Security Area

Director(s):

   o Steve Crocker: crocker@tis.com

Area Summary reported by Steve Crocker/TIS and Jim Galvin/TIS

The Security Area within the IETF is responsible for development of security-oriented protocols, security review of RFCs, development of candidate policies, and review of operational security on the Internet. Much of the work of the Security Area is performed in coordination with working groups in other areas.

The Security Area Advisory Group (SAAG) is a group of security experts which provides both consulting help to other areas and direct management of working groups within the Security Area. The main bulk of the work for the SAAG consists of a set of formal work items. These work items correspond to working groups within the IETF Security Area, security-relevant developments within working groups in areas other than security, and internal SAAG work items which do not merit the creation of formal working groups but which do need some level of attention.

Below is the status of each of the Working Groups and/or BOFs officially chartered or initiated within the Security Area. Immediately following those reports is an update on other security issues as well as security-related work in other IETF areas.

Authorization and Access Control BOF (AAC)

A Charter has been submitted to the IESG. Its official ratification is waiting for a statement indicating its relationship to other security-related activities in the IETF.

The Authorization and Access Control BOF met on Wednesday afternoon. Common characteristics of several distributed authorization mechanisms were discussed. The Group will compile a common list of restrictions and/or privilege attributes sufficient to support DCE, ECMA/Sesame, and restricted proxies, as well as the needs of applications. The specification for an authorization API was refined, with the form of several arguments defined and others sketched.
Work items were assigned to further refine these definitions and to specify the form of access control list entries themselves.

Common Internet Protocol Security Option Working Group (CIPSO)

The CIPSO Working Group meets principally under the auspices of the Trusted Systems Interoperability Group. A revised Internet-Draft was posted for discussion at the Columbus IETF meeting. A few changes were discussed, primarily structural, with some additions to provide more detail. The majority of the Working Group believes its work is done. Steve Crocker will coordinate a team of experts to review the current specification prior to its submission to the IESG for publication as a Proposed Standard.

Common Authentication Technology Working Group (CAT)

The GSS-API base specification, GSS-API C Language Bindings, and Kerberos Version 5 documents are to be submitted for consideration as Proposed Standards. The DASS document is to be submitted for consideration as an Experimental Protocol.

The CAT Working Group met for two sessions at the Columbus IETF. The primary agenda item was integration of security features into FTP, a topic for which Sam Sjogren is acting as task leader and on which Steve Lunt has generated a working document shortly to be released as an Internet-Draft. The FTP security discussions were quite fruitful, both in terms of providing feedback for improving the draft proposal for FTP and in fine-tuning the GSS-API requirements and specifications.

Internet Protocol Security Protocol Working Group (IPSEC)

A Charter has been submitted to the IESG. Its official ratification is waiting for a statement indicating its relationship to other security-related activities in the IETF.

A review of initial experimental implementations was conducted. A preliminary list of IPSEC protocol features/requirements was discussed and will be posted to the mailing list.
There was a brief discussion of key management issues, but it was deferred to be conducted on the mailing list.

Privacy Enhanced Mail Working Group (PEM)

The PEM specifications have been published as RFCs 1421, 1422, 1423, and 1424. This work item was officially closed at the Columbus IETF meeting.

SNMP Security Working Group (SNMPSEC)

In conjunction with the SNMPv2 Working Group, twelve documents have been completed and adopted by the IESG as Proposed Standards. They are currently in the hands of the RFC Editor for processing for publication. By agreement with the new Network Management Area Director, Marshall Rose, further work on SNMP security will be carried within the existing SNMP Working Group with assistance provided by the Security Area.

TCP Client Identity Protocol Working Group (IDENT)

The protocol specification has been published in RFC 1413 as a Proposed Standard. A network management MIB document was published in parallel as RFC 1414. Using this MIB, an SNMP client can ascertain the same information that an Ident client can, thereby giving clients two options for implementing this service. This work item was officially closed at the Columbus IETF meeting.

OSI Directory Services Working Group (OSIDS) - Applications

There is no security activity in this area at this time. This work item was officially closed at the Columbus IETF meeting.

TELNET Working Group (TELNET) - Applications

A document specifying a combined authentication-encryption option was discussed, including replacing the individual option documents with this one document. A revised Internet-Draft will be posted. A Kerberos Version 5 sub-option document was also discussed. A revised Internet-Draft will be posted.

Router Requirements Working Group (RREQ) - Internet

The previous single document has been split into four documents and a number of auxiliary documents. Philip Almquist has responsibility for finishing the documents and submitting them to the IESG for publication.
Mobile IP Security Working Group (MOBILEIP) - Routing

If there existed an IP security option, Mobile IP would not have to create its own. This raises the question of what the relationship between this security work item and the IP security work item is. This will be addressed in a document to be posted to internet-drafts.

Audio/Video Transport Working Group (AVT) - Transport

This activity will be reviewed to identify the security issues for the Amsterdam meeting.

Domain Name System Working Group (DNS) - Transport

A subcommittee will be created to deal with security issues. A mailing list will be created for use by the subcommittee.

Trusted Network File System Working Group (TNFS) - Transport

The TNFS Working Group meets principally under the auspices of the Trusted Systems Interoperability Group. No progress to report.

Integrated Directory Services Working Group (IDS) - User Services

This activity will be reviewed to identify the security issues for the Amsterdam meeting.

Export Control Issues

Vint Cerf and Steve Crocker need to press forward on drafting a document.

IP: The Next Generation

A plan for processing a security review of the competing next generation proposals will be drafted for the Amsterdam meeting.

ITAR Publication

An on-line version of the U.S. International Traffic in Arms Regulations (ITAR) will be created. In addition, it was noted that the ISSA published a summary of U.S. export law that would be useful to include.

Key Management Strategies

A review of key management strategies and activities will be drafted for the Amsterdam meeting.

Network Database Privacy

There is no activity in this area. This work item was officially closed at the Columbus IETF meeting.

PEM and MIME Integration

The meeting began with discussions of implementation statuses and deployment strategies. There will soon be PEM implementations available in the UK and Germany as a result of work under the EC PASSPORT program. Interoperability testing is in progress.
In support of the Internet certification hierarchy, RSADSI and TIS announced the availability of PCAs.

In addition to the PEM and MIME integration, the use of email addresses in distinguished names and the relaxation of the trust model for the current hierarchy were discussed, but no consensus was reached. The PEM and MIME integration was also not settled, since there was a fair amount of disagreement about the issues. A revised Internet-Draft will be posted.

Random Number Generation Issues

A document has been posted as an Internet-Draft that identifies the issues to be concerned about when generating random numbers. However, the document does not have a conclusion on how to generate random numbers given a set of requirements. A revision will be prepared.

Routing Security Plan

Radia Perlman will submit a brief white paper identifying the issues.

Security Area Architecture

A short description of the relationship between the IETF security activities will be drafted for the Amsterdam meeting.

Working Group Liaison Checklist

A checklist for use by security liaisons to working groups that will assist in tracking progress will be drafted for the Amsterdam IETF.