Hannes Tschofenig

We have recently submitted a new version of the privacy and identity management terminology document:
http://www.ietf.org/internet-drafts/draft-hansen-privacy-terminology-01.txt

The full document titel is “Terminology for Talking about Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management” and here is the abstract:

This document is an attempt to consolidate terminology in the field
privacy by data minimization. It motivates and develops definitions
for anonymity/identifiability, (un)linkability, (un)detectability,
(un)observability, pseudonymity, identity, partial identity, digital
identity and identity management. Starting the definitions from the
anonymity and unlinkability perspective and not from a definition of
identity (the latter is the obvious approach to some people) reveals
some deeper structures in this field.

Please let us know whether the terminology is useful and complete. Your input is highly appreciated!

With the recent announcement on the mailing list the ATOCA working group has now finally been created:
http://www.ietf.org/mail-archive/web/earlywarning/current/msg00358.html

Scott Bradner <sob@harvard.edu> and Martin Thomson <martin.thomson@andrew.com> will lead the working group.

The milestones of the groups are:

• Jan 2011 Submit “Terminology and Framework” to the IESG for publication as Informational
• Apr 2011 Submit “Addressing security, performance and congestion issues for alert distribution” to the IESG for publication as Informational
• Apr 2011 Submit conveying point-to-point Authority to Citizen Alerts to the IESG for publication as Proposed Standard
• May 2011 Submit “Discovering alerting servers” to the IESG for publication as Proposed Standard
• Jun 2011 Submit conveying point-to-multipoint Authority to Citizen Alerts to the IESG for publication as Proposed Standard
• Aug 2011 Submit “Considerations for interworking with currently deployed alert distribution systems” to the IESG for publication as Informational

The IAB and IESG would like to announce a joint design session on Forwarding Plane Operations, Administration and Maintenance (OAM) to be held on October 12 through October 14 at George Mason University in Fairfax, Virginia, USA.

IP and ICMP support very simple forwarding plane diagnostic tools (e.g., PING, TRACEROUTE). During the Internet’s first decades, these tools fulfilled most operational requirements. However, during the last decade, network operators have deployed many technologies that rely upon tunneling. These technologies include Pseudo-wires, Layer 2 Virtual Private Networks, and Layer 3 Virtual Private Networks. While the Internet community has enhanced its forwarding plane diagnostic tool kit with the deployment of Bidirectional Forwarding Detection (BFD), some suggest that the tool kit is still inadequate for tunneled applications.

The purpose of this design session is to discover and document operational requirements and constraints for tunneled forwarding plane OAM. The design session will also entertain solution proposals. While most activity in this area has been associated with Multi-Protocol Label Switching (MPLS), session organizers also encourage generic proposals that include other tunneling mechanisms (e.g., IP-in-IP).

The scope of this design session is limited to the forwarding plane. Proposals concerning control and management plane protocols will not be accepted. For example, a proposal that probes a tunnel for continuity would be acceptable, while a proposal for reporting tunnel continuity to a routing protocol or management station would be productive, but beyond the scope of this workshop.

Those intending to make presentations must submit position papers to the IAB/IESG by September 24. Position papers should constitute one to five pages on the problem or solution space, with a particular emphasis on areas that the IETF should address or revisit. Evaluation of the position papers will be performed by a committee consisting of IESG and IAB members. A limited number of seats will be available for persons not presenting.

Position papers will be made publicly available. On the basis of the position papers, a number of invited speakers will be asked to present at the workshop. A final agenda with timeslots will be published by October 1.

Further information about position paper submission procedures are forthcoming. Interested parties are advised to subscribe to the oam at ietf.org mailing list for discussion and announcements related to the workshop. Additional information will be available at http://www3.tools.ietf.org/area/ops/trac/wiki/oamJDS.

