Minutes of the 2015-01-14 IAB Teleconference (Tech Chat & Business Meeting)
1. Roll-call, agenda-bash, administrivia, minutes
- Jari Arkko (IETF Chair)
- Mary Barnes
- Marc Blanchet
- Alissa Cooper (IESG Liaison)
- Michelle Cotton (IANA Liaison)
- Lars Eggert (IRTF Chair)
- Heather Flanagan (RFC Editor Liaison)
- Mat Ford (ISOC Liaison)
- Ted Hardie
- Joe Hildebrand
- Russ Housley (IAB Chair)
- Eliot Lear
- Xing Li
- Alexey Melnikov (RSOC Chair)
- Cindy Morgan (IAB Executive Administrative Manager)
- Erik Nordmark
- Andrew Sullivan
- Dave Thaler
- Brian Trammell
- Amy Vezza (IETF Secretariat)
- Joel Halpern
- Jonne Soininen (ICANN Liaison)
- Joseph Bonneau
- Michael Kranch
The IAB agreed to add a tech chat on 21 January 2014 with Hannes Tschofenig on smart objects. Mary Barnes will follow up to invite Hannes, and Cindy Morgan will update the IAB internal calendar.
1.3. Meeting Minutes
The IAB approved the minutes of the 7 January 2014 IAB Business Meeting.
2. Tech Chat: HSTS/key pinning
Joseph Bonneau joined the IAB to discuss HSTS/key pinning and Advanced HTTPS features.
Joseph Bonneau and his graduate student Michael Kranch (also attending) presented research that builds on work done at Google about how secure HTTP is in practice. Joseph reported that there are current crypto flaws in TLS relating to HTTPS and the interface between HTTP and TLS or SSL.
Joseph Bonneau discussed how TLS is faster than certificates for security. He also mentioned that 50% of sites don’t use security via HTTPS at all, and others lack the forward secrecy of private keys. At the HTTPS level, the problems are HTTPS stripping and rogue certificates. Some people have tried to deploy HTTPS but ended up downgrading due to incorrect deployment.
Joseph Bonneau first discussed HTTPS stripping. If a browser tries to access a domain over HTTP, but the domain wants to use HTTPS, there is an automatic redirect. An attacker can use that redirect to change the request, which the user may not notice. HSTS (HTTP Strict Transport Security) is the fix for this type of attack. The Firefox and Chrome browsers have included HSTS in the code, but it does not always extend to subdomains. Joseph mentioned that if a browser successfully connects to the server with HTTPS, the browser will cache that policy. The connection is vulnerable to attack only at initial contact.
Dave Thaler asked if anyone was looking at solving this issue using DNS. Joseph Bonneau replied that it was possibly being investigated in DANE, but he is not certain if the issue is actively being worked on. Eliot Lear mentioned that DANE has a dependency on DNSSEC, although some question how strong that dependency is. Ted Hardie replied that with DNSSEC it isn’t clear whether validation is occurring on the client side or the server side. Brian Trammell asked if this was a bootstrapping mechanism that will disappear eventually. Joseph replied that it wasn’t clear, but only the first connection was vulnerable and most search engines and browsers were preloaded with HTTPS and HSTS.
Joseph Bonneau discussed the second problem, rogue certificates. If the user is trying to connect via HTTPS but an attacker has a valid certificate, they can see everything. Users wouldn’t notice the attack. The key pinning, not certificate pinning, works by setting up a policy for a list of pins interpreted as at least one of the key hashes for that domain. A user can pin to a key in their CA certificate. An attacker with a rogue certificate that cannot come up with a key pin would be rejected even if it is signed by a valid CA. A self-signed certificate would also get rejected, even if it matches a key pin.
Dave Thaler asked why a pinned self-signed certificate would be rejected. Joseph Bonneau mentioned that a user can have an exception to say it doesn’t have to be rejected, but it still needs a valid CA signature. Dave noted that if a pinned server certificate is compromised, the user could be attacked. Joseph agreed.
Joseph Bonneau mentioned that as with HSTS, the user has to specify the hashes of keys, and pin to at least two keys because if the user relies on only one key and then lose the key pin, the user would be offline. Additionally, if there is a MITM attack on the first connection, the attackers can break the domain, bricking it for the user.
