Hannes Tschofenig

Personal blog about various IETF and Internet related activities

Apr 16, 2012

You may have seen the press release about the publication of the European Next Generation 112 Long Term Definition standard (“NG112 LTD”) flying around last week. The publication of the NG112 LTD document was a big success for us from the EENA NG112 Technical Committee, who had been working on emergency services for such a long time.

Here is the document that covers a wide range of next generation emergency services features for an IP-based PSAP architecture.

With 258 pages the NG112 LTD was certainly a lot of work. Describing the functionality in clear and precise terms so that even those who are new to emergency services can understand it requires some additional pages.

Luckily, we knew about the ongoing global developments since many of us are involved in various standards developing organizations, such as IETF, 3GPP, ETSI, NENA, and many other groups. Those familiar with the National Emergency Number Association (NENA) and in particular with the NENA i3 work will recognize many common aspects. By re-using the best available standards we were able to accomplish the work on this document in a reasonable time-frame.

I am looking forward to meeting many of you from the emergency services community at the EU Emergency Services Workshop 2012 in Riga this week, where this work will be presented and discussed. If you look at the agenda of the meeting you will notice that Helmut Wittmann, Cristina Lumbreras, and myself will also give a detailed talk about this new standard.

Thanks to the European Emergency Number Association (EENA) for organizing this community gathering event.

Mar 27, 2012

There are a couple of OAuth events going on this week. Here is a list:

  • Sunday:

OpenID Connect Workshop
https://oic-workshop-ietf-83.eventbrite.com

  • Tuesday:

ISOC lunch event with the title “Authentication and Authorization: Next steps for OpenID and OAuth”
http://www.internetsociety.org/events/isoc-panel-openid-and-oauth-ietf-83

OMA IETF MIF API Workshop (18:10-20:00, room 212/213)
http://www.ietf.org/mail-archive/web/ietf/current/msg72651.html

  • Thursday:

Harry’s lunch event with the title “Beyond HTTP Authentication: OAuth, OpenID, and BrowserID”
http://www.ietf.org/mail-archive/web/http-auth/current/msg00991.html

OAuth working group meeting
https://datatracker.ietf.org/meeting/83/agenda.html

In addition to these events there are related activities you may also find useful, such as

  • WEBSEC WG meeting on Monday afternoon
  • IAB Technical Plenary on Monday evening about “Implementation Challenges with Browser Security”
  • JOSE WG meeting on Tuesday (for the JSON specs)
  • KITTEN WG meeting on Tuesday (SASL OAuth stuff)
  • Simple Cloud Identity Management (SCIM) BOF on Thursday
  • RTCWEB WG meeting on Wednesday/Thursday

Mar 27, 2012

Last Friday we had our “Smart Object Security” workshop. (By the way, it was not an IAB sponsored workshop.) I am going to talk at the IETF #83 SAAG meeting about the highlights, and Jari will go into the details during the IETF LWIG working group meeting. We received a number of good position papers. You can find them here:

Below is the agenda with pointers to the slides. The most important one is the summary slide.

Agenda

  • 08:30 – 09:00: Arrival of Participants and Coffee

  • 09:00 – 09:30: Opening Remarks

Thomas Clausen, Ecole Polytechnique: Welcome and logistics (15 min)

Hannes Tschofenig, NSN & Jari Arkko, Ericsson: Agenda (5 min)
http://www.tschofenig.priv.at/sos-papers/slides/agenda.pptx

  • 09:30 – 10:30: Requirements and Use Cases

Paul Chilton, NXP: Security challenges in the lighting use case (10 min)
http://www.tschofenig.priv.at/sos-papers/slides/Paul.pptx

Rudolf van der Berg, OECD: Open interfaces, identifier spaces, and economic challenges (10 min)
http://www.tschofenig.priv.at/sos-papers/slides/Rudolf.pptx

Discussion: What are the core security requirements? What has the industry already deployed, and what are they struggling with? How to design for choice considering economics, and competition for smart object security?

  • 10:30 – 10:40: Break

  • 10:40 – 12:30: Implementation experience

Carsten Bormann, Universitaet Bremen: Light-weight COAP & DTLS implementations (10 min)
http://www.tschofenig.priv.at/sos-papers/slides/Carsten.pdf

Hannes Tschofenig, Nokia Siemens Networks: TLS and Raw Public Keys Implementation (5 min)
http://www.tschofenig.priv.at/sos-papers/slides/Hannes.pptx

Mohit Sethi, Ericsson/Aalto: Public Key Crypto Implementation Experience (5 min)
http://www.tschofenig.priv.at/sos-papers/slides/Jari.pdf

Discussion: What is our experience with implementing some of these protocols? What worked and what didn’t? What advice can be given? Where is further research, standardization, and implementation work needed?

