From YouTube: IETF102-LAMPS-20180719-1550
Description
LAMPS meeting session at IETF102
2018/07/19 1550
https://datatracker.ietf.org/meeting/102/proceedings/
B: So we were just rechartered five days ago, and four new work items were added as part of that recharter. So there's a call for adoption for each of those four. At this point about half of the people are speaking for and against one of the documents, and everyone who's spoken on the other three has been supportive. We'll make a call on that shortly.
E: Okay, I'm on the next slide. This is not it. Okay, so there's a new draft entered as a working group draft, and if you skim through to section eight there is a differences section, which is kind of, you know, useful, and I'm taking on faith that there's no other changes in there. I'm not, but so basically we're obsoleting RFC 6844, modifying the CAA climbing algorithm, which was the main semantic change that we needed to make, and this has to do with basically, well.

E: The deployment considerations that's been added, which is now based on experience, and there's a clarification of the ABNF grammar, and clarifying issues like what happens if you have a CAA record but there isn't an issue or an issuewild record, and all these corner cases that people have come up with and chose to decide that there was ambiguity. I mean, I don't think that we've actually changed anything semantically, but we have removed the ability to claim there was ambiguity.

E: Okay, so next slide. There's a few things outstanding on the list. One thing that we've not fully closed on: when CAA was first proposed, it did actually have a policy tag, so it allowed you to say this domain only has extended validation certs for it. That was removed, and the reason for that is, if you have a record that says you can only issue certificates from Alice CA for this domain,

E: well, anything beyond that can be agreed out of band between the subject and Alice CA, and that's better than trying to put every piece that you might want to put in that conversation into the CAA record. At least that was our feeling. So that's what we have said on the list, and if anybody's got any disagreement with that, please say so pretty soon, because I'd like to mark that closed.

E: You know, if we're gonna change the way that it's done in CAA, I would prefer to do it in a way that is replicable by other working groups, and there is a proposal to do that based on some work that Dave Crocker has done on cleaning up the prefixes in DNS, and so we've got to see what's happening with that draft before we write new text around it. So that's an action item on me to talk to the ADs concerned to find out if they're progressing those drafts. Questions?
E: Yeah, I mean there were two issues. One, that some folk wanted to put dashes in the tags, and I didn't like that originally, yeah.

H: Rich Salz, ACME. So the plan we came up with in the working group was we're gonna submit an erratum to 6844, the original doc, that will basically map the whitespace mapping to what this one is, because we don't want to wait on our extension draft, on our CAA usage, our CAA challenge draft, for this to go through the cycle. So we're just gonna submit errata, it's gonna be AD approved, and then the two will be compliant in the whitespace area. That's all. Okay!

I: Cornell trust with, so the ABNF actually, see, if you look at it, had an ambiguity based on the whitespace, but then also in Section 3 it specified that the parameter delimiter is a semicolon. So the document is actually just downright contradictory, and some CAs went off and used semicolons to fill in the parameters and other ones used whitespace. So beyond that, I think the ACME CAA proposal there uses semicolons. So when I originally submitted the mostly corrected ABNF grammar to 6844bis...

I: Earlier this year I switched it to use semicolons there, and then Allari Luis Bara (sorry, I butchered the name) found a problem again with the ABNF, alluding that basically multiple whitespace characters. So I put the ABNF tools through their paces, and hopefully that'll be the

E: last issue. Okay, great. Yeah, the semicolons I think is the right way to do it, since that's the way that happens in all the RFC 822-type parsers; they have been using semicolons to parse headers since forever now. So that's the way to do it, and also that's what DNS service discovery says to do, so I think that's the path.
J: So we've been adding the SHAKEs to PKIX and CMS for signatures and hashing and MAC.

J: We also updated the public key sections with the new OIDs, and more description about usage of the new OIDs for the PKIX draft. We removed the SHAKE hash function section because it's not needed anymore, because we Huck hold it or the hash functions in the digital signatures, and we did a lot of editorial fixes to make the draft read a lot nicer, shorter and cleaner.

J: So here are the OIDs. The first two ones are the OIDs for RSA-PSS with SHAKE128 and SHAKE256, and with these new OIDs parameters are empty, absent, nothing there. The hash function corresponds to the name indicated there, and the hash function used in the MGF function is the same hash function which hashes the messages.

J: For the CMS, we have for hashing the SHAKE OIDs themselves over there, and again the lengths for these functions are correspondingly 256 and 512 bits, and we have KMAC, which is used instead of HMAC, and also it carries no parameters at all. It's just one OID, because we have coded everything in there. The S value is empty in this definition, and the output length is again 256 and 512, so there's no need for any parameters to go along with our OIDs. So it's very clean.
B: Okay, in London this internet draft went to SecDispatch, SecDispatch sent it here, and the charter was done to allow a place for this. So I'll foreshadow the idea at the end: this is to make sure that you have the information you need to respond to the call for adoption. Next slide. So the CFRG has been working on digital signatures that are based on one-way hashes since 2013.

