Internet Architecture Board

RFC2850

IAB Minutes 2015-01-14

Home»Documents»Minutes»Minutes 2015»IAB Minutes 2015-01-14

Minutes of the 2015-01-14 IAB Teleconference (Tech Chat & Business Meeting)

1. Roll-call, agenda-bash, administrivia, minutes

1.1. Attendance

PRESENT
  • Jari Arkko (IETF Chair)
  • Mary Barnes
  • Marc Blanchet
  • Alissa Cooper (IESG Liaison)
  • Michelle Cotton (IANA Liaison)
  • Lars Eggert (IRTF Chair)
  • Heather Flanagan (RFC Editor Liaison)
  • Mat Ford (ISOC Liaison)
  • Ted Hardie
  • Joe Hildebrand
  • Russ Housley (IAB Chair)
  • Eliot Lear
  • Xing Li
  • Alexey Melnikov (RSOC Chair)
  • Cindy Morgan (IAB Executive Administrative Manager)
  • Erik Nordmark
  • Andrew Sullivan
  • Dave Thaler
  • Brian Trammell
  • Amy Vezza (IETF Secretariat)
REGRETS
  • Joel Halpern
  • Jonne Soininen (ICANN Liaison)
GUESTS
  • Joseph Bonneau
  • Michael Kranch

1.2. Administrivia

The IAB agreed to add a tech chat on 21 January 2014 with Hannes Tschofenig on smart objects. Mary Barnes will follow up to invite Hannes, and Cindy Morgan will update the IAB internal calendar.

1.3. Meeting Minutes

The IAB approved the minutes of the 7 January 2014 IAB Business Meeting.

2. Tech Chat: HSTS/key pinning

Joseph Bonneau joined the IAB to discuss HSTS/key pinning and Advanced HTTPS features.

Slides similar to the ones presented can be found here.

Joseph Bonneau and his graduate student Michael Kranch (also attending) presented research that builds on work done at Google about how secure HTTP is in practice. Joseph reported that there are current crypto flaws in TLS relating to HTTPS and the interface between HTTP and TLS or SSL.

Joseph Bonneau discussed how TLS is faster than certificates for security. He also mentioned that 50% of sites don’t use security via HTTPS at all, and others lack the forward secrecy of private keys. At the HTTPS level, the problems are HTTPS stripping and rogue certificates. Some people have tried to deploy HTTPS but ended up downgrading due to incorrect deployment.

Joseph Bonneau first discussed HTTPS stripping. If a browser tries to access a domain over HTTP, but the domain wants to use HTTPS, there is an automatic redirect. An attacker can use that redirect to change the request, which the user may not notice. HSTS (HTTP Strict Transport Security) is the fix for this type of attack. The Firefox and Chrome browsers have included HSTS in the code, but it does not always extend to subdomains. Joseph mentioned that if a browser successfully connects to the server with HTTPS, the browser will cache that policy. The connection is vulnerable to attack only at initial contact.

Dave Thaler asked if anyone was looking at solving this issue using DNS. Joseph Bonneau replied that it was possibly being investigated in DANE, but he is not certain if the issue is actively being worked on. Eliot Lear mentioned that DANE has a dependency on DNSSEC, although some question how strong that dependency is. Ted Hardie replied that with DNSSEC it isn’t clear whether validation is occurring on the client side or the server side. Brian Trammell asked if this was a bootstrapping mechanism that will disappear eventually. Joseph replied that it wasn’t clear, but only the first connection was vulnerable and most search engines and browsers were preloaded with HTTPS and HSTS.

Joseph Bonneau discussed the second problem, rogue certificates. If the user is trying to connect via HTTPS but an attacker has a valid certificate, they can see everything. Users wouldn’t notice the attack. The key pinning, not certificate pinning, works by setting up a policy for a list of pins interpreted as at least one of the key hashes for that domain. A user can pin to a key in their CA certificate. An attacker with a rogue certificate that cannot come up with a key pin would be rejected even if it is signed by a valid CA. A self-signed certificate would also get rejected, even if it matches a key pin.

Dave Thaler asked why a pinned self-signed certificate would be rejected. Joseph Bonneau mentioned that a user can have an exception to say it doesn’t have to be rejected, but it still needs a valid CA signature. Dave noted that if a pinned server certificate is compromised, the user could be attacked. Joseph agreed.

