From YouTube: IETF101-LAMPS-20180323-1150
Description
LAMPS meeting session at IETF101
2018/03/23 1150
https://datatracker.ietf.org/meeting/101/proceedings/
At the SecDispatch meeting earlier this week, two drafts were discussed and the recommendation of the SecDispatch working group was to send them here. So the first one has to do with short-lived certificates and the second one has to do with using hash-based signatures in the Cryptographic Message Syntax.

So these both are clearly out of charter. So it's interesting that we have a new way of getting suggestions that impose a recharter, so I'm not going to use anything during this meeting to start discussing charter text, but in the next week or so we'll start a discussion to tackle that action.

I believe that the area director believes all of the open issues have been sorted. That's what, for sure, you know, I saw anyway. The next one is two documents that have been sent to the IESG: they together define S/MIME 4.0, and we have some issues that were raised, and Jim is gonna address those.
Sure. The AD, basically, when I looked at them I said, oh, I'm not really too sure what the right answer for these is; this isn't just an easy edit. So, next slide. So the first one is, he requested a simplification of the language. This is basically the traditional language that Russ wrote way, way back when, and everybody's just cut and pasted it since then, and as Tucker pointed out, it is redundant as all get-out.

And be wrong, but we don't give any guidance on what you should be doing. We just write so far. It basically said no one does it, we can ignore that problem. So when any of those things happens, we've got a couple of different things we can do, and they may differ based upon which violation it is. One thing would be to say: just ignore the attribute entirely. One would be to come up with a canonicalized method of choosing which one you want to use, and one would be kind of a mixture of.

If it's something you care about, then you need to make an error out of it. Otherwise you can just let it slide. So choosing which one is first and using that one is interesting, because, as they sit, basically, the thing could occur multiple times and with each occurrence there could be multiple values, so choosing which one's first should be kind of like saying: let's collect them all together, sort them by lexical order and then take the first one.

This is information about what my kids Stephan Stephan Saunders on 3xa security, so I mean SMIMECapabilities is an advertisement of my capability, correct. So if I stated something that violates not being once, I mean I still stated it, sorry, there's no harm in assuming that I can deliver on that statement. So I don't know why you should say "should ignore".

Paul Hoffman, who actually only came here for CAA, but for history value? Well, the other problem we had was signed, and the signature has to be valid. So when we came up, well, but this was one of the reasons why we sort of left it at "just be ignored", is if that part, if that part... Thus, if the signature is broken on that, we don't want to say, therefore everything goes to hell. We just want to say: okay, ignore it. At least that was the thought ten or fifteen years ago, I mean.

I mean, so, no, I mean, maybe. So, you know, consider the following situation: we have a pair of client and server, so a sender and receiver, where they've been using RSA 1024 and they both grow the capability to do occur to 500, and the sender sends you a message with SMIMECapabilities, that is a signed message with SMIMECapabilities that are, but they say, here's you 509, and no, I think about that order.
I just did, I say, I'm not sure I have a real thing, I'm just sort of saying, like, it's not obvious to me that it did, I mean. Certainly, is it obvious to me that it did ignoring, under these circumstances, academies or career implications, but again, like this? Is it, this is working? Were decisions a lot like saying you shouldn't do it? I mean I'm saying I personally, like, that, I'm surprised. That's why feeling is a good idea, but like about like?

John Levine. I don't purport to be an expert in this area, but I can say in every area, every other place where we've tried to guess how people screwed up and recover from it, it does not turn out well. We're telling people how to interoperate, so, like, if you want it to work, do this, and if you don't, you know, if you do something else, you're taking your chances. So I think "ignore" is probably the simplest advice.

The table are like, is it, you know, if people comply, I mean I guess I would claim people comply with this now, then Japanese harmless and will agree, heat-resistant, better act.

And I would like to speak against "should reject", just because of a history that hasn't been being rejected till now. I certainly would assume that, you know, the folks who are doing S/MIME-capable clients will do this, and all of a sudden a message that worked yesterday will not work today, because "it should reject" is going to be, you know, that means default reject, and I don't think we have a good reason why.