B: One of those documents is draft-mcgrew-hash-sigs-11, which has completed the last call within that research group, and it's based on the Leighton-Micali work, that is in turn based on the Lamport-Diffie (I cannot say his name), Winternitz and Merkle; it basically uses Merkle hash trees to create signatures.

B: It has the properties that it has small private keys and public keys, fast signature generation, fast signature verification using a small amount of code, where the hash function itself is actually the biggest part of that code, but it has very large signature values, and the key generation can be fairly slow, depending on the size of the tree that you want to use. The interesting property, in addition to those, is that the hash-based signatures will remain secure even if the attacker does get a large-scale quantum computer.

N: I don't, Eric wants to expand the money. I mean, I'm even confused, isn't it with Grover's algorithm you get square-root, more or less, irrespective of the size of it? I mean a practical size, no quantum computer, so, so like you should get incredibly huge to get like that. It must've is for that. That's my totally layman's understanding, I.

B: My motivation ties back to RFC 4108, which is a specification on how to use CMS to protect firmware packages, where the small verification code size is attractive in many of these small devices that we're talking about for IoT, and the idea is, if we can deploy a quantum-resistant signature now, then whenever we need to deploy the rest of the quantum-resistant cipher suites, we will have a way to provide integrity-protected firmware packages to implement those algorithms.
P: Hands up, how many people have actually read it? Okay, I mean we could do a quick hum on people's general feeling on the position of, you know, how do you feel about the current draft, if people would think that would be helpful. I think a lot of people haven't read it yet, but yeah, I was surprised as well. The draft's been around for a while because it went through SecDispatch, and I think probably a lot of people read it at that point before it got referred over.

P: Yeah, yeah, exactly. No, I think it would be useful to see. So since it's not sort of an approval or not-approval thing, let's go with option A is: this is looking good, we need to discuss it and make some comments, but we think we should go forward with this. And let's go with option B: there are some more serious things that need to be reworked, and it's not just going to be a little bit of editing here and there.
B: The concern is that if we do get a large-scale quantum computer, that RSA, Diffie-Hellman and elliptic curve Diffie-Hellman will all become vulnerable, and that any traffic that the adversary has observed and stored, when they do get the quantum computer, they'd be able to defeat those key management algorithms, learn the key and decrypt them. The proposal here is, in the near term, we can mix in a pre-shared key to the key derivation function, and that means that the attacker will have to also get hold of that pre-shared key.

B: So this slide provides just an overview of what I just said, except that it points out a few more steps and that a key derivation function will be used to do that mixing. Next slide. Again, I'm hoping for review and comment, and the ask is again adoption, and again Tim will make the consensus call. Please do review and comment.

Q: Thank you. It squealing from afar. We so presently I like this. It's dropped ours. This topic, I have another note: I'm yet to read the document, but I would like to read it later. My question is this one: so you mentioned something like the strong PSK. So what does it mean for strong, they'll have some particular...

B: And key agreement: key transport is the cryptographer's term for RSA-style key management, where I make up the key and encrypt it with your public and send you the encrypted one and you decrypt it with your private, and key agreement is more like Diffie-Hellman style, where I send you my public, you send me your public, I use my private and your public and you use your private and my public and we derive the same key.
M: Okay, Sean Leonard. So I understand the premise of why this works, of course, but given that it's also acknowledged that this is a stopgap measure compared to strong quantum-resistant functions, I guess I would question whether it's time right now for us to adopt this, as number one, as a working group item yet, because it might be a little premature, and then second, whether this should be on standards track or a different category such as informational. So I would argue it's...

U: What is my software is, but I want to talk that there is a similar work in IPsec, the IPsecME group, and it is currently in last call, and I just want to say it uses the same technique, mixing pre-shared key, and but in our draft, as long as codes flow and giving good and honest company keys. Well, this particular shared key is called both want and we should get special ten. It's probably a good way to consider the same terminology.

P: All right, so we had a few more comments on that one, so I think we're gonna go again with option A: you think the draft looks more or less the way it needs to. Option B is you have some concerns about whether it should be informational or whether there's other work to do. So let's go with that right now, so option A.
G: A queue in it now, so you have to understand, even if they finish at that point, Olivia, then we have to start standardizing those algorithms, or actually write in every second, me, we already started. We haven't. We have this quantum Gracie stunt, as we call it. This is not protective of escala, just resistant, to start using this pretty postponed ever first quantum safety or subtracted PPK.

G: So that's the stopgap, and then we have already started making the protocol, that if we have protocol that loop be protected away, what doctors tell me might have a raw infrastructure sheet ready for it when they publish the documents, when they actually publish algorithms that are usable, and in that case we also actually still want to keep the old stuff there. We actually do both.

