[saag] Notes from SAAG meeting today

Hannes Tschofenig <hannes.tschofenig@gmx.net> Thu, 26 March 2015 19:59 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB18A1B2B30 for <saag@ietfa.amsl.com>; Thu, 26 Mar 2015 12:59:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.91
X-Spam-Level:
X-Spam-Status: No, score=-1.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bnoyE6j4A1Cb for <saag@ietfa.amsl.com>; Thu, 26 Mar 2015 12:59:51 -0700 (PDT)
Received: from mout.gmx.net (mout.gmx.net [212.227.17.20]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3174B1B2AC2 for <saag@ietf.org>; Thu, 26 Mar 2015 12:59:51 -0700 (PDT)
Received: from [192.168.10.152] ([31.133.152.120]) by mail.gmx.com (mrgmx103) with ESMTPSA (Nemesis) id 0MOOJl-1YW0jx2BCH-005pIi for <saag@ietf.org>; Thu, 26 Mar 2015 20:59:48 +0100
Message-ID: <55146532.2060209@gmx.net>
Date: Thu, 26 Mar 2015 20:59:46 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: saag <saag@ietf.org>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="5V5akCa2IRSNu40elwillTpcaIxLb0gER"
X-Provags-ID: V03:K0:8du6XyLLXdCdW3+iddcQ4PnNkErfOG+KASQd7yf17NUVhWYI2Zs bK1Mnj16RR44jd4rHbF8xGUFrWsQxUDdRfc8ajcNMKs26ebzx52nsbQ+5LNm8H0uBWjimm+ rlOICgwxVXeQnTL4yszO7db2ZBJBzVj//lYeLRa6d5fFoNalKx4z3NwbCNBtLIon/vYuCxg T902lHQiC1jEcK8/W0jpg==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: <http://mailarchive.ietf.org/arch/msg/saag/a5pR3Sry6MINMw8J-F1HvzQ_5rw>
Subject: [saag] Notes from SAAG meeting today
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Mar 2015 19:59:54 -0000

IETF-92 SAAG Meeting initial Agenda (120 mins)

1. WG/BoF/side meeting reports (10 mins)

See mails sent to the SAAG mailing list.

TLS VPN side meeting happened to understand what those are. Mailing list
will be requested.
Security discussion about IoT/6LO (Pavilion) scheduled for today (in the
evening).

Presentation about draft-mm-wg-effect-encrypt and soliciting
input/feedback.

2. Invited/offered talks
	2.1 Joe Bonneau/HSTS and HPKP in practice (30 mins)

Chrome also supports HSTSP but it has not been turned on. Firefox
supports it already since a few versions.

How to pre-load into Chrome? Enter the data into
https://hstspreload.appspot.com
Firefox: Talk to Richard Barnes

You have to have multiple pins (for redundant) for HPKP.

Cryptocat managed to brick themselves end of last year by changing the
certificate without updating the pre-loaded pins.

Ekr: How many sides out of the 1 M domains from Alexa are using HTTPS?
Joseph: Probably 30%. Don't remember. Out of these 30%, 1.1% use HSTS.
Jeff: The details are in the paper.

Yoav: Is there a tool to test HSTS?
Joseph: Not that I know. Student wanted to write something but then
didn't got to-do it.

Jeff: SSL-Labs they test various SSL/TLS features and they also test
HSTS. We could work with them to do more tests.
	
Richard: Active mixed content may be due to lack of support for HTTPS at
content distribution networks.
Joseph: Yes and scripts from ad networks.

PHB: Concerned about two different registries. The info should be in the
DNS. I proposed to have a harmonized format (in CAA record).
Joseph: There has not been a momentum to align the different proposals.

Joseph: I would suggest to per-default include sub domains. The secure
attribute for cookies could be re-interpreted as well.
Jeff: Thank you for doing this. Too often there are no such survey data.
It is great to have that data.
In terms of the pre-load list. The UI gets you into Chrome's list but
those new requirements where added by the Firefox guys but that only
gets you into additional browser lists.

Adam: The list is also being populated into other browsers.
Jeff: This is all ad-hoc. There might be a way to more formalize.
In terms of sub-domains I have to go back and count the number of mails
on that subject. The people in the room designing HSTS where browser
vendors and relying parties we thought it would be dangerous to include
subdomains when they are populated down the sub-domains. It is not clear
which is the better way.

