Meeting minutes - SACRED Working Group meeting, 53rd IETF, Minneapolis, MN

Meeting Chair: Magnus Nyström, RSA Security. (Co-chair Stephen Farrell missed the meeting for personal reasons.)

Magnus started the meeting by going over the agenda, which was as follows:

- Introduction, agenda walkthrough, WG status - Magnus Nyström
- Framework draft - Dale Gustafson
- Protocol draft - Merlin Hughes
- Updated milestones - Magnus Nyström
- All Other Business

Since there were no objections to the proposed agenda, Magnus started with the WG status. He began by reviewing the objectives of this working group and the objectives of this session. He then summarized the WG status as follows: there are two I-Ds, the Framework I-D, whose current version is -03, submitted in February, and the Protocol I-D, whose current version is -02, also submitted in February.

Dale Gustafson then spoke on the Framework draft, which is co-authored by himself, Mike Just, and Magnus Nyström. Dale started by reviewing the SACRED network architecture. He noted that the purpose of the architecture is to allow credentials to be uploaded from or downloaded to a variety of devices. The WG's job is to define a protocol between the end-user device and the credential server. Management and administration of the credential server is beyond the scope of this WG's charter.

Dale then summarized comments from the SACRED mailing list on previous drafts of the framework document. There were many comments in the August - December timeframe, so the authors went through the list archives for comments that apply to the framework draft. They also harmonized the framework draft with the latest SACRED protocol draft. Draft -03 was posted to the mailing list on March 4th and again on March 6th (it was the same version). The most important change from draft -02 is the reordering of several document sections. The authors are waiting for comments from WG members to be posted on the mailing list.
Issues remaining on the Framework document include:

- ID/fingerprint: the framework document was updated to use ID/fingerprint for all conditional operations (per recent list discussion), but the latest protocol draft uses the "last update" method. Should the authors change the framework document to match the protocol document, or leave it as is?
- Security considerations section: the authors would like to ask mailing list members to review this section and determine whether or not it is complete.

Dale then summarized plans for draft -04. The authors expect minimal or no changes to this document going forward. They will put out a revised draft soon, and expect WG last call in May 2002.

Merlin Hughes then summarized the Protocol document, written by Stephen Farrell. Version -02 is current. Merlin summarized the changes from the -01 draft. He then identified the issues that are still open. These include:

- the "multiple substrates" issue;
- the SASL authorization identity issue;
- should we apply for a port number;
- should the DTD or the schema be considered normative;
- fix the DTD extensibility scheme;
- should we specify a maximum value where "unbounded" is in the schema.

Multiple substrates issue: this relates to how the protocol should be defined, and whether it should be bound tightly to a single lower-layer protocol stack or left open for implementation on top of a variety of protocol stacks and transport mechanisms. There was a lot of discussion of this issue on the list and at the Salt Lake City IETF meeting, but no clear consensus. Currently, the document defines the bindings for the SACRED protocol to run over BEEP. Since there was no clear consensus to change this, it was decided to leave the protocol the way it is. Anyone who wants to modify the protocol to run over some other transport service will have to do the work himself.
Magnus Nyström asked whether the WG felt that the protocol document should be left the way it is, with the PDUs, bindings, and protocol spec all in the same document, or whether it would be better to split the protocol into two documents, with the PDUs and bindings in a separate document, to make later implementation of the protocol on another transport easier. The WG consensus was to leave it as a single document.

SASL authorization identity issue: the document does not address this at the moment. Bob Morgan suggested that it be modified to explicitly state that this is undefined; that is now legal under the SASL document. There was consensus to do this, and Bob was asked to provide words for the document.

Applying for a port number: there was consensus that the WG needs to apply for a port number for its protocol. It was also pointed out that it might be appropriate to register a service name and/or a URI, as SASL requires that all protocols making use of it have a registered GSSAPI service name. It was agreed that we ought to register a service name.

DTD or schema being normative: the WG seemed to favor having the schema be normative and dropping the DTD.

DTD extensibility scheme: Stephen has agreed to fix this in the next draft; there was no further discussion.

Specifying a maximum value: the consensus of the group was to leave this as "unbounded".

Merlin stated that Stephen's plan is as follows: once the minutes from this meeting are published, a summary of issue resolutions will be sent to the list. Stephen will then wait a week and publish the -03 protocol draft. He hopes for WG last call on -03; if all goes well, that will be in May.

Magnus then proposed a new WG schedule. For the Framework document, he proposed to have the -04 I-D in April, take it to last call in May, and submit the Framework document to the IESG in August for publication as an Informational RFC. For the Protocol document, he proposed taking the Protocol I-D to WG last call in June.
(This assumes that there will actually be a couple more iterations of the document, to address last-minute comments.) The Protocol document will be submitted to the IESG in September for publication as a Standards-track RFC. Magnus noted that the Protocol document has a dependency on the SASL-SRP draft, so it can't actually be published as an RFC until that document is done. Magnus asked if anyone had any insight into the progression of the SASL-SRP draft. Lawrence Greenfield said that, as far as he knew, there were no outstanding issues on that draft, and he has no real idea what's holding it up. Thus, it's possible that the block from SASL-SRP will soon be removed.

Given all of that, Bob Morgan suggested that there don't seem to be three months of protocol issues left to be resolved; maybe the work will actually progress faster than the proposed schedule. Magnus said that that would be good, but it's probably better to set a schedule and beat it than to set a more aggressive schedule and slip. Bob Morgan noted that there might be IPR concerns around SRP that could hold this work up. Jeff Schiller said that the IPR situation around SRP is "a mess".

David Jablon gave a quick presentation on draft-jablon-speke-00.txt. This individual I-D describes several password-authenticated key exchange methods, including SPEKE, and discusses their relation to other methods and patents, including a Phoenix patent. Toward the end of the presentation, Jeff Schiller asked David whether this is a technology that is patented by Phoenix, such that in order to use it one has to ask Phoenix for license terms. David asked Jeff if it's proper to discuss license terms in an IETF meeting. Jeff answered no, it's not proper. David answered yes, Phoenix has a patent, with terms obtainable by asking. Jeff Schiller stated that it was inappropriate to be soliciting business in this manner.

The meeting ended at 1400.