Hi,

I was not in Rhodos at RIPE43, but there was a techsec-wg meeting.
No official/approved minutes of that meeting were posted. However,
there was a draft going around. In the absence of the official/approved
minutes, the best we can do is look at the draft, IMHO.

-- Ted.

-----Original Message-----
From: webmaster@ripe.net [mailto:webmaster@ripe.net]
Sent: 24 September 2002 11:35
To: matthew@ripe.net
Subject: Re: RIPE 43 TechSec-WG Minutes - 1st draft

Hi,

Are these minutes approved already?

-J

"Matthew Williams" <matthew@ripe.net> writes:

* R I P E 4 3  R H O D E S
*
* Technical-Security Working Group Session
* 12-September-2002 Minutes
*
* Chair: Daniel Karrenberg
* Scribe: Henk Uijterwaal (Matthew Williams)
* Participants: ??
*
* 1. Administrativa
*
* Daniel welcomed us all to the meeting and then handed out the
* participants' list. Henk Uijterwaal from the RIPE-NCC volunteered
* to take the minutes.
*
* The agenda for this session and minutes from the previous meeting
* at RIPE42 were approved without further ado.
*
* 2. Olaf M. Kolkman: DISI Update
*
* Presentation available at URL:
*
* http://www.ripe.net/ripe/meetings/archive/ripe-43/presentations/ripe43-techsec-disi
*
* Comments on slide #4:
* Bind 9.3s20020722 should not be used in production due to the
* protocol bug that Olaf mentioned. In fact, Bind snapshots should
* only be used for tests. (Ed Lewis)
*
* Be careful using tools that ship with earlier versions of Bind. They
* may seem to work, but are incompatible with new developments,
* i.e. tools from earlier Bind versions do not tell you that they are
* incompatible with 2535. (Bill Manning)
*
* Question regarding slide #12:
* Q: Can Bind run as secondary name server to NSD? (Ed Lewis)
*
* A: Yes. (Daniel Karrenberg)
*
* After the presentation, Bill Manning noted that when using
* key-manipulating tools one should pay special attention to
* internal procedures.
*
* Q: Once keys have been received and stored locally, how does one
*    guarantee integrity and authenticity? (Bill Manning)
*
* A: No handles in the database yet. We are assuming that one can trust
*    one's own machines and staff. It is important to simplify the
*    deployment of DNSSEC by not setting the barriers too high. The
*    system should be easy to operate and not require special on-site
*    security staff. More features can be added later. Tools alone do
*    not solve these problems. In the courses we want to make people
*    aware of security policies and procedures that need to be
*    addressed while deploying DNSSEC. (Olaf M. Kolkman)
*
* Q: Ripe has a high profile here and should incorporate stronger
*    security into the system. (Bill Manning)
*
* A: We are trying to do that. There are additional tools, e.g. the
*    signing appliance, that can be downloaded by sites that need
*    them. (Olaf M. Kolkman)
*
* There were no further comments.
*
* Olaf mentioned that the slides would be available on the meeting
* site.
*
* 3. AOB
*
* Q: Is this WG the place where other groups should report on their
*    efforts in this area? (Francis Dupont)
*
* A: Sharing experience and ideas will lead to better operational
*    procedures and better understanding. Results may become best
*    current practices. (Olaf M. Kolkman)
*
* Bill Manning has written a document on key management for the root
* name servers. His draft will be distributed on the DNSSEC mailing
* list (dnssec@cafax.se). He also mentioned that there will be a
* workshop prior to the ATLANTA IETF meeting. The details will be
* posted on dnssec@cafax.se.
*
* Olaf clarified to the audience that all important info/links
* regarding this topic, including the mailing list above, are
* mentioned in the DNSSEC how-to.
*
* Finally, the chair closed the meeting at 12:30 pm.
*
* Daniel Karrenberg, Henk Uijterwaal, Matthew Williams, September 2002
*
* ---
* > Matthew Williams-Bywater (MW243-RIPE)
* > Customer Liaison Engineer
* > RIPE NCC (www.ripe.net)
*