Joseph Bonneau reported that HSTS has been in use and accepted by all browsers except IE (he noted that he thinks it will be deployed with IE 12). He further reported that about 12,000 domains are trying to set HSTS, 80% for long terms.
Joseph Bonneau mentioned that preloads of domains are now accepted via a website that will crawl the domain, and if it has implemented HSTS correctly, the domain will be added to the preloads in the browser. Key pinning security growth has been slower. Some domains use HSTS, some use key pinning, some do both. Examples Joseph used included Google, Facebook, and Twitter.
Joseph Bonneau reported that the keepers of the preload lists do not have a process to prune the stale, outdated, or obsolete domains. Only about 1% of the top million Alexa domains are using HSTS, and of those, 6% are HTTPS sites that redirect from HTTP. Possibly the reason is that many web administrators don’t know HSTS is available.
Joseph Bonneau mentioned there were two bugs observed. One was mixed content, where pages that use both both HTTPS and HTTP that can be attacked by a MITM. In the case of key pinning, the user has the same problem of connecting to HTTPS with a specified resource not from a pinned domain. Most of Twitter can be hijacked by a hacker with a rogue certificate because of this.
Joseph Bonneau said that, due in part to semantic differences between cookie and key pinning policies, it is possible to open a vulnerability that an attacker could take advantage of, and therefore it was important for web developers to take pains to see that policies, particularly regarding subdomains, are consistent. He noted that a major service had already suffered a problem because of this.
Joseph Bonneau concluded by noting that Web security is difficult for users, and spec writers don’t understand the real constraints. The browser preload lists may be updated frequently, but they are just lists.
3. Monthly Reports
3.1. ISOC Liaison Report
–Begin ISOC Liaison Report, Mat Ford–
Internet Society Liaison Report to the IAB 14 January 2015 Topics: I. Internet encryption and traffic management II. IXP development III. IXP workshops IV. United Nations Commission on Science and Technology for Development V. Organisation for Economic Co-operation and Development VI. W3C Privacy Interest Group I. Internet encryption and traffic management ISOC are working with the IAB and IESG on participating in a GSMA hosted meeting on impacts of Internet encryption on the mobile environment. II. IXP development Equipment has been sent to Thailand to support the soon to be launched Bangkok National Internet Exchange (BKNIX). The launch is anticipated for mid-February and the team there is doing an excellent job with assistance from the community. Cisco, Google, Alcatel and NSRC have all provided support for this work. III. IXP workshops ISOC held a joint IXP workshop in Tunis in collaboration with the ITU‚Äôs Arab regional office and the Arab League. This was the second workshop held in collaboration with the ITU-D. The meeting brought eight countries together to discuss best practices and the impact an IXP can make on local traffic costs and delivery. IXP workshops are in the planning stages for Montenegro (February) and South East Asia (June). Joint work will continue between ISOC and LACNIC to deliver IXP workshops and training in Latin America. Packet Clearing House (PCH) are supporting this work. IV. United Nations Commission on Science and Technology for Development (CSTD) ISOC submitted its comments on the draft CSTD report on Mapping Internet public policy issues. This followed consultations with the IAB and other members of the technical community. A new version of the report will be discussed in May, at the CSTD meeting. The final version will feed into the 2015 WSIS 10 year Review process. V. Organisation for Economic Co-operation and Development (OECD) The Internet Society led the participation of the Internet technical advisory committee (ITAC) at the recent OECD meeting week of the Committee on Digital Economy Policy and its working parties. A large part of the week was devoted to defining