Rough Guide to IETF 98: Trust, Identity, and Privacy Thumbnail
‹ Back
Building Trust 24 March 2017

Rough Guide to IETF 98: Trust, Identity, and Privacy

Karen O'Donoghue
By Karen O'DonoghueDirector, Internet Trust and Technology

It should come as no surprise that there are numerous activities related to Trust, Identity, and Privacy on the agenda for IETF 98. Below I will highlight a few of the many activities and provide pointers to a number of additional ones. There is something for everyone interested in these areas in Chicago in the coming week!

The fun starts before the meeting even begins with the IETF 98 Hackathon. There are two relevant efforts in the hackathon that I’d like to bring to your attention. The first one is a large collaboration of people working on DNS, DNSSEC, and DNS privacy. This is a well-established project that has been active in several recent IETF Hackathon events. Many of the regular contributors to this project recently met with a number of academic researchers in San Diego at the Network and Distributed System Security (NDSS) Symposium 2017 for a full day workshop on DNS Privacy. This work is actively driving improvements in the DNS privacy space. (See also our Rough Guide on DNS Privacy and Security.)

The second hackathon project related to our overarching topic of trust is the one on COSE/JOSE. Javascript Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE) are two related standards for the definition of objects for signing and encryption for JSON and CBOR environments respectively. These efforts are foundational to some continuing work in the IETF around tokens in the web and IoT spaces.

After a few days of diving deep into the details, it might be time to broaden the perspective again. The next session I’d like to suggest, especially to those new to the development of IETF protocol standards, is the Sunday tutorial on Security Considerations. This tutorial explores some of the many aspects of security that might get overlooked during the development of a protocol. The IETF security community is in the process of updating the current guidelines represented in RFC 3552 “Guidelines for Writing RFC Text on Security Considerations.” Additional volunteers are being sought to help finish this effort.

For those with a keen interest in privacy, the W3C Privacy Interest Group (PING) will again be meeting for its regular PING and friends get-together during the lunch break on Thursday, 30 March in Montreux2. Anyone with an interest in privacy is invited to join the meeting (but it is bring your own lunch).

Unfortunately, in a slot directly conflicting with the W3C PING meeting is a session that is also of potential interest. It is a lunch talk by John Mattsson, a Senior Specialist at Ericsson Security Research with a focus on Security Protocols, Cryptography, and IoT. This talk will look at the evolution of cellular security from cryptographic beginnings in 2G to a vision for 5G with improved security and privacy. Grab a quick sandwich and head to what is sure to be an interesting and informative session. The good news is that this session will be streamed live and archived on the IETF YouTube channel.

With the hackathons, tutorials, side meetings, and guest lectures covered, we have now arrived at the detailed work of the IETF. The first step to adopting work in the IETF is a Birds of a Feather (BoF) session, and there is one relevant BoF in our space this time. The Protocol for Dynamic Trusted Execution Environment Enablement (TEEP) BoF is considering an effort to define a standardized version of an application layer security protocol for the configuration of security credentials and software running on a Trusted Execution Environment (TEE). There is a proposal available ( to help jump start the activity.

The Network Time Protocol (NTP) working group has been working for some time to define a replacement for the NTP Autokey protocol. Autokey was developed many years ago, has been identified with numerous flaws, was published as an Informational RFC because of those flaws, and has never been broadly deployed and used. The Network Time Security (NTS) for NTP effort ( specifies a mechanism to provide cryptographic security for NTP for using Transport Layer Security (TLS) and Authenticated Encryption with Associated Data (AEAD). Accurate, reliable, and precise time synchronization is key to a number of underlying security protocols, and this improvement to NTP is long overdue and needed. The NTP working group will also be discussing the publication of a BCP for NTP addressing some of the key misconfiguration issues that lead to DDoS attacks on NTP and some minor updates to NTPv4 to fix some outstanding issues.