There's some language about weak cryptography, which is left over basically from the days of 40-bit stuff, and since we've now basically moved Triple DES into the world of "we think that that's too weak to be used", language saying that weak cryptography basically gives you no benefit is a bit more sketchy than it used to be. So should we clean this language up, or can we, or do we just leave the language as is? The first sentence is basically what's in the document.
Yeah, I mean, Phillip Hallam-Baker. The issue is, is "weak" being used as a term of art here, or just a descriptive term? Because if AES is strong, well, it's not weak, so I mean, but you could just fix it by saying, instead of having "offers", replace it with small lowercase "may offer". So it says "using weak cryptography, S/MIME may offer little actual security over sending plaintext", and then we're done.

I mean, I get. My point is this document. This is a term of "weak" in this document need to cover them as well. If it does, then, when you revise your 72, so with like, so that, so it covers them, and then, and then I think maybe, I mean I got my items. There's a new texture. I mean you basically just say, like, you know, like I mean I guess only we can do wants. This is like weather summary. Is it what it says? Is you.

This is Daniel Kahn Gillmor, so I mean, well, my inner pedant agrees with everyone. This text is false. Like, it seems to me, like, the security considerations goal here should be to give concrete and opinionated guidance on what people should be doing, and I don't actually think it's that big of a deal to have an overstatement here, so I would say, leave it alone.

I think those suggestion we find, or, you know, "does not meet modern security standards and may offer little security over plaintext", things like, like a number of things you find here, I just think it's like Ashley before, ok.

So the type, this tested, I being a trusted agent, right, so, right, so I mean the problem is, if you have, let's say you have a situation where you have... You determine a trusted agent by doing PKI verification from some, for some, right, and so, like, I don't know, the agent's got the name, timestamp, co-signed, and you do PR resolution now. So you see the message and it's got a signing time some time, like, roll to be four in the past, and so you evaluate the certificate chain on the basis of that time, which is from the trusted agent. But in the meantime this has been revoked, and so, but that means you can't trust that, that's like the tare tine is that the signing time is in there. So I should say that how this text provides.
So in case you haven't heard, CAA is a great success. It's mandatory for CAs in the web PKI now, as of last September. Along the way we proposed and approved in this working group an erratum to how CAA records are discovered, in particular how they handle CNAMEs and DNAMEs, so as implemented in the web PKI, when the CNAME chain, you just evaluate it straight through, and you don't go into each hostname in the CNAME chain and do additional tree-climbing on that.

Tim Hollebeek. There's also another erratum that Corey has opened about the issue of when there's a CAA tag and there's no issue record, and everybody on the list is clear what the correct interpretation is. A strict reading of the existing document, though, does not actually say that, so that's another one that I think you're going to want to fix.

Hoffman. So I've been touristing on some of the various CAB Forum lists where this sort of blew up, you know, some months ago. I don't think we're that close to done necessarily until we see the working group document, simply because some of those things that you've documented in the, you know, strangeness, as we found out, the people who reported them, when they said "we did something", really meant it as "we did it in good faith". So I think that there's gonna need to be more text in the body that says explicitly "don't do this" for a fairly large number of, this is at least four or five, even though those of us who are used to reading protocol documents, you know, thought that... I was surprised by the number of different implementation errors that were there, and again done in good faith, not out of laziness. These aren't, like, you know, IoT OEMs. These are CAs who really care about, you know, being a CA next year, and so I think it would be really good to lengthen the document a little bit with, even though it seems like, if it says "do X", if someone does the inverse of X, you know, for whatever reason, I think it's reasonable to also say "must not do the inverse of X" as well, based on the implementation experience.

Tony Finch. I have had a look at the current draft and I noticed in the deployment considerations section it talks about dropped queries, dropped answers and refused answers. One of the problems that we encountered when CAA was first introduced was the problems with issuing certificates for private domain names. My understanding is that CAs have altered their code to make it more lenient in the kind of problem cases that we encountered, but I wondered if that's something that should be described in more detail in the draft. And the other problem we encountered was to do with CNAME handling, but it looks like you're already addressing that. So that's good.

