Rough Guide to IETF 92: Trust, Identity, and Privacy Thumbnail
‹ Back
Building Trust 22 March 2015

Rough Guide to IETF 92: Trust, Identity, and Privacy

Karen O'Donoghue
By Karen O'DonoghueDirector, Internet Trust and Technology

Wrapping up the series of Rough Guide to IETF 92 posts is our focus on Trust, Identity, and Privacy. ISOC has been working over the past five years in these areas, and each subsequent IETF has seen advancing work and progress being made on multiple fronts. IETF 92 in Dallas this week is no exception.

First, while there won’t be a meeting on it this time, I’d like to remind folks of the mailing list created last fall to discuss vectors of trust at The impetus for this mailing list came out of an ISOC-sponsored workshop this past September. It is hoped that these discussions will lead to further consensus on concepts around trust and levels of assurance. There are rumors of an informal bar BoF to further discussions on this topic. Monitor the mailing list for details. This is a great opportunity to get involved in a potential IETF activity at a very early stage.

The W3C Privacy Interest Group (PING) will again meet face-to-face alongside IETF on Thursday, 26 March. Topics for the meeting include: the WiFi Privacy Experiment at IETF; W3C Technical Advisory Group (TAG) finding “Securing the Web” through the use of cryptography; Proposed Edited Recommendation Geolocation API; as well as PING’s ongoing work on privacy reviews and guidance for Web specification authors. Please join the meeting if you have an interest in privacy on the Web and would like to help develop better privacy features in Web standards. Meeting details are provided here:

And since I mentioned it above, I’d also like to highlight an experiment that will be hosted on the IETF network. As stated at the link below, the IEEE 802 EC Privacy Recommendation Study Group, in coordination with the IAB and IESG, are working on privacy enhancements for link layer technologies. As part of this effort, they are carrying out a WiFi MAC randomization trial/experiment at IETF 92. The experiment is similar to the one carried out at IETF 91, but this time it’s been upgraded with more support for operating systems (including mobile) and it will run integrated into the main IETF 92 WiFi network. If you are attending in person, you can participate in this experiment. Details on participation can be found on the IETF Meeting Wiki; there is also an article about the privacy trials in the latest issue of the IETF Journal.

As for the IETF working groups, there are several ongoing working groups addressing topics in this space.

The jose (Javascript Object Signing and Encryption) working group will have a short meeting on Tuesday evening to discuss new proposals to develop a Concise Binary Object Representation (CBOR) encoded message syntax for signatures, message authentication codes, and encryption similar to those developed for JSON. The four core jose specifications and the cookbook have both progressed to the RFC Editor and should be coming out sometime soon.

The oauth (Web Authorization Protocol) working group has a full agenda for its Monday afternoon meeting based around its continuing work on proof-of-possession security assertions, token introspection, and token exchange among others. There are several oauth documents that are currently in IESG processing or the RFC Editor queue.

The ace (Authentication and Authorization in Constrained Environments) working group is continuing to develop documents on use cases, actors, architecture comparison, and object security. There is also a side meeting organized on Monday evening to help accelerate consensus on architecture, terminology, and scope. The plan is to meet from 19:10 to 20:40 after the plenary (look to the mailing list for details). Additionally, the technical plenary on Monday evening is on Smart Object Architecture and is highly relevant to this area of work.

The scim (System for Cross-domain Identity Management) working group has successfully sent their core document to the IESG for processing. This includes use cases, an api, and core schema. The meeting this week will discuss new drafts on soft deletes and event notification.

The relatively new stir (Secure Telephone Identities Revisited) working group is looking to develop mechanisms to correctly identify where SIP requests are being originated. In a nutshell, how do you prove ownership of a telephone number on the Internet? The problem statement (RFC 7340) and threats (RFC 7375) documents were published earlier this year, and the “Authenticated Identity Management in the Session Initiation Protocol” and “Secure Telephone Identity Credentials: Certificates” documents are again on the agenda for this meeting.

The web PKI certificate infrastructure continues to be a source of trust related operational issues in the Internet. The primary effort of the trans (Public Notary Transparency) working group is the generation of a standards track version of the experimental RFC 6962 on Certificate Transparency. The primary focus of this week’s discussion will be resolution of issues on the update to RFC 6962. Additional topics for this week’s agenda include a threat analysis, client behavior, and the gossip protocol.

The httpauth (Hypertext Transfer Protocol Authentication) working group’s document for a basic http authentication scheme is in the RFC Editor queue, and the HTTP Digest Access Authentication document is with the IESG. This meeting will focus on mutual authentication, algorithms for mutual authentication, and extensions for interactive clients.

Finally, the dprive (DNS PRIVate Exchange) working group is a relatively new working group chartered to develop “mechanisms to provide confidentiality to DNS transactions, to address concerns surrounding pervasive monitoring.” They are working on a problem statement and some initial proposals. And, the kitten (Common Authentication Technology Next Generation) working group is addressing a long list of documents related to authentication.

As you can see, the IETF is devoting a significant amount of time and energy on efforts related to trust, identity, and privacy. There is plenty to follow and contribute to in this space.

Related Meetings, Working Groups, and BoFs at IETF 92:

Follow Us

There’s a lot going on in Dallas, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Building Trust 11 February 2020

Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...

Join the conversation with Internet Society members around the world