From: Carl Ellison <cme@cybercash.com>
Date: Thu, 4 Jul 1996 09:57:56 +0800
To: cypherpunks@toad.com
Subject: Minutes Of the WWW I&A Forum
Message-ID: <2.2.32.19960703215331.00736f58@cybercash.com>
MIME-Version: 1.0
Content-Type: text/plain


>Return-Path: <NIEMCZUKJ@bah.com>
>Date: Wed, 03 Jul 1996  5:45pm
>From: "Niemczuk John" <NIEMCZUKJ@bah.com>
>To: vanbelld@bah.com, hapemand@bah.com, anthony.vitale@qmgate.trw.com,
>        balenson@tis.com, ballodi@paralon.com, bdorsey@v-one.com,
>        benner_tim@bah.com, bitting@mitre.org, bonatti@bah.com,
>        cme@cybercash.com, crowan@jgvandyke.com, cscrugg@spyrus.com,
>        dale@sctc.com, davidh@checkpoint.com, davids@checkpoint.com,
>        fred.unterberger@east.sun.com, ghilborn@csc.com, hecker@netscape.com,
>        hh@columbia.sparta.com, hittman@v-one.com, housley@spyrus.com,
>        hthomas@smiley.mitre.org, iolson@mitre.org, j_rolen@hud.gov,
>        jacksont@lfs.loral.com, jalexand@aero.org, james.prohaska@litronic.com,
>        janispel@caas.com, janisple@caas.com, jbiggs@csc.com,
>        jfurlong@mitre.org, jharrell@centech.com, jim.beattie@network.com,
>        jim@lsli.com, jmat@vnet.ibm.com, jmyers@mitre.org, jswang@v-one.com,
>        kearny@betuvic1.vnet.ibm.com, khrose@annap.infi.net,
>        khutton@lfs.loral.com, kurowski@lfs.loral.com, lnotargi@us.oracle.com,
>        louden@mitre.org, luther@sware.com, migues_sammy@prc.com,
>        mikez@secureware.com, mjm@reston.ans.net, mkrenzin@mail.hcsc.com,
>        mmancuso@v-one.com, mulvihil@smiley.mitre.org, netland@scc.com,
>        olkowskid@comm.hq.af.mil, oswald@columbia.sparta.com, pguay@mitre.org,
>        price_bill@prc.com, ray@sesi.com, sferry@raptor.com,
>        shlomo@checkpoint.com, sledgerw@bdm.com, smith@sctc.com,
>        tcfarin@sed.csc.com, tehrsam@us.oracle.com, thomps1r@ncr.disa.mil,
>        vritts@cscmail.csc.com, watt@sware.com, wneugent@smiley.mitre.org,
>        woycke@mitre.org
>Cc: jhsteve@missi.ncsc.mil
>Subject: Minutes Of the WWW I&A Forum
>
>                          Multilevel Information Systems Security Initiative 
>(MISSI)
>                               Identification and Authentication (I&A) Forum
>                                          3 June 1996, Meeting Minutes
>
>     The theme of this I&A Forum was security for the World Wide Web (WWW). 
> The following was the agenda for the meeting:
>
> -    Introduction - Dave Luddy, National Security Agency (NSA)
> -    Web Technology Overview - Dave Dodge, NSA
> -    INTELINK Security Needs - Susanne Rosewell, ISMC
> -    Mitre Corporate Experiences Using The Web (An Information Security 
>[INFOSEC] Point Of View) - Michael Louden, Mitre
> -     Security Policy Summary - Dale Hapeman, Booz, Allen & Hamilton
> -    Internet Engineering Task Force (IETF)/Worldwide Web Consortium (W3C) 
>Secure   Web Standard Activities - Judy Furlong, Mitre
> -   Netscape and Web Security - Frank Hecker, Netscape
> -   Protecting Web Sites From Attack - Dr. Rick Smith,  Secure Computing 
>Corporation
> -   Security products For WWW Applications - Mike Zauzig, SecureWare
> -   WWW Access (Attempting Solutions) - Dale Hapeman, Booz, Allen & Hamilton
> -   Forum Wrap-up - Dave Luddy, NSA
>
>     Mr. Dave Luddy, the Forum Chairperson, opened the meeting with an 
>overview of the forum.  He discussed:
> -   The goal of the forum is "to insure the commercial availability of 
>affordable I&A solutions that meet our customer's security, performance, 
>interoperability, and security management needs."
