Stuff about me

Interests

Working in IT security since 1986, I have accumulated a very broad range of engineering experience and expertise in many areas of computer security, primarily those involving the use of cryptography. Since 1995 I have been involved in a range of IT security standardization activities, which has given me the opportunity to work alongside some of the most well-known experts in the field. As well as authoring various standards documents, I'm currently a co-chair of the Internet engineering task force (IETF) OpenPGP and LAKE working groups. I'm also a co-chair of the Internet Research Task Force's (IRTF) Usable Formal Methods Research Group (ufmrg). In the past, I co-chaired the IETF's homenet and sacred working groups and one working on an anti-spam technology called domain keys identified mail (dkim). I also co-chaired a world-wide web consortium (W3C) working group on XML key management (xkms), and was once an invited expert participating in the W3C web security context working group (wsc), which was basically a group of security and browser folks who were trying to improve on the current "padlock" security indicator in browsers.

Between 2011 and April 2017 I was one of two IETF security area directors, and hence was a member of the Internet Engineering Steering Group, which is the technical management committee of the IETF. That meant I needed to read, and (sort-of) "vote" on all new IETF RFCs for those six years . In one week (2011-05-26 telechat), that meant reading and commenting on 623 pages of Internet-drafts, but that was a bad week - the average was 350 pages every two weeks. So I learned (for me) a huge amount from that. Between March 2019 and March 2021, I was a member of the Internet Architecture Board that aims to "provide long-range technical direction for Internet development" but which also does a bunch of bureaucracy as part of the IETF, handling various appeals and appointments. I'm currently an "at-large" member of the Internet Research Steering Group (IRSG) which does a somewhat similar job for the far fewer documents produced by Internet research task force (IRTF) research groups.

Areas of security I've mostly worked on include Public Key Infrastructure (PKI), authorization and security for web services. In terms of my current approach to that kind of work, I would generally like to see better deployment of security technology, even if that appears to come at the expense of "purity." That represents a bit of a change from the approach we all had when we first started working on PKI.

Until I started doing more security again recently, I was really more interested in networking and, in particular, highly-challenged networks (e.g. networking in deep-space as envisaged by the group working on the InterPlaNet). That work is mainly done in the context of an IRTF group on delay tolerant networking (DTN) where I also help out as co-chair. In 2006, I co-authored what we believe is the first book about delay and disruption tolerant networking. But I don't just do DTN bureaucracy - I'm also quite involved in most of the security work being done in that context as well as in the definition of a long-haul delay tolerant protocol called LTP (RFC 5326) that was used (by NASA, not me) to talk to a spacecraft 25 million km away! In that context, what's most interesting to me is how DTN concepts (and maybe even concrete protocols) might form a part of the future Internet architecture, especially for its more challenged nodes (which I reckon will always exist).

In day-to-day terms, other than teaching a bit, I'm currently more-or-less involved with the following projects:

• DEfO - Developing ESNI for OpenSSL funded by the OTF where I write code

My most recent EU-funded work is to help advise on standardisation as part of some Next Generation Internet (NGI) projects, headed by the NLnet foundation. Prior to that I worked on a supporting action called STREWS where we tried (and I think partly succeeded) to bridge between security researchers and those involved in W3C and IETF standardisation. STREWS sponsored and arranged (and I chaired) the 2014 Joint IAB/W3C workshop on Strengthening the Internet against Pervasive Monitoring (STRINT). In a similar vein, I instigated and helped setup a workshop at NDSS in 2016 to check if TLS1.3 was Ready or Not?. Most recently, I helped organise an IAB workshop on the impact (so far) of the COVID pandemic on the deployed Internet.

Pervasive Monitoring (PM) is something that took up a lot of my time as IETF security area director after we started getting a better picture of exactly how much some government actors are snooping on the Internet. That however re-invigorated a lot of Internet security folks with the result that a lot of good progress was made on Internet security since 2013. I helped to lead some of that within the IETF where I was the main author for RFC 7258 titled "Pervasive Monitoring is an Attack" and which set the scene (well, I think it did:-) for a number of other security activities for example, the IAB statement saying encrypt it all, the DNS Privacy working group, the TCP increase security and RFC 7435 on opportunistic security and on confdientiality for MPLS. And lots more too. I think it's fair to say that the STRINT workshop and working to get IETF consensus on RFC 7258 were both significant enough contributions to all that happening. A few of use recently wrote a 10-year retrospective about all that which was published as RFC 9446.