G: We do both the traditional and the post-quantum calculation, because the post-quantum stuff is so new that we want to make sure that we actually don't make it weaker by just adding that, or taking out the old one and adding new stuff that is completely broken would be valid. So I...

K: Said, yeah, yeah, I think the time frame looks like it's, you know, useful, but the problem that I have is rather, you know, figuring out where all the additional below that you need to do to have the out-of-band channel for the PSK, right. That's, I'm not sure who could help to make a judgment call whether there are, you know, sufficient good examples where this hula hoop is worth it, because that would be for me the criteria to...
B: So the idea is that if you have a root certificate and you add to it an extension that says, I have a hash of the next public key that will replace the one that is in the certificate, then you publish that hash value as part of the certificate. If you ever see a future self-signed certificate that has a public key that hashes to that value, it is the replacement for the one that you have in hand. So it's just a rollover mechanism. Next slide.

B: Basically the idea is, at the time you set the initial certificate up, you create the first key pair and you include in it the hash of the next public key from the next key pair, and you publish this, and then again, when you want to move to that second key pair, you need to compute the third pair so that you can hash that public and put it in that certificate, and so on. Yes.
N: Is that assertion guided by the lifetime of the first certificate? Unless you renew, right, you can certainly do cert renewal. No, I'm sorry, about the other way. I mean, so I've got a certificate. I got a root certificate with a hash in it that extends until today, and then tomorrow, and then for some reason I don't get any kind of renewal, and then tomorrow I get a thing that has the right pre-image, and am I supposed to accept that? I would think so, but...

N: Yeah, I mean, I mean the idea I would have in my head would be the same reason why we should still get expiry this way, which is to say that, like, you know that I'm always much treated as valid for that period of time, and that, you know, perhaps in this whole thing has been revoked. I know, not really revoked, but effectively revoked, but I'm not getting updates, right.

B: Issue a new self-signed cert, sure. Okay, that's the thing that ties to what Eric asked. If I can create another self-signed certificate using that same key pair, but you're gonna put a different hash in it, great, and that's the whole reason for enforcing the not-before or not-after that Eric was talking about, but...
G: Yeah, actually quite a lot of those self-signed certificates we trust are still actually signed by MD5, because they are very old. Not anymore, I think. Most of the last time, a couple of years back, when I checked my Mozilla roots. And here is what step, what is really that, you know, what you are trying to gain from, I mean, to be able to update the trust anchor, mm-hmm. It's, as I said, it comes out of band, I really think about.

G: Okay, if somebody ever, you know, gives you any certificate anyway, somehow, during the negotiation of TLS or something like that, you happen to get the certificate that has a hash that matches any of your trust anchors, you are going to accept that as a trust anchor, yeah.

G: That allows you to do so, and it automatically will take... If you ever see more, it was there some out-of-band management that tells us, oh, by the way, now I'm going to update my, you know, trust anchor, so here's the new trust anchor, and yes, you can verify that the previous out-of-band thing had the same hash of that, which actually would mean that it doesn't have to be stored into the CA cert itself at all; it has to be stored along with the thi dividend.
X: What if you instead included a hash of a very, very secure key that can be used to verify the next public key? Two advantages. One is that you could have some ridiculously secure key that takes a long time to process, but once you do it, you only do it once to validate the next key line, and if something happened and you want to change key size or anything, because cryptographic research and everything changes, you can decide when the next key is issued.

N: This isn't to say this is something we shouldn't do, but my understanding of the way the root programs work, at least Mozilla's, is this, but not. We would not accept this certificate. I agree, namely we require, like, so in that sense, they take the case of a subordinate, right, which is inherently verifiable. We require you to notify us when you change yourself, like when you change your own internal subordinates, so we wouldn't accept the certificate. We insist you can't give it to all.
M: Work for problems, right. Okay, Sean Leonard. So I guess I have a question: wouldn't it be better, or consider the approach of, instead of adding a second key that you're going to use in the future, why not have a hash or information in the new root certificate that can be used to identify and constrain, essentially, the damage that's caused by the compromised or expired prior root certificate? Because you have to receive the new root certificate through a secure out-of-band mechanism. Now, I understand.

V: It's, so suddenly I receive a new certificate and it chains up to a root CA I had never seen before, but it matches a thumbprint, mm-hmm. Then you go to start, then do I expect the log to have logged it, even though the log may not have logged it? So I don't expect a log to have logged it. So now, if I'm requiring CT, yeah, do I accept the new cert or do I not accept the new cert?
H: Other thing is, I think this is useful. It doesn't address all of the cert lifecycle, key distribution mechanisms. That's right. However, as we're moving towards more things that are on the net and things that want to do secure conversations, being able to automate updates of those things securely and give them a chain of custody from the thing that they got from their manufacturer, that seems really, really, really worthwhile. Thank you.