> -   The focus is on MISSI FORTEZZA based solutions.
> -   The development of an I&A Concept Of Operations (CONOPS) will be used as 
>the means of capturing I&A requirements for WWW access and other network 
>applications.
> -   The forum participants and modus operandi are documented in the I&A 
>Forum Charter.
>
>     Mr. Dave Dodge, from the Operations Directorate of NSA, presented an 
>introduction to the WWW technology.  Mr. Dodge presented an overview of:
> -   The Hypertext Transport Protocol (HTTP) which is one of the most 
>flexible tools for navigating the Internet.
> -   Uniform Resource Locators (URLs) which allow a user to identify the 
>location of a resource and the method used to retrieve it.
> -   The HyperText Mark-up Language (HTML) which is used to format Web pages 
>and present URLs to users.
> -   The Common Gateway Interface (CGI) which allows programs run on a server 
>to receive data from a user via an HTTP connection.
> -   JAVA which allows a program to be moved from the server to a client and 
>then executed on the client.  JAVA is designed to "protect you from itself". 
> It has checks that are made during execution.  JAVA is not universally 
>implemented yet.  There is no tag in the HTML
> -   The Secure Socket Layer (SSL)
> -   The Secure-HTTP (S-HTTP)
>
>Questions and Answers:
>Q:   Is a firewall able to differentiate an access made by a user from an 
>access originated by a JAVA applet?
>A:   (from Dave Dodge and Frank Hecker): No.  A JAVA applet can open any 
>random port to the server that provided it.
>Q:   Can a JAVA applet make an access through a proxy?
>A:   (from Frank Hecker).  Either the applet needs to know about that proxy 
>ahead of time or it can make use of the existing HTTP browser.
>Q:   Do search engines present any special I&A issues?
>A:   Most search engines are implemented using the GET or POST HTTP commands 
>which feed a program running on the server.  Control of access to that 
>program is the same as access to any Web page.
>Q:   Is there an IETF Working Group (WG) for WWW?
>A:   The W3C is an industry consortia that deals with Web issues (it's 
>responsible for the new HTML standard).  There are many IETF WGs and 
>standards related to Web topics.
>
>     Ms. Susanne Rosewell, from the ISMC Security office presented a 
>briefing on INTELINK security needs.  She pointed out that there is a panel 
>working on security issues that meets monthly. They are supported by several 
>WGs that are addressing:
> -   JAVA
> -   Access Control
> -   Firewalls
> -   Inter Domain security
>
>     Ms. Rosewell discussed some of the security issues and goals related to 
>INTELINK:
> -   Currently, Local Administrators provide security by reviewing server 
>logs to track who has had access to a server (i.e., no access control). 
> INTELINK would like to provide access control at the "front door" and not 
>at individual servers.
> -   They are looking at using X.509 Version 3 certificates to provide the 
>ability to limit access to no foreign (NOFORN) information.  They also want 
>to use X.509 certificates to identify community of interest (COI).
> -   The Inter Domain WG is investigating the use of commercial off-the-shelf 
>(COTS) multi-level security (MLS) servers to allow a Secret user to access 
>Secret and below data from a server that also contains Top Secret data.
> -   A long term goal is to provide "true data labeling" so that data may 
>carry and maintain a sensitivity label.
>
>Questions and Answers:
>Q:   Isn't it harder to get Secret data into a Top Secret enclave than to 
>get Secret data out of  a Top Secret enclave?
>A:   Yes.
>Q:   Is the goal to provide servers that contain both Top Secret and Secret 
>data that is connected to both (S and TS) networks?
>A:   Yes.
>Q:   Is data aggregation an issue?
>A:   Current efforts are to only label individual data objects.
>Q:   How will an individual user determine what technology to use and when 
>to upgrade?
>A:   INTELINK will be mandating a SSL capable browser in the future and is 
>asking people to comply with that requirement now.
>Q:   Will the INTELINK e-mail solution be Simple Mail Transfer Protocol 
>(SMTP) or X.400.
>A:   The E-mail application package that INTELINK will standardize on is 
>still an issue.  They need a application now and consider SMTP as the only 
>current option. X.400 applications (from the Defense Message System [DMS]) 
>are somewhere down the road.