In terms of other/older projects, the most fun one was an EU funded DTN project on reindeer tracking and communications services for the reindeer herders - that was called N4C (Networking for Communications Challenged Communities) and started in May 2008 for 3 years. We've published the full results of our N4C trials in the arctic, including all the code, logs etc. and there's an informal blog-like description of our 2010 trial here.

In August 2010, we started a related project on Information Centric Networking, (in our case based on DTN) - that's being done as part of a very large EU funded project (an "IP") call SAIL where TCD worked on the so-called Network of Information (NetInf, in our case a DTN-based ICN just to talk acronym-babble for a moment:-). SAIL was my main day-to-day project in TCD until about the end of 2012. I also did a little work on yet another EU funded project on medical informatics, in that case providing a security model and a content security API - that's the TRANSFoRm project, but our involvement is quite small there, at least in terms of effort.

Also in 2010, with a couple of partners, I also started up a campus company, Tolerant Networks Ltd. to do non-research DTN projects. As Tolerant Networks, we're worked with a UK company called SciSys as a subcontractor on a European Space Agency (ESA) funded study about the use of DTN protocols in space. And we subsequently carried out another DTN study for ESA on potential uses of DTN for (Earth orbiting) satellite. (MUDSAT)

Before all of those I worked on an Enterprise-Ireland funded (2005 technology development fund) project on sensor networking with delay tolerance (SeNDT - intended to sound like "scent"), focused mainly on piloting some DTN based technology we had developed for environmental monitoring, in particular, lake water quality monitoring, but using delay tolerant protocols.

I'm also on the editorial board of IEEE Internet Computing magazine. And I'm a Expert Advisor to the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG).

From July 2007 until April 2010 I was part-time chief technologist with NewBay software, an excellent company that provided user generated content management software and services for mobile network operators. (Later acquired.) That was a kind of Web 2.0 meets the bell-heads gig, which was interesting, especially when the applications were offered to such large sets of users (in the millions).

Education

• PhD "A Delay- and Disruption- Tolerant Transport Protocol," (2008, Trinity College Dublin, Ireland)
• Joint Honours degree in Mathematics and Computer Science (1986, Grade II.1, University College Dublin, Ireland)

Current Employment

Teaching

In 2019 I initiated a new Trinity elective module: What is the Internet doing to me? (TEU00311). That accepts students from all over college (so not just engineering/CompSCI) and aims to better prepare students in how they deal with the Internet. That ran for it's second time during the 2020 pandemic, which was timely I guess;-)

I teach a course on computer security and privacy (CS7NS5 aka CSU44032) as part of the Masters in Computer Science and also other programmes and have supervised a number of NDS MSc dissertations (~10 to date), and a PhD (Alex McMahon) and MSc by Research (Aidan Lynch). Course materials are at https://down.dsg.cs.tcd.ie/cs7053/. I've also taught other courses at various times (see here).

Past exam questions (with marking schemes/answer outlines) for my courses can be found at: https://down.dsg.cs.tcd.ie/old-exams/index.html.

Previous Employments

With NewBay I contributed to product architecture and creating product, services and operational security processes. I also established NewBay's internal patent scheme and filed a number of patent applications on NewBay's behalf. (See USPTO applications 20110004924 and 20100064377 if you care;-)

I began with Baltimore as Chief Security Architect, reporting to the Director of Research (a position I assumed in Spring 2000 until transitioning to part-time in May 2002 as Senior Research Associate, I only finally quit in June 2003). With Baltimore my main responsibilities included:

• Managing & leading Baltimore's non-product related R&D activities (generally a group of 3-4 researchers)
• Managing & leading Baltimore's memberships and activities in a range of technical industry and standards fora. (E.g. IETF, W3C, PKI forum, WAP Forum, TCPA).
• In consultation with other senior staff, setting Baltimore's future product and services strategy.
• Carrying out technical due-diligence for some acquisitions.
• Representing the company at various (primarily technical) events, e.g. conference speaking, panel sessions, etc.
• Establishing Baltimore's patent incentive scheme.