Yeah, it's a good question. You know, I think the experience that Let's Encrypt has had is that there are kind of two common mechanisms for having a private sub-branch of your main public domain space, and one of them works fine, where you publicly and show a return sign X domain, and the other doesn't, which is, I believe, the one where you delegate to a non-responsive name server for subdomain trees, but that definitely merits some discussion of deployment considerations.
So last time we received our comments from the group, and made changes to remove the DSA, and we also added a lot more details to it.

And here we copied the OID for the mask generation function number 1 from PKCS #1. It's not right. Now the number is 8. To use a SHAKE as the mask generation function, the OID must have the parameter, which is a hash algorithm value, and so in this case you have to use either one of those two OIDs we mentioned above.

So here we copied again from RFC 4055. In this document we require either one of those two functions to be used. It has the algorithm, and the SHAKE output length, which is accommodating the SHAKE OIDs, must be present and either equal to 32 or 64, depending on which SHAKE is used, and here we specified the length, the SHAKE output length, for each of those use cases.

For what it's worth, in TLS we're requiring salt greater than or equal to, and the signature requiring greater than or equal to the natural digest length. All right, that makes sense. Now, of course, you don't place any requirements on what has to appear in the senator carlucci had felt, right.

I recognize that, yeah, I mean it's, well, like, I would actually prefer just to define, you know, id-RSASSA-PSS-SHAKE256, mm-hmm, and actually I guess it's worth considering whether we should just do that. I mean it's not actually particularly, like, I mean, as a consumer of this technology, is that actually helpful, to have to, like, parse that PSS and then parse this crap?

And given that we're now basically defining, you know, new algorithms, I don't know, like, I mean, leaving me out of an opinion, I mean this is, like, a show, right, so I'm gonna get out of it, but I can't decide, like, I mean, like, I keep hoping that, like, maybe, like, you know, like, maybe you have it, I mean, eventually, but I only have the ones that are, if we started doing good ones when we have the ones that, like, totally helpless.

Ryan Sleevi. Yeah, so I agree with that. We've had a lot of talk from an implementer side for RSASSA-PSS, and the notion of having, you know, an id-RSASSA-PSS-SHAKE128 is certainly preferable. The idea of the variable complexity, even, you know, with this of configuring the salt length for SHAKE and then throwing this in, is not something, from an implementer and from an ecosystem standpoint, that we'd be terribly thrilled with, at least on the public PKI.
No, what I mean, yes, yes, but I mean we're advocating defining an OID that only has one value for each of these parameters. I mean there's an OID associated with one value for these parameters, and therefore the salt length would be exactly one value, I mean, and yes, the parameters you select are the right parameters, but what we're suggesting is, like, having a, wouldn't yell them down, yeah.

Ryan Sleevi. Plus one to that, is that all of the parameters are fully expressed within the OID. Every time we've seen a permutation of parameters, as applied to both TLS and the PKI, it becomes an interoperability mismatch, both on policy and implementation. So the one way that expresses everything you want to configure, plus one.

Okay, I'm pulling this out of memory, as I actually would need to go back and double-check this. But in point of fact, if I remember correctly, the salt length is actually, was, is there as an imposition from the public key to the signature algorithm, and the actual value, the verifier does not actually use that value. So you don't care what the salt length is when you verify the signature, because you don't know what the salt is anyway, but I have to go back and double-check that, but I think that's correct.

So I knew the validation worked, really, I don't think that, that doesn't feel right. Not to go read it, remember how picky I thought PSS was, like, done, like, a la the official way to do PKCS#1, where you weave forward, generate the block and then just compare. No, so then you must need the salt. You must need the salt length, because, like, you're not doing it, it's like there's no other way. That's all to go, right. I think it sets the line between the two that.

