Editor's note: These minutes have not been edited.

SSH Working Group Minutes
June, 1996 IETF
Montreal, Canada

Prepared by: Phil Nesser, Barbara Fraser

The working group met once during this IETF. The time was split
between review of the current Site Security Handbook draft and the new
draft of the User Security Handbook.

I. Review of current Site Security Handbook Internet Draft

The group discussed a number of outstanding issues and came to closure
on them:

1.  Internal References: Do we want to make these work? There was no
    strong feeling one way or the other. It was mentioned that
    reviewers for each chapter might take this on as they review
    chapters, but there will be no requirement to do so.

2.  Tool List: BYF alphabetized and fixed capitalization of the list.
    The list seems a little weak and contains mostly UNIX tools.
    However, there were no suggestions for other tools to be added, so
    the list will stand as it is.

3.  Document Index: Gary Malkin will create an index for the document
    after the final version has passed all the IESG hurdles.

4.  Section 3.2.3.5: Is it okay or not to co-locate ftp & www on the
    same server? We agreed to strike the sentence about it being okay
    since it's not! We will add a pointer to the earlier text about
    why it's bad (3.1.4).

5.  Section 4.6.2: Jim Galvin had some comments about audits and where
    the data is kept, like WORM drives, online, printers, etc. He
    suggests a dual approach. Should we make this suggestion? Nobody
    felt strongly that this was needed, so no changes will be made.

6.  Annotated Bibliography: It takes up 1/3 of the document. Should we
    take out the annotated version, leave the references in, and
    publish it as a separate RFC? We decided to consult with Joyce to
    see where it should be published. It was generally agreed that
    we'd leave the alphabetical listing in the document, but pull out
    the annotated list and publish it separately. We will consult
    Joyce as to the right vehicle, but the group felt it would make a
    good informational RFC (and FYI?).

7.  There was a comment about the quantity of legalese and the
    US-centric nature of it. The group has tried, all along, to make
    the document as universally applicable as possible and many, if
    not all, of the references about specific agencies have been
    removed. Much of the language that remains pertains to "seeking
    legal advice", which may or may not be appropriate in all
    countries. We decided we needed someone to carefully review the
    entire document for legalese and Eric Luiijf (luiigf@fel.tno.nl)
    volunteered to do this.

8.  Gary wants to remove text from 5.2.2 "There are many ..." and the
    four little things that follow since it is redundant many times
    over. It will be gone over by Erik while he's reading for the
    legalese.

9.  In section 3.2.3.5 there needs to be a section about Web clients.
    Phil Nesser will write it.

10. Section 4.5.4: Missing a section on ISDN? The group decided it had
    been covered adequately.

The group discussed the schedule of the remaining work. We will review
chapters carefully and submit comments to the list so that Barbara can
incorporate the changes. The following are the reviewers:

    Intro                          Nic Strauss
    Sec. Policies                  Phil Nesser
                                   (pjnesser@maritgny.ai.mit.edu)
    Architecture (+ DNS Security)  Lorna Leong (lorna@singnet.com.sg)
    Sec. Services & Procs          Steve Glass (glass@ftp.com)
    Sec. Incident Handling         Eric Luiijf - legal aspects
                                   (luiijf@fel.tno.nl)
                                   Marijke Kaat (marijke.kaat@sec.nl)
    Ongoing Activities             Tom Killalea
    Tools & Locations
    Mailing Lists
    References                     Jules Aronson (aronson@nlm.nih.gov)
    Annotated Bibliography

Due date of August 1, 1996 for reviews. BYF will have final draft to
Joyce by 9/1 for last call. BYF will add a disclaimer to the
Bibliography saying that not all references are available in all
countries.

II. Review of User Security Handbook draft

We reviewed the outline that we had established at the last meeting
and everyone was still happy with it. A few minor changes were made.

It was suggested that we might need a very short, one or two page
checklist/tips at the front of the document, something like "The N
Commandments...". There was discussion and it remains an open issue.
We don't want readers to skip the meat of the document, yet we don't
want them to be turned off by a long techie document.

Specific changes that were recommended:

1.  Change "Security Policy" to "READ.ME"
2.  Change "Security Procedures" to "Just Do It"
3.  Change "Incident Handling" to "Bad Things Happen"
4.  Switch the order of chapters 6 and 7.
5.  Add a security considerations section.

Some general comments:

1.  Security Policy section may be too heavy handed - should be more
    like section 6.

2.  We need to balance too many words vs cryptic bulleted lists.

3.  It was suggested that we add a section "Who Cares?" to replace the
    more formal-sounding "Introduction".

4.  We agreed that we still want to include anecdotal stories for each
    section and Gary will send a note to the IETF list soliciting
    stories.

5.  We discussed structuring chapter 7 to go from most common
    applications to least common applications so the general user gets
    what he needs quickly.

6.  It was suggested that we move the section about ISPs up front,
    right after the horror story. Here's the new order:

        7.1 Horror Story
        7.2 What to know about your ISP
        7.3 Email
        7.4 Don't get caught in the web
        7.5 Perils of downloading
        7.6 What program is this anyway?
        7.7 Remote login
        7.8 Beware of Daemons

Some content additions:

1.  Point out that users should always check login messages (last
    logged in on ...). "Where were you the last time someone logged
    in"???

2.  Add a sentence in 6.1 for "poor performance".

3.  Add caveats about appearance and disappearance of files.

4.  Remove the word "system" in 6.1.

5.  There was discussion that sometimes a user will be using a system
    that he/she owns but other times the user will be using a system
    managed by a system administrator. The advice we give needs to
    reflect those two distinct situations. It was suggested that we
    add a navigation aid like "If you are responsible for your machine
    then read on, otherwise contact who you need to contact".

6.  This brought up another point. We need to add some text up front
    to help the user discover "who they need to contact".

7.  Add text up front about how to use the document.

8.  Get rid of the little paragraph at the beginning of chapter 7, and
    then put simple titles on the sections.

Finally, we signed up to write various pieces of the document. Barb's
off the hook until the other document is completed. Writing
assignments will be due by September 1, 1996.

    0.     Who Cares             Gary Malkin (gmalking@xylogics.com)
    1.     The N. Commandments   (open)
    2.     READ.ME               Gary Malkin (gmalking@xylogics.com)
    3.     Just Do It            Jonathan Pullen (sheet@access.digex.net)
    4.     Paranoia is Good      Lorna Long (lorna@singnet.com.sg)
    5.     The Wires Have Ears   Steve Glass (glass@ftp.com)
    6.,7.                        Erik Guttman

*note: "Paranoia is Good" will be about social engineering.

We plan one meeting at the next IETF meeting.