Baltimore are no longer in the technology buisness, though the company still seems to exist (sort-of). There's a wiki page about it (usual caveats!)

Earlier Employments

Publications

2023

• " Reflections on Ten Years Past the Snowden Revelations", S. Farrell, F. Badii, B. Schneier, S.M. Bellovin, Internet RFC 9446, July 2023.

2021

• "Report from the IAB COVID-19 Network Impacts Workshop 2020", J. Arkko, S. Farrell, M. Kühlewind, C. Perkins, Internet RFC 9075, July 2021.
• "Deprecation of TLS 1.1 for Email Submission and Access", L. Velvindron, S. Farrell, Internet RFC 8997, March 2021.
• "Deprecating TLS 1.0 and TLS 1.1", K. Moriarty, S. Farrell, Internet RFC 8996, March 2021.
• D.J.Leith and S.Farrell, "GAEN Due Diligence: Verifying The Google/Apple Covid Exposure Notification API", Proc CoronaDef'21, NDSS.
• Douglas Leith, Stephen Farrell, "Contact Tracing App Privacy: What Data Is Shared By Europe's GAEN Contact Tracing Apps", Proc IEEE INFOCOM 2021.

2020

Covid-19 Contact Tracing Apps:

Doug Leith and myself have some internal TCD funding for our work on contact tracing apps and have setup a small project website to try to start gathering results together in one place.

• Coronavirus Contact Tracing App Privacy: What Data Is Shared By The Singapore OpenTrace App? (28th April 2020)
  Update 27th June 2020: Accepted for SecureComm 2020.
  See also: Podcast and Short Talk at IEEE Security & Privacy Conference, May 2020
• Coronavirus Contact Tracing: Evaluating The Potential Of Using Bluetooth Received Signal Strength For Proximity Detection (6th May 2020)
  Update 18th Aug 2020: Accepted for ACM Computer Communications Review.
  Measurement data from this report. See also news reports in: Science, New Scientist
• Tech report: A Coronavirus Contact Tracing App Replay Attack with Estimated Amplification Factors (19th May 2020)
• Tech report: Measurement-Based Evaluation Of Google/Apple Exposure Notification API For Proximity Detection In A Commuter Bus (15th June 2020)
  Measurement data from this report. See also news reports in: BBC News, Irish Times, Irish Examiner, Telegraph.
• GAEN Due Diligence: Verifying The Google/Apple Covid Exposure Notification API (16th June 2020)
  Update 23rd August 2020: Accepted for Corona Defcon21 Workshop, part of NDSS 2021
• We were invited to make a submission to the Oireachtas (the Irish parliament) committee that is considering Ireland's response to the pandemic. Our submission is here (16 June 2020).
• Measurement-Based Evaluation Of Google/Apple Exposure Notification API For Proximity Detection In A Light-Rail Tram (26th June 2020)
  Update 16th Sept 2020: Accepted for publication in PLOS ONE
  Measurement data from this report. See also some German news coverage: Heise, Deutsches Arzteblatt, Frankfurter Allgemeine Zeitung, Bild
• Countries using the Google/Apple API publish the TEKs of the handsets of infected people. We've started to monitor these to track trend, see here (28th June 2020) and here (9th October 2020).
• Contact Tracing App Privacy: What Data Is Shared By Europe's GAEN Contact Tracing Apps (18th July 2020) Update 7th Dec 2020: Accepted for publication in Proc IEEE INFOCOM 2021

2019

2018

• "Low-Power Wide Area Network (LPWAN) Overview", S. Farrell (ed.), Internet RFC 8376, May 2018.
• Farrell, Stephen. "Clusters of re-used keys", (preprint), March 2018. https://eprint.iacr.org/2018/299

2017

• "Report from the Internet of Things Software Update (IOTSU) workshop 2016", Farrell et al, Internet RFC 8240, September 2017.