J: Quynh Dang. Would it be useful, instead of signing the public key alone, you're, so I know, hashing the public key alone, you have also the OID of the next algorithm you will use to sign the next certificate for them? Or, if you do RSA now, next time you do ECDSA for example, then you have the OID of ECDSA and the public key together. So in that case again, you can, you know, make changes, that it's more flexible. So you're saying this would...
Q: The second one is that I'm concerned a little bit about the security, because I'm not very clear, I'm not very familiar with their real PKI. You two issues that you pick it or something like this one. So once an arrow I'm just imagining is this one, so I think when you use the private key of the root key, or just you use the root key, you issue certification.

Q: We must be very careful if we use this scheme. Otherwise, if we use some automation system to check the certificate, in some case maybe some guy, some bad guy, that may ask the CA to issue a certificate, which is actually he may try to replace the future root key, like that. Now maybe we have the root key three, so one bad guy may just try to generate the root key four and ask the CA to issue a certificate for him.

W: Max Pollock overlaps. One question for you: you mentioned that if you start seeing the new certificate used, you have to stop trusting the old one, but there are many possible ways, many possible reasons why you started seeing the new trust anchor before the other one is expired. When I want to keep, you know, continuity across, you know, many different devices, it doesn't mean that the certificate, if the key is compromised, I just want to roll out the next one. So if...
P: All right, I think that's a fascinating discussion, and I think there's lots of good stuff to discuss on the list. One thing that I would suggest personally that I got out of this is, I think the best way to think about it is, under a normal rollover situation somebody gives you a new key and root certificate, and you have no information other than, you know, out-of-band stuff in order to evaluate whether it's the correct one or not. This is essentially bit commitment, where somebody has said, somebody has said...

P: Well, why don't we make that a third option. All right, so option A is we start with this and we go with it. Option B is, now let me see, let me see if I can state this correctly, option B is you like this, but you think there's a better answer that could be written up instead. Is that what you want? Okay. And then option C is you're not interested, or we should go do something else.
Y: So what is this draft about? It's called STAR certificates: short-term, auto-renewed certificates. Now both of these properties do describe STAR certificates, but neither short-term nor auto-renewed is the point. The point is that there is no revocation information. So short-term is what we have to do to make up for lacking the ability to revoke, and automatic issuance is what we do to allow us to overcome the operational challenge of using short-term certificates.

Y: The draft is intended to list the operational and security considerations for deploying an environment with STAR certificates, and the intent is for this to become a BCP. It's not standards track. It could be informational or, better yet, BCP. So next slide. Okay, and we'll run through two examples, which run pretty quickly, some of them, because neither IPsec nor storage is the point of this discussion. So the first example is an IPsec VPN, so you got your medium-sized company.

Y: They have a head office and it has its datacenter, and they've got two gateways for high availability in case one of them breaks down. There's also a backup facility that has its own two VPN gateways. You got your R&D centers all over the world that have several networks inside them, and again you've got a gateway. Then there are the regional sales offices in the smaller countries, or in the United States the state sales offices. Each one of them has between five and thirty people and, of course, yet another VPN gateway.

Y: Then you got a bunch of people who work from home, and for some reason a lot of companies prefer not to give them software VPN clients but rather give them small CPEs, and there's some good operational reasons for that. And then there are the people who travel around, and they have to use some sort of software VPN client; maybe it's installed on their phones or company-provided laptops or their own laptops. Either way we're getting hundreds, maybe thousands of clients, gateways and clients, and all of them have to be authenticated. So next slide.
Y: So the challenges we face when deploying such a company-wide VPN is, well, we would like to stop intruders from connecting to our network or data. We want to prevent rogue gateways or clients from impersonating one another and getting the wrong kind of data, and we want to allow traffic from any gateway only for the source addresses of the traffic that belong to the network it is protecting, well, sort of an anti-spoofing thing.

Y: Now all these are good features and we can implement all of them, but all of them require authentication. So let's run through the second example. Next slide. Yeah, that's old job, new job, so software-defined storage. It's pretty much the same thing that used to be called storage area networks, and so you got your data servers; they're servers that have a lot of disk space, five to 100 terabytes each, and this data is either mirrored or it uses some kind of parity scheme, and there's anywhere from 1 to 100 data clients.

Y: These are application servers, web servers, whatever, that use the data, and they have some kind of driver installed, and these may be co-located with the data servers or not. That's the difference between converged software-defined storage and non-converged. And we define virtual volumes, and they are mounted on the data clients, and they're using some kind of protocol to read and write data from the data servers, and then we have this controller. The controller corsets replicator, like everything else; it's really running the whole thing.