the focus areas and future work feeding the 2016 OECD Ministerial on the Digital Economy, to be held in Cancun (Mexico) in late June 2016. ITAC will also have the opportunity to organise a pre-event at the Ministerial. Work is ongoing on the review of the OECD Security Guidelines. ITAC also published a new edition of its newsletter, illustrating positive examples of cooperation between policymakers and the technical community in the OECD context: https://storify.com/ITAC/itac-newsletter-n-4-december-2014 . VI. W3C Privacy Interest Group (PING) PING held its monthly call on 4 December 2014. This call focused on general design principles for the Web regarding data minimisation and identifiers, as well as a discussion of the recent Article 29 Working Party Opinion regarding device fingerprinting. The next call will be on 15 January 2015. PING will be discussing the draft TAG finding on Securing the Web. Link to call summary: http://lists.w3.org/Archives/ Public/public-privacy/2014OctDec/0043.html
–End ISOC Liaison Report, Mat Ford–
3.2. IESG Liaison Report
–Begin IESG Liaison Report, Alissa Cooper–
Recent new working groups: None Recently rechartered working groups: - IP Security Maintenance and Extensions (ipsecme) Current new chartering: - "Archive" Top-Level Media Type (arcmedia) [Internal review] - Domain Boundaries (dbound) [Internal review] Current rechartering: None Pending rechartering: None Recently closed working groups: None Personnel changes: - James Polk has stepped down as co-chair of TSVWG. - Alfred H√∂nes has been replaced by Melinda Shore as co-chair of URNBIS. - Jouni Korhonen has been replaced by Lionel Morand as co-chair of RADEXT. - Ralph Droms stepped down as 6lo co-chair and resumed his role as 6lo Technical Adviser. - Gabriel Montenegro was appointed as 6lo co-chair. - James Woodyatt was appointed as 6lo WG secretary. - Ted Lemon became responsible AD for ANIMA. - Joel Jaeggli became responsible AD for OPSAWG. - Alissa Cooper became responsible AD for LMAP. - Kathleen Moriarty became responsible AD for RADEXT and DIME.
–End IESG Liaison Report, Alissa Cooper–
3.3. IRTF Chair Report
–Begin IRTF Chair Report, Lars Eggert–
- ICNRG having interim at Cisco in Boston Jan 13-14 (right now) - Proposed NFVRG has been asking for formal chartering; charter is finalized. Discussing this with the IAB (and IESG, due to NFV being actively standardized elsewhere). - Am cautiously optimistic that the CFRG has cut the Gordian knot in terms of a recommendation to the TLS WG on curves. - Ongoing discussion with ACM SIGCOMM on a SIGCOMM/IRTF workshop on Internet measurements on the Saturday before the Yokohama IETF (i.e., directly after ACM IMC in Tokyo). - Announced ANRP winner for IETF-92 (topic is NFV, FWIW)
–End IRTF Chair Report, Lars Eggert–
3.4. ICANN Liaison Report
–Begin ICANN Liaison Report, Jonne Soininen–
I. Public Comments needing attention (only highlights) ======================================================= (All public comment processes: https://www.icann.org/public-comments#open-public) IDN TLD Program - Label Generation Ruleset (LGR) Tool Project (P1) - LGR Tool Set Specifications Now Open for Public Comment (https://www.icann.org/public-comments/idn-lgr-2014-12-03-en) Reply period closes: 23 Jan 2015 II. Upcoming topics that could be relevant =========================================== Cross Community Working Group (CWG) on Naming Related Functions Draft Transition proposal The CWG published its report and the comment period for the report has now closed. The CWG is now contemplating how to move forward with their proposal. There seems to be a need by some parties to link the ICANN accountability question to the IANA stewardship transition question. These two issues should really not be coupled together. However, if there is consensus to go forward with the approach coupling accountability together with the IANA stewardship transition this might impact the naming community timelines. III. (If relevant) upcoming meeting topics of importance ========================================================= The next ICANN meeting is February 8-12th, 2015 in Singapore.
