I think it is of utter importance that PFS for AKA gets published and deployed. 
The great SIM heist was a disaster for cellular security. The extension of the 
heist is not known, and the report from Gemalto was a joke trying to sweep 
things under the rug. Potentially billions of secret keys were compromised, 
enabling pervasive monitoring on a global scale. The heist did not only enable 
tracking of users, but also passive eavesdropping of communication from these 
devices as well as installation of malware.

https://www.kaspersky.com/blog/gemalto-sim-hack/7774/
https://theintercept.com/2015/02/19/great-sim-heist/
https://motherboard.vice.com/en_us/article/4x354b/worlds-largest-sim-card-maker-has-no-clue-whether-it-was-hacked-by-the-nsa

Even if AKA is primarily a 3GPP technology, IETF has a very important role to 
play as a driving force and guardian of security and privacy for all Internet 
users. IETF took an early stance in fighting pervasive monitoring everywhere 
and BCP 188 requires IETF work to mitigate pervasive monitoring when possible. 
Providing perfect forward secrecy for session keys has been identified as one 
of the easiest and most efficient ways to fight pervasive monitoring.

John

On Apr 3, 2019, at 1:37 AM, Joseph Salowey <j...@salowey.net> wrote:
> 
> Thanks for reviving this thread.  I agree this is important work, but we need 
> to have consensus to bring the item into the working group.  I think the IPR 
> issue is the main sticking point. 
> 
> I'll note that RFC 5448 has a similar IPR declaration and both documents are 
> targeted as informational.   Some possible ways forward:
> 
> 1. Come up with an alternative proposal.  Since no one has already stepped 
> forward I don't think this is realistic. 
> 2. Accept the document into the working group.
> 3. Reject the document, which will force the work to go through the 
> independent submission process, which will probably result in less broad and 
> thorough review.  
> 4. Amendment to the license terms of the IPR - I have received no indication 
> that this will happen.
> 
> The document will likely get published in either case 2 or 3 above.  I'd like 
> to work through this discussion over the next few weeks so please voice your 
> views on this thread.  
> 
> Thanks,
> Joe

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu