB members

  • Ted Hardie (Lead)
  • Russ Housley
  • Eliot Lear

Non-IAB members

  • Bernard Aboba
  • Lucy Lynch
  • Sean Turner
  • Stephen Farrell
  • Karen O’Donoghue
  • Hannes Tschofenig

Work Items

 

  • DONE – Recruit persons to participate in the European Commission created Network and Information Security Platform
  • DONE – Verify alignment of IETF JOSE, IETF OAuth, and W3C Crypto API
  • DONE – Set up a WebPKI discussion mailing list. The mailing list can be found at: https://elists.isoc.org/mailman/listinfo/webpki
  • Oct 2013 (starting date) – Circulate information about the WebPKI discussion list to NIST workshop participants and other interested parties.
  • Oct 2013 (starting date) – Review document listing solutions for improving the Web PKI and recommend solutions. The work in progress document can be found at: http://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution
  • Nov 2013 – Organize WebPKI meeting at IETF#88 to solicit feedback about the WebPKI solution document.
  • Nov 2013 – Organize IAB Technical Plenary on ‘Internet Hardening’. The plenary announcement can be found here: http://www.ietf.org/mail-archive/web/ietf-announce/current/msg11987.html
  • Feb 2014 – Workshop on Improving the Web Public Key Infrastructure
  • Mar 2014 – Workshop on “Internet Hardening”