Ron Bonica, IESG
Danny McPherson, IAB
Hannes Tschofenig, IAB

A new mailing list has been created for the discussion about key assurance with DNSSec

List address: keyassure@ietf.org
Archive:
http://www.ietf.org/mail-archive/web/keyassure/current/maillist.html
To subscribe: https://www.ietf.org/mailman/listinfo/keyassure

Description: This list is for discussion relating to using DNSSEC-protected DNS queries to get greater assurance for keys and certificates that are passed in existing IETF protocols. The main idea  is that a relying party can get additional information about a domain name to eliminate the need for using a certificate in a protocol, to eliminate the need for sending certificates in the protocol if they are optional, and/or to assure that the certificate given in a protocol is associated with the domain name used by the application. In all three cases, the application associates the key or key fingerprint securely retrieved from the DNS with the domain name that was used in the DNS query.

In his announcement Ondřej Surý provides further background information:
You may want to read:

The problem statement I and Warren wrote:
http://www.ietf.org/mail-archive/web/keyassure/current/msg00000.html

New I-D by Jakob, Paul, Warren and Adam:
http://www.ietf.org/internet-drafts/draft-hoffman-keys-linkage-from-dns-00.txt

Slightly older CERT RR (which we already have):
http://tools.ietf.org/html/rfc4398

And various older proposals which didn’t make it:

(Jakob’s)
http://stupid.domain.name/ietf/draft-schlyter-pkix-dns-02.txt

(RR TYPE request I did)
http://www.ops.ietf.org/lists/namedroppers/namedroppers.2009/msg00421.html

Here are the conference call details for the HASMAT pre-BOF conference call:

Date: Wed 14-July

Time: 9am PDT (for ~1 hour)

Webex bridge details:

1. Bridge Nr: +1-866-469-3239
2. Meeting Number: 491 333 963
3. Webex link: https://welcome.webex.com/welcome/j.php?ED=8689638&UID=24463123&PW=NZTJmMzAwN2Vi&RT=MiM2
4. Meeting Password: Maastricht
5. Details: http://www.ietf.org/mail-archive/web/hasmat/current/msg00034.html

It took a long time to finish the charter discussions in response to the “Authority to Citizen Alert (ATOCA)” BOF. In any case, here is the charter text we came up with and the ADs are now tasked with the job of finding chairs to form a working group.

Authority to Citizen Alert (ATOCA)

There are a variety of mechanisms that authorities have available to notify citizens and visitors during emergency events. Traditionally, they have done so with broadcast networks (radio and television). For commercial mobile devices, broadcasting services such as the Public Warning System (PWS), the Earthquake and Tsunami Warning System (ETWS), and the Commercial Mobile Alert System (CMAS) are standardized and are in various stages of deployment.  The Internet provides another way for authority-to-citizen alerts to be sent, but
it also presents new challenges. While there are some existing
layer 2 mechanisms for delivering alerts, the work in this group
focuses on delivering alerts to IP endpoints only.

The general message pattern that this group is intended to address is the sending of alerts from a set of pre-authorized agents (e.g.,
governmental agencies) to a large population without impacting
layer 2 networks (e.g. causing congestion or denial of service).

The goal of this group is not to specify how originators of alerts
obtain authorization, but rather how an ATOCA system can verify
authorization and deliver messages to the intended recipients. A
critical element of the work are the mechanisms that assure that
only those pre-authorized agents can send alerts via ATOCA, through an interface to authorized alert distribution networks
(e.g., iPAWS/DM-Open in the U.S.).

The ATOCA effort is differentiated from and is not intended to
replace other alerting mechanisms (e.g., PWS, CMAS, ETWS), as the recipients of ATOCA alerts are the wide range of devices connected to the Internet and various private IP networks, which humans may have “at hand” to get such events, as well as automatons who may take action based on the alerts. This implies that the content of the alert contains some information, which is intended to be consumed by humans, and some which is intended to be consumed by automatons.

Ideally, the alerts would contain, or refer to media other than text
media (e.g., audio and/or video). The initial work in the group is
focused on small messages, which may be mechanically rendered by the device in other forms (text to speech for example). Future work in the group may investigate rich media.

In situations of a major emergency there could be scenarios
where there are multiple alerts generated that may require that a
priority mechanism (defined by alert originator policy) has to be
used. The work on a resource priority mechanism is out of scope of
the initial charter, but may be revisited at a later date.

Which devices should get alerts is primarily driven by location.
The first set of recipients that must be catered for are those
within the area identified by the alert originator to be affected
by the emergency event.  In many jurisdictions, there are regulations that define whether recipients/devices within the affected area have opt-in or opt-out capability, but the protocols ATOCA will define will include both opt-in and opt-out mechanisms. The group will explore how to support both opt-in and opt-out at the level of communication protocols and/or device behavior.

Another class of recipients that are in scope of the work are
explicit opt-in subscriptions which ask for alerts for a specified
location, not necessarily the physical location of the device itself.
An example of such a subscription would be ‘send me alerts for
location x’ (previously determined as the location of interest).
This work may build on existing IETF GEOPRIV location work.

There are efforts in other fora on early warning, which will be
considered in this effort.  For example, we expect to make use
of the OASIS Common Alerting Protocol (CAP) for the encoding of
alerts. OGC, ATIS, TIA, ITU-T, ETSI and 3GPP also have alert
efforts underway, and consultation with these efforts will be
undertaken to avoid unnecessary duplication of effort and also
to avoid unintentional negative impacts on the networks. Of course, existing protocols for delivering messages (e.g., SIP) will be the basis for the message delivery system of this working group.

The security implications of mechanisms that can send alerts to
billions of devices are profound, but the utility of the mechanism
encourages us to face the problems and solve them. In addition, the potential performance and congestion impacts to networks resulting from sending alert information to billions of devices must be considered and solved if such a service is implementable. To avoid manual configuration of servers distributing alerts a discovery mechanism will be specified.

Goals and Milestones

Aug 2010  Submit “Terminology and Framework” document as initial WG item. A starting point for this work is
draft-norreys-ecrit-authority2individuals-requirements.

Sep 2010  Submit “Conveying alerts in SIP” document as initial
WG item.
A starting point for this work is draft-rosen-sipping-cap.

Dec 2010  Submit “Conveying alerts through point-to-multipoint
methods” document as initial WG item.

Oct 2010  Submit “Discovering alerting servers” document as initial WG item. A starting point for this work is
draft-rosen-ecrit-lost-early-warning.

Dec 2010  Submit “Addressing security, performance and
congestion issues for alert distribution” document as
initial WG item.

Jan 2011  Submit “Interfacing existing alert distribution systems”
document as initial WG item.

Jan 2011  Submit “Terminology and Framework” to the IESG for
consideration as an Informational RFC.

Mar 2011  Submit “Conveying alerts in SIP” to the IESG for
consideration as a Standards Track RFC.

May 2011  Submit “Conveying alerts through point-to-multipoint
methods” to the IESG for consideration as an
Informational RFC.

Apr 2011  Submit “Discovering alerting servers” to the IESG for
consideration as a Standards Track RFC.

Jun 2011  Submit “Addressing security, performance and
congestion issues for alert distribution” to the IESG for consideration as an Informational RFC.

Aug 2011  Submit “Interfacing existing alert distribution systems”
to the IESG for consideration as an Informational RFC.

More information can be found on the ATOCA mailing list at https://www.ietf.org/mailman/listinfo/earlywarning

At the next IETF meeting in Maastricht (end of July 2010) we are going to have a BOF about “Federated Authentication Beyond The Web”. In case you have not noticed the work relates to RADIUS and Diameter.

I wrote this very short problem statement document to explain the purpose of the BOF:
http://www.ietf.org/internet-drafts/draft-tschofenig-moonshot-ps-00.txt

The abstract of the document says:

It is quite common that application developers and system architects are in a need for authentication and authorization support in a distributed environment. At least three parties need to cooperate, namely the end host, the identity provider, and the relying party. At the end of the exchange the identity provider asserts identity information or certain attributes to the relying party without exposing the user’s long-term secret to the relying party.

