Editor's note:  These minutes have not been edited.


SSH Working Group Minutes
June, 1996 IETF
Montreal, Canada

Prepared by: Phil Nesser, Barbara Fraser 

The working group met once during this IETF. The time was split 
between review of the current Site Security Handbook draft and the 
new draft of the User Security Handbook.

I. Review of current Site Security Handbook Internet Draft 

The group discussed a number of outstanding issues and came to closure 
on them:

1. Internal References: Do we want to make these work? 
There was no strong feeling one way or the other. It was mentioned that 
reviewers for each chapter might take this on as they review chapters, 
but there will be no requirement to do so.

2. Tool List: byf alphabatized and fixed capitalization of the list. 
The list seems a little weak and contains mostly UNIX tools. However, 
there were no suggestions for other tools to be added so the list will 
stand as it is.

3. Document Index:
Gary Malkin will create an index for the document after the final 
version has passed all the IESG hurdles. 

4. Section 3.2.3.5: Is it okay or not to co-locate ftp & www on the same 
server?
We agreed to strike the sentence about it being okay since its not! We 
will add a pointer to the earlier text about why its bad (3.1.4). 

5. 4.6.2 Jim Galvin had some comments about audits and where the data 
is kept, like WORM drives, online, printers, etc. He suggests a dual 
approach. Should we make this suggestion?
Nobody felt strongly that this was needed, so no changes will be made. 

6. Annotated Bibliography: It takes up 1/3 of the document. Should we 
take out the annotation version, leave the references in and publish it 
as a separate RFC.

We decided to consult with Joyce to see where it should be published. It 
was generally agreed that we'd leave the alphabetical listing in the 
document, but pull out the annotated list and publish it separately. We 
will consult Joyce as to the right vehicle, but the group felt it would 
make a good informational rfc (and FYI?). 

7. There was a comment about the quantity of legalese and the US-
centric nature of it. The group has tried, all along, to make the 
document as universally applicable as possible and many, if not all, of 
the references about specific agencies have been removed. Much of the 
language that remains pertains to "seeking legal advice" which may or 
may not be appropriate in all countries. We decided we needed someone 
to carefully review the entire document for legalese and Eric Luiijf 
(luiigf@fel.tno.nl) volunteered to do this.

8. Gary wants to remove text from 5.2.2 "There are many ..." and the 
four little things that follows since it is redundant many times over. It 
will be gone over by Erik while he's reading for the legalese. 

9. In section 3.2.3.5 there needs to be section about Web clients. 
Phil Nesser will write it.

10. 4.5.4 Missing a section on ISDN?
The group decided it had been covered adequately. 

The group discussed the schedule of the remaining work. We will 
review chapters carefully and submit comments to the list so that 
Barbara can incorporate the changes. The following are the reviewers: 

Intro	Nic Strauss
Sec. Policies	Phil Nesser (pjnesser@maritgny.ai.mit.edu)
Architecture	Lorna Leong (+ DNS Security) (lorna@singnet.com.sg)
Sec. Services & Procs Steve Glass (glass@ftp.com) Sec. Incident 
Handling Eric Luiijf - legal aspects (luiijf@fel.tno.nl) 
Marijke Kaat (marijke.kaat@sec.nl)
Ongoing Activities	Tom Killalea
Tools & Locations
Mailing Lists
References	Jules Aronson (aronson@nlm.nih.gov)
Annotated Bibliography

Due date of August 1, 1996 for reviews.

BYF will have final draft to Joyce by 9/1 for last call. 

BYF will add a disclaimer to the Bibliography saying that not all 
references available in all countries.

II. Review of User Security Handbook draft 

We reviewed the outline that we had established at the last meeting 
and everyone was still happy with it. A few minor changes were made. 
It was suggested that we might need a very short, one or two page 
checklist/tips at the front of the document, something like "The N 
Commandments...". There was discussion and it remains an open issue. 
We don't want readers to skip the meat of the document yet we don't 
want them to be turned off by a long techie document.

Specific Changes that were recommended:

1. Change "Security Policy" to "READ.ME" 2. Change "Security 
Procedures" to "Just Do It" 3. Change "Incident Handling" to "Bad 
Things Happen" 4. Switch the order of chapters 6 and 7. 5. Add a 
security considerations section. 

Some general comments:

1. Security Policy section may be too heavy handed - should be more 
like section 6.
2. We need to balance too many words vs cryptic bulleted lists 3. It was 
suggested that we add a section "Who Cares?" to replace the more 
formal-sounding "Introduction".
4. We agreed that we still want to include anecdotal stories for each 
section and Gary will send a note to the IETF list soliciting stories. 5. 
We discussed structuring chapter 7 to go from most common applications 
to least common applications so the general user gets what he needs 
quickly.
6. It was suggested that we move the section about ISPs up front right 
after the horror story. Here's the new order: 
7.1 Horror Story
7.2 What to know about your ISP
7.3 Email
7.4 Don't get caught in the web
7.5 Perils of downloading
7.6 What program is this anyway?
7.7 Remote login
7.8 Beware of Daemons

Some content additions:

1. point out that users should always check login messages (last logged 
in on ...). "Where were you the last time someone logged in"??? 2. add a 
sentence in 6.1 for "poor performance". 3. add caveats about appearance 
and disappearance of files. 4. remove the word "system" in 6.1
5. There was discussion that sometimes a user will be using a system 
that he/she owns but other times the user will be using a system 
managed by a system administrator. The advice we give needs to reflect 
those two distinct situations. It was suggested that we add a navigation 
aid like "If you are responsible for your machine then read on, 
otherwise contact who you need to contact".
6. This brought up another point. We need to add some text up front to 
help the user discover "who they need to contact". 7. add text up front 
about how to use the document. 8. get rid of the little paragraph at the 
beginning of chapter 7, and then put simple titles on the sections.

Finally, we signed up to write various pieces of the document. Barb's off 
the hook until the other document is completed. Writing assignments 
will be due by Septenber 1, 1996.

0. Who Cares	Gary Malkin(gmalking@xylogics.com)
1. The N. Commandments (open)
2. READ.ME	Gary Malkin(gmalking@xylogics.com)
3. Just Do IT	Jonathan Pullen (sheet@access.digex.net)
4. Paranoia is Good	Lorna Long (lorna@singnet.com.sg)
5. The Wires Have Ears Steve Glass (glass@ftp.com) 6.,7.	Erik 
Guttman

*note: "Paranoia is Good" will be able social engineering. 

We plan one meeting at the next IETF meeting.