2016

• Farrell, Stephen. "Requirements Analysis Required--Otherwise Targeted Monitoring Enables Pervasive Monitoring." Computer 49.3 (2016): 34-40. (Extended form locally here)

2015

• "Report from the Strengthening the Internet (STRINT) Workshop", Farrell, et al, Internet RFC 7687, December 2015.
• "HTTP Origin Bound Authentication (HOBA)", Farrell, et al, Internet RFC 7486, March 2015.

2014

• Farrell, Stephen. "Why Pervasive Monitoring Is Bad." IEEE Internet Computing 18.4 (2014): 4-7.
• "Pervasive Monitoring is an Attack", Farrell et al. Internet RFC 7258/BCP 188, May 2014.

2013

• Dannewitz, Christian, et al. "Network of information (netinf) - an information-centric networking architecture." Computer Communications 36.7 (2013): 721-735.
• "Naming Things with Hashes", Farrell et al. Internet RFC 6920, April 2013.

2012

• Arkko, Jari, et al. "Demo: Snowcat5-Networking in Snow." (Extremecom 2012).
• Dannewitz, Christian, et al. "Network of Information (NetInf)–An information-centric networking architecture." Computer Communications 36.7 (2013): 721-735.
• Farrell, Stephen. "CRiSIS 2012 security standards tutorial." Risk and Security of Internet and Systems (CRiSIS), 2012 7th International Conference on. IEEE, 2012.

2011

• "Delay- and Disruption-Tolerant Networking (DTN): An Alternative Solution for Future Satellite Networking Applications," Caini et al, Proceedings of the IEEE, Nov. 2011. DOI: http://dx.doi.org/10.1109/JPROC.2011.2158378.
• "Report on an Arctic Summer DTN Trial," Farrell et al., Springer Wireless Networks, volume 17, issue 5, page 1127, ISSN: 1022-0038, DoI: 10.1007/s11276-011-0323-1, July 2011.
• "The Need for a Web Security API," Turner et al. W3C Identity in the Browser Workshop, Mountain View, Califronia, USA, May 2011.
• "Security in the Wild," Stephen Farrell, Practical Secuurity Column, IEEE Internet Computing, vol 15, no. 3, pp 86-91, May/June 2011.
• "Bundle Security Protocol Specification", Symington et al. Internet RFC 6257, May 2011.
• "Leaky or Guessable Session Identifiers," Stephen Farrell, Practical Security Column, IEEE Internet Computing, vol 15, no. 1, pp 88-91, January/February 2011.

2010

• "N4C DTN Router Node: 2009 Results, 2010 Plans," Farrell et al. ExtremeCom 2010 workshop, Dharamsala, India, September 2010.
• "Endpoint Discovery and Contact Graph Routing in space and terrestrial DTNs," Stephen Farrell, 5th Advanced satellite multimedia systems conference (asma) and the 11th signal processing for space communications workshop (spsc), September 2010, Cagliari, Italy, pages 89-93, E-ISBN: 978-1-4244-6832-4, DoI: 10.1109/ASMS-SPSC.2010.5586850
• "Applications Directly using Cryptography," Stephen Farrell, Practical Secuurity Column, IEEE Internet Computing, vol 14, no. 3, pp 84-87, May/June 2010.
• "An Internet Attribute Certificate Profile for Authorization," Farrell et al, Internet RFC 5755, January 2010.
• "Why didn't we spot that?" Stephen Farrell, Practical Security Column, IEEE Internet Computing, vol. 14, no. 1, pp. 84-97, January/February 2010.