Mark: Thanks for gathering this data. I appreciate the message on the
last slide regarding developer testing.
I am worried about the low adoption rate. We need to make them more
comprehensible.

DKG: Thanks for doing the work. I think we got the interaction with the
different specifications wrong and we have to keep this in mind for
future work.


	2.3 Adam Langley/QUIC (15 mins)
	
Ekr: Thinking about harmonizing the cookie exchange between DTLS/TLS.
Adam: We are meeting with the QUIC folks tonight.

Paul: Have you given the same presentation in TSVWG.
Adam: No.
Paul: You may want to talk to the TSVWG about QUIC to make them less
worried.

?: There was a presentation some time ago

Wes: Thanks for pushing the boundaries. One question about the
deployment: you talk about it being used today in Google/Chrome.
Adam: Users would not notice.
Wes: I am worried about that. You are lying to the users since they
don't get HTTPS but rather something else.

Adam: That would be a concern if the security concerns are less.
Wes: It has not gotten the same level of review. I am not sure that's true.

Allison: TCPINC is the place where these types of things should be
discussed.
A question: Is there crypto-agility in your proposal?

Adam: It is exactly the same as in TLS since we use the same certs.

Mark: The semantics of the HTTPS URI schemes are not bound to TLS.
Ekr: When we do TLS 1.3 we make experiments as well.


	2.4 Jan Včelák/Authenticated Denial of Existence in DNSSEC (NSEC5) (10
mins)
	
Adam: When the zone is signed offline then you are creating NSEC5
records. Does the DNS server need to have these keys online?
Jan: Yes. The keys are online.

?: I like the technology but I don't think it will be
Message files are a much bigger issue. Your paper don't support ECC.

Jan: We require deterministic signatures. If we use ECDSA then for one
name and one key there may be more than one signature.

Some years we were told that we need to support NSEC3. Given that
everything in DNSSEC is moving forward very slowly I think we should
just deploy DNSSEC instead of playing around with it.

Joseph: We worked on this topic as well. There is an ECC way to do it.
We went through the same problem and there is a way to do it but it is a
bit messy.

	2.5 Ladar Levinson/Darkmail (20 mins)
	
Jeff: I got a bit lost. I have a software I downloaded and I wanted to
send you a message. I have not contacted you before.

Ladar: You would type in the email address. The client would query the
DNS for a record. Once it has the record it has the signing key for that
domain.
Then, you contact that organizational domain. Subsequently, you query
the users signet and use the public key to encrypt the message with that
key.

Adam: Why did you choose two different curves?
Ladar: I wanted different curves for signing and encryption.

Ladar: Is the ChaCha TLS ciphersuite ever going to become a standard?
Sean: We are starting a working group adoption of the ChaCha TLS
ciphersuite.

Adam: Signatures are designed to provide integrity and authenticity but
not confidentiality.
Ladar: The signatures are inside the encrypted part of the message.

BarBOF happening this evening.

Adam: You asked for tree signatures. Merkle tree signatures are totally
fine.




	2.6 Paul Wouters/Opportunistic IPsec update (1 minute)

Paul pointed to the oe.libreswan.org.



	2.7 Eric Rescorla/Secure Conferencing (5 mins)

Adam: Does the key server know the key?
Ekr: Yes.
Adam: It does not need to be.
DKG: Happy to talk to you afterwards.

	3. Open-mic, ~30

Joe: Question about the QUIC talk. The information shown to the user
needs to correct.
Adam: It says QUIC. QUIC started with formal analysis of the crypto

Wes: My concern was not that there are many failures with TLS. The HTTPS
and the URI specification says that it is TLS.
I am not saying it is bad todo experimented but I want to know whether I
am experimented on.

Adam: We cannot change the URI scheme. We also cannot change the icon
either.
Wes: I understand the need for experimentation.

Adam: We are not going to deploy another URI scheme again.

Paul: We could solve this using a pop-up, for example when downloading

?: Haven't there been a experiments with the lock icon?

Adam: We are experimenting with you all the time, for example, when
switching to ChaCha.

Ekr: There are three things: URI scheme, a lock icon and then the crypto.

Jeff: This is a layer 9 problem. You agree to it when you download the
browser.