Y: So if I would say I need a new volume, a new five-terabyte volume, it allocates the space, one megabyte on data server number one, second megabyte on data server number two, and, of course, different data servers for all the RAID copies, and mounting a volume on a data client means sending it a map, telling them where all the different megabytes of a particular volume are, and so the controller manages.

Y: You don't want hosts that are not data clients to access your data servers and either read your data or overwrite it, and you don't want real data clients to access volumes that you didn't mount on them, and you don't want data clients that have read-only access to write on the data, and you don't want an attacker to be able to impersonate the controller and then move on whatever it wants to, and/or a data server, which allows them to either read, modify or fake the data. So these are all good features.
Y: So this authentication data method, you can do the authentication using pairwise shared secrets. Anytime you start designing something like that with hundreds of nodes, you end up saying, now I'm going to use certificates instead, because PKI works. So where can I get certificates? Well, I can think of three sources for certificates. One is the global web PKI, your Comodo, your DigiCert, and they're nice, they work and they're very professional, but they are very much geared for the web and a bit for email; they're mostly for the web.

Y: That's why they call it the web PKI. So the other source you can get is some kind of corporate CA. This could be a Microsoft Active Directory or several other things that are either bundled with an LDAP. You can even use your own CA or whatever, but we find as vendors that this meets a lot of resistance, because the people running the LDAP server and the corporate CA are not the same people who are running the storage, or the same people who are running the networking and the VPN.

Y: And then you sometimes need the weird names for your servers or for your VPN gateways, and they don't fit with the naming scheme in whatever company. It's really difficult to use the corporate CA. You get this with a few customers, but most of them don't really want that. So the third option is to roll your own, and rolling your own really, a lot of the time, is just Python scripts running OpenSSL commands, but wait, but it works.
Y: The problem with rolling your own is that you really don't want to deal with revocation. Revocation is complex, revocation is hard, and it adds a bunch of failure modes, and you have to deal with those failure modes with your Python scripts running OpenSSL, and revocation also takes time. So from the time that I figured out that my key is compromised or my server is compromised, or I'm throwing away the server, until the relying parties know about it and are going to reject the certificate, this takes a long time.

Y: This is at least hours and usually measured in days. Why? Because of the process that it takes, and because of caching. This is really hard, and the other thing is that, you know, revocation slows down connection establishment, because I have to go and check, and it's really hard these days to explain why issuing blob one and then issuing blob two to say to the relying party that blob one is still valid, that doesn't really make sense, especially when issuing blob one and blob two requires the same effort. In the old days,

Y: yeah, issuing the certificate was hard and a manual process, whereas issuing CRLs or OCSP responses was automated. Now they're both automatic, so why do we need both? Next slide. Okay, so what alternative are we proposing? And the alternative is not to issue new certificates and to stop the renewal. So to get equivalent security properties, one would propose to make the lifetime of a certificate short.
Y: How short? Short enough that we get the same kind of time between stopping issuing until the certificate just expires as we've had with issuing revocation. So short could be days, could be hours. It all depends on how accurate the system clock is. Yeah, use NTP, people. So to do the administrative nightmare of issuing hundreds of certificates every day, we really have to do it automatically. There's no way this can be done manually, especially when there's hundreds of data servers or hundreds of VPN gateways that all look the same. So, and that's life.

Y: So, admittedly, this draft requires work. These are some... The use cases have to be expanded, and pretty much gone through there every kind of issue, either security or operational, that I could think of. Probably there are others, probably pitfalls. Besides the obvious time thing, this requires a lot of work, and we hope that this work can be done in this working group. So the next slide just has some anticipated questions, so feel free to run up to the mic and come up with your own. So next slide.
Y: So these are the questions that I anticipate. And so, is this for the web? And my initial instinct is to say no. I mean, I don't know, maybe this is good for the web, but for the web we already have ACME writing documents especially for the web. There's this browser forum making rules for issuing certificates for the web. There are lots of places to do that, and this draft in LAMPS is not the place for that. If what we come up with is good for the web, so much the better.

Y: But this is not the use case that is driving this draft. The other question is, there was a proposal that we need some extension to say that this is a STAR certificate, we have no revocation information, rather than just not including the extensions that say this is a CRL, this is an OCSP responder. I don't think so, but if the group wants it, it's fine, but I want this document to remain a BCP or informational, and not a standards track thing.

Y: So if you want some new extension that says, no, we have no revocation for this certificate, let's do it in a really small different draft. And the third thing is, well, do we really need to skip revocation now that we have TLS 1.3 and we can use OCSP stapling on both the client and the server side? And I think we still need non-revocation certificates, and the reason is that it does solve the issue that we used to have, that...