2009

• "Delay- and Disruption-Tolerant Networking for Space and Satellite Networks," Stephen Farrell, IEEE Satellite and Space Communications Committee newsletter, SSC newsletter, Vol 19, no 2, December 2009.
• "Delay and Disruption Tolerant Networking," Alex McMahon, Stephen Farrell, IEEE Internet Computer, (standards column), November/December 2009.
• "Other Certificates Extension," Stephen Farrell, Internet RFC 5697, November 2009.
• "API Keys to the Kingdom," Stephen Farrell, Practical Security Column, IEEE Internet Computing, vol. 13, no. 5, pp. 91-93, September/October, 2009.
• "An N4C DTN Router Node Design," Stephen Farrell, Stefan Weber, Alex McMahon, Eoin Meehan and Kerry Hartnett, 1st Extreme Workshop on Communication, Laponia, Sweden, August 8-14 2009.
• "Challenge-Response System and Method,", Farrell et al, USPTO Application US 2011/0004924, Irish Patent S2009/0506, July 2009.
• Special issue of computer communications on delay and disruption tolerant networking, Computer Communications, Volume 32, Issue 16, 15 October 2009, Pages 1685-1686 Vinny Cahill, Stephen Farrell and Joerg Ott (eds)
• "Keys Don't Grow in Threes," Stephen Farrell, Practical Security Column, IEEE Internet Computing, vol. 13, no. 3, pp. 96, 94-95, May/June, 2009.
• "Why Don't We Encrypt Our Email?," Stephen Farrell, Practical Security Column, IEEE Internet Computing, vol. 13, no. 1, pp. 82-85, January/February, 2009.

2008

• "Assessing the Environmental Impact of Transport Noise with Wireless Sensor Networks," Paul McDonald, Dermot Geraghty, Ivor Humphreys, Stephen Farrell, Transportation Research Record: Journal of the Transportation Research Board, Transportation Research Board of the National Academies, Washington, D.C., No. 2058, November 2008, p133 - 139, doi: 10.3141/2058-16
• "Password Policy Purgatory," Stephen Farrell,Practical Security Column, IEEE Internet Computing ,vol. 12, no. 5, pp. 84-87, September/October, 2008.
• "Licklider Transmission Protocol - Motivation," Burleigh et al, Internet RFC 5325, September 2008.
• "Licklider Transmission Protocol - Specification," Ramadas et al, Internet RFC 5326, September 2008.
• "Licklider Transmission Protocol - Security Extensions," Farrell et al, Internet RFC 5327, September 2008.
• "DTN: An Architectural Retrospective," Fall, K. Farrell, S., IEEE Journal on Selected Areas in Communications, Volume: 26, Issue: 5, pp: 828-836, June 2008. doi: 10.1109/JSAC.2008.080609
• "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile," David Cooper et al., Internet RFC 5280, May 2008.
• "Portable Storage and Data Loss," Stephen Farrell, Practical Security Column, IEEE Internet Computing, vol 12, no. 3, pp. 90-93, May/June 2008.
• "Access Rights for Digital Objects," Farrell et al, USPTO Application 20100064377, Irish Patent S2008/0215
• "Security Boundaries," Stephen Farrell, Practical Security Column, IEEE Internet Computing ,vol. 12, no. 1, pp. 93-96, January/February, 2008.
• "Assessing the Environmental Impact of Transport Noise Using Wireless Sensor Networks," Paul McDonald, Dermot Geraghty, Ivor Humphreys, Stephen Farrell, Transportation Research Board, 87th Annual Meeting, Washington, January 13-17, 2008.

2007

• "Evaluating LTP-T: A DTN-Friendly Transport Protocol," Stephen Farrell, Vinny Cahill, Third International Workshop on Satellite and Space Communications 2007 - Third International Workshop on Satellite and Space Communications 2007.
• "Transmission protocols for challenging networks," Fahad Syed Muhammad, Laurent Franck, Stephen Farrell, Third International Workshop on Satellite and Space Communications 2007 - Third International Workshop on Satellite and Space Communications 2007.
• "Sensor Networking with Delay Tolerance (SeNDT)," Paul McDonald et al., First International Workshop on Distributed Sensor Systems (DSS'07) in conjunction with IEEE ICCCN 2007, Turtle Bay Resort, Honolulu, Hawaii, USA, August 16, 2007.
• "End-by-hop Data Integrity," Stephen Farrell & Christian Jensen, Fourth European Workshop on Security and Privacy in Ad hoc and Sensor Networks, July 2-3, 2007, Cambridge, UK. (Here's the ppt that Christian used for the presentation at the workshop.)