While the problem sounds challenging and interesting but it is not
new. In fact, various IETF groups have produced specifications to
solve this problem, such as Kerberos, RADIUS, and Diameter. Outside the IETF various Single-Sign-On solution for HTTP-based applications have been developed as well.

The reader might therefore wonder why there is need for new work
given the existence of readily available solutions. This document
tries to answer this question in a compact fashion.

I would like to remind you about the upcoming BOF on HTTP Application Security Minus Authentication and Transport (HASMAT).

The mailing list can be found here (https://www.ietf.org/mailman/listinfo/hasmat) and the charter text writeup is here (http://www.ietf.org/mail-archive/web/hasmat/current/msg00000.html).

For those who have not closely followed the topic we will have a pre-BOF conference call next week (Wed 14-Jul, 9am PDT). My announcement of the conference call can be found here: http://www.ietf.org/mail-archive/web/hasmat/current/msg00031.html. Webex details will follow.

Additionally of interest might be the presentation Jeff Hodges gave about the HTTPS security policy. He gave a presentation at the 10th Internet Identity Workshop (IIWX) and the recording can be found here:
http://idcoach.blip.tv/file/3650497

Jon Peterson, Bernard Aboba, Karen Solins, and myself recently published a short writeup with the title “The Role of the Internet Engineering Task Force (IETF) in Improving Privacy on the Internet”. The article can be downloaded from http://www.w3.org/2010/api-privacy-ws/papers/privacy-ws-32.pdf.

We wrote this short position paper as a contribution for the “W3C Workshop on Privacy for Advanced Web APIs”. More about the workshop can be found here: http://www.w3.org/2010/api-privacy-ws/.

A little bit of background: Some of us worked in the GEOPRIV working group and had been exposed to the topic of privacy for years already. Over time we got a better understanding of it, also with the help of privacy experts like John Morris and Alissa Cooper.

When the W3C then started their work on a so-called Geolocation API many of us had expressed concerns about how privacy is addressed in the design of that protocol. We got the impression that users would be exposing their location in surprising ways.

We weren’t, however, able to convince certain people involved in the design of the protocol and the Geolocation API got implemented and deployed. As deployment investigations later showed (see references in the paper) the privacy properties being provided in the wild weren’t “favorable” for users.

With the ongoing work on the Device API in the W3C there is even more risk of getting things wrong since this work essentially allows to expose your camera, microphone, contact list, storage, etc. via your web browser to Web sites (who sent you the right JavaScript code).

Now, it seems that even the last few folks have realized that there might be a privacy issue in the air.

Hence, the W3C schedule a workshop with the focus on these APIs.

We looked into the work various IETF groups did in the area of privacy and came to the conclusion that we do actually consider privacy in our protocol design. The paper highlights a couple of cases. We do not have a systematic approach of doing so but the structure of the IETF as an organization, the processes we have (with various levels of reviews), and the wide expertise allow us to catch or document potential privacy unfriendliness.

We (the IAB) would like to figure out what the IETF and the IRTF can do to provide better privacy protection and where our influence ends. To do so we need your help.

Your feedback to the article and the topic overall is appreciated.

Marit Hansen, Andreas Pfitzmann, and myself have recently worked on an Internet draft about privacy terminology.

The exact document title is “Terminology for Talking about Privacy by Data Minimization: Anonymity, Unlinkability, Undetectability, Unobservability, Pseudonymity, and Identity Management” and the document can be found here:
https://wiki.tools.ietf.org/id/draft-hansen-privacy-terminology-00.html

The abstract says:

This document is an attempt to consolidate terminology in the field privacy by data minimization. It motivates and develops definitions for anonymity/identifiability, (un)linkability, (un)detectability, (un)observability, pseudonymity, identity, partial identity, digital identity and identity management. Starting the definitions from the anonymity and unlinkability perspective and not from a definition of identity (the latter is the obvious approach to some people) reveals some deeper structures in this field.

We believe it is help for working groups in the IETF to have a consistent terminology for privacy.

We are looking for reviewers! Please drop us a note if you have some comments.