Y: Well, assuming TLS 1.3 years clears off 48, and it does solve the issue that we can't do mutual authentication with OCSP stapling, but it does not solve the complexity. It is not of the requirement to have an always-on revocation server. It reduces some failure modes, but it does not eliminate them entirely, so I think there's still great value in doing a simplified PKI that does not include checking revocation. So that's the last slide, and yeah.
N
X
I really, really, really think it's a really bad idea to call this short-term certificates. I really like non-revocation of certificates. I think it's very, very important to have non-revocation certificates. I would like to get rid of "short term", because short term is only one use case example, and I really want to use this for solutions or situations where the certificate is not necessarily short-lived, and the use case I have that is important is when we use a key.
X
We generate the key and we use it once, and we are very sure that we're using it for the right thing, and we should... the certificate, the certificate is valid for a long time, but we throw away and destroy the key immediately after using it. We have signature systems working this way and we need the same solution there.
X
There is no reason to have revocation for that certificate, because I would have so much control over the use of that private key in that one instance before it's destroyed. So two different situations that need the same solution. I'm going to have a hell of a lot of problems selling this if it's called short term, because people believe acronyms and names and say, no, okay, you're not to use that because that's short term. Well, it's exactly the same usage. And also I...
X
...do think that we need an extension, or to use an extension, and ideally I think that we need to deal with situations where old installations just require a CRL. So that could be a link in the certificate saying, here's an empty CRL for those who cannot understand this, and all the new installations, new software that can deal with this, could read the extension and say, by the way, don't bother checking the CRL, because it's empty anyway, there's no revocation of the certificate.
X
Y
Right, so I tend to agree about the naming, except that there are other documents that describe such certificates going around the IETF, and they are using the name STAR. There's one in ACME, there's another potential one that may come to ACME. So I'm fine if the group wants to bikeshed and come up with another name, but for now I use the name that is used throughout the IDs. Yes, as for the extension, okay, I get the... okay, I understand that again, people want that.
Y
X
Y
X
K
Toerless Eckert, coauthor on the document, and so coming from the automation of the enrollment system that we have in ANIMA, that we described in there, the key aspect for me is simply the ability to express, as a permitted, you know, policy within the PKI definition that we have, that, you know, a registration authority can basically leverage expired certificates purely for the purpose of renewing them, right, because that, in the whole automated system, is the biggest risk that happens.
K
Is that the PKI documents that we have do not currently explicitly permit that. It's not clear if it explicitly denies it, but so far, I think, the systems I've seen would not permit it, and so simply for the purpose of, you know, renewing the keys or rekeying, whatever, you know, the renewal operation is also permitted...
K
...with the expired certificates, right, because when we go back, and you can check out all the complexity that we did for initial enrollment or the trust stuff, that's a much more complex operation, which is why, you know, I'd love to have that better leniency explicitly defined as part of, you know, the PKI procedures.
Z
Just for the list: I think, this is Sean Turner, the CP that defines how you use your CA can allow you to use expired certificates. You can explicitly put that in there. Some do, some don't. I know that there are some that do support allowing you to renew.
K
Z
Or having it in RFC 3647, which is the CPS, how to write that, so you can write whatever you want in there and say, you know, use an expired cert. You can use it for one day after expiry, none, whatever. It gets a little... it gets a little time-consuming, because then you have to go see, get the CPS laid in your cert, and there's like, there's lag there. Just let me know... I liked your presentation a lot more than I liked the draft, so I agree that it means I like that...
Z
It needs work. I was like, oh, that's totally, yeah, it kind of makes sense, I guess, but in reading the draft I think that there were some things that were factually incorrect, and I think it would be way too early to adopt this draft at this point. For example, it says things like: the certificates discussed in this document have neither a CRL DP extension nor an OCSP authority info access extension; in other words, such a certificate cannot be revoked. That means all version one certificates can't be issued, and any version three certificate...
Z
...that lacks these can't be revoked, and that's just factually incorrect. I thought that the rationale in section two was really funny. STAR has several advantages over OCSP stapling; it's like, you know, the CA is issuing things so quickly they can just not even keep track of reissued certs.
Z
Have you ever talked to an auditor, like, hey, I used this cert for what? I didn't keep track of that. Good luck. There's a couple of other things, like: I don't have to run an OCSP web server or whatever. I mean, yes, it is more complex, but it's not that hard. I mean, it's like putting up a web server, right. I mean these, these are literally boxes that you start off and hit the button, off you run. I don't know, and I think really what the rationale is...
Z
...you don't want to waste the time to go get this, the CRL information. I think we should just be upfront about that, and that's really what it is. I'm not trying to back your way into the rationale, but like I said, I like the idea of short-lived certs, or, I guess, revocation-free was the term I tried to use last time; it put a pretty nice positive spin on it, but I think this draft isn't, so maybe a little early to be adopted. Thanks.