Joseph Bonneau mentioned that as with HSTS, the user has to specify the hashes of keys, and pin to at least two keys because if the user relies on only one key and then lose the key pin, the user would be offline. Additionally, if there is a MITM attack on the first connection, the attackers can break the domain, bricking it for the user.

Joseph Bonneau reported that HSTS has been in use and accepted by all browsers except IE (he noted that he thinks it will be deployed with IE 12). He further reported that about 12,000 domains are trying to set HSTS, 80% for long terms.

Joseph Bonneau mentioned that preloads of domains are now accepted via a website that will crawl the domain, and if it has implemented HSTS correctly, the domain will be added to the preloads in the browser. Key pinning security growth has been slower. Some domains use HSTS, some use key pinning, some do both. Examples Joseph used included Google, Facebook, and Twitter.

Joseph Bonneau reported that the keepers of the preload lists do not have a process to prune the stale, outdated, or obsolete domains. Only about 1% of the top million Alexa domains are using HSTS, and of those, 6% are HTTPS sites that redirect from HTTP. Possibly the reason is that many web administrators don’t know HSTS is available.

Joseph Bonneau mentioned there were two bugs observed. One was mixed content, where pages that use both both HTTPS and HTTP that can be attacked by a MITM. In the case of key pinning, the user has the same problem of connecting to HTTPS with a specified resource not from a pinned domain. Most of Twitter can be hijacked by a hacker with a rogue certificate because of this.

Joseph Bonneau said that, due in part to semantic differences between cookie and key pinning policies, it is possible to open a vulnerability that an attacker could take advantage of, and therefore it was important for web developers to take pains to see that policies, particularly regarding subdomains, are consistent. He noted that a major service had already suffered a problem because of this.

Joseph Bonneau concluded by noting that Web security is difficult for users, and spec writers don’t understand the real constraints. The browser preload lists may be updated frequently, but they are just lists.

3. Monthly Reports

3.1. ISOC Liaison Report

–Begin ISOC Liaison Report, Mat Ford–

Internet Society Liaison Report to the IAB
14 January 2015

Topics:

 I. Internet encryption and traffic management
II. IXP development
III. IXP workshops
IV. United Nations Commission on Science and Technology for Development
 V. Organisation for Economic Co-operation and Development
VI. W3C Privacy Interest Group

I. Internet encryption and traffic management
ISOC are working with the IAB and IESG on participating in a GSMA hosted 
meeting on impacts of Internet encryption on the mobile environment.

II. IXP development
Equipment has been sent to Thailand to support the soon to be launched 
Bangkok National Internet Exchange (BKNIX). The launch is anticipated 
for mid-February and the team there is doing an excellent job with 
assistance from the community.  Cisco, Google, Alcatel and NSRC have all 
provided support for this work.

III. IXP workshops
ISOC held a joint IXP workshop in Tunis in collaboration with the ITU’s 
Arab regional office and the Arab League. This was the second workshop 
held in collaboration with the ITU-D. The meeting brought eight 
countries together to discuss best practices and the impact an IXP can 
make on local traffic costs and delivery.

IXP workshops are in the planning stages for Montenegro (February) and 
South East Asia (June). Joint work will continue between ISOC and LACNIC 
to deliver IXP workshops and training in Latin America. Packet Clearing 
House (PCH) are supporting this work.

IV. United Nations Commission on Science and Technology for Development 
(CSTD)
ISOC submitted its comments on the draft CSTD report on Mapping Internet 
public policy issues. This followed consultations with the IAB and other 
members of the technical community. A new version of the report will be 
discussed in May, at the CSTD meeting. The final version will feed into 
the 2015 WSIS 10 year Review process.

V. Organisation for Economic Co-operation and Development (OECD)
The Internet Society led the participation of the Internet technical 
advisory committee (ITAC) at the recent OECD meeting week of the 
Committee on Digital Economy Policy and its working parties. A large 
part of the week was devoted to defining the focus areas and future work 
feeding the 2016 OECD Ministerial on the Digital Economy, to be held in 
Cancun (Mexico) in late June 2016. ITAC will also have the opportunity 
to organise a pre-event at the Ministerial. Work is ongoing on the 
review of the OECD Security Guidelines. ITAC also published a new 
edition of its newsletter, illustrating positive examples of cooperation 
between policymakers and the technical community in the OECD context: 
https://storify.com/ITAC/itac-newsletter-n-4-december-2014 .

