This installment of the Internet Society’s Rough Guide to IETF 95 focuses attention on the IETF 95 activities related to improving trust in the Internet. Key to this trust is the ability to establish and maintain accurate identity including privacy. As one might expect, there is a great deal of activity in this space in the IETF.
First, there is one BoF related to the trust topic at IETF 95. The Limited Use of Keys (lurk) BoF is looking at the problem caused by the increasing separation of the content provider from the network delivery. In this case, the content provider does not necessarily want to give their private key to the network service provider hosting their content. Generally speaking sharing of private keys is a bad idea. Thus far the mailing list has identified this “offload TLS without giving the CDN my private key” use case as being of particular interest. This BoF will explore if there are other related use cases that also need to be addressed and if there is sufficient interest to pursue work in this area.
As for the IETF working groups, there are several ongoing working groups addressing relevant topics in this space. Some of the ones that will meet at IETF 95 are highlighted below.
The Automated Certificate Management Environment (acme) working group is working to lower the barrier to deployment and management of certificates for the Web PKI. Currently, the verification of domain names in a certificate is done using a set of manual mechanisms. The acme working group is working to automate the process of issuance, validation, revocation and renewal of certificates. This is meeting will focus almost exclusively on maturing the current document (https://datatracker.ietf.org/doc/draft-ietf-acme-acme/) and resolving the issues documented in the issue tracker (https://github.com/ietf-wg-acme/acme/issues). This working group is also tied to the Let’s Encrypt certificate authority that is striving to lower the barriers to certificate usage both from a cost and a complexity perspective.
The Authentication and Authorization for Constrained Environments (ace) working group is focused on the increasingly complex Internet of Things (IoT) space. The bulk of the discussion this week will focus on resolving open issues with the draft on using OAuth 2.0 for Internet of Things (IoT) authorization. There are more details on all the IETF work related to IoT in the most recent edition of the IETF Journal.
In response to evolving concerns about pervasive surveillance, the IETF has looked to improve the observable data in many of its protocols. The DNS PRIVate Exchange (DPRIVE) Working Group was chartered to develop mechanisms to provide confidentiality between DNS Clients and Iterative Resolvers. Given that virtually all communication on the Internet involves name resolution, providing additional privacy to the underlying mechanisms is key to improving trust in the Internet.
The Web Authorization Protocol (oauth) working group has been working for quite some time on a suite of documents that enables a user to grant a third-party access to protected resources without sharing the user’s long term credentials. The working group has completed a long list of RFCs. This week’s meeting will focus on mix-up mitigation, discovery, token exchange, and the use of OAuth for native apps. OAuth is a key component of online identity systems and is being leveraged in the ongoing OpenID Connect work. The Open Specification for Pretty Good Privacy (OpenPGP) working group originally completed its work in 2008 providing a solution for object encryption, object signing, and identity certification ( RFC4880). Recently it has become clear that it was time to produce an update to RFC4880, and the OpenPGP working group was reinstated to do that work. This revision will include potential inclusion of elliptic curves recommended by the Crypto Forum Research Group (CFRG), a symmetric encryption mechanism that offers modern message integrity protection, an update to the mandatory-to-implement algorithm selection, deprecation of weak algorithms, and an updated public-key fingerprint mechanism.
The web PKI certificate infrastructure continues to be a source of trust related operational issues in the Internet. The primary effort of the Public Notary Transparency (trans) working group is the generation of a standards track version of the experimental RFC 6962 on Certificate Transparency. Certificate Transparency creates a log of certificates issued by certificate authorities (CAs). This provides the opportunity to monitor for problems in the certificate infrastructure globally. The primary focus of this week’s discussion will continue to be the update to RFC 6962, a threat analysis, and the gossip protocol. Rumor has it that the 6962bis effort in approaching completion!
As the Internet has evolved, some of the key pieces of infrastructure that we often take for granted need to be reconsidered in the light of the current operational environment. Time is a key component of establishing and maintaining trust, and it is often overlooked. The Network Time Protocol (ntp) working group has recently started a working group last call (WGLC) on NTS. Network Time Security (NTS) will define an updated framework and mechanisms for time server authentication. The WGLC on NTS has generated a great deal of mailing list discussion, and the meeting here at IETF 95 promises to have many interesting questions to resolve.
Finally, the Internet Architecture Board (IAB), through its Privacy and Security Program has taken a look at some of the problems of the existing Web PKI infrastructure. Since IETF 94, the program has adopted and updated a draft that identifies some of the issues and emerging solutions in this space. This draft, “ Problems with the Public Key Infrastructure (PKI) for the World Wide Web” will be on the program agenda this week. Find one of the co-authors and discuss any suggestions you might have for improving the document. Have a great week here at IETF 95 while you explore all of these trust, identity, and privacy related activities!