Bye children, you're gonna need new OIDs for the public keys when the PSS public key is right, for right, I mean, by the way, these, just to be clear, it's like PSS public, the whole, this whole, like, PSS-only, like, keys, is, like, itself a menace. Oh honey, like I mean if you're gonna do it, you should do it. They should do it this way, right, okay, so we do. We knew it, and you're gonna need your knee.
All right, next slide. Yeah, and we had this security considerations section, and it's copied most of the text from the previous RFC, and we just added this text about the hash function as additional information to the section. We are fundamentally saying that they are deterministic functions, so you don't generate multiple outputs from the same input multiple times.

I have one question for the group. Should we say something about how the salt should be generated in the documents?

So in case the random salt is lousy, bad, they privately could give the additional security benefit to it. For example, I run the SHAKE over this salt concatenated with the private key. So basically the salt would be like a randomized value for the private key as the key generation secret.

Here, so basically, KMAC is what we use, from NIST SP 800-185, and.

Follow that, and we make a fixed length for the output size, 256 bits for SHAKE128 or 512 bits for SHAKE256, to make it simple, and so I don't know if the group would like some flexibility for the output length, or the group would be happy with the fixed length like what's in the post right now.

Yeah, coded with an OID, the hash function, we fix, we don't need. The thing is, employing the hash function requires the parameter, but if we could change the OIDs for the hash function with our parameter, that would be possible. However, that would make a little more complication in the mask generation function, because, in the mask generation function, the output length for the hash in a mask generation function is different from the output length when it is used in hashing messages.

So right now, as you define the hash, the SHAKE128/256, whenever the OID for either one of those is used, the parameter output length must be accommodated along with it, because there are two situations, at least four different lengths. The first one is 256 bits, for example SHAKE128 when used as a hash function, and all the output length is the modulus size minus the hash value minus 1 when SHAKE128 is used in the mask generation function, but.

They basically, like, fix everything. Okay, you fix everything, right, so, like, so be a lookup table. Let's tell you what to do, right, based on it, so then. So then, usually you need, it seems to me, you need three separate OIDs. You need one OID for, on the 108 for, like, SHA-3, from three central groups of OIDs, one for SHA-3 as a digest function, one OID for RSA with, like, each variant of SHA-3, and one OID for SHAKE, one for each variant, for each SHAKE variant with each, for SHA-3, so you'll need, what, I guess, three, so you need six OIDs as far as I can make out.

The parameters that resolve the water are one hash function for when you need to, like, I guess, for when you put at the front of, like, a CMS message, right, one to the type of the RSA key, which is associated with, which now we've agreed is associated with all the SHA-3 values. Hello, no, I'm just, I'm just talking, I'm just, like, like, all possible ways with, like, the union of these specs, and as far as I can tell, six OIDs: one, the bare hash; one, the combination of RSA with each hash; and three, the SHAKE combination with each hash, which I want to have a fixed output size, which is the natural size of this digest, right.

So, okay, so, and you never need to represent, and when SHAKE, I agree, SHAKE is used as an MGF. But you don't need that, it doesn't need representing on the wire, because that's implicit in the OID assignment. We know RSA and SHA-3.

All right, do you know what to do? I think so, but yeah, I'm seeing about the length output in a mask generation function. You know, that's okay, I go with that! Okay.
So we had a little incident, so I first got interested in this when, or basically the incident happened like this: an affiliate of one CA decided to change to being an affiliate of another CA, and so, as part of that switchover, they said to their first CA, "we would like you to revoke all your certificates, because we've just reissued them for the other CA", okay. Now, firstly, the CA said no.

"We want to keep those certificates because you are not the subscriber and therefore you don't have the right to revoke." So the affiliate then sent an email containing a list of 15,000 private keys for said certificates, saying: "okay, now they have been compromised, revoke", which the CA did. So there are two separate questions that interested me here. One of them is, well, shouldn't we have a better way of proving compromise of a certificate, of a private key, other than actually posting the private key itself?

A standard for a suicide note. And I asked Russ, Russ contributed the first five bullets here, and then the ACME folks said, well, we should also have a revocation message. So that's one issue. Jim is about to tell me another one. Yeah, I'm about to tell you, no, a CRL to list yourself. Yes, now that is actually my preferred.