2006

"Delay and Disruption Tolerant Networking," Stephen Farrell and Vinny Cahill, ISBN 1-59693-063-2, Artech House, 2006. There's a selection of book sellers here and another here. The publisher's page is here.

• "When TCP Breaks: Delay- and Disruption-Tolerant Networking", Stephen Farrell, Vinny Cahill, Dermot Geraghty, Ivor Humphreys, and Paul McDonald, IEEE Internet Computing, vol. 10, no. 4, 2006, pp. 72-78.
  • https://down.dsg.cs.tcd.ie/misc/spotlight-dtn.pdf - 7Mb!
• "Security Considerations in Space and Delay Tolerant Networks", Stephen Farrell and Vinny Cahill, Space Mission Challenges for IT 2006 conference, Pasedena, July 2006.
• "Anonymous Revocable Attestation", Ellison, Farrell, TCD CS Tech. Report 2006-37.
  • This is an idea Carl and I worked back in 2002 that wasn't published but that we now wanted to be able to reference.
• "DomainKeys Identified Mail demonstrates good reasons to reinvent the wheel," Stephen Farrell, EuroPKI '06, Torino, June 2006, Springer LNCS vol 4043/2006.
  • The Springer folks claim they'll sell you this at: http://dx.doi.org/10.1007/11774716_12

2005

• "LTP-T: A Generic Delay Tolerant Transport Protocol", Stephen Farrell and Vinny Cahill, TCD Computer Science Technical Report TCD-CS-2005-69, 7 December 2005.
• "Internet X.509 Public Key Infrastructure Certificate Management Protocols (CMP)"  C. Adams, S. Farrell, T. Kause, T. Mononen, Internet RFC 4210, September 2005.
• (Invited) "Using the XML Key Management Specification (and breaking X.509 rules as you go)" Farrell, Kahan, IFIP CMS'05, Salzburg, Sep. 2005.
  • The conference proceedings were published by Springer (LNCS vol 3677/2005) and the paper can also apparently be accessed (i.e. bought!) via the following link: http://dx.doi.org/10.1007/11552055_45
• "XKMS Working Group Interoperability Status Report", Alvaro et. al, EuroPKI 2005. Canterbury, UK, June 2005.
  • This is also published by Springer in the LNCS series (Vol 3545/2005) as: http://dx.doi.org/10.1007/11533733_6

2004

• "Securely Available Credentials Protocol," S. Farrell (ed.), Internet RFC 3767, June 2004.
• "Security in Exotic Wireless Networks", S. Farrell, J.-M. Seigneur, C. D. Jensen in NATO Computer and Systems Sciences Series III vol 193 "Security and Privacy in Advanced Networking Technologies", ISBN 1 58603 430 8, ISSN, 1 387-6694, IOS Press, 2004.

2003

• "End-to-end Trust Starts with Recognition", J.-M. Seigneur, S. Farrell, C. D. Jensen, E. Gray, and Y. Chen, in Proceedings of the First International Conference on Security in Pervasive Computing, 2003.
  • There's a related technical report here: http://www.cs.tcd.ie/publications/tech-reports/reports.03/TCD-CS-2003-05.pdf
• "A flexible interplanetary Internet", presented at the 37th ESLAB Symposium, "TOOLS AND TECHNOLOGIES FOR FUTURE PLANETARY EXPLORATION", (workshop site) ESTEC, Noordwijk, The Netherlands, 2-4 December 2003.
  • This is really a minor update of the RAST2003 paper below (events within weeks of one another don't allow much work in between!). Supplementary materials are here inlcuding the conference presentation (ppt).
• "Scaling an Interplanetary Internet", S. Farrell, C.D. Jensen, in "Proceedings of the International Conference on Recent Advances in Space Technologies" (RAST2003), Istanbul, Turkey, November 2003, IEEE Catalog Number: 03EX743, ISBN 0-7803-8142-4.
  • Supplementary materials are here inlcuding the conference presentation (ppt, html).
• "Trajectory based addressing", Farrell, 8th Cabernet radicals workshop: (position paper), October 2003.
  • Note: this is an intentionally silly/controversial proposal as encouraged in the workshop cfp - so don't take it too seriously, though it could work I guess

