[Secdispatch] Re: Topics for IETF 120

Jim Fenton <fenton@bluepopcorn.net> Thu, 12 September 2024 16:47 UTC

From: Jim Fenton <fenton@bluepopcorn.net>
To: David Brossard <david.brossard@gmail.com>
Date: Thu, 12 Sep 2024 09:47:25 -0700
CC: dispatch-owner@ietf.org, alldispatch-chairs@ietf.org, Andrew Clymer <andy@rocksolidknowledge.com>, theo.dimitrakos@ifiptm.org, secdispatch@ietf.org, Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/SZAH6U9RBht_SCRHkKH--aJ8Wps>

Hi David,

Glad to hear about your progress. We’re still waiting for guidance 
from IESG on whether alldispatch will continue at IETF 121, or whether 
we will revert to the individual dispatch groups like secdispatch. Of 
course it would be good to get a reading from Deb and Paul, but unless 
the decision is obvious it would probably be best to take it to 
secdispatch or alldispatch next.

-Jim

On 11 Sep 2024, at 11:49, David Brossard wrote:

> Hi Jim,
>
> With IETF 120 in the back, I wanted to circle back and talk about next
> steps. After the lightning talk, a few folks came up to me to talk about
> their needs for an authorization policy language. In OAuth, there is also a
> need but the consensus was that the language should live outside OAuth and
> OAuth would just be a consumer of it. Other WGs e.g. WIMSE, SCIM, ACE of
> course, and perhaps SPICE,
>
> I am thinking therefore that ALFA 2.0 would belong to the Security Area
> (SEC). Is the next step to talk to Deb & Paul?
>
> The current stub of a draft is here:
> https://datatracker.ietf.org/doc/draft-brossard-alfa-authz/ . I have also
> CCed my two co-authors, Andy Clymer from Rock Solid Knowledge (UK) and Theo
> Dimitrakos (IFIPTM, UK and Huawei, Germany) who should be able to attend
> IETF 121 in Dublin.
>
> Thanks for your insights,
> David.
>
> On Fri, Jul 12, 2024 at 11:02 AM David Brossard <david.brossard@gmail.com>
> wrote:
>
>> Hi Jim, all,
>>
>> Thanks for taking the time to reply. Apologies for missing the deadline.
>> This is my first IETF and I wasn't paying close attention.
>>
>> I will take you up on the lightning talk option. Per the rules on this
>> site <https://datatracker.ietf.org/group/hotrfc/about/> , I will email a
>> short abstract to hotrfc@ietf.org.
>>
>> I'm looking forward to meeting you in person,
>> David.
>>
>>
>> On Mon, Jul 8, 2024 at 11:06 AM Jim Fenton <fenton@bluepopcorn.net> wrote:
>>
>>> David,
>>>
>>> Thanks for reaching out. Copying alldispatch chairs (which includes
>>> Rifaat).
>>>
>>> For this IETF, we are again experimenting with a unified “dispatch”
>>> session called alldispatch. That seems relevant here because this topic
>>> seems like it might be in Security Area or in ART (applications/real time)
>>> Area, and the idea of alldispatch is to have a unified venue, especially
>>> when it isn’t entirely clear which area something belongs in.
>>>
>>> At this point, the agenda for alldispatch at IETF 120 is full. We had a
>>> deadline for agenda topics a couple of weeks ago as well.
>>>
>>> If you want to do something at IETF 120, you have a couple of options: 1)
>>> Give a lightning talk to pitch the idea at the Hot RFC Lightning Talks on
>>> Sunday evening, and/or 2) Set up an informal side meeting and recruit
>>> relevant people to come to it.
>>>
>>> Let us know if you have any other questions.
>>>
>>> -Jim
>>>
>>> On 8 Jul 2024, at 10:35, David Brossard wrote:
>>>
>>> Dear Dispatch owners,
>>>
>>> First of all, my apologies if I'm supposed to email dispatch@ietf.org
>>> rather than owners. I'm new(ish) to IETF and its processes.
>>>
>>> My name's David and I've been involved in authorization and its
>>> standardization for the past 15 years. I've worked at OASIS and am
>>> currently the co-chair of the OpenID AuthZEN WG.
>>>
>>> As I'm more and more interested in the overlap between AuthZ and
>>> authentication, I'll be taking part in the OAuth WG sessions and have
>>> submitted a draft ID
>>> <https://datatracker.ietf.org/doc/draft-brossard-oauth-rar-authzen/> for
>>> their consideration. I've already reached out to Rifaat and some of the
>>> OAuth folks (whom I know relatively well from my interactions at IIW and
>>> other venues).
>>>
>>> Additionally, I'd like to propose a new standard for authorization policy
>>> language - or to be more specific an evolution of an old and trusted
>>> standard: ALFA 2.0. It's a modernization of ALFA (released in 2012) itself
>>> a modernization of XACML (initially started in 2001). Because it's so
>>> relevant to OAuth, I thought IETF could be a natural home for the draft
>>> standard. I'm not sure, though, OAuth itself would be the natural WG for
>>> this work hence my reaching out to you.
>>>
>>> I've not submitted an ID just yet but will have a framework out by
>>> today's deadline.
>>>
>>> Let me know what good next steps should be and which WG you believe would
>>> be a natural home for ALFA 2.0. If you want to read up on ALFA itself,
>>> here's a deck I put together for IIW
>>> <https://www.slideshare.net/slideshow/internet-identity-workshop-iiw-2023-introduction-to-alfa-authorization-language/267197190>
>>> last year. There's also https://alfa.guide which is a site I maintain
>>> (in the spirit of Aaron P.'s oauth.net website).
>>>
>>> Thanks for your time,
>>> David.
>>>
>>>
>>
>> --
>> ---
>> David Brossard
>> http://www.linkedin.com/in/davidbrossard
>> http://twitter.com/davidjbrossard
>> http://about.me/brossard
>> ---
>> Stay safe on the Internet: IC3 Prevention Tips
>> <https://www.capefearnetworks.com/wp-content/uploads/2017/05/Internet-Fraud-Prevention-Tips-IC3.pdf>
>> Take precautions on the Internet:
>> http://www.securite-informatique.gouv.fr/gp_rubrique34.html
>>
>
>
> -- 
> ---
> David Brossard
> http://www.linkedin.com/in/davidbrossard
> http://twitter.com/davidjbrossard
> http://about.me/brossard
> ---
> Stay safe on the Internet: IC3 Prevention Tips
> <https://www.capefearnetworks.com/wp-content/uploads/2017/05/Internet-Fraud-Prevention-Tips-IC3.pdf>
> Take precautions on the Internet:
> https://cyber.gouv.fr/bonnes-pratiques-protegez-vous