One would be to simply have a CRL signed by the certificate itself, because that is probably the easiest to create with existing toolkits, so I mean, like, one possible work item for the group is, okay, we've got six possibilities here and Jim's just added a seventh. We should have one, well, we'll need to have one if we're going to expect anybody to do it.

Essentially, they were a technology provider to a web hosting provider, and they were almost certainly managing the whole crypto interface for the web hosting provider, if not more, and that is a very common thing in our industry now, in that you have technology providers who are managing multiple web hosts on a cloud infrastructure, and what they will be doing is pulling a host from here and moving it to there and moving it from here, and when you think about the management that those people need.

Of course, the certificates, the private keys, are going to end up in some database somewhere, and so that's a point of vulnerability I think that we need to be aware of, and start to think of ways of maybe avoiding the need, providing the ability to manage all those cloud services without having such an enormous single point of failure.

Tim Hollebeek. There are a bunch of other ones. This is a very hard incident to discuss because of the fact that there are a bunch of really interesting things that happened, and it's not a particularly, one probably wants to base one's best practices off of hypothetical occurrences in which people are actually interested in following best practices, right.

And if you look at some of the practices that existed around this incident as well, including, you know, cross-site scripting vulnerabilities that allow you to get root on the host, even if you did have a best practice for demonstrating revocation, I think there's very good evidence that we still probably would have received a zip file full of private keys. So, you know, I had to spend an entire afternoon writing a best practices document. There's lots of things around these providers, and things like that, that probably could be improved.

It would be great, I agree. We really should have a discussion about what our best practices on ground revocation requests are, because everybody's doing it differently and a lot of the methods do not have particularly great properties, and I agree that disclosing a private key for the purpose of proving that you have possession of it is perhaps something we should ban. It's slightly different from "awesome", which I heard right next to me from somebody who probably would be willing to say that in public, yeah.

That's actually the direction I was going. Yeah, I think discussing that particular case, that's just a nest of zaniness, so we should think about, your case is actually much more interesting: cloud providers that have a legitimate need for having these keys and things like that. Well, at the end of the day, any area.

I keep, well, I used to keep tabs on my competitors, I don't know why I'm doing it now. A lot of the time you can just say: "I want SSL on this website" by clicking a button, which means that that key is being generated for the subscriber, and then it kind of, like, whizzes around this data center. So, yeah.
Paul Hoffman. So I don't think that this is a good forum for figuring out best practices in policy. Giving people a way to do something, especially if it's just one way, I think is certainly appropriate. But going back to the very beginning of what you said, this sub-CA, I called them, had a legitimate desire. They ended, and they were told no, you know, and so they ended up sort of forcing it.

Should there be a way of doing masking, for the exact reason that you brought up at the very end, which is, in fact, there are a million private keys that are not held by the people who own the websites, and there are often very legitimate business reasons for moving from one CA to another, especially the CA might tell you, "oh, I'm sorry, we've changed our name", with changes.

I mean I don't have a solution yet. I'm not sure that I will have a solution, but I thought that I should raise it so that then we can start thinking about it, and it may be that in the medium term we end up wanting to change TLS and other things in order to facilitate, I mean short-lived certificates might be part of the mix here.

I mean, if you do want to have a suicide note, one important property that the suicide note ought to have is that it can be generated immediately upon receiving the key and is not to be timely, because one situation is, like, I have a key on my machine, if you've stolen it, and now I can't generate a cancellation, so I've forgotten about how ACME's request works, but I imagine it, like, all their ACME requests. It has some TTL before the mechanism, and in this case you don't want any view for that mechanism, that's undesirable, because, like, so, yeah, I mean you want to be able to regenerate it.

Now, the motivation for this was we were looking at all the migration that we're gonna have to do when the post-quantum algorithms become available, and if you think about key establishment, I mean that's negotiated between two peers and it's all easier to update in phases. But when you think about authentication, and we depend on the certificate chain that is issued by a PKI that only has a single algorithm in it, we can't really migrate unless we duplicate infrastructure, duplicate certificate chains.

