Minutes of the 2012-08-29 IAB Teleconference (Tech Chat & Business Meeting)
1. Roll-call, minutes
1.1. Attendance
PRESENT
- Bernard Aboba (IAB Chair)
- Jari Arkko
- Mary Barnes (IAB Executive Director)
- Marc Blanchet
- Ross Callon
- Alissa Cooper
- Spencer Dawkins
- Lars Eggert (IRTF Chair)
- Mat Ford (ISOC Liaison)
- Russ Housley (IETF Chair)
- Joel Halpern
- David Kessens
- Cindy Morgan (IAB Executive Assistant)
- Jon Peterson
- Robert Sparks (IESG Liaison)
- Dave Thaler
- Hannes Tschofenig
APOLOGIES
- Danny McPherson
GUESTS
- Stephen Farrell
- Sean Turner
1.2. Meeting Minutes
The minutes of the 2 August 2012 and 15 August 2012 business meetings were approved by the board and will be posted to the IAB website. The minutes of the 25 July 2012 meeting with the IEEE 802 leadership were approved by the board; once the IEEE 802 confirms their approval, the minutes will be posted to the IAB website.
The minutes of the IETF 84 Technical Plenary and the 22 August 2012 business meeting remain under review.
2. Tech Chat: Passwords and Authentication
Sean Turner and Stephen Farrell led the IAB in a discussion of some of the issues surrounding the use of passwords as an authentication method, and some of the alternatives. The following slides were presented:
–Begin Slide Deck #1: Sean Turner & Stephen Farrell–
Slide 1: - Passwords are the dominant end-user authentication method. - Somewhat frustrating that http-auth schemes aren't being specified for http/2.0. Slide 2: - Passwords suck. - Seems like every other week some huge password database has been breached. - People use crappy passwords. - People use the same passwords for multiple site/services. - People are only as safe as the weakest protections implemented by the weakest service. Slide 3: - Passwords will probably never completely go away. - We'll probably end up with more than one http-auth solution. - We'd like to reduce the rate of growth of password database entries. Slide 4: - http/2.0 provides a window of opportunity - we should go for it. - http-auth is very uncommon (compared to form-based auth) but it's a good place to start in the IETF because its our protocol and if we do it well the forms-folks will copy the pattern.
–End Slide Deck #1: Sean Turner & Stephen Farrell–
Sean reported that the Security Area Directors are trying to organize a BOF at IETF 85 to discuss forming a Working Group to write Experimental RFCs about some of the opportunities provided in HTTP 2.0.
–Begin Slide Deck #2: Hannes Tschofenig–
Slide 1: Authentication - State of the Art
Hannes Tschofenig
Slide 2: Problems
- Passwords are still in widespread use
- Users choose to use the same password on multiple sites
- Users log on to Web sites in insecure environments (e.g., PCs in an
Internet café and at the airport)
- Users give their long-term password away to other Websites and
applications to share data
Slide 3: Increased Industry Activity
- The GSA ICAM as well as the NIST NSTIC project lead to discussions
in the industry.
- NSTIC vision paper outlines problems with passwords as well as lack
of systems offering higher levels of assurance
- Examples:
* GSA ICAM triggered the establishment of Trust Frameworks programs
(e.g., Kantara, OIX).
* NIST workshop on Privacy-Enhancing Technology, see
http://www.nist.gov/itl/csd/ct/pec-workshop.cfm
* W3C "Identity in the Browser" Workshop, see
http://www.w3.org/2011/identity-ws/
* ISOC's Mapping the Identity Ecosystem
* Various NSTIC workshops
* NIST SP 800-63 lead to improved understanding of the terminology.
* Increased participation at the Internet Identity Workshop (IIW)
Slide 4: Technological Development #1: Expiry of RSA Patents
- Deployment of two-factor authentication via HMAC-Based One-time
Password (HOTP, RFC 4226) and Time-based One-time Password (TOTP,
RFC 6238)
* Developed by the Initiative for Open Authentication (OATH) and
standardized within the IETF
* By-product of the IETF KEYPROV working group. KEYPROV itself was
not very successful since it focused too much on the complex
enterprise use case and failed to offer a solution for the Web.
- Example:
* http://code.google.com/p/google-authenticator/ for Android, iOS,
and Blackberry, as well as a PAM module.
Slide 5: Technological Development #2: JavaScript Crypto API
- JavaScript extensions, which allow cryptographic protocols to be
developed, are entering standardization.
* Widespread usage in Web browsers expected.
* For non-browser based environment JavaScript has not found
deployment.
- If access to the long-term credentials is offered by the API then
this could be an extremely powerful mechanism with the potential to
replace standardized security protocols.
* New authentication and key exchange protocols can be rolled out in
almost no time (without the need to get agreements from anyone
else).
- W3C Web Cryptography working group, see
http://www.w3.org/2011/11/webcryptography-charter.html
Slide 6: Technological Development #3: ABFAB
- The IETF ABFAB working group develops an authentication framework
for non-Web based applications utilizing existing technology, namely
* AAA: RADIUS and Diameter
* Extensible Authentication Protocol (EAP)
* GSS-API & SASL
- Builds on an widely deploy trust fabric.
- Challenge:
* How many non-HTTP based applications will we see in the future?
* Is ABFAB suitable for an HTTP-based environment?
Slide 7: Technological Development #4: Delegated Access
- OAuth was developed to provide delegated access to resources in
order to replace password sharing.
- OAuth now widely in use for Web based applications (e.g., data
sharing between different Web applications) as well as for
downloadable smart phone applications.
- Long-term user credentials are replaced with token/shared secret
Slide 8: Open Issues
- Web SSO still faces lots of challenges
* Business models for authentication-only identity provider, i.e.,
those who do not offer their own applications nor attribute data
beyond authentication information, not yet found
* Attribute sharing introduces privacy challenges
* Trust framework deployments mostly in the academic community
(e.g., research networks) but little to no progress in the
consumer Internet sector
* No widespread usage of high LoAs
- Web authentication mechanisms still weak
* Forms-based authentication instead of lower-layer security
mechanisms.
* User involvement leads to phishing problems.
* Insecure session management widely used (although proposals are
available)
–End Slide Deck #2: Hannes Tschofenig–
3. Affirmation of the Modern Global Standards Paradigm
Bernard reported that the Open Stand website [http://open-stand.org/] has gone live and that the announcement and supporting badge have been posted on the IAB website.
The current proposed plan is to also publish the affirmation as an RFC on the IAB stream. Russ has drafted an internet-draft with the text; Bernard will forward this to the IAB and start a vote to adopt the draft on the IAB stream.
4. Congestion Control Workshop Followup
Spencer reported that he has completed a draft of the minutes from the Congestion Control Workshop and sent them to the workshop mailing list for review.
5. IEEE Update
Spencer reported that he has started working with Dan Romascanu and Pat Thaler on a revision of RFC 4441, and that a conference call has been scheduled for 5 September 2012 to continue the work.
6. IAB Review of “Principles for Unicode Code Point Inclusion in Labels in the DNS”
The IAB Review of draft-iab-dns-zone-codepoint-pples ended on 29 August 2012 with no additional comments received. Bernard will issue an IETF Call for Comments ending on 30 September 2012.
7. IANA Strategy for the I* Meeting
Jari reported that the IANA Evolution Program has been working on developing a strategy regarding the evolution of the IANA protocol parameters function for discussion at the I* Meeting next week. The goal at the I* meeting is to confirm that all parties are in agreement on the basic goals, and then begin developing the path forward.