  • 12:30 – 13:30: Lunch Break

  • 13:30 – 15:30: Authorization and Role-based Access Control

Richard Barnes, BBN: Beyond COMSEC (10 min)
http://www.tschofenig.priv.at/sos-papers/slides/Richard.pdf

Jan Janak, Columbia University: On Access Control (10 min)
http://www.tschofenig.priv.at/sos-papers/slides/Jan.pdf

Discussion: What is the interaction between business processes (such as installation, change of ownership; including non-business processes such as home admin), the roles we have to manage in the system as a result of that, and the crypto we can do to implement those roles?

  • 15:30 – 16:00: Coffee Break

  • 16:00 – 17:30: Provisioning

Johannes Gilger, RTWH Aachen: Secure pairing (10 min)
http://www.tschofenig.priv.at/sos-papers/slides/Johannes.pdf

Cullen Jennings, Cisco: A deployment model (10 min)
http://www.tschofenig.priv.at/sos-papers/slides/Cullen.pdf (joke)
http://www.tschofenig.priv.at/sos-papers/slides/Cullen1.pdf

Discussion: What are practical deployment models, and corresponding protocols?

  • 17:30 – 18:30: Summary

http://www.tschofenig.priv.at/sos-papers/slides/sos-conclusions.ppt
(raw slides as created during the meeting)

Evening: Dinner for those who want (self-organized)

Mar 20, 2012

At this IETF meeting we will have a lot of talks about OAuth, as it seems. Harry Halpin just announced another meeting. Here is what he wrote:

While OAuth has solved the authorization problem, currently authentication on the Web is still insecure as it has yet for the most part failed to go beyond user-names and passwords. However, at this point a number of new client-side capabilities, including the possibility of W3C standardized Javascript cryptographic primitives, are emerging and a number of specifications such as OpenID Connect, BrowserID, and discussions over the future of HTTP Auth have shown that there is interest in understanding better how client-side key material can be used to enable a more secure Web authentication. However, there has yet to be consensus on how client-side cryptography can enable higher-security OAuth flows. The purpose of this side meeting is to look at a more coherent picture of how technologies in the space of identity, authentication, and authorization combine and interact and to help frame future work in Web authentication.

This informal meeting will present a number of proposed technical proposals in brief, including relationships to other existing work (such as RTCWeb and the upcoming W3C Web Cryptography Working Group), and to help frame future work in the area, and then proceed with open discussion.

For any questions, please contact Harry Halpin (hhalpin@w3.org)

Time and Location:

Thursday March 29th lunchtime (1130 to 1300) in room 252A just between the SCIM BoF and OAuth WG as part of IETF83 in Paris.

Schedule

11:30-11:45 Lightning presentations to “level-set” participants.

11:45-13:00 Open discussion on co-ordination between OAuth, HTTP Auth, OpenID Connect, BrowserID, and W3C.

Mar 13, 2012

ISOC regularly organizes panels at IETF meetings (and elsewhere). At the upcoming IETF 83 meeting there will be a panel on Tuesday, 27 March, 11:45am-12:45pm (local time). The topic is “Authentication and Authorization: Next steps for OpenID and OAuth”.

As the IETF-developed OAuth nears draft standard status, and with the recent publication of the OpenID Connect 1.0 draft, now is a good opportunity to look ahead at what’s next for both. This panel of experts will discuss the path ahead for deployments of OAuth and OpenID Connect, as well as their intersection with other standards. The panel will also discuss some of the potential challenges in deployment related to issues currently in the news, such as informed consent, privacy, and data correlation.

Moderator:

  • Lucy Lynch, Internet Society

Panelists:

  • John Bradley
  • Harry Halpin, W3C
  • Mike Jones, Microsoft
  • RL Bob Morgan, University of Washington
  • Hannes Tschofenig, Nokia Siemens Networks

Additional information is available at: http://www.internetsociety.org/events/isoc-panel-openid-and-oauth-ietf-83

Feb 26, 2012

IETF participants, the Internet Engineering Steering Group (IESG) and the Internet Architecture Board (IAB) occasionally organize workshops and place a requirement for an accepted position paper onto workshop attendees. Such a position paper requirement allows the workshop organizers to ensure that only those persons attend the workshop who are committed enough to spend the additional effort of writing down their ideas. This avoids “tourists” and off-topic input. It also gives the workshop organizers a planning tool: since the workshops are typically free of charge, the organizers rely on a host to provide meeting facilities, and there are typically limitations on the available space.

So, what is a position paper?

