CURRENT MEETING REPORT

Reported by Charlie Kaufman

Minutes of the Web Transaction Security Working Group (WTS)

The WTS Working Group met on Wednesday morning, December 6th. There were a series of presentations.

Simon Cooper went over a few last wording changes in the requirements document, and there was consensus that as soon as they could be incorporated into an Internet-Draft, we should go to working group last call with the intention of advancing the document to Informational RFC. There was no significant controversy.

Simon also announced that the working group mailing list would be moved to wts-wg@postofc.corp.sgi.com (requests to wts-wg-request) instead of using the www-security list that predated the working group and that we commandeered. The intent is that participants in the working group would automatically get listed on the new list, but the logistical details of making that happen were not spelled out.

Doug Rosenthal presented the status of his GSSAPI-WWW work. He has Windows and Mac browsers and a modified httpd server that implement it with a public key based (SPKM) GSSAPI toolkit. He recently published the spec as an Internet-Draft. The system is being deployed in a commercial environment and he would like to eventually advance the spec to Internet Standard. There was no discussion of a proposed schedule. There was some discussion about the lack of availability of public domain implementations of SPKM, and about how GSSAPI-WWW interacts with PEP. There was some confusion around the difference between GSSAPI the API, and GSSAPI the implied protocol spec for the underlying mechanisms.

Rohit Khare gave a presentation on PEP, a general extension mechanism for HTTP. PEP could be used to encode security extensions to HTTP instead of using an encapsulating protocol like SHTTP or GSS-HTTP. The existing protocols could probably be converted to this alternate syntax without extensive modifications to their crypto and parsing engines.
The W3C is building reference code and there is an Internet-Draft for PEP. There appeared to be consensus that SHTTP was sufficiently far along in deployment and that it should continue toward standardization without PEP integration, but that PEP integration would be an important thing to look at in the not too distant future.

Alan Schiffman and Eric Rescorla played tag team for a presentation on SHTTP. Alan hinted that there are multiple SHTTP implementations conforming to the spec, but could not give details. There was some discussion of the desirability of having presentations on these other implementations at the next IETF. The SHTTP spec has been nearly stable since before the WTS Working Group was formed and is nearly ready for advancement to Proposed Standard. There are a handful of open issues around the ways the world is evolving under the spec.

SHTTP supports two encodings: PKCS-7 and PEM (there was a third, PGP, but it was removed for lack of interest). There was a discussion of whether MOSS should be substituted for PEM, and the consensus was that it should be if it is technically feasible. SHTTP used some of the secret key encodings of PEM that are missing from MOSS, and Eric Rescorla volunteered to write up those differences as a proposal into MOSS so that SHTTP could use it.

There was consensus that SHTTP should be advanced as soon as possible, possibly before the next IETF, if we can resolve the remaining issues on the list.