So what this draft describes is a hybrid certificate of sorts. We place an alternate public key and signature inside non-critical extensions, so that existing clients can process these certificates and ignore those extensions. Now, if that certificate is processed by an upgraded system, then it could ignore the classic signature and go to the quantum-safe one, and so essentially the way it's done is by layering signatures. We take all the certificate attributes, including the quantum-safe public key.

We sign it using a quantum-safe private key of the issuer, and we place that signature inside a non-critical extension as well, and then we sign it using a classic key. Now, this type of certificate is a little larger than the ones we have right now, but at the same time classic systems can process it without failing. So we've done a number of independent experiments between the three companies that worked on this format, and we have posted the draft describing in detail enrollment, revocation, everything on it.
Hoffman. We may be heading towards a world where there are multiple post-quantum algorithms that are chosen. Some, you know, one world that I've heard of is an algorithm with small keys, large signatures, and then another one where it is large key, smaller signatures, and what I didn't see in your document was a way of multi-signing the multiples. Is that something that you're intending to do, or are you assuming that the CA is going to have picked one for creating the certificate? So the motivation.

For this was migration, so that legacy systems can process these certs, yeah. That is why we only had one algorithm added. Now, nothing prevents us from adding multiple sets of those extensions or creating a hybrid signature of sorts where the OID describes multiple signatures, and then the signature is a concatenation of multiple signatures, so I mean.

I certainly hope those worlds don't appear and that we get one, but from the tussle that we are hearing, those of us following the NIST list, I believe that we will be worse off than just SHA-2 and SHA-3. I think there's a reasonable chance that NIST or whomever, or NIST plus whomever, is going to end up that we might have three or four to pick from, right. So, okay, great, okay, just as long as that's something in your mind, because I didn't see in the current one of that.

Yeah, yeah, right, so I mean the thing is that, so I'm gonna say something like, I'm not sure I like this very much either, but I mean certificates like this will be almost unusable in, like, any web context because of the two of ours, right, and no one's gonna take two more MSS to deliver the certificate, so, in general, it's a problem in the interactive context.

So the one thing you might imagine doing is actually emitting this, the post-quantum signature, or replacing it with essentially a digest of the post-quantum signature and treating that as a promise, and then delivering the signature to the offending party separately, and so the way this would work would be: do you think any imported get two things we get? It would effectively get a, we get a certificate that was such a classical certificate.

We have a set, effectively a promise for the post-quantum signature and potentially a promise for the post-quantum key too, and then it would get a separate object which, and then went, and with a client, and then, as I can tell last, the client would say: look, I want post-quantum, and then you deliver.

You know, you deliver the cert and you deliver the part of the things that fulfil the promise separately, and so that way, not that way, no, not everyone else in the world has to absorb, like, the extra. I mean if you want to get ready, grow deployment, like basically new servers gonna accept, like, having that big certificate expansion. But if talking about big expansion of, like, you know, seventy bytes, that's the sort of story, and people might take that, so I don't know, like, I've forgotten about it really clearly.

