CURRENT MEETING REPORT


Reported by Charlie Kaufman

Minutes of the Web Transaction Security Working Group (WTS)


The WTS Working Group met on Wednesday morning, December 6th. 
There was a series of presentations.

Simon Cooper went over a few last wording changes in the requirements 
document, and there was consensus that as soon as they could be 
incorporated into an Internet-Draft, we should go to working group last 
call with the intention of advancing the document to Informational 
RFC.  There was no significant controversy.

Simon also announced that the working group mailing list would be 
moved to wts-wg@postofc.corp.sgi.com (requests to wts-wg-request) 
instead of using the www-security list that predated the working group 
and that we commandeered.  The intent is that participants in the 
working group would automatically get listed on the new list, but the 
logistical details of making that happen were not spelled out.

Doug Rosenthal presented the status of his GSSAPI-WWW work. He 
has Windows and MAC browsers and a modified httpd server that 
implement it with a public key based (SPKM) GSSAPI toolkit.  He 
recently published the spec as an Internet-Draft. The system is being 
deployed in a commercial environment and he would like to eventually 
advance the spec to Internet Standard.  There was no discussion of a 
proposed schedule.  There was some discussion about the lack of 
availability of public domain implementations of SPKM, and about 
how GSSAPI-WWW interacts with PEP.  There was some confusion 
around the difference between GSSAPI the API, and GSSAPI the 
implied protocol spec for the underlying mechanisms.

Rohit Khare gave a presentation on PEP, a general extension 
mechanism for HTTP.  PEP could be used to encode security extensions to 
HTTP instead of using an encapsulating protocol like SHTTP or 
GSS-HTTP.  The existing protocols could probably be converted to this 
alternate syntax without extensive modifications to their crypto and 
parsing engines.  The W3C is building reference code and there is an 
Internet-Draft for PEP.

There appeared to be consensus that SHTTP was sufficiently far along 
in deployment and that it should continue toward standardization 
without PEP integration, but that PEP integration would be an 
important thing to look at in the not too distant future.

Alan Schiffman and Eric Rescorla played tag teams for a presentation 
on SHTTP.  Alan hinted that there are multiple SHTTP 
implementations conforming to the spec, but could not give details.  
There was some discussion of the desirability of having presentations 
on these other implementations at the next IETF.  The SHTTP spec has 
been nearly stable since before the WTS Working Group was formed and 
is nearly ready for advancement to Proposed Standard.  There are a 
handful of open issues around the ways the world is evolving under the 
spec.  SHTTP supports two encodings: PKCS-7 and PEM (there was a 
third, PGP, but it was removed for lack of interest).  There was a 
discussion of whether MOSS should be substituted for PEM, and the 
consensus was that it should be if it is technically feasible.  SHTTP 
used some of the secret key encodings of PEM that are missing from 
MOSS, and Eric Rescorla volunteered to write up those differences as a 
proposal into MOSS so that SHTTP could use it.  There was consensus 
that SHTTP should be advanced as soon as possible, possibly before the 
next IETF, if we can resolve the remaining issues on the list.