[Smart] Six SMART drafts

[Kirsty P <Kirsty.p@ncsc.gov.uk>]

Hi everyone,


SMART has five drafts on the IETF Datatracker <https://datatracker.ietf.org/doc/search?name=smart&sort=&rfcs=on&activedrafts=on&by=group&group=> - all of these (plus one extra!) are on our Github page<https://github.com/smart-rg/drafts> too.


Each draft falls in one of four categories:

  1.  Research on attacks or defences enabled or disabled by IETF protocols, and recommending protocol design fixes or considerations as a result – including privacy considerations
  2.  Papers on principles/key concepts in attack defence, to underpin attack defence research of protocols and evidence a threat landscape
  3.  Creating methodologies for researchers to consistently analyse protocols for attack defence, and use these to perform such analysis
  4.  Scoping out specific security research problems outside of the above three points. The sole aim of these scoping exercises is to create an Internet Draft and establish feasibility of creating a separate IRTF security research group on that specific security problem.


The drafts are below, with a short description and a link to find out more. If you're have comments, are supportive of the work or want to contribute to a draft, please post on the list or email the authors saying so.


Kirsty


======

draft-taddei-smart-cless-introduction

  *   Also known as CLESS: Capabilities and Limitations of Endpoint Security Solutions: draft-taddei-smart-cless-introduction<https://datatracker.ietf.org/doc/draft-taddei-smart-cless-introduction/>

CLESS<https://datatracker.ietf.org/doc/draft-taddei-smart-cless-introduction/> attempts to establish the capabilities and limitations of endpoint-only security solutions and explore potential alternative approaches.

draft-mcfadden-smart-endpoint-taxonomy-for-cless

  *   Endpoint Taxonomy for CLESS: draft-mcfadden-smart-endpoint-taxonomy-for-cless<https://datatracker.ietf.org/doc/draft-mcfadden-smart-endpoint-taxonomy-for-cless/>

CLESS<https://datatracker.ietf.org/doc/draft-taddei-smart-cless-introduction/> discusses endpoints in general terms. It has been suggested that there are classes of endpoints that have different characteristics. Those classes may have completely different threat landscapes and the endpoints may have completely different security capabilities. In support of the work on CLESS, this document provides a taxonomy of endpoints that is intended to provide a foundation for further work on CLESS and research on approaches to providing endpoint security alternatives in a diverse group of settings.

draft-sasse-smart-secui-questions

  *   Open Questions in Supporting Secure User Interactions: draft-sasse-smart-secui-questions<https://github.com/smart-rg/drafts/blob/master/draft-sasse-smart-secui-questions.txt>

Describes open questions in supporting usable security at the UI level. The questions are split into defining a set of manageable security tasks for countering the most common attacks, and the UI elements for signalling whether an intended action is secure.

draft-lazanski-smart-users-internet

  *   An Internet for Users Again: draft-lazanski-smart-users-internet<https://datatracker.ietf.org/doc/draft-lazanski-smart-users-internet/>

RFC 3552 introduces a threat model that does not include endpoint security. In the fifteen years since RFC 3552 security issues and cyber attacks have increased, especially on the endpoint. This document proposes a new approach to Internet cyber security protocol development that focuses on the user of the Internet, namely those who use the endpoint and are the most vulnerable to attacks.

draft-moriarty-caris2

  *   Coordinating Attack Response at Internet Scale 2<https://www.internetsociety.org/events/caris2> Report: draft-moriarty-caris2<https://datatracker.ietf.org/doc/draft-moriarty-caris2/>

Coordinating Attack Response at Internet Scale (CARIS) 2, sponsored by the Internet Society, took place 28 February and 1 March 2019 in Cambridge, Massachusetts, USA. Participants spanned regional, national, international, and enterprise CSIRTs, operators, service providers, network and security operators, transport operators and researchers, incident response researchers, vendors, and participants from standards communities.

This workshop continued the work started at the first CARIS workshop, with a focus for CARIS 2 on scaling incident prevention and detection as the Internet industry moves to stronger and a more ubiquitous deployment of session encryption.

draft-mcfadden-smart-rfc3552-research-methodology

  *   Methodology for Researching Security Considerations Sections: draft-mcfadden-smart-rfc3552-research-methodology<https://datatracker.ietf.org/doc/draft-mcfadden-smart-rfc3552-research-methodology/>

RFC3552 provides guidance to authors in crafting RFC text on Security Considerations. The RFC is more than fifteen years old. With the threat landscape and security ecosystem significantly changed since the RFC was published, RFC3552 is a candidate for update. This draft proposes that, prior to drafting an update to RFC3552, an examination of recent, published Security Considerations sections be carried out as a baseline for how to improve RFC3552. It suggests a methodology for examining Security Considerations sections in published RFCs and the extraction of both quantitative and qualitative information that could inform a revision of the older guidance.

This information is exempt under the Freedom of Information Act 2000 (FOIA) and may be exempt under other UK information legislation. Refer any FOIA queries to ncscinfoleg@ncsc.gov.uk