>Q:   Commercial MLS servers are not readily available, the market has not 
>been established. How will INTELINK obtain COTS MLS servers?
>A:   There are a few MLS workstations available.  INTELINK is working with 
>NSA and vendors to solve this issue.
>Q:   INTELINK is requiring the use of Version 3 X.509 certificates, DMS has 
>an infrastructure based on Version 1 certificates.  Is anyone working on 
>solving this issue.
>A:   There is an INTELINK representative on the MISSI Key Privilege & 
>Certificate WG (KP&CWG) which is working on the problem of incompatible 
>X.500 infrastructures.  Conversion from Version 1 to Version 3 X.509 
>certificates is a transition issue for DMS.  The issue is the timing of the 
>conversion to Version 3 certificates.  There was never any intention to 
>interoperate between the two versions.
>
>     Mr. Michael Louden, who is involved with Mitre corporate management of 
>computer and network operations briefed "A Corporate Experience Using The 
>Web (An INFOSEC Point Of View).  The briefing provided an overview of the 
>Mitre Information Infrastructure (MII).  In the area of security, the 
>briefing included the MII security environment, key security features, 
>security trade-offs, and security issues. Miter has different access control 
>mechanisms (e.g., Passwords, Tickets) for different servers and would like 
>to centralize/standardize the access control mechanisms.
>
>Questions and Answers:
>Q:   When Mitre splits into two separate organizations, will you have to 
>totally rework your access control rights?
>A:   Mitre plans to duplicate the access control system and then delete the 
>individuals from the other organization.
>
>     Mr. Dale Hapeman, the Booz(Allen I&A task leader, presented a briefing 
>on "Sensitive But Unclassified (SBU) WWW Requirements."  He started the 
>brief by reviewing the Context Diagram from the I&A CONOPS and presented an 
>operational environment which showed Web clients an servers relative to SBU 
>enclaves.  Mr. Hapeman followed with an explanation of how each facet of a 
>MISSI security policy could be applied to data as it is being transferred 
>between a Client and Server through multiple firewalls.  He provided 
>definitions of Authorized and Authenticated.  Mr. Hapeman finished with an 
>invitation to the audience to consider the policies they would like to see 
>implemented at the different components involved in a WWW access (client, 
>server, and firewall).
>
>     Ms. Judith Furlong is a lead INFOSEC Engineer at the Mitre corporation. 
>She presented a briefing titled "IETF/W3C Secure Web Standards Activity." 
> Ms. Furlong started her briefing with a discussion of the following 
>existing Web security standards
> -   SSL Protocol
> -   S-HTTP
> -   Private Communication Technology (PCT) protocol
> -   Secure Electronic Transaction (SET) Protocol
>
>     Ms. Furlong followed with an overview of the W3C, including a 
>discussion of the W3C Security WG. Ms. Furlong covered:
> -   The Protocol Extension Protocol (PEP), a W3C proposal for extending HTTP 
>to accommodate additional capabilities such as security, watermarks, 
>labeling etc. She further described the Security Extension Architecture 
>(SEA) using the proposed PEP.
> -   The Joint Electronic Payment Initiative (JEPI), a joint WG between the 
>W3C's Electronic Payments WG and CommerceNet which is developing an Internet 
>payment protocol negotiation scheme and a standard interface for payment 
>modules.
> -   The Digital Signature Initiative which deals with issues associated with 
>applying digital signatures to objects such as video frames.
> -   The Platform for Internet Content Selection (PICS) WG which has the 
>charter to design technology to support "values-based" content 
>rating/labeling. The PICS technology has security applicability.
>
>     Ms. Furlong provided an overview of the IETF and its Web Transaction 
>Security (WTS) and Transport Layer Security (TLS) WGs.
>     She completed her briefing with a discussion of the following security 
>areas not being addressed by standards efforts:
> -   Secure Search capabilities
> -   Mobile Code Security
> -   Security Management Functions
> -   Interfaces to Security Infrastructures
>
>     Mr. Frank Hecker, a senior systems engineer with Netscape 
>Communications Corporation, presented a briefing on Netscape and Web 
>Security.   The briefing covered the security areas and technologies that 
>Netscape is active in.  Mr. Hecker started with a discussion of SSL and how 
>Netscape has improved it through upgrades to their Navigator software as 
>well as additional SSL issues they are investigating.  He also covered 
>Netscape's security related issues:
> -   Support for hardware tokens other than FORTEZZA.
