Privacy 1 November 2013

Rough Guide to IETF 88: Trust, Identity, and Privacy

By Karen O'Donoghue, Former Director, Internet Trust and Technology

Recent and ongoing revelations about large-scale Internet surveillance activities have caused concern amongst Internet users worldwide. These users have started to question their basic understanding of the privacy and security of their information online. While there is much to be concerned about in the revelations, this information disclosure also represents an opportunity to focus on the development of more robust technical solutions and improved user understanding. The IETF has a key role to play in setting standards for digital identity, security, and privacy, and in ensuring that the standardization process contributes to the overall trustworthiness of the Internet. Many Working Groups and Birds of a Feather (BoF) sessions will take place at IETF 88 in Vancouver next week to discuss these issues.

This IETF meeting in particular has several activities of interest related to trust technologies, identity authentication and authorization, and privacy. The first such activity is the BoF session on Handling Pervasive Monitoring. This session will immediately follow the IETF Technical Plenary on Internet Hardening discussed in an earlier blog post in this series. The primary goal of this session is to identify and scope specific IETF efforts to address pervasive monitoring. The mailing list for this discussion was established after IETF 87 and has been very active since its inception with discussions related to threat models and various technical and nontechnical solutions. The challenge for the BoF will be to define concrete executable actions for the IETF community.

In another privacy-related development, the IAB Privacy Program has developed a tutorial for IETF working group chairs to help them better understand and apply privacy considerations in their respective working groups. This tutorial is based on the recently published RFC 6973 on “Privacy Considerations for Internet Protocols”. This tutorial will be offered to all attendees at future IETF meetings. RFC 6973 and the coming tutorial information will both help improve IETF protocols with respect to privacy.

Work also continues in a number of working groups related to trust technologies and identity authentication and authorization. A longer list of these working groups is provided at the bottom with a few highlights below.

The JOSE (Javascript Object Signing and Encryption) working group continues to focus on the development of signing, encryption, and key representation tools for JSON developers. The specifications have been updated several times since the last IETF, and this meeting will focus on the resolution of remaining open issues prior to moving the document set to working group last call (WGLC).

The WPKOPS (Web PKI Ops) working group is investigating the current state of Web PKI operations in light of several revelations in the past about failures of this infrastructure. The initial trust model document has been published, and the agenda features several discussions on various aspects of PKI operations including certificate processing and revocation.

OAuth 2.0 is a mechanism that allows a user to give third-party websites or applications access to protected resources without providing them access to their long-term credentials or resources. The OAuth (Web Authorization Protocol) working group was chartered to update and improve the security mechanisms in the original OAuth protocol. OAuth 2.0 has been published and the working group is focusing on several follow-on efforts. A related side meeting will occur on Sunday, 3 November at 1400 PST on a strategy and plan for OAuth 2.0 interoperability test suites and a possible future interop test event.

The SCIM (System for Cross-domain Identity Management) working group was chartered to standardize methods for creating, reading, searching, modifying, and deleting user identities and identity-related objects across administrative domains, with the goal of simplifying common tasks related to user identity management in services and applications. This meeting will be focused on the remaining open issues.

Related Working Groups and BoFs at IETF 88:

  • perpass (Pervasive Passive Monitoring) BoF
    (6 November 2013, 1300 – 1530)
  • abfab (Application Bridging for Federated Access Beyond web) WG
    (7 November 2013, 1730 – 1830)
  • httpauth (Hypertext Transfer Protocol Authentication) WG
    (8 November 2013, 0900 – 1100)
  • jose (Javascript Object Signing and Encryption) WG
    (7 November 2013, 0900 – 1130)
  • kitten (Common Authentication Technology Next Generation) WG
    (7 November 2013, 1520 – 1720)
  • oauth (Web Authorization Protocol) WG
    Agenda: (not published as of 1 Nov)
    (4 November 2013, 1450 – 1720)
  • scim (System for Cross-domain Identity Management) WG
    (8 November 2013, 1120 – 1330)
  • wpkops (Web PKI Ops) WG
    (7 November 2013, 1520 – 1720)


Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
