Rough Guide to IETF 99: Trust, Identity, and Privacy Thumbnail
Building Trust 17 July 2017

Rough Guide to IETF 99: Trust, Identity, and Privacy

By Karen O'DonoghueFormer Director, Internet Trust and Technology

Trust, Identity, and Privacy continue to be topics of interest for the IETF community. Below I will highlight a few of the many activities. There is something for everyone interested in these areas here at IETF 99 in Prague this week!

The work privacy started before the IETF meeting itself actually began with the IETF 99 Hackathon. As you are reading this, the Hackathon will have already been completed. This Hackathon had the largest attendance ever and reached full capacity. It was an energetic event highlighting a number of emerging technologies. An overview of all the Hackaton projects is available on the Hackathon wiki (

There are two especially relevant efforts in the Hackathon that I’d like to bring to your attention. The first one is a large collaboration of people working on DNS, DNSSEC, and DNS privacy. This is a well-established project that has been active in several recent IETF Hackathon events. The second was a team of people working on HTTP error code 451 (RFC7725). This is an error code to report legal obstacles for serving a webpage. During the hackathon they focused on implementing and measuring this status code to make censorship more transparent.

Moving onto the extensive work on trust, and identity, and privacy in the IETF, I will remind folks that the excellent work of the DNS Privacy working group (dprive) was covered in an earlier rough guide post (

The first two working groups I’m going to highlight in this post are working on topics related to the certificate infrastructure for the Internet. The Automated Certificate Management Environment (acme) working group is specifying ways to automate certificate issuance, validation, revocation and renewal. The main order of business is to discuss the working group last call comments on the core specification Automatic Certificate Management Environment ( The working group will also be discussing working group last call comments on the CAA Record Extensions for Account URI and ACME Method Binding ( document. New drafts to be discussed include ACME Identifiers and Challenges for Telephone Numbers ( and ACME Identifiers and Challenges for VoIP Service Providers (

The second certificate related working group is the Public Notary Transparency (trans) working group. It has been working since 2014 to improve the confidence of users in the Web PKI. The underlying premise of this work is to create transparent logs of certificates so that mis-issuance can be detected. That which is transparent can be observed and monitored for unexpected behavior. The core document ( is in working group last call.

Anyone with an interest in the Internet of Things (IoT), will be interested in the Authentication and Authorization for Constrained Environments (ace) working group. This working group is working to develop standardized solutions for authentication and authorization in constrained environments. They published a use cases document last year, and this week’s agenda includes discussion of existing working group documents on authentication and authorization for constrained environments, a DTLS profile for ACE, a CBOR Web Token (CWT), and an architecture for authorization in constrained environments. In addition, there will be discussion of a number of new drafts for working group consideration.

The Web Authorization Protocol (oauth) working group has been working for years on mechanisms that allow users to grant access to web resources without necessarily compromising long term credentials or even identity. It has been a very prolific working group with around 15 RFCs published to date. IETF 99 will be another busy week for those interested in this area including sessions on both Tuesday and Friday. Agenda items for these two sessions include a mutual TLS profile, security, incremental authorization, JWT best practices, device flow, token exchange, and token binding.

There are two additional working groups meeting this coming week that are related to the OAUTH work. The first is the Token Binding (TOKBIND) working group that is tasked with specifying a token binding protocol and specifying the use of that protocol with HTTPS. This working group will be discussing two key drafts: Token Binding for 0-RTT TLS 1.3 Connections (draft-ietf-tokbind-tls13-0rtt), and HTTPS Token Binding with TLS Terminating Reverse Proxies (draft-campbell-tokbind-ttrp-00). This working group works in collaboration with the TLS, HTTPbis and Oauth WGs and with the W3C webappsec WG.

Also related to oauth, the Security Events (SECEVENT) working group is working on an Event Token specification that includes a JWT extension for expressing security events and a syntax for communicating the event-specific data. This is a fairly new WG, formally chartered in January 2017. The meeting this week will discuss several topics including the token specification, token delivery, a management API, and use cases for RISC and SCIM.

More related to the identity of devices than the identity of individuals but included here for completeness, the Identity Enable Networks (ideas) BoF proposes to examine how existing protocols that separate identifiers from their location may benefit from the concept of identity. The two drafts that form the structure of the meeting are Problem Statement for Identity Enabled Networks (draft-padma-ideas-problem-statement) and Gap Analysis for Identity Enabled Networks (draft-xyz-ideas-gap-analysis). Also under discussion is Identities and Identifiers for ION and the IETF. Come along to this session if you are interested in seeing whether or not the IETF might charter work in this space.

For the security crowd, no IETF week is complete without the Security Area Advisory Group (SAAG) meeting. This meeting features a quick run through all the working groups doing security related work in the IETF across all areas, a set of short talks, and an open session to bring issues and topics forward from the community. This week the talks include Post-quantum Crypto, Pretty Easy Privacy (pEp), and a Certificate Limitation Profile.

Finally, for those with a keen interest in privacy, the W3C Privacy Interest Group (PING) will again be meeting for their regular PING and friends get-together during the lunch break on Thursday, 20 July 2017 in Rokoska. Anyone with an interest in privacy is invited to join the meeting (but it is bring your own lunch).

All in all, an action packed week for trust, identity, and privacy related topics here at IETF 99!

Relevant Working Groups at IETF 99

acme (Automated Certificate Management Environment) WG
Friday, 21 July 2017, 0930-1130, Athens/Barcelona

trans (Public Notary Transparency) WG
Wednesday, 19 July 2017, 1520-1650, Berlin/Brussels

ace (Authentication and Authorization for Constrained Environments) WG
Monday, 17 July 2017, 09:30-1200, Congress Hall I

oauth (Web Authorization Protocol) WG
Tuesday, 18 July 2017, 1330-1530, Berlin/Brussels
Friday, 21 July 2017, 0930-1130), Karlin III

tokbind (Token Binding) WG
Monday, 17 July 2017, 1550-1720, Berlin/Brussels

secevent (Security Events) WG
Tuesday, 18 July 2017, 0930-1200, Karlin I/II

ideas (Identity Enable Networks) BOF
Wednesday, 19 July 2017, 1330-1500, Congress Hall II

saag (Security Area open meeting)
Thursday, 20 July 2017, 1330-1530, Congress Hall III

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.

Related articles

Building Trust 21 February 2020

NDSS 2020: The Best in Security Research – For the Good of the Internet

On 23 February, the 27th consecutive Network and Distributed System Security Symposium (NDSS) kicks off in San Diego, CA....

Building Trust 11 February 2020

Every Day Should Be Safer Internet Day

Safer Internet Day is an opportunity for people and organizations around the world to join forces in a series...

Building Trust 28 January 2020

This Data Privacy Day It’s the Little Things That Count

Today we’re celebrating Data Privacy Day, which is all about empowering people and organizations to respect privacy, safeguard data,...