2002

• "An Internet Attribute Certificate Profile for Authorization," S. Farrell, R. Housley, Internet RFC 3281,April 2002.
• "Secure ubiquitous computing based on entity recognition", Jean-Marc Seigneur, Stephen Farrell, Christian Damsgaard Jensen, in Ubicomp2002 Security Workshop, Göteborg, October 2002.

2001

• "Reuse of CMS Content Encryption Keys," S. Farrell, S. Turner, Internet RFC 3185, October 2001.
• "Securely Available Credentials - Requirements," A. Arsenault, S. Farrell, Internet RFC 3157, August 2001.
• WAP Public Key Infrastructure Specification, June 2001, [editor] (http://www.wapforum.org/what/technical.htm)
• "XBULK",Farrell et al. July 2001 (http://xml.coverpages.org/x-bulk200107Draft.pdf)

2000

• "Outlining Wireless Public Key Infrastructure", Farrell, December 2000. (Can't seem to find a copy of that;-)
• "The WAP Forum's Wireless Public Key Infrastructure," Stephen Farrell,Information Security Technical Report, Volume 5, Number 3, 1 September 2000, pp. 23-31(9) Elsevier, DOI: 10.1016/S1363-4127(00)03004-1
• "AAA Authorization Requirements," S. Farrell, J. Vollbrecht, P. Calhoun, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D. Spence, Internet RFC 2906, August 2000.
• "AAA Authorization Application Examples," J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D. Spence, Internet RFC 2905, August 2000.
• "AAA Authorization Framework," J. Vollbrecht, P. Calhoun, S. Farrell, L. Gommans, G. Gross, B. de Bruijn, C. de Laat, M. Holdrege, D. Spence, Internet RFC 2904, August 2000.

1999

• "Internet X.509 Public Key Infrastructure Certificate Management Protocols," C. Adams, S. Farrell, Internet RFC 2510, March 1999.

1997

• "System and Method for gaining access to information in a distributed computer system", Farrell et al, WIPO patent filing: WO 98/39889, March 1997
• "DEDICA EDI Security Function API specification", Farrell, 1997 (http://www.ejeisa.com/nectar/dedica/5.1/)

1996

• ECMA standard 235: The ECMA GSS-API mechanism, 1996 (http://www.ecma.ch/ecma1/STAND/ECMA-235.HTM)
• "ICE-TEL Architecture and General Specifications of the Public Key Infrastructure", Cicovic et al., 1996 (http://www.ejeisa.com/nectar/ice-tel/1/index.htm)

1989

• "RISKS DIGEST 8.38" Farrell, March 1989, (http://catless.ncl.ac.uk/Risks/8.38.html)
  afaik, the oldest thing I've written still visible on the net!

Internet RFCs

A note on RFCs as publications: Since I currently work in an academic institution, people care a lot about peer reviewed publications, but generally seem not to properly credit documents in the RFC series, so, with the aim of helping to redress this imbalance, here's a bit of history about one of the above RFCs. RFC 3281 is a standards-track document, published in April 2002 based on the of the corresponding Interrnet Draft. The first version was published in April 1999 and during that three year period members of the IETF PKIX working group (with O(100) active pacticipants) publicly commented on the draft many times, for example, the list archive shows 281 messages referring to this draft involving about a dozen different individuals. Over the entire period, perhaps O(100) independent comments were disposed of. In April 2017 Google scholar currently returned some 702 citations for this RFC. (The content returned there changes over time but overall it seems consistent.) The conclusion? Many, though not all, of the documents in the RFC series are important, high-quality publications that have undergone as thorough a review as a journal article and the fact that almost all aspects of that review are publicly archived gives the reader the chance to gain a much more fully-rounded understanding of the technology and its development.