So maybe you don't care in the interactive context, but.
I
V
I
A
T
So Ryan Sleevi I just want to give a plus 1 dagger suggestion when we look from a browser perspective at the real world deployment of OCSP stapling, for example, this is actually one of the concerns that comes up the size of the OCSP response being delivered in the handshake. The fact that you're delivering it to clients that mary have the OCSP handshake, so the caching matter that the 10 mentioned so putting it in the certificate in the fact that you need to deliver this to downlevel clients becomes a problem. So in looking at what this.
T
This looks like the idea of a negotiation who opted into this, whether it like the TLS level, etc. Acura solution, I, think, is probably cleaner because it it is within that bound of overhead that you could probably just send it anyways, but for something. If you do go down this route, then it's it's more than likely going to be that you have multiple certificates. You have the down level certificate that does not have any repost quantum, precisely because you need to support client to simply do not care about that.
T
G
Hi Sean Turner I mean this also brings up the other thing that we talked a little bit earlier with you know the the the the supported stuff for S/MIME. That's one capabilities. You got the old in the new and which one do you do and if one doesn't work, you know you take the new one and that's a policy thing, and we don't know what to say about that, and we've tried that a couple of times the IETF and we pretty much fall on her face so I'll be curious to see.
G
If you put tune in one or two or more in right, then you figure out like which one's good and I don't know and I think this is like the third algorithm, that's post quantum safe, so we have to decide which one is: post quantum, safe and I. Don't know. That's that gets to be kind of challenging. So I guess I. Just think that I think there's lots of dragons in this space and I still think that having two certificates just makes everything a lot easier.
L
Q
U
O
U
Busy very soon yeah, but the key point here is: if you are going to make a promise, you then have to define a mechanisms by which you've fulfilled that promise extension. This might not work in this case. What, because it well that there's someone certainty as to whether or not you're gonna get something that needs.
I
Fulfillment so I actually was thinking about. I was thinking about this precisely for the purpose, precisely the cuts to TLS, and so so bear in mind so I'm. Assuming that you would offer a I'm assuming you offer two extensions, one extension would be the signature algorithms, which said like, which would only have a place one algorithms and the second would be a placeholder extension which would allowed these. We still have the server to send you in the certificate entry, the things of full the promises.
U
V
So the experiment we did with TLS is what we did. We in TLS 1.2, we modified the NSS and we configured the Apache to have the certificate with two signatures. So then it would enable two types of cipher suite to two different signatures on there now, depending on the client. If you only understand the ECDSA that would be negotiated or if you understand post quantum and then the server will just send a same chain but then sign that Diffie-Hellman key using a different private key.
I
Technically works, fine, but the consequence is that you've made the server's flight much bigger and like we had a lot of trouble to keep the server's first flight within the initial initial cwnd. And so, if you make the thing, though, it's bigger, you don't you gotta, see wind, and that makes everybody really sad. So, like like I mean it's like pretty important good small again mr. banner I mean for CMS, maybe doesn't matter, but for like, but or maybe does betting for any interactive protocol that has congestion control as part of the handshake.
E
Q
V
G
U
So some Martin Thomson. How would you imagine this being used in a context like TLS? Would you get both signatures over the handshake, or would you just pick one or I mean? Are we going to identify? Are we going to identify this by saying I want the the XMSS signature of the hint or well that'll be fun, wouldn't it or I'm willing to take the combination of that and something else there's a bit of a combinatorial explosion there. That goes on that we record to think about a little bit.
V
Thank you and just a comment on a multiple certificate chain idea: I mean yes, I mean there's one way to go, but if you think about large enterprise, then you have to let user or the application select which credential to use where you know. If you bring it all the way down to the protocol level, it's a little simpler in terms of.
A
I
Like mostly protocols already do have mechanisms for selecting for letting different surrogate change, so you can support first, this RSA NEC, DSA or ECDSA, and easy to find one night. So I think you know like there's, no seem clever, but it's not entirely clear to me what it it's better to have you multiple chains and it certainly has a dream in central Hardin vessel many mechanisms are gonna. Look the kind of blow us talking about so I mean I.
I
I
It seems like that in some case, we've got having hybrids and so like as obvious about that and like I can imagine like so one thing that imagine a very sensible, hybrid we'd be a post quantum key key establish an algorithm signed with a with a classical signature algorithm. That's the extremely sensible, hybrid right because you say like because you say like look how I I. Don't trust like you know, I, don't trust crossing out the cost of called key change against.
I
Take that post take the you know to use the post quantum signature to verify the classical as in Zagreb medicine, like that's good right so yeah it seems you have a two silo, so it's not creamy. Why mirja name is sensible. I guess I got a little carried away, trying to like actually design anyways orchestrate. So thank you so.
A
If you have a pairwise pre-shared key, this technique, I think doesn't make a lot of sense, because you should just use that and use the CMS encrypted data technique, for example, but if you have a key that you've described to a group and then use mix it with the other technique, disclose the creation of the large-scale quantum computer, we'll expand the scope of people who can deal with the back traffic to those who have that pre-shared key. So all's this is is a call for.