LTANS WG Meeting Minutes (59th IETF) WG Summary 11:04-11:09 : Santosh See LTANS WG Status Summary ppt for the agenda and schedule - no additional items to agenda were added by the participants - a little behind in schedule LTANS Requirements 11:10 - 11:26: Santosh See LTANS Requirements-summary ppt - timestamps o [Larry Masinter] requirements does not call for 3161, so should not be an issue for requirements o [Russ Housley] we should be ok with what the current doc says, in regards to patents - emulator o Suggestion was to permit including applications that were used to generate the archived data and/or can be used to view the data as part of requirement - long-term identification, authentication, and authorization: o How to define this over such a long time. o Some suggested that it be discussed as part of requirements o [Santosh] this could be part of signed or unsigned attributes, as part of metadata. We don't want to mandate it in the protocol, leave optional o [Stefan]Authentication of access, and policies on information objects, XML work XRML in OASIS o [Santosh and Larry] this does not deals with long term I&A and authorization issues. - New comments from the floor o Need to separate out archive service requirements and archive protocol requirements. o No major ERS 11:26 - 11:53: Brian See ers-ltans-ietf59.ppt - Suggestion was to use multiple hash trees (using different hash algs) - [Larry] Why do we need the hash trees at all - [Larry] Security considerations sections should address the time based threats and need to re-hash. Protocol 11:53 - 12:45 - Santosh for Peter and Alex See protocol-ltans-ietf59.ppt - summary of protocol doc from Peter, Alex and Carl - [Larry] This 6 step infrastructure is confusing. - [Larry] Is what to audit a protocol concern or a policy issue? If it is a protocol concern, then protocol should include audit service related objects/functions. - In response to question, should replay attacks and idemtpotence be handled in the protocol, [Larry] Protocol should protect against all security threats that exist. But without a clearly defined threat model, this is tough to determine. - [Larry] There seems to be some presumptions in slides. Does URI allow anonymous access and how can someone get access to someone else's archived data. - [Santosh in response to the above]: It is assumed that both URI and TAA access will require appropriate I&A and Authorization checks. But, this points to additional requirements on the protocol - [Larry] Some metadata should also be archived. If the archived metadata can change, that points to the need to apply security services at the TAA for data and metadata separately. - [Brian] We need to have some sort of definition of what metadata will be. - [Santosh] We have defined some examples, and leave it open for adding new metadata types. This provides extensibility. - [Larry] Slide 12: Initiate searches is concerning. Proper scoping of the searching language in the protocol should occur. - Slide 13: Not sure of the intent of the integrity comments. - [Santosh] Decision of whether link hashing should be pursued needs to be first discussed off-list. - [Santosh] Should archival service be agnostic to signed data objects? - [Brian] Archive service should not validate signed data objects. - [Santosh] I agree. - [Larry] Is the index to the archived data object part of the protocol? - [Larry] Internal archive service operations should be hidden from client, should be opaque. In the long term, this architecture will change and not suitable for a client to know. - [Santosh] We agree. But there are some advantages of giving back a hint to retrieve the document, or evidence record. - [Larry] As long as they are hints and not tied to how the service performs its function, we are fine. - [Santosh] I find their proposal good in terms of the three classes of transaction Other comments - [Larry] I don't know whether the results of these efforts will be sufficient for a long term archival. I don't see the threat analysis being properly discussed. - [Santosh] I think we did a deep security consideration in the TAP Feb 2003, which give a coverage of the threat analysis, for the protocol and data structure. - [Larry] Long term issues such as loss of identity are not covered. - [Santosh] True. Those are not yet covered. If there are holes in the current threat analysis, please bring it up. - [Larry, off-line] May be instead of this n of m (Shamir splitting) technique should be used.