Secure Network Time Working Group Minutes, 20 March 2001

1. Pat Cain presented an overview of the agenda. The first topic was a review of the charter. This group is not intended to revise the Network Time Protocol, but to augment the protocol to authenticate the source of the packets.

2. (Current draft) Next, Pat presented the current status of the draft. The last draft has expired, but a new version was submitted unofficially to the list. A new official I-D will be submitted after the next meeting. Remaining issues: use of PKI certificates, support for IPv6 addresses, and use of SHA-1 instead of the current draft's MD5 for authentication. The next draft will be draft-ietf-stime-ntpauth-02.txt.

3. (Certificate support) The original draft left a hole for PKI because the authors thought it was far too hard. The current proposal is relatively straightforward and allows a client or server to request either a PGP or X.509 certificate. There had been concern about large (>5K) certificates, but the list has demonstrated that most are 2K or less. Certificate validation is a local option. The certificate is used to verify the digital signature on the NTP autokey message.

4. (IPv6 support is still an issue.) The autokey generation takes a hash of the client IPaddr, server, server IPaddr, cookie, and private value. The IPaddr is used to spread the key space slightly and to bind some identity information into the keystream. The first idea was to expand the 32-bit IPv4 address to 128 bits (the IPv6 address size). Ran Atkinson explained that, architecturally, binding the identity to the IP address is not a good idea: systems may wish to change addresses without dropping their connections. Pat was thinking of proposing that a client be allowed to supply a 'random' quantity for this value. Marcus Leech (one of the Area Directors) indicated that he could support that idea. Watch for this one on the list.

5. A new draft will be posted soon after the Minneapolis meeting, correcting some bugs and adding more detail. The WG intends to hold Last Call on that document or its successor. The goal is to complete Last Call before London. The WG does not expect to meet in London.

The session closed. W. Tim Polk compiled the minutes. There were approximately 30 attendees at the meeting.

N.B. An old version of the WG page appeared out of nowhere at the IETF web site. The subscription information for our mailing list is incorrect. The correct info is: To subscribe (or unsubscribe) to authtime@nist.gov, please send an email message to listproc@nist.gov containing the single line "subscribe (or unsubscribe) authtime". (The subject line is optional/ignored.)
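An added illustration (not part of the minutes or of the draft) of the keystream derivation discussed in item 4 and of the address-binding concern raised there. The field order, the 16-byte address encoding, and treating the 'server' field as a text identifier are assumptions made for this example, not the draft's wire format.

```python
import hashlib
import ipaddress
import os

# Assumed layout for the hash described in item 4:
# hash(client binding, server identifier, server IPaddr, cookie, private value).

def addr128(addr: str) -> bytes:
    """Encode an IPv4 or IPv6 address as 16 bytes, mapping IPv4 into IPv6
    space: the 'expand 32 bits to 128 bits' idea from item 4."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        ip = ipaddress.IPv6Address("::ffff:" + addr)
    return ip.packed

def autokey(client_binding: bytes, server: str, server_addr: str,
            cookie: int, private_value: bytes, algo: str = "sha1") -> bytes:
    """Derive the autokey. client_binding is either the client's packed
    address (current draft) or a client-supplied random value (proposal).
    algo is 'md5' (current draft) or 'sha1' (the replacement under discussion)."""
    h = hashlib.new(algo)
    for part in (client_binding, server.encode(), addr128(server_addr),
                 cookie.to_bytes(4, "big"), private_value):
        h.update(part)
    return h.digest()

# Constructed sample values; not from any real deployment.
SERVER = "ntp.example.net"
SERVER_ADDR = "198.51.100.1"
COOKIE = 0x1234
PRIVATE = b"constructed-server-private-value"

def address_bound_key_changes_on_readdress() -> bool:
    """With the client address hashed in, a client that moves to a new
    address (Ran Atkinson's concern) no longer derives the same key."""
    before = autokey(addr128("192.0.2.10"), SERVER, SERVER_ADDR, COOKIE, PRIVATE)
    after = autokey(addr128("192.0.2.11"), SERVER, SERVER_ADDR, COOKIE, PRIVATE)
    return before != after

def random_binding_survives_readdress() -> bool:
    """With a client-supplied random quantity instead, the key depends on
    the nonce the client keeps, not on whichever address it is using now."""
    nonce = os.urandom(16)  # kept by the client across address changes
    k_at_first_addr = autokey(nonce, SERVER, SERVER_ADDR, COOKIE, PRIVATE)
    k_after_move = autokey(nonce, SERVER, SERVER_ADDR, COOKIE, PRIVATE)
    return k_at_first_addr == k_after_move
```

Both IPv4 and IPv6 clients hash a 16-byte address field, so the same derivation serves either address family; swapping `algo` shows the 16-byte MD5 digest against the 20-byte SHA-1 one.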