Markdown Version | Session Recording

Session Date/Time: 25 Jul 2024 22:00

saag

Summary

The Security Area Group (SAAG) meeting covered several topics, including updates on working groups, new mailing lists, errata processing, and presentations on OAuth terminology, the risks in RADIUS protocol, and a discussion on standardizing cryptographic algorithms and policies within the IETF. The meeting aimed to gather feedback on a straw man proposal for a more formalized process for handling cryptographic algorithms.

Key Discussion Points

• Working Group Updates: Updates were provided from several working groups, including SKiM, OAuth, MLS, and AD-DoT. MLS is nearing its re-charter, and AD-DoT has drafts out for adoption.
• New Mailing Lists: Announcements were made regarding new mailing lists for SSH, post-quantum DNSSEC, and network attestation for secure routing (Nassar).
• OAuth Terminology: A presentation highlighted the problem of inconsistent terminology across different identity-related working groups and proposed lightning talks and a living terminology document to address this. RFC 4949 and RFC 949 were referenced as resources for existing terminology.
• RADIUS Security Vulnerability: A presentation detailed a vulnerability in the RADIUS protocol due to the use of MD5 for authentication, allowing man-in-the-middle attacks. Requiring the message authenticator attribute and migrating to TLS were proposed as mitigations. Concerns were raised about the continued use of vulnerable protocols and the need for clearer security guidance in specifications.
• Cryptography for IETF Protocols: The meeting discussed the current informal process for standardizing cryptographic algorithms and proposed a more formalized approach. Key points included:
  • Limiting RFC publication for crypto algorithms to those vetted by the public cryptographic community or recommended by the CFRG.
  • Ensuring IANA registries for crypto algorithms include version numbers.
  • Avoiding venue shopping and ensuring algorithms are properly reviewed.
  • The definition of what constitutes "vetted by public cryptographic community" and the processes for considering national cryptographic algorithms.

Decisions and Action Items

• OAuth Terminology: A side meeting will be held to further discuss the creation of a living terminology document.
• RADIUS Security: Implementations should require the message authenticator attribute. The community should migrate to TLS for RADIUS traffic.
• Cryptography for IETF Protocols: The security area directors will consider the feedback received and revise the straw man proposal for a formalized process for handling cryptographic algorithms. The discussion will continue at a future meeting.

Next Steps

• The OAuth group will hold a side meeting to discuss the terminology document.
• The SSH, post-quantum DNSSEC, and Nassar mailing lists are available for those interested to join.
• The security area directors will revise the cryptography RFC process proposal based on community feedback.