To: keydist@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Mon, 25 Mar 2002 11:14:09 -0500
Sender: owner-keydist@cafax.se
Subject: My take on the BoF session
We held a one-hour BoF session last week at the Minneapolis meeting. The minutes are not yet available, but I thought I'd send out my comments.

The BoF session did not succeed in convincing folks that a working group should be formed. On the other hand, we weren't told to give up.

The prime failing of the BoF was that we didn't offer a concrete proposed solution. I knew that we didn't have a mature idea, but I didn't think that it would be seen as that much of a deterrent.

In the SAAG meeting, Jeff Schiller, a Security Area Director, summed up our BoF as an effort to stick keys/certificates in the DNS. Although during the BoF session he was very negative, this didn't show in his summary during the SAAG meeting - perhaps he was being polite. (SAAG is the open security area meeting.)

Stepping backwards in time, I heard a rumor that some of the reviewers felt that our writing was "DNS agnostic" but our presentations in the BoF were tied to DNS. (Rumor = someone told me that they heard someone else say that.)

During the BoF, besides being grilled for having an ill-defined problem, these other comments stand out in my mind:

1) There is a need to solve the key/cert problem for non-connective applications, such as email. These applications cannot transfer keys in real time due to their store-and-forward nature.

2) A contrarian viewpoint is that we should avoid those applications and assist the connective ones, such as SSH. I'd need to see the minutes for the rationale.

3) We should have but didn't discuss RESCAP. This is true, but not for lack of trying. I could not get someone to speak on RESCAP in time.

4) We should have but didn't discuss AAA. This is also true; I do remember deciding not to review that group's documents because I was pressed for time in the weeks leading up to the meeting.

5) We didn't have a formulated idea. With only one hour to present and entertain discussion there wasn't much time to present the work to date. Also, formulation kind of fell apart as the list fell silent. (215 messages from Dec 13 to Jan 24 when the BoF was formed, just 12 since then.)

6) The BoF description mentioned "not getting into a trust model." It is apparent that we do need to look at trust. The words in the description were written in the wrong context - that's all I can say.

After the BoF we were encouraged to derive a charter and try again at the next IETF. We have been given some help, assigned by the Security AD (Steve Bellovin) who will be overseeing the group (if it becomes a WG).

Given Schiller's summary, it seems that we should look at DNS as a part of our solution. Those of us who started with this in the DNSEXT group were trying to shed a DNS past and try to be neutral - apparently we shouldn't shed the DNS. Of course, there are still issues - how (much of) DNS is to be involved.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NAI Labs
Phone: +1 443-259-2352
Email: lewis@tislabs.com
Opinions expressed are property of my evil twin, not my employer.