The Public Notary Transparency (TRANS) working group has been working since 2014 to improve the confidence of users in the Web PKI. The underlying premise of this work is to create transparent logs of certificates so that mis-issuance can be detected. That which is transparent can be observed and monitored for unexpected behavior. The core document ( has been through Working Group Last Call and 24 revisions. A number of recent issues have been raised and will be discussed this coming week. Additionally, the working group will be discussing redaction, the threat analysis document, and using transparency to improve trust of binaries.

The Web Authorization Protocol (OAUTH) working group has been working for years on mechanisms that allow users to grant access to web resources without necessarily compromising long-term credentials or even identity. It has been a very prolific working group with around 14 RFCs published to date. IETF 98 will be another busy week for those interested in this area including sessions on both Monday and Friday. Agenda items for these sessions include token exchange, device flow for and input constrained devices without browsers, authorization server metadata, token binding, proof of possession, authorization server to client key distribution, the OAuth 2.0 authorization framework, and additional security topics. This is a full agenda indeed! There is also some related work in the Hackathon and rumors of an OpenID working group hands-on session on building mobile apps with AppAuth (Native Applications Best Practices) to be held on Sunday, 26 March.

There are two additional working groups meeting this coming week that are related to the OAUTH work. The first is the Token Binding (TOKBIND) working group that is tasked with specifying a token binding protocol and specifying the use of that protocol with HTTPS. Additionally, the Security Events (SECEVENT) working group is working on an Event Token specification that includes a JWT extension for expressing security events and a syntax for communicating the event-specific data.

Wrapping up our tour through the trust-related working group activity this week, we have the ACE and LAMPS working groups. The Authentication and Authorization for Constrained Environments (ACE) working group is working to develop standardized solutions for authentication and authorization in constrained environments (think IoT). They published a use cases document last year, and this week’s agenda includes architecture, actors, and the CBOR Web Token (CWT) with multiple drafts to support the conversations. And the Limited Additional Mechanisms for PKIX and SMIME (LAMPS) is (as the name implies) making some specific updates to PKIX and SMIME. The agenda for the week includes drafts to update both RFC 5750 and RFC 5751.

Finally, no IETF week is complete without the Security Area Advisory Group (SAAG) meeting. This meeting features a quick run through all the working groups doing security related work in the IETF across all areas, a set of short talks, and an open session to bring issues and topics forward from the community.

All in all, an action packed week for trust, identity, and privacy related topics here at IETF 98!

Relevant Working Groups at IETF 98:

TEEP BoF (A Protocol for Dynamic Trusted Execution Environment Enablement)
Tuesday, 28 March, 14:50-16:20, Zurich E/F

NTP (Network Time Protocol)
Monday, 27 March, 13:00-15:00, Montreaux 3

TRANS (Public Notary Transparency)
Tuesday, 28 March, 13:00-14:30, Montreaux 3

OAUTH (Web Authorization Protocol)
Monday, 27 March, 17:10-18:10, Zurich C
Friday, 31 March, 09:00-11:30, Zurich C

TOKBIND (Token Binding)
Monday, 27 March, 15:20-16:50, Zurich A

SECEVENT (Security Events)
Wednesday, 29 March, 09:00-11:30, Zurich C

ACE (Authentication and Authorization for Constrained Environments)
Monday, 27 March, 09:00-11:30, Zurich C

LAMPS (Limited Additional Mechanisms for PKIX and SMIME)
Thursday, 30 March, 17:40-18:40, Vevey 1/2

SAAG (Security Area Open Meeting)
Thursday, 30 March, 15:20-17:20, Zurich D

Follow Us

There’s a lot going on in Chicago, and whether you plan to be there or join remotely, there’s much to monitor. To follow along as we dole out this series of Rough Guide to IETF blog posts, follow us on the Internet Technology Matters blog, Twitter, Facebook, Google+, via RSS, or see

‹ Back

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Building Trust 11 February 2020

Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...

Join the conversation with Internet Society members around the world