

To: keydist@cafax.se
Cc: lewis@tislabs.com
From: Edward Lewis <lewis@tislabs.com>
Date: Mon, 25 Mar 2002 11:14:09 -0500
Sender: owner-keydist@cafax.se
Subject: My take on the BoF session

We held a one-hour BoF session last week at the Minneapolis meeting.  The
minutes are not yet available, but I thought I'd send out my comments.

The BoF session did not succeed in convincing folks that a working group
should be formed.  On the other hand, we weren't told to give up.

The prime failing of the BoF was that we didn't offer a concrete proposed
solution.  I knew that we didn't have a mature idea, but I didn't think
that it would be seen as that much of a deterrent.

In the SAAG meeting, Jeff Schiller, a Security Area Director, summed up our
BoF as an effort to stick keys/certificates in the DNS.  Although during
the BoF session he was very negative, this didn't show in his summary
during the SAAG meeting - perhaps he was being polite.  (SAAG is the open
security area meeting.)

Stepping backwards in time, I heard a rumor that some of the reviewers felt
that our writing was "DNS agnostic" but our presentations in the BoF were
tied to DNS.  (Rumor = someone told me that they heard someone else say
that.)

During the BoF, besides being grilled for having an ill-defined problem,
these other comments stand out in my mind:

  1) There is a need to solve the key/cert problem for non-connective
applications, such as email.  These applications cannot transfer keys in
real time due to their store and forward nature.

  2) A contrarian viewpoint is that we should avoid those applications and
assist the connective ones, such as SSH.  I'd need to see the minutes for
the rationale.

  3) We should have but didn't discuss RESCAP.  This is true, but not for
the lack of trying.  I could not get someone to speak on RESCAP in time.

  4) We should have but didn't discuss AAA.  This is also true; I do
remember deciding not to review that group's documents because I was pressed
for time in the weeks leading up to the meeting.

  5) We didn't have a formulated idea.  With only one hour to present and
entertain discussion there wasn't much time to present the work to date.
Also, formulation kind of fell apart as the list fell silent.  (215
messages from Dec 13 to Jan 24 when the BoF was formed, just 12 since then.)

  6) The BoF description mentioned "not getting into a trust model."  It is
apparent that we do need to look at trust.  The words in the description
were written in the wrong context - that's all I can say.

After the BoF we were encouraged to derive a charter and try again at the
next IETF.  We have been given some help, assigned by the Security AD
(Steve Bellovin) who will be overseeing the group (if it becomes a WG).

Given Schiller's summary, it seems that we should look at DNS as a part of
our solution.  Those of us who started with this in the DNSEXT group were
trying to shed a DNS past and try to be neutral - apparently we shouldn't
shed the DNS.  Of course, there are still issues - how (much of) DNS is to
be involved.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                NAI Labs
Phone: +1 443-259-2352                      Email: lewis@tislabs.com

Opinions expressed are property of my evil twin, not my employer.
