The Wayback Machine - https://web.archive.org/web/20200731104021/https://ietf.org/topics/security/
security

Security & privacy

Trust by users in security and privacy on the Internet is a critical part of its success. A range of components, including robust implementations, careful deployment, and appropriate use of security technologies, is required to create a trusted Internet.

Technical standards and Best Current Practice documents developed in the IETF provide important foundational elements for security and privacy on the Internet. IETF standards strive to be resilient against a host of known and emerging threats. Internet security has long been an integral part of the process of developing Internet standards: for more than 20 years, all RFCs have been required to include a section that discusses the security considerations of the protocol or procedures that are the main topic of the RFC.

The IETF Security Area, with more than 20 active Working Groups, provides a focal point for security-related technical work in the IETF. Their work includes:

  • enabling secure and privacy-preserving communications; 
  • helping collect, verify, understand, and update the state of network end-points; and
  • providing protocols and applications the means to handle the authentication, authorization, and accounting of users, applications, and devices.

The IETF Security Directorate, consisting of the Working Group Chairs of the Security Area and selected individuals chosen for their technical knowledge in security, work with other groups within the IETF to help ensure IETF protocols provide an appropriate level of security for their intended usage.

A few recent and current efforts underway in the IETF are described below:

  • The latest version of the Transport Layer Security protocol, TLS 1.3, updates the most important security protocol on the Internet. TLS 1.3 delivers superior privacy, security, and performance over previous versions. This capability is a foundation of online commerce, medicine, and other sensitive transactions. For these and many other uses it is critical that transmitted information not be tampered with, forged, or read by anyone other than the sender and receiver. These features have been a key part of the Internet’s growth and are critical to many uses today. Importantly, given the significant improvements TLS 1.3 provides, its adoption rate since publication as a standard is increasing five times faster than the previous version.

  • The Automated Certificate Management Environment (ACME) protocol, recently published as RFC 8555, lets you set up a secure website in just a few seconds. When you connect to your bank or your health care provider over the Internet, you need to know that you’re actually talking to them, and not a bad actor who is impersonating them and might steal your information or tamper with the transaction. Security protocols such as TLS 1.3 provide encryption that protects you from everyone except the other side of the connection, but don’t themselves allow you to verify who that person is. ACME automates all the steps needed to verify that the other side of a secure connection is who you think it is, unlocking the potential for universal encryption on the Internet.

  • As an evolution of existing technologies for secure two-party communication, development of the emerging Messaging Layering Security (MLS) protocol has seen strong participation by significant industry players. MLS aims to provide a standards-based approach for message protection within groups, potentially very large ones. MLS aims to ensure message confidentiality, integrity and forward secrecy, which ensures previously sent messages remain confidential even if the system is compromised at some point in the future. Several widely-deployed applications have developed their own protocols to meet these kinds of needs. While these independently-developed  protocols are similar, no two are close enough to interoperate at a cryptographic level. The MLS Working Group is following the approach used in the development of TLS 1.3, benefiting from broad participation by industry and cryptographic researchers to implement and verify the protocol as it works towards standardization.