Editor's Note: Minutes received 7/21

CURRENT_MEETING_REPORT_

Reported by Doug Barlow/DEC

Minutes of the Trusted Sessions Working Group (TSESS)

The Group had drafted Julie LaMoine (MITRE) to Chair the Group at this meeting, but she couldn't make it, so Doug Barlow filled in for her.

Mike Matthews (Addamax) presented an overview of the Addamax token mapping service. Addamax is also planning on writing an Addamax ATN Profile to complement the TSWG framework.

We reviewed the status of outstanding homework. Available for progress were the following:

   o The Framework Document
   o The Commercial Multi-level Distributed Security (CMDS) Profile
   o The MaxSix V2.0 Profile
   o The DNSIX V4.0 Profile

The Framework document was approved for submission to the TSIG plenary, with the following edits:

   o The order of sections 4.1 and 4.2 is to be reversed, to conform to the order presented in the diagram.
   o In section 5, the phrase ``Addamax plans to present this'' is to be changed to read, ``Addamax has presented this''.

The CMDS Profile was approved for submission to the TSIG plenary, with the following edits:

   o Section 2.4, last bullet, the phrase, ``supplying he local'' is to be changed to read, ``supplying the local''.
   o Section 4, the incorrect ASN.1 syntax in the first line of the Commercial Label Exchange protocol is to be corrected to read, ``COMMERCIAL-LABEL DEFINITIONS ::=''.

The MaxSix Profile was approved for submission to the TSIG plenary (this decision was rescinded later -- keep reading), with the following edits:

   o The version number specified in the title is to be changed from ``3.0'' to ``2.0''.
   o In Section 2.3, paragraph 4, the phrase ``the MaxSix Security'' is to be changed to read, ``the MaxSix proposal for DNSIX Security''.
   o A paragraph will be added explaining how to obtain the referenced MaxSix documents, since they are not in the TSIG archives.

The Trusted Realm Environment Exchange Service (TREES) document was approved for submission to the TSIG plenary without modification.

The DNSIX V4.0 Profile was provided as status information, but is not yet complete, and was not considered for progression at this time.

John Batzer (ITT) told us about work he is doing on a project named ``Dragonfly''. It is a hardware-assisted session layer security protocol which uses RSA to validate packets.

As there were several newcomers, we also provided an overview of the work the Trusted Sessions Working Group has done.

We examined possible future paths for the TSWG. Suggested alternatives were:

   o Help other TSIG working groups utilize trusted sessions.
   o Move existing applications (telnet, ftp, rcmd, etc.) to trusted sessions.
   o Work on the token mapping problem.
   o Agree on a common API for operating trusted sessions.
   o Work on a TSIG Security Architecture Framework.
   o Provide consistent management of trusted sessions (a la MIBs).

Paul Vazquez (DIA) was invited to attend our Group and give us an update on DIA's plans for DNSIX V3.0. Paul called for any and all TSIG attendees to comment on the MaxSix proposal for DNSIX V3.0. Comments must be received by the end of July. So far, out of the 22 vendors to which DIA has made the MaxSix documents available, only IBM and Digital have returned comments.

Two other proposals for DNSIX V3.0 have been received by DIA, the one from Addamax, and one from Digital. However, DIA does not plan on distributing those proposals. Paul recommended that people contact the submitters directly to obtain them. DIA would entertain comments on the other proposals as well.

Paul went on to describe what he felt were requirements that any proposal for DNSIX V3.0 must meet:

   o IPSO (nee RIPSO) is required.
   o An API specification is desirable, but not required.
   o A token mapping capability is desirable, but not required.
   o Backwards compatibility with DNSIX V2.1, which was originally stated to be a requirement, isn't really a requirement, since there are no installed DNSIX V2.1 sites in DIA to be backwards compatible with.

The Group felt that the current TSWG method of providing a profile for every possible DNSIX V3.0 submission did not meet the goal of standardizing on a single solution. Hence the previous decision to submit all completed documents was rescinded, and a vote to forward each individual document to the TSIG plenary was taken. The results of the voting were:

   o Framework for Trusted Session Protocol -- Yes: 6, No: 0, Abstaining: 3.
   o CMDS Profile -- Yes: 6, No: 0, Abstaining: 3.
   o MaxSix V2.0 Profile -- Yes: 0, No: 5, Abstaining: 4.
   o TREES Document -- Yes: 5, No: 0, Abstaining: 4.

The ``No'' vote on the MaxSix V2.0 Profile is taken to be an indication that the Group wishes to wait and see the progress of the DNSIX V3.0 specification. The Group reserves the right to reconsider this document for submission to the TSIG plenary at a later time.

NOTE: In the closing TSIG plenary, TSIG voted to accept the submitted documents -- Yes: 14, No: 1, Abstaining: 7. Concerns were expressed that the profile mechanism still does not guarantee interoperability between ALL secure systems, and that some newer people were not familiar with the TSWG work. Doug Barlow (Digital) volunteered to present an overview of the adopted papers at the next TSIG meeting in Minneapolis.

Attendees

Doug Barlow         barlow@decwet.dec.com
John Batzer
Luc Boulianne       lucb@cs.mcgill.ca
Dean Jagels         dpj@sware.com
James Lin           yeejang@cup.hp.com
Clifford Neuman     bcn@isi.edu
Richard Newton      rnewton@csd.harris.com
Paul Sangster       sangster@ans.net
Paul Vazquez        vazquez@dockmaster.ncsc.mil
Charles Watt        watt@sware.com
W. Stan Wisseman    swissema@oracle.com