–End ICANN Liaison Report, Jonne Soininen–
3.5. IANA Liaison Report
–Begin IANA Liaison Report, Michelle Cotton–
IANA Liaison Report ‚Äì 14 January 2015 2014 SLA Deliverables Update: - ICANN met 100% of processing goal times for the November 2014 monthly statistics, exceeding the SLA goal to meet 90% of processing goal times. These times include the steps that the IANA Department has control over and not time it is waiting on requesters, document authors or other experts. - The deliverable for the review of protocol parameters by third-party auditors is in process. The third-party reviewers (PWC) are completing their final tests. The report will be available by March 30, 2015. - The Draft Supplemental Agreement for 2015 continues to be revised and discussed. Other News: - The request for the addition of as112.arpa is in process. The IAB has approved the request. The request should be completed soon. - The IANA Department Customer Satisfaction Survey for 2014 is now available at http://www.iana.org/reports/2014/customer-survey-20141217.pdf
–End IANA Liaison Report, Michelle Cotton–
3.6. RFC Editor Liaison Report
–Begin RFC Editor Liaison Report, Heather Flanagan–
RSE Report * Format update Several draft updates are expected this month, including a revision to the xml2rfc v3 draft , the framework draft , and the plain-text draft . A new draft with precise examples of how the vocabulary should work is also in progress, and with that new draft and the updates to the existing drafts as mentioned, the Tools Team will be ready for the next step to release the proposed Statements of Work out to community comment. The xml2rfc v2 draft has also been submitted into the Datatracker as an IAB stream document. There is one complex action item to complete regarding crefs; Julian Reschke is testing how the current vocabulary behaves in order to complete that one item. At that point, the document will be ready to continue the publication process. * DOI update John Levine, Heather Flanagan, and the RPC team (Sandy Ginoza, Alice Russo, and Priyanka Narkar are having a kick off meeting on 16 January 2015 to discuss the next steps for the DOI project. The coding work involves both the interface to CrossRef to register the DOIs as well as the interface to the RPC system so that the identifiers are created automatically at time of publication. Heather Flanagan submitted the CrossRef application at the beginning of the month as the administrative part of the project. She is waiting to hear back from CrossRef (expected the week of 12 January 2015). * Participation as an Invited Expert in the W3C Digital Publishing Interest Group Heather Flanagan was invited to participate as an Invited Expert in the W3C's Digital Publishing Interest Group <http://www.w3.org/dpub/IG/wiki/ Main_Page>. This involvement should provide useful material to the RFC format project, as well as being generally useful to the e-publishing community. * Errata System Design Team Heather Flanagan is kicking off a new design team to discuss the errata system and how to make it more efficient for approvers, implementors, authors, and submitters. Participants include Joel Jaeggli, Stephen Farrell, Barry Leiba, Pete Resnick, Ted Lemon, Mark Nottingham, Nevil Brownlee, Robert Sparks, Sandy Ginoza, and Heather Flanagan. More information is available on the RSE wiki at <https://www.rfc-editor.org/ rse/wiki/doku.php?id=erratasystem:start> RPC Update * SLA - see http://www.rfc-editor.org/reports - From the notes: Having met the SLA in December, the RPC had a successful Q4. The table shows the impact of the increased number of documents entering the queue (both newly approved and those released from MISSREF) earlier in the year, and the RPC's recovery throughout the remainder of the year. * The current queue is seeing a larger number of clusters than usual, each with a higher number of average pages per document. Examples include the NFS, BLISS, and WEIRDS clusters. The list of active clusters is available off of the RFC Editor website: http://www.rfc- editor.org/all_clusters.php * Published 327 RFCs in 2014 - This past year saw an increase of 50 documents published over the stats for 2013, putting us back up near the high points hit in 2010 through 2012. See http://www.rfc-editor.org/ num_rfc_year.html for the annual publication count back through the start of the Series. * RFC Editor F2F meeting in Seattle - Sandy Ginoza, Alice Russo, Lisa Winkler, and Heather Flanagan will be holding a two-day meeting in Seattle to discuss 2015 and 2016 priorities and review plans for the upcoming year.
–End RFC Editor Liaison Report, Heather Flanagan–
4. Technical Plenary at IETF 92
The IAB briefly discussed the Technical Plenary for IETF 92. As the IAB has not received a response from Shafi Goldwasser, the IAB has decided to pursue other options for IETF 92.
5. Program Meetings in Dallas
Russ Housley asked Program Leads to let him know if they will need agenda time at IETF 92.
6. Executive Session: NomCom Report on the IESG
Joel Halpern, who was not on the teleconference, was recused from the discussion. In accordance with RFC 2850, Jari Arkko left the teleconference. The IAB confirmed the IESG slate presented by NomCom in an executive session.