Purpose
The IAB Privacy and Security Program is a successor to its previous Security and Privacy programs. It provides a forum to develop, synthesize and promote security and privacy guidance within the Internet technical standards community. While security and privacy have been each been explicitly and implicitly considered during the design of Internet protocols, there are three major challenges which face the community:
- most Internet protocols are developed as building blocks which may be used in a variety of situations. This means that the security and privacy protections each protocol provides are also necessarily piecemeal and that default requirements for use are commonly either missing or ill-understood.
- many security approaches have presumed that attackers have resources on par with those available to those secure the system. Pervasive monitoring, distributed networks of compromised machines, and the availability of cloud compute each challenge those assumptions.
- many systems breach the confidentiality of individuals’ communication or request more than the minimally appropriate data from that communication in order to simplify the delivery of services or meet other requirements. When other design considerations contend with privacy considerations, privacy has historically lost.
This program seeks to consolidate, generalize, and expand understanding of Internet-scale system design considerations for privacy and security; to raise broad awareness of the changing threat models and their impact on the properties of Internet protocols; and to champion the value of privacy to users of the Internet and, through that value, as a contributor to the network effect for the Internet.
Membership
Volunteers should send a statement of interest to privsec-program@iab.org, specifying which focus area or areas are of interest. The current IAB members are:
- Ted Hardie (Program Lead)
- Mary Barnes
- Marc Blanchet
- Russ Housley
- Brian Trammell
Non-IAB members include:
- Richard Barnes
- Alissa Cooper
- Nick Doty
- Stephen Farrell
- Joe Hall
- Christian Huitema
- Eliot Lear
- Xing Li
- Lucy Lynch
- Karen O’Donoghue
- Andrei Robachevsky
- Thomas Roessler
- Christine Runnegar
- Wendy Seltzer
- Juan Carlos Zuniga
Areas of Focus
Internet scale resilience area
This area will describe threat models related to route hijacking, distributed denial of service, and related attacks; it will describe the available mitigations and work with related IETF programs to limit the development of protocols which offer amplification opportunities to the attackers.
Work products anticipated:
- Threat model document
- Mitigations document
- IAB statement on prevention of UDP amplification attacks
- Program slides and white paper for broad audience
Confidentiality Area
This focus area will describe the threat models related to surveillance, describe building blocks which may be used to mitigate that threat, and provide a systems engineering level of description of how to build a confidential application which flows across the open Internet.
Work products anticipated:
- Threat model document
- Mitigations document
- IAB statement on applicability of cleartext protocols for Internet deployment
- Systems engineering document
Trust Area
This focus area will work with the IETF and IRTF working groups related to PKI infrastructure, with a specific focus on how to manage protocol systems in which there are multiple sources of truth which may provide assurances related to identity, authorization, or repudiation.
Work products anticipated:
- Threats related to multiple sources of truth
- Mitigations document
- IAB statement on designing protocols with multiple sources of truth.
- IRTF charter for work exploring block-chain models as sources of truth for community managed resources