> -   Making a browser "firewall aware" (e.g., able to authenticate to 
>intermediate firewalls) without becoming susceptible to man-in-the-middle 
>attacks.
> -   Providing directory services for use by many different types of 
>applications.
> -   Downloadable applications (JAVA and JAVASCRIPT)
> -   Financial transactions - Netscape will implement SET
> -   Secure e-mail - S/multipurpose internet mail extensions (MIME) 
>(initially not FORTEZZA)
> -   Public key infrastructure - Committed to X.509 Version 3 Certificates
> -   User and/or administrator configurability - Netscape will have a toolkit 
>to support Navigator 3.0.
>
>Questions and Answers:
>Q:   What are Netscape's plans for supporting applications other than Web 
>browsing over SSL connections?
>A:   Netscape currently implements HTTP, NNTP over SSL.  They plan on 
>implementing lightweight directory access protocol (LDAP) over SSL in the 
>future.  file ransfer protocol (FTP), TELNET, and SMTP/POP3/IMAP4 are 
>possible but not planned.  Other vendors or individuals have implemented 
>TELNET and FTP over SSL.
>Q:   How does a user deal with non-SSL servers or optionally implementing 
>SSL on a connection?
>A:   A page that must be accessed with SSL is designated with a URL starting 
>with https:// (instead of http://).
>
>     Dr. Rick Smith an information security consultant with Secure Computing 
>Corporation presented a briefing titled "Protecting Web Sites From Attack". 
> Dr. Smith started his presentation with a history of some of the more well 
>known sever penetrations.  Dr. Smith discussed several types of attacks and 
>methods of protection with Type Enforcement Encapsulation.
>
>Questions and Answers:
>Q:   Where are the tables used for type enforcement defined?
>A:   There is an Administrators Tool that includes this function.
>Q:   How many domains and types can Sidewinder implement?
>A:   Dozens.
>
>     Mr. Mike Zauzig, a senior products development engineer with 
>SecureWare,  presented a briefing on "Security Products For WWW 
>Applications."  Mr. Zauzig provided an overview of  his company, aspects to 
>web security, and the following SecureWare products:
> -   Hannah - Network Security
> -   Troy - Platform Integrity Assurance
> -   SecureMail - E-mail Security
> -   Secure Web Platform Integrity - Safe Web Server
> -   Interceptor - Transmission Control Protocol (TCP)/IP Firewall
> -   Internet Scanner - Attack Simulator
>
>Questions and Answers:
>Q:   Is SecureWare's mail package interoperable with other FORTEZZA e-mail 
>implementations.
>A:   Yes (Dave Luddy).
>Q:   The Security First Network Bank shows a Web server that is connected to 
>directly the Internet (not through the firewall).  Is this machine running 
>SSL on one side and Hannah on the other?
>A:   Yes.
>
>     Mr. Hapeman presented a briefing which attempted to summarize the 
>security requirements presented at the day's meeting.  He reviewed the 
>security services needed and the requirements that are allocated to 
>components.  He also discussed the protocol requirements and possible 
>solutions available to secure the Web.  Different options for authenticating 
>to firewalls placed between clients and servers were presented.  Much work 
>remains to secure the proxy or tunneling solutions.
>
>Questions and Answers:
>Q:   The Internet Protocol Security (IPSec) protocol has not been mentioned 
>all day.  It is very mature and has had much NSA input (especially the 
>Internet Security Association and Key Management Protocol [ISAKMP] key 
>management protocol).  It should be considered as a security solution.
>A:   Agreed.  IPSec is a viable option, especially for authenticated 
>firewall-to-firewall connections.  It was not mentioned by name but is 
>certainly being considered as a solution.
>
>     Mr. Luddy's closing comments were:
> -   NIST FIPS PUB JJJ has been discussed at previous I&A Forums.  Although 
>it presents an authentication scheme, it does not provide for interoperable 
>solutions.  Dave Kemp has authored a Public Key Login Protocol that provides 
>the detail needed for interoperability.  The document will be submitted as 
>an IETF Internet draft.  Comments are solicited.
> -   The I&A CONOPS document will be sent out by e-mail to everyone who 
>registered.
> -   The topic for the next I&A Forum is Access Control.  It is scheduled for 
>8-9 July 1996.
>
>
>