M
Sean Leonard. I wanted to respond to one point here about the extension for no revocation information, so it turns out there already is an extension defined for this. It's called noRevAvail and it's in X.509. Now, X.509 only defines it for attribute certificates, not for public key certificates, probably for all the reasons that have been alluded to, you know, in this discussion, but I did want to point out that it is there, and similar to, you know, what Sean Turner mentioned.
Y
W
J
W
To actually address those concerns, and this really scares me, because I think that you are underestimating the importance of these concerns, one of the things that I want to point out is that there's no way that you can demonstrate that a short-lived certificate without revocation has the same security level as a system with revocation. Revocation happens for many reasons, not just for key compromise. Let's say your employee leaves the company and you want to block the access right away, not waiting seven days because your short-lived certificate cannot be revoked.
W
So there's many reasons why I think this should be really... the scope should be clearer, more clear. You said the scope is about this type of problems, but then you say it can be applied, maybe, in the web if it's good enough. I would say, if you want to publish a BCP, you have to clear the scope. This is not for the web. This is for this type of use cases, contrary to what you said before. But, and I voice...
G
Turkey, yet, I have a response to that. If it's an employee leaving the company, you want to clear them out immediately. Yes, that means you want to clear out all the existing connections immediately. Revoking his certificates won't do that in most of the cases. Even if you revoke it for, let's say, IPsec, which I know, you have an IPsec connection to there.
G
Even if you revoke his certificate, nothing happens in the IPsec connection. Your SSH connection that you have, you revoke the certificate that was created, nothing happens to that SSH connection. You need to go and remove his credentials from the system. You go into SSH, you go and remove the password, then I kick him out from the system. Even, actually, if you remove his, you know, /etc/passwd entry, that doesn't kick him out of the system. You just need to go and kill his SSH connection. Revoking credentials doesn't break the existing connections.
G
Usually, so that's why I think, yes, even if you revoke the certificate, and of course, you know, CRLs are also usually one hour or two hours and so on, you can still do, you know, huge amounts of damage, removing everything in the last two hours. You want to make sure that he gets, you know, kicked out immediately, and you don't use revocation for that.
E
E
Just to start by saying that this does come up quite regularly in the web world, and the reason that it turns up on the web PKI is that once you've got to OCSP stapling, well, your OCSP staple is de facto the same as a certificate for the party that's stapling it, and so, when you do all the math and so on, why have two things when you could have one? So it does keep coming up, and the main reason that the web hasn't gone that way is that there's folk who don't believe that certificate... that PKI requires revocation.
W
One just reply to that: you're totally right, you need to have good security control in your company; however, revoking prevents the user from actually carrying on using these credentials. So I'm not saying... this was just an example. There are many others that one can come up with. I just think that making statements like "the same security level" is probably misleading.
W
You cannot have the same security guarantees. I made examples that have not been replied to in the mailing list. So if you have others, in the way, you can reply to that and demonstrate that those are the same level. If you do that, happy to abide by that, but until I see any good argument around that, I don't think so. I think that the draft needs to be... and take a look at it a little more seriously.
B
J
AA
So yes, in this presentation I was trying to insert pretty pictures of how broken existing mail clients are for this, but it didn't work during conversion, so you just have to trust me. I can tell you, or you can try it yourself, right. So here we go again. I would like to protect message headers.
AA
B
AA
A
AA
AA
AA
C
AA
AA
Okay, okay, well, nobody's perfect. So this is the inner message. So there is a wrapper content type, message, here; it's a... and then you include any headers together, you know, with the rest of the message. So in theory, according to the RFC, that should be other production; in practice, you can guess: okay! Well, yeah. There is one problem, is, you know, if you really want to include arbitrary nested messages at top level, you can construct some messages in MIME and it's indistinguishable in this case, but the main problem is that, yeah, I...
Z
AA
AA
In many cases it displays as at least an extra set of headers, which is confusing to users, and in the worst case you see an icon on which you need to click to actually see the inner stuff. This is really ugly. I'm sorry the existing clients do that, but that's just the way it is, right. Three proposals so far: there is the memory hole proposal, used by PGP people, and yes...
V
AA
Then there is RFC 7508, which is an independent stream experimental RFC, which says: include a copy of header fields into special attributes that are included in a signed or encrypted CMS. So again, they are sort of invisible to the readers that are compliant with this MIME but don't recognize them. And the third approach would do nothing and really try to beat existing implementation strategy, do whatever she says. A bit more details on this, next slide, please.
AA
B
V
This is dkg. I can speak to more detail on memory hole if folks are interested. This is the, this is the core of what it does. There is an additional thing that it does to try to handle those clients that are capable of decryption but not capable of reading protected headers, as well, to actually display things like subject there, but this is the core of it. That's right. Yes.
AA
