Session Date/Time: 27 Jul 2023 22:30
saag
Summary
The Security Area Advisory Group (SAAG) meeting covered working group updates, AD reports, and two special topics: the successful adoption of ACME/Let's Encrypt and the IAB's proposed program on identity ("Who It Is"). Discussions included TLS ECH, MLS publication, verifiable credentials, lightweight crypto (Ascon), workload identities (WIMSE), and the Errata backlog. The meeting also featured presentations on ACME adoption successes and on the challenges and potential scope of the IAB's identity program.
Key Discussion Points
- TLS: TLS spent time discussing ECH with experimental results available. Goal is to finalize the draft and produce a new version by the next IETF, aiming for RFC publication in early 2024.
- MLS: MLS published as RFC 9420. A presentation on MLS deployment may be requested at the next SAAG meeting.
- Verifiable Credentials: An off-meeting is happening tomorrow to discuss verifying credentials. W3C media man group is discussing media types related to work at OpenID, IETF, and W3C.
- Lightweight Crypto (Ascon): NIST selected Ascon as their lightweight cipher. Specific modes are expected to be announced this year via an SP 800 series document. This impacts TLS key derivation functions, EdDSA, and other protocols, requiring preparation in relevant working groups.
- Workload Identities (WIMSE): A new non-working-group-forming mailing list (WIMSE) has been created to discuss workload identities in complex multi-service environments. A BOF is planned for IETF 118.
- Errata Backlog: A significant backlog of Errata exists, particularly in TLS, LAMPS, and OAuth. A large fraction of these Errata apply to bodies of work for which there are no currently active working groups. Working group participants are encouraged to help address these. A pointer to the Errata will be provided.
- ACME Adoption: Presentation highlighted the success of ACME/Let's Encrypt in driving HTTPS adoption. Success factors include early shipping, embracing prior art, targeted extensibility, formal models, and greasing.
- IAB Identity Program ("Who It Is"): The IAB is considering a program focused on identity across the Internet ecosystem. Discussion included the scope (human vs. non-human identities), the need for a common vocabulary, and potential initial steps such as creating a "lay of the land" document mapping terms and activities in different SDOs. Feedback is requested on the identity-discuss@iab.org mailing list.
Decisions and Action Items
- Errata: A pointer to the Errata backlog on the RFC Editor site will be sent to the mailing list.
- Identity Program ("Who It Is"): Community feedback is requested on the scope and focus of the IAB's proposed identity program, particularly on what types of identities should be included (human vs. non-human).
- New Secdispatch chair: Kathleen is departing as one of the Secdispatch chairs. Looking for a new person to step in before the next meeting.
Next Steps
- Continue discussion on the IAB identity program on the identity-discuss@iab.org mailing list.
- Address the Errata backlog in relevant working groups.
- Robust conversation is needed regarding the Tools BOF on the mailing list.