The author(s) of a position paper are asked to describe (on a small number of pages) their thoughts relevant to the workshop theme. Since we are all experts in a specific area we typically have many views, and so we have to decide on one specific topic that we are most interested in. This is typically a tough decision making process since there are so many things to write about.

A position paper does not have the requirement to provide novel ideas. In fact, it is perfectly fine for a position paper author to have the view that no further work is needed. This factor differentiates a position paper from an academic paper. The focus on “why” something should be done, what the assumptions are, and what problems/challenges exist is more valuable input than yet another solution description. In fact, there will typically be too little space to lay out a solution in a reasonable level of detail anyway.

While it sounds easier to write position papers than academic papers, that’s not necessarily true. The authors are asked to understand technical as well as non-technical aspects. For example, an understanding of the broader eco-system, which includes the deployment reality as well as the needs of society, is certainly valuable since many problems are not caused by a pure technological failure alone.

Needless to say, the authors should pay attention to the workshop theme when they write their position paper. Workshop organizers have the difficult task of being as precise as possible in their call for position papers, but they try not to be so restrictive that they eliminate ideas that are a bit outside the mainstream. Providing a clear theme for paper authors requires that the workshop organizers have some insight into the topic and express the goal clearly. Look around for workshop announcements and judge for yourself whether you believe that the organizers provide enough guidance. If the workshop announcement is simply a laundry list of hype terms, then better wait for the next workshop. For this purpose it is encouraged to interact with the workshop organizers and to ask them questions. Don’t be shy – ask them ahead of time whether they think a position paper on a specific topic would be a good fit. Since experts can typically write about a large range of topics, even asking the workshop organizers to pick from a set of topics is reasonable. Interacting with the workshop organizers is particularly useful if the author is not yet well-known in the community.

Ideally, the position of the author should be clearly recognizable from the abstract of the document, and the rest of the paper supports the argument. If possible, the author also suggests next steps. When suggesting next steps, try to be realistic and think about what the involved stakeholders are actually able to do. For example, suggesting that IETF participants organize a BOF to start new standardization on a protocol is realistic in a workshop organized by the IETF or IAB (with the qualification that the workshop organizers or any of the participating IESG members will not just say “yes – approved”, but that the standards process has to be taken into consideration). Asking for world-wide adoption of the architecture presented by the paper author is not realistic. Asking firewalls and NATs to disappear because they are inconvenient for protocol designers is not useful either.

From a format point of view a position paper is not so much different from an academic paper. The paper has a title (not just “position paper by foo”), lists the authors with their contact information, provides information about the workshop the paper was submitted to, includes figures with titles that are referenced in the text, includes references to relevant work, etc.

Let us pick two position paper examples from the March 2011 IAB workshop on Smart Objects:

Margaret Wasserman submitted a contribution with the title IT’S NOT EASY BEING “GREEN”

The paper clearly articulates the opinion of the author by saying:

In this paper, I would like to talk briefly about energy efficiency in IETF protocols. This is an area that I believe has been largely ignored by the IETF in the past, and one where we could achieve significant benefit by raising widespread IETF awareness of the issues involved.

Margaret then describes a couple of protocol design aspects that impact energy consumption and suggests future work that can be done by the IETF/IAB.

Tero Kivinen submitted a paper describing how to develop a minimal IKEv2 implementation (by omitting optional features in the IKEv2 specification). Tero’s view is that a lightweight client implementation of IKEv2 is possible when certain features are omitted and he supports his argument with a detailed description and code. Tero did not suggest next steps in his paper but he submitted a draft for standardization to the IETF.

These two position papers provided me with valuable feedback for the agenda preparation of the workshop.

So, if you write a position paper next time for an IETF/IAB workshop please consider some of my recommendations.

PS: As a workshop organizer I provide review comments to the authors and I expect them to update their submission accordingly.

Feb 24, 2012

Carsten Bormann [cabo AT tzi.org] sent a good summary of smart object relevant activities happening at the IETF#83 meeting to various mailing lists.

***Subject to change*** — don’t plan travel around this

  • MONDAY, March 26, 2012: IETF Working Group meeting on IPv6 Operations

  • TUESDAY, March 27, 2012: IETF Working Group meeting on Constrained RESTful Environments, Home Networking, and Energy Management

  • WEDNESDAY, March 28, 2012: IETF Working Group meeting on IPv6 Maintenance and Routing Over Low power and Lossy networks

  • THURSDAY, March 29, 2012: IETF Working Group meeting on Internet Area Working Group, Light-Weight Implementation Guidance, and IPv6 Operations

  • FRIDAY, March 30, 2012: IETF Working Group meeting on Constrained RESTful Environments
