
RE: Preliminary minutes for the IPSRA WG meeting

One thing I didn't understand was the result of the straw poll: Get Cert 7,
PIC 6.

When I look at the results of the poll in the archive (starting with
http://www.vpnc.org/ietf-ipsra/mail-archive/msg00939.html), I only see: Get
Cert 4, PIC 3.

Were some of the votes cast offline or assumed? (e.g. that the authors of
the draft would vote for their own proposal)

Upon closer inspection, I saw that the line
dividing black from white was in fact a shade
of grey. As I drew nearer still, the grey area
grew larger. And then I was enlightened.

> -----Original Message-----
> From: owner-ietf-ipsra@xxxxxxxxxxxxx [mailto:owner-ietf-ipsra@xxxxxxxxxxxxx] On Behalf Of Paul Hoffman / VPNC
> Sent: Sunday, April 01, 2001 7:46 PM
> To: ietf-ipsra@xxxxxxxx
> Subject: Preliminary minutes for the IPSRA WG meeting
>
> Greetings again. Here are the preliminary minutes for the IPSRA meeting
> in Minneapolis. If you have any corrections to what was said or who was
> saying it, please send them to me in the next few days so I can turn
> the minutes (and Scott's presentation) into the IETF for the proceedings.
>
> Sara and I expect to start the straw poll later this week or early next
> week once we get the wording down.
>
> Preliminary IPSRA minutes
> 50th IETF, Minneapolis
> Cochairs: Sara Bitan and Paul Hoffman
> Sara led the meeting; Paul took the minutes.
> WG general status
> 	Low traffic on mailing list
> 	New requirements draft came out in January
> 		There were no comments
> 	DHCP draft is waiting for IETF last call
> Remote user authentication
> 	PIC is using EAP
> 	GetCert will change to use EAP
> March Straw Poll
> 	Few votes: 7 for GetCert, 6 for PIC
> 	Is anyone interested???
> Proposal
> 	Advance requirements draft to Informational
> 	Advance DHCP draft to Standards Track
> 	Abandon PIC or GetCert due to low interest
> 		and inability to pick between them
> Current status of remote user authentication
> 	XAUTH, mode-cfg well-deployed, with some interoperability
> 	Both of these have serious security considerations
> 	This will probably not be fixed by son-of-IKE
> 	"Group shared secret", other problems
> Alternatives for moving forwards
> 	Flip a coin and work on one
> 	Move the problem to IPsec WG, try to work in son-of-IKE
> 		But that will not be allowed
> 	Change IPSRA charter to allow changing IKE
> 		But that will not be allowed
> 	Leave things as they are, and get no protocol
> Comments from the WG
> Bernard Aboba
> 	Why it's not working:
> 	We don't have the right group of people
> 		We're not cert people
> 	Possibly move the work to PKIX
> Marcus Leech
> 	We only need one solution to succeed
> 	Previously, vendors with proprietary VPN moved to IPsec
> 		Therefore we will probably see reticent vendors go with
> 			whatever IPSRA picks
> 	It will be failure if we don't pick one and make it a standard
> Steve Bellovin
> 	He is not attached to GetCert
> 	Wanted to show that remote access authorization without
> 		changing IKE could be done
> 	If it goes to PKIX, we have to hold their feet to the fire to
> 		actually do the work
> Bill Sommerfeld
> 	He would rather flip the coin than not do either
> 	Also thinks the numbers of votes are high enough to indicate
> 		interest
> Cheryl Madson
> 	Too many things (the ones that need IKE changes) were thrown
> 		off the table
> 	Interop happens even without standards (hinting at XAUTH)
> Dan Harkins
> 	The WG was doomed from the start because of the charter
> 	Political problems cause current lack of solution
> Eric Flieshman (apologies if I spelled this wrong!)
> 	Customers want GetCert or PIC, not "no solution"
> Magnus Nystrom
> 	Maybe reuse the work being done in the SACRED WG
> Steve Bellovin: SACRED does not have our legacy auth constraints
> Sara and Paul and Marcus put their heads together and mumbled
> There will be a new straw poll with different questions on the
> 	WG list in the near future
> Bob Moskowitz on expected revisions to GetCert
> 	Will go from SCEP to CMP
> 	Will add EAP
> 	Do we go with CMP or CMC?
> 	Will still have ASN.1 coding
> 	Nice feature: GetCert box can act like RA
> Sara Bitan on PIC
> 	Currently uses EAP on a transport that looks like IKE
> Scott Kelly on requirements
> 	Listed the changes from -02 to -03
> 	Much more on L2TP/IPsec
> 	IPSRA WG has lost focus, we should be emphasizing secure
> 		aspect of access, not just remote access
> 	IPSRA WG has pushed the L2TP folks away
> 	Is the current L2TP/IPsec sufficient for us?
> 	Main security issues
> 		Transit selectors are opaque to IPsec
> 		Complexities of L2TP-IPsec interactions
> 		User auth is not done until Phase 2: biggest problem
> 	Our primary interest should be security: just try to
> 		secure the pipe
> 	Should allow lower security if the customer understands it
> Bernard Aboba
> 	Using passwords to get a cert lowers security of certs
> 	Need to be clearer about the security issues
> General feeling
> 	L2TP is not needed, but should not be shunned
> Meeting adjourned