Session Date/Time: 20 Mar 2025 10:00
saag
Summary
The Security Area Advisory Group (SAAG) meeting covered working group updates, notably OAuth and the new SSH Maintenance Working Group (SSHM). Damien Miller gave a presentation on SSH's history, current state, and future directions. A proposal for a new working group to standardize post-quantum hybrid key exchange (HPKE) was discussed. The open mic session included discussions on DNS handles, post-quantum migration guidance from the UK NCSC, PTP security, and a request for review of Web Authentication.
Key Discussion Points
- Working Group Updates: Updates from OAuth, including progress on several drafts and an upcoming interchaining session.
- SSH Overview: Damien Miller's presentation covered SSH history, its role in the internet infrastructure, and the SSHM's focus on standardizing existing widely deployed extensions and post-quantum key agreement algorithms.
- HPKE Standardization: Richard Barnes and Martin Thompson presented a proposal to charter a new working group to standardize HPKE as a proposed standard with minor changes and define post-quantum cipher suites. The proposal was met with general support and discussion around ensuring cryptographic review and compatibility.
- DNS Handles and JSContact: A discussion on using JSContact (vCard in JSON) as a way to manage a user's crypto credentials in one blob, seeking experts on SSH, PGP and S/MIME for collaboration.
- PQC Migration Guidance: The UK NCSC has published guidance on timelines for Post-Quantum Cryptography (PQC) migration, and is seeking publications of experiences of migrating to PQC from both big companies and smaller ones.
- PTP Security: The NTP working group is seeking a list of algorithm identifiers for HMAC and is interested in making something similar to the AEAD algorithm list.
- Web Authentication Review: A request for review of Web Authentication in collaboration with W3C, as version 3 is approaching.
Decisions and Action Items
- HPKE Working Group: The SAAG will consider chartering a working group to standardize HPKE and define post-quantum cipher suites after coordinating with CFRG. Richard Barnes and Martin Thompson to coordinate with CFRG and then propose a charter to the SAAG list.
- HMAC Algorithm Identifiers: Sean Turner will provide a pointer to an existing hash algorithm registry to David Vanuk for use with PTP security.
- Web Authentication Review: The SAAG will put out a message to the Seg list to ask for review of Web Authentication once it receives more information from W3C.
Next Steps
- Richard Barnes and Martin Thompson will coordinate with CFRG chairs regarding the HPKE working group charter proposal.
- The SAAG will post a call for feedback on the proposed HPKE working group charter to the SAAG mailing list after internal review.
- Sean Turner will provide David Vanuk with information on hash algorithm registries.
- The SAAG will distribute the W3C's request for review of Web Authentication to the Seg mailing list.