VI. W3C Privacy Interest Group (PING)
PING held its monthly call on 4 December 2014. This call focused on 
general design principles for the Web regarding data minimisation and 
identifiers, as well as a discussion of the recent Article 29 Working 
Party Opinion regarding device fingerprinting. The next call will be on 
15 January 2015. PING will be discussing the draft TAG finding on 
Securing the Web. Link to call summary: http://lists.w3.org/Archives/
Public/public-privacy/2014OctDec/0043.html

–End ISOC Liaison Report, Mat Ford–

3.2. IESG Liaison Report

–Begin IESG Liaison Report, Alissa Cooper–

Recent new working groups:
  None

Recently rechartered working groups:
  - IP Security Maintenance and Extensions (ipsecme)

Current new chartering:
  - "Archive" Top-Level Media Type (arcmedia) [Internal review]
  - Domain Boundaries (dbound) [Internal review]

Current rechartering:
  None

Pending rechartering:
  None

Recently closed working groups:
  None

Personnel changes:
  - James Polk has stepped down as co-chair of TSVWG.
  - Alfred Hönes has been replaced by Melinda Shore as co-chair of 
    URNBIS.
  - Jouni Korhonen has been replaced by Lionel Morand as co-chair of 
    RADEXT.
  - Ralph Droms stepped down as 6lo co-chair and resumed his role as 6lo 
    Technical Adviser.
  - Gabriel Montenegro was appointed as 6lo co-chair.
  - James Woodyatt was appointed as 6lo WG secretary.
  - Ted Lemon became responsible AD for ANIMA.
  - Joel Jaeggli became responsible AD for OPSAWG.
  - Alissa Cooper became responsible AD for LMAP.
  - Kathleen Moriarty became responsible AD for RADEXT and DIME.

–End IESG Liaison Report, Alissa Cooper–

3.3. IRTF Chair Report

–Begin IRTF Chair Report, Lars Eggert–

- ICNRG having interim at Cisco in Boston Jan 13-14 (right now)

- Proposed NFVRG has been asking for formal chartering; charter is 
  finalized. Discussing this with the IAB (and IESG, due to NFV being 
  actively standardized elsewhere).

- Am cautiously optimistic that the CFRG has cut the Gordian knot in 
  terms of a recommendation to the TLS WG on curves.

- Ongoing discussion with ACM SIGCOMM on a SIGCOMM/IRTF workshop on 
  Internet measurements on the Saturday before the Yokohama IETF (i.e., 
  directly after ACM IMC in Tokyo).

- Announced ANRP winner for IETF-92 (topic is NFV, FWIW)

–End IRTF Chair Report, Lars Eggert–

3.4. ICANN Liaison Report

–Begin ICANN Liaison Report, Jonne Soininen–

I.  Public Comments needing attention (only highlights)
=======================================================
(All public comment processes: 

https://www.icann.org/public-comments#open-public)

IDN TLD Program - Label Generation Ruleset (LGR) Tool Project (P1) - LGR 
Tool Set Specifications Now Open for Public Comment
(https://www.icann.org/public-comments/idn-lgr-2014-12-03-en)
Reply period closes: 23 Jan 2015

II.  Upcoming topics that could be relevant
===========================================

Cross Community Working Group (CWG) on Naming Related Functions Draft 
Transition proposal

The CWG published its report and the comment period for the report has 
now closed. The CWG is now contemplating how to move forward with their 
proposal. There seems to be a need by some parties to link the ICANN 
accountability question to the IANA stewardship transition question. 
These two issues should really not be coupled together. However, if 
there is consensus to go forward with the approach coupling 
accountability together with the IANA stewardship transition this might 
impact the naming community timelines.

III.  (If relevant) upcoming meeting topics of importance
=========================================================

The next ICANN meeting is February 8-12th, 2015 in Singapore.

–End ICANN Liaison Report, Jonne Soininen–

3.5. IANA Liaison Report

–Begin IANA Liaison Report, Michelle Cotton–

IANA Liaison Report – 14 January 2015

2014 SLA Deliverables Update:

- ICANN met 100% of processing goal times for the November 2014 monthly 
  statistics, exceeding the SLA goal to meet 90% of processing goal 
  times.  These times include the steps that the IANA Department has 
  control over and not time it is waiting on requesters, document 
  authors or other experts.

- The deliverable for the review of protocol parameters by third-party 
  auditors is in process.  The third-party reviewers (PWC) are 
  completing their final tests.  The report will be available by March 
  30, 2015.

