Session Recording Summary: saag
Session Date/Time: 11 Nov 2021 16:00
Summary
The Security Area Advisory Group (SAAG) session provided updates from various working groups, reports from the Security Area Directors (ADs), and a key discussion on proposed changes to RFC 8447, concerning the "Recommended" column in TLS IANA registries. Working group progress was noted for OHAI and MLS, with Curdle and SecEvent nearing closure. AD reports highlighted updates to the security area wiki, recurring issues in document reviews, and the status of new and closing working groups. The central technical discussion revolved around expanding the TLS "Recommended" column beyond a simple "Yes/No" to better reflect the status of various parameters. A poll indicated a modest preference for a three-state system (Yes, No, Bad/Deprecated/Not Recommended) compared to two states or more than three.
Key Discussion Points
- Working Group Updates:
  - OHAI: Reviewed proposed starting point drafts, with a favorable adoption call initiated.
  - MLS: The protocol draft is nearing completion, aiming for Working Group Last Call (WGLC) in December. The architecture draft is expected to follow, with both targeting IESG submission in Q1 2022.
  - Curdle: Expected to close once its final document enters the RFC Editor queue.
  - SecEvent: Expected to close soon, contingent on finishing or declaring victory on a related draft.
- Security Area Director Updates:
  - The Security Area Wiki has been updated to be more accessible regarding new work and processes; feedback is requested.
  - Recurring issues identified during AD and Telechat reviews are documented, and working groups are urged to consult this list.
  - Public URLs are available to view AD queues and the overall Sec Area document processing status.
  - Discussion on Post-Quantum Agility continues on the mailing list; feedback is still needed on a proposed charter.
  - New Working Groups: OHAI, DANCE, and SCIM (ART Area, but security-related) have spun up since the last SAAG meeting.
  - Closed Working Groups: TRANS has concluded.
  - Rechartering: SUIT is discussing rechartering to address extensions beyond its core manifest.
  - Thanks were extended to SEC reviewers for their critical contributions to document quality and security.
- TLS "Recommended" Column (RFC 8447bis) Discussion:
  - Problem Statement: RFC 8447 defined a "Recommended" column (Y/N) in TLS IANA registries. The "N" value was found to conflate "not evaluated," "deprecated," and "limited use."
  - Proposed 8447bis States: "Yes" (recommended for general use), "No" (discouraged for general use), and "Blank" (unevaluated).
  - Community Feedback:
    - Hecker: Advocated for a minimum of three distinct states: "Good" (Y), "Haven't Looked" (blank), and "Actively Bad" (some form of 'N' or 'D'). Expressed strong opposition to re-using 'N' with a new meaning if its previous meaning was "unevaluated."
    - Stephen: Preferred sticking to two states (Y/N), arguing that more values would lead to excessive debate and not provide additional clarity.
    - Hannes: Highlighted the importance of non-web TLS use cases and the potential for parameters critical in specific domains to be mislabeled as "not for general use" if "general" only considers the web. Suggested linking to clarifying documents.
    - Phillip: Also favored two states, specifically to avoid the IETF evaluating cryptographic algorithms, a task best suited for dedicated crypto competitions.
    - Yoav: Suggested three specific values: "Yes," "Don't Use" (for deprecated/limited use), and "Go Read The Document" (for nuanced cases).
    - Rich: Stressed that any chosen parameters/values must be determinable "unambiguously and without judgment calls" to avoid AD/DE involvement. Also noted that a 'space' character for "unevaluated" is poor for accessibility.
    - Yaron: Raised concerns about potential coordination issues and duplication of work with the UTA (TLS Usage & Advice) working group if the IANA registry adds nuanced deprecation or limited-use indicators.
    - Watson: Emphasized that changes should initiate a deprecation process, and the ecosystem should be able to move off deprecated items.
  - Poll Results: A hand-raise poll was conducted with three options for the number of states:
    - Two states (Yes/No): 15 votes
    - Three states (Yes/No/Bad): 32 votes
    - More than three states/requires further discussion: 18 votes
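As an added illustration (not code from the session, the TLS working group, or IANA), the following Python models the registry states discussed above and audits a cipher-suite configuration against them, showing what the two-state view loses; the CSV snapshot, its simplified column layout, and its Recommended values are constructed for the example.

```python
import csv
import io
from enum import Enum


class Recommended(Enum):
    """Registry states discussed for RFC 8447bis: Y, N, a third 'bad' state, and blank."""
    YES = "Y"           # recommended for general use
    NO = "N"            # discouraged for general use
    DEPRECATED = "D"    # actively bad: the third state the poll favoured
    UNEVALUATED = ""    # blank: nobody has evaluated the parameter yet


# Constructed snapshot in a simplified three-column layout; the Recommended
# values are illustrative and not a copy of the live IANA registry.
SAMPLE_CSV = """Value,Description,Recommended
"0x13,0x01",TLS_AES_128_GCM_SHA256,Y
"0xC0,0x13",TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,N
"0x00,0x0A",TLS_RSA_WITH_3DES_EDE_CBC_SHA,D
"0x00,0x01",TLS_RSA_WITH_NULL_MD5,D
"0xFF,0x01",TLS_EXAMPLE_PRIVATE_SUITE,
"""


def parse_registry(text):
    """Map cipher suite names to their Recommended state from a CSV snapshot."""
    rows = csv.DictReader(io.StringIO(text))
    return {r["Description"]: Recommended(r["Recommended"].strip()) for r in rows}


def audit_suites(configured, registry):
    """Bucket a configured cipher list by registry state; names absent from the
    registry land in 'unknown' rather than being silently accepted."""
    buckets = {state.name.lower(): [] for state in Recommended}
    buckets["unknown"] = []
    for suite in configured:
        state = registry.get(suite)
        buckets[state.name.lower() if state else "unknown"].append(suite)
    return buckets


def collapse_to_two_states(registry):
    """The pre-8447bis view: anything that is not Y is reported as N, so
    'deprecated' and 'never evaluated' become indistinguishable."""
    return {name: (state if state is Recommended.YES else Recommended.NO)
            for name, state in registry.items()}


if __name__ == "__main__":
    registry = parse_registry(SAMPLE_CSV)
    config = ["TLS_AES_128_GCM_SHA256", "TLS_RSA_WITH_NULL_MD5",
              "TLS_EXAMPLE_PRIVATE_SUITE", "TLS_MADE_UP_SUITE"]
    print(audit_suites(config, registry))
    print(audit_suites(config, collapse_to_two_states(registry)))
```

Run against the three-state snapshot, the audit separates a deprecated suite from a never-evaluated one; after collapsing to Y/N both fall into the same "no" bucket, which is the conflation the problem statement describes.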
Decisions and Action Items
- The modest preference from the poll (32 votes for three states) suggests a path forward.
- ACTION ITEM: The TLS chairs (Joe Salowey, Sean Turner) will draft an update to RFC 8447bis proposing a three-state system for the "Recommended" column (e.g., Yes, No/Discouraged, Bad/Deprecated).
Next Steps
- The drafted RFC 8447bis update will be circulated for further feedback from the community.
- Discussion regarding the "limited use" category and potential coordination issues with the UTA working group is encouraged to continue on the mailing list.
- Other proposals for more or different states can also be drafted and discussed.