[763] in WWW Security List Archive
WTS Working Group Meeting in Stockholm
daemon@ATHENA.MIT.EDU (Charlie Kaufman/Iris)
Fri Jul 7 22:38:31 1995
To: www-security <www-security@ns2.rutgers.edu>
From: Charlie Kaufman/Iris <Charlie_Kaufman/Iris.IRIS@iris.com>
Date: 7 Jul 95 18:57:31 EDT
Errors-To: owner-www-security@ns2.rutgers.edu
As some of you may not be aware, this mailing list has been commandeered as the
official mailing list of the WTS (Web Transaction Security) working group of the
IETF. The first meeting of this working group will be at the Stockholm IETF
meeting Tuesday 7/18 9-11:30.

Our charter (attached) calls for us to reach consensus on a requirements
document at this meeting. A candidate requirements document was posted in the
internet drafts directories quite a while ago. It is:
draft-bossert-httpsec-req-00.txt
I've seen little discussion of those requirements - hopefully because there is
consensus, but possibly because few people have read them. I have some thoughts
on additional requirements that I've been remiss in not posting.

Our charter also calls for us to have proposals posted in time for this meeting
with hopes of reaching consensus on a proposal by the end of the year for
advancement. The deadline for posting I-Ds ahead of the meeting is today. The
"current" SHTTP spec is:
draft-rescorla-shttp-00.txt
It was hoped that a revised version would be posted ahead of the deadline and
discussed at the meeting. I don't know whether it will make it in. If it
doesn't, I would hope it would be posted to this list and discussed anyway. I
heard of one other proposal that may or may not make it by today's deadline.

I don't yet have a formal agenda for the meeting. The following are the people
who have volunteered to talk or lead discussions. Let me know if there's
anything else I should include.

Simon Cooper - Work on a new web security protocol - 20 min
Doug Rosenthal - Work on connecting web security with the GSSAPI - 15 min
Don Eastlake - (not confirmed) - Using DNS as a public key distribution mechanism - ?? min
Simon Cooper - Discussion of Web security requirements document - ?? min
Eric Rescorla and Allan Schiffman - Discussion of SHTTP document - ?? min

Another topic which I expect will pervade some of our discussions is how broad
the scope of this working group should be. In particular, there are several
"payments" protocols under development and there is a separate BOF to discuss
them. SSL is a deployed protocol for web security and it also is having a BOF
at this meeting. My belief is that those efforts are sufficiently independent
of the specifics of HTTP that they should proceed in separate working groups. I
am not sufficiently familiar with the proposals we'll hear from Simon and Doug
to know whether they should be considered here or elsewhere. This is a
difficult thing to consider in an open meeting, but it may come up - hopefully
at the end of the meeting. Comments on this mailing list are always welcome.

Several people wrote to me asking for a copy of the group's charter, and some
of them had non-functional return addresses (at least from my site). For them
and for anyone else interested, here it is:

Web Transaction Security (wts)
------------------------------

Chair(s):
    Charlie Kaufman <charlie_kaufman@iris.com>

Security Area Director(s):
    Jeffrey Schiller <jis@mit.edu>

Mailing lists:
    General Discussion: www-security@nsmx.rutgers.edu
    To Subscribe:       www-security-request@nsmx.rutgers.edu
    Archive:            http://www-ns.rutgers.edu/www-security

Description of Working Group:

The goal of the Web Transaction Security Working Group is to develop
requirements and a specification for the provision of security services
to Web transactions, e.g., transactions using HyperText Transport Protocol
(HTTP). This work will proceed in parallel to and independently of the
development of non-security features in the HTTP Working Group. The
working group will prepare two documents for submission as Internet
Drafts; an HTTP Security Requirements Specification, and an HTTP
Security Protocol Specification. The latter will be submitted as a
Standards Track RFC.

Goals and Milestones:

    Done    HTTP Security Requirements submitted as Internet-Draft.
    Jul 95  HTTP Security Requirements finalized at the Stockholm IETF. Submit
            HTTP Security Specification proposal(s) as Internet-Drafts.
    Dec 95  HTTP Security Specification finalized at the Dallas IETF, submitted
            to IESG for Standards Track action.
------------------------------------------------
Charlie Kaufman Iris Associates
508-392-5276 charlie_kaufman@iris.com