- The Draft Supplemental Agreement for 2015 continues to be revised and 
  discussed. 

Other News:

-  The request for the addition of as112.arpa is in process.  The IAB 
  has approved the request.  The request should be completed soon.

-  The IANA Department Customer Satisfaction Survey for 2014 is now 
  available at 

http://www.iana.org/reports/2014/customer-survey-20141217.pdf

–End IANA Liaison Report, Michelle Cotton–

3.6. RFC Editor Liaison Report

–Begin RFC Editor Liaison Report, Heather Flanagan–

RSE Report
* Format update
Several draft updates are expected this month, including a revision to 
the xml2rfc v3 draft , the framework draft 
, and the plain-text draft .  A new draft with precise examples of how the 
vocabulary should work is also in progress, and with that new draft and 
the updates to the existing drafts as mentioned, the Tools Team will be 
ready for the next step to release the proposed Statements of Work out 
to community comment.

The xml2rfc v2 draft  has also been submitted into 
the Datatracker as an IAB stream document.  There is one complex action 
item to complete regarding crefs; Julian Reschke is testing how the 
current vocabulary behaves in order to complete that one item.  At that 
point, the document will be ready to continue the publication process.

* DOI update
John Levine, Heather Flanagan, and the RPC team (Sandy Ginoza, Alice 
Russo, and Priyanka Narkar are having a kick off meeting on 16 January 
2015 to discuss the next steps for the DOI project.  The coding work 
involves both the interface to CrossRef to register the DOIs as well as 
the interface to the RPC system so that the identifiers are created 
automatically at time of publication.

Heather Flanagan submitted the CrossRef application at the beginning of 
the month as the administrative part of the project.  She is waiting to 
hear back from CrossRef (expected the week of 12 January 2015).

* Participation as an Invited Expert in the W3C Digital Publishing 
Interest Group
Heather Flanagan was invited to participate as an Invited Expert in the 
W3C's Digital Publishing Interest Group <http://www.w3.org/dpub/IG/wiki/ Main_Page>.  
This involvement should provide useful material to the RFC 
format project, as well as being generally useful to the e-publishing 
community.

* Errata System Design Team
Heather Flanagan is kicking off a new design team to discuss the errata 
system and how to make it more efficient for approvers, implementors, 
authors, and submitters.  Participants include Joel Jaeggli, Stephen 
Farrell, Barry Leiba, Pete Resnick, Ted Lemon, Mark Nottingham, Nevil 
Brownlee, Robert Sparks, Sandy Ginoza, and Heather Flanagan.  More 
information is available on the RSE wiki at 
<https://www.rfc-editor.org/ rse/wiki/doku.php?id=erratasystem:start>

RPC Update
* SLA - see http://www.rfc-editor.org/reports
- From the notes: Having met the SLA in December, the RPC had a 
successful Q4. The table shows the impact of the increased number of 
documents entering the queue (both newly approved and those released 
from MISSREF) earlier in the year, and the RPC's recovery throughout the 
remainder of the year.

* The current queue is seeing a larger number of clusters than usual, 
each with a higher number of average pages per document.  Examples 
include the NFS, BLISS, and WEIRDS clusters.  The list of active 
clusters is available off of the RFC Editor website: http://www.rfc-
editor.org/all_clusters.php

* Published 327 RFCs in 2014 - This past year saw an increase of 50 
documents published over the stats for 2013, putting us back up near the 
high points hit in 2010 through 2012.  See http://www.rfc-editor.org/
num_rfc_year.html for the annual publication count back through the 
start of the Series.

* RFC Editor F2F meeting in Seattle - Sandy Ginoza, Alice Russo, Lisa 
Winkler, and Heather Flanagan will be holding a two-day meeting in 
Seattle to discuss 2015 and 2016 priorities and review plans for the 
upcoming year.

–End RFC Editor Liaison Report, Heather Flanagan–

4. Technical Plenary at IETF 92

The IAB briefly discussed the Technical Plenary for IETF 92. As the IAB has not received a response from Shafi Goldwasser, the IAB has decided to pursue other options for IETF 92.

5. Program Meetings in Dallas

Russ Housley asked Program Leads to let him know if they will need agenda time at IETF 92.

6. Executive Session: NomCom Report on the IESG

Joel Halpern, who was not on the teleconference, was recused from the discussion. In accordance with RFC 2850, Jari Arkko left the teleconference. The IAB confirmed the IESG slate presented by NomCom in an executive session.