The advantage of this is that, again, most clients will just... the clients that don't support it just ignore the extra header fields, because they need to have a parser that accepts arbitrary headers they don't recognize anyway, so when you display it, it will not show it as a forwarded message. It will just show you this as a regular signed, encrypted message.
AA
AA
Y
V
With an old client that will just say "encrypted message", right. So, so the memory hole approach is, when you... is that there is an advisory... there's a, there's, basically, an additional part added to the inside of the encrypted message, which is text/rfc822-headers, which contains those headers that are expected to be displayed by the, by older mail user agents, so that you can see it, like, sort of in the body, right, and user agents that understand memory hole, the memory hole approach, are expected to suppress that part.
V
So, yeah, okay, just, that's just to clarify that, that's beyond the quick... that, that part is considered advisory. You don't have to do that, right. If you're talking to somebody else who already does memory hole, you don't need to include it, but that's, that's the... that's the full piece of it. I could...
B
AA
So again, I mean the 7508, again, you need to change clients and you need to do it sort of backward-compatible. You need to change clients to support it. But again, you need to change your RFC and do nothing... you know, it's sort of the reverse: the RFC stayed the same, but we still haven't solved the problem, so we really need, you know, it requires more sort of marketing outreach and talking to people to fix stuff.
AA
V
We clearly need to fix this. We're 30 years in and it is absolutely ridiculous. I would use stronger language if I wasn't speaking at the mic. So the mail user agent I'm working on, the, the patch series that I'm working on, addresses both Alexey's proposal and the, and the memory hole approach when it's interpreting messages. I don't know which to emit; I'm happy to emit either one. I, I don't particularly like the, the CMS-encoded headers, because that doesn't work for OpenPGP.
V
The forwarded=no suggestion that Alexey made and the memory hole suggestion both work for arbitrary MIME structure nesting, which works for RFC 3156 as well as the S/MIME stuff. So I just want one way to emit. I'm happy to make my mail user agent process multiple ways of protection on return, but really, to make this work, and to make it work for the humans who actually use email, we do at some point need to start talking about what the user experience is supposed to be. Russ's question is right.
V
D
The memory hole approach may actually get you a bit farther than what you think today. The reason how come the old Microsoft mail program did this was actually a bug in it. So, in point of fact, it serialized the headers in before it encrypted it, and then it serialized it again, and when it decrypted it and unserialized the headers it had, it serialized them back to the top level. So, in point of fact, the encrypted versions overwrote the unencrypted versions. There may be other mail programs that's...
D
D
V
B
V
The fact that we have gone ahead and have these, like, arbitrarily complicated MIME structures is a serious pain point. It's a pain point for implementers and it's a pain point for users, who cannot understand where the crypto in their message applies. So I mean, we saw this with Efail, right. I'm sort of surprised there hasn't been a presentation on Efail at this session, because we, you know, we should acknowledge this as a failure of this community for a long time.
V
So, so we have to be very careful when we're specifying this that, yes, when you're decrypting and then extracting headers from the message, there's only one particular point that is where the protected headers could be, because if you pull out those headers from two stages down into the MIME structure, then you end up writing arbitrary stuff over the outside message when you do the decryption. When we... let me, be very clear about what that one point is.
Z
Hi, Sean Turner. What dkg said when he got up the first time. I agree with the second part too, but still, now that we've got S/MIME version 4 out there, and we, the idea was... we started this working group because people were actually going to go out and implement it. Can we not just contact the same set of people that wanted to do the authenticated enveloped data and be like, can you do this? I mean, if you're going to drop code to put in a new content type, that you asked MIME?
Z
B
Z
AA
AA
Z
Z
D
This is just... and yes, arbitrary structures of MIME is going to be fun, and I don't know that we can always say that you have to take it from me. You can't take it from the second level down, because you end up with things like mail agents which push everything down a level, and you may actually, at that point, end up with two multipart/encrypted pieces, if things are really interesting.
V
If you are willing to, to force your MIME perception into this view that there is a cryptographic exterior envelope and a cryptographic... and there's the payload, and yes, somewhere in the payload you might find some other crypto layers, and they are not going to affect the external headers of the message. If you adopt this misconception, the simplification of MIME, and you force your mail user agent to work that way, then it's actually fairly easy to identify the location where you expect the protected headers to reside, so...
AA
V
But, but if you, if you don't conceive of a cryptographic envelope, if you don't have that conception, then it becomes very difficult to identify where the protected headers should specifically exist, because you could have, when you have a triple-wrapped message right now, we're talking about potentially having headers that are pushed from the outside into layer one, outside into layer two, or outside into layer three, and potentially in all three places, and you now get to decide which message you expose to the outside, and you get to decide how you expose it to the user.
B
D
B
V
B
B
So I think the question that we're faced with, in the last one minute of the session, is: is this something the working group would like to talk to the ADs about adding to the charter? Would like it included in the charter? Yeah. Do not want it included in the charter? There are two things we're going to come off... okay, want to add it to the charter. Now.