From YouTube: IETF106-TLS-20191121-1740
Description
TLS meeting session at IETF106
2019/11/21 1740
https://datatracker.ietf.org/meeting/106/proceedings/
A: Okay, session two agenda. So for this session we... do we have... okay, so we will have somebody potentially be adding just a short, brief discussion on ticket requests, not really a discussion but an update, when David gets here, and we're going to switch the order of deprecating [inaudible] and the well-known URIs for ESNI. And I think, if we have time afterwards, we'll start a charter discussion. If we have time.
B: Okay, so we basically made the change. Instead of saying "if a client does not send a signature_algorithms extension, the server must abort the handshake and send a handshake_failure alert", we changed it to: if a client does not send a signature_algorithms extension, the server must abort the handshake and send a handshake_failure alert, except when digital signatures are not used. And we've included an example, for example when using PSK ciphers. I believe that addresses the concern that was raised during the previous IETF. So.
C: My very next question is, like, who's read... I would like to move this to working group last call, if you haven't noticed. So I want a show of hands of people who have read this draft. I mean, ten. So unless there's any raging objections to what's in the draft now, we would like to proceed with working group last call. All right. So.
E: This is just something added extra for ESNI that came up when we were implementing it and needed to publish keys. So basically I have some Apache and nginx [inaudible], that is, my ESNI-enabled web servers. Keys regularly, need to publish them in the DNS. I don't have [inaudible] DNS, but you have a machine that kind of creates its own files and then has a hidden master and all that kind of stuff. So I need a way to pull the ESNI...
H: You're describing this as something that your DNS authoritative server would check, and I'm wondering whether you've contemplated this being something that the client actually might check as well, as a way of bootstrapping. Yes, ma'am, yeah, I feel like we should. We should acknowledge that that is a likely scenario; not everyone's gonna have SSH access to their DNS server, to be able to run a cron job the way you're talking about. Yeah, I also think this should specify some sort of MIME type.
I: Tommy Pauly, Apple. Yeah, I think this is an interesting thing to do. I think it'd be good to explore whether or not we really need the well-known for it or we can do it another way, so something to look into. So when we're asking the server for the keys for a given name, is there a... how do I know which names I can ask in my... It may be good to at least have some considerations around that, because, you know, potentially if this is something that the server isn't able to give me the keys for, I've now told the server I'm accessing these names. Like, if I have this mismatch and I'm sending this well-known to some random rogue server, not a rogue server, but someone who's not really authoritative for it, I've just sent it a whole bunch of names. Fair point, yeah.
J: David Benjamin, Google Chrome. I think this is interesting. Yeah, let's bring it... I don't know, yeah, here versus HTTP. It's always tricky. I like well-known, because this is a server-wide policy thing, and so preventing, like, if it's a blog, a random page from changing policy is generally a good thing. But that's work. Let's keep this here. I like it.
K: I guess, like, well, just in terms of... we should do perhaps a couple of spins of the crank before we do much of anything. Oh yes, the idea... but I think, like, I like that. Be sure, I guess, as we're discussing later, ESNI has a history of, like, us doing things and discovering they stink, of which I am, I'm a prime offender. But so, so perhaps that's what we should forget here too, yeah.
L: [inaudible], yeah, and kind of, I think that this might turn out to be problematic because at the level that you're doing the ESNI authentication you're talking about, you're really talking about keys that have more to do with the host connection rather than the service, and I think that the conflict between the two might well... yeah, I think it might be problematic. Okay, if there's cases where it's problematic, it could be good to know that. Yeah, Dan.
H: O'Connor, [inaudible] again. I think one of the things that maybe this draft ought to explicitly state is whether this is expected to be an exclusive list or an additive list, that is, yeah. If it doesn't exist, what does it mean that it doesn't exist? If it has one element in it, what does that mean if another element is discovered in some other way? Right? That's, I think, the trickiest part for thinking through what this means, because now there's two different ways to get ESNI keys, and how do you juggle those things?
J: Sorry, this was just a quick, last-minute non-presentation, I guess, no slides. So I'm David Benjamin from Google Chrome. I'm just gonna really quickly talk about the draft, TLS ticket requests. So the 30-second point of the draft is: today the server decides how many tickets it sends to the client. Some clients need less, some clients need more. So this is an absolutely trivial extension where the client says: I want N tickets.

J: We talked about this at previous sessions. It is now in working group last call. We had a good, positive conversation in the last couple of days on that working group last call. I chatted personally with Daniel; are you in the room? I don't see him. With Dan, we go about this, and my... and this is my kind of personal opinion of what we've been seeing: is people like this. There was some support, but there were a few questions and it got a little bit confusing and we tried to clarify that.

J: So it sounds like folks... so the number of tickets you request is not normative, as in it's a SHOULD, like, the server... it doesn't have a MUST. Daniel [inaudible] was interested in having that because he had an IoT use case where, if he says I only want two tickets, if you send him more, it actually uses up his resources and that's kind of bad. But server operators chimed in saying, like, a MUST is a bad idea because that's really hard to implement for a bunch of reasons.

J: So the sense we got is that the folks that participated in this conversation wanted this to be published even with a SHOULD, and they were okay with it. So we're just, I guess, asking: if anyone disagrees with that statement, please come here. Can we have that conversation here? Otherwise, like, chairs, let us know how you're feeling about the working group last call. Is it going, or where do we go from here?
C: So I think, if we... what we've done is we've uncovered there was one issue in this draft, so what we can do is a second working group last call, not just on this particular issue, with the actual text changes, if any, and just knock it out. Does that sound like it's reasonable? Because I'm not seeing anybody run to the microphone to say we think it ought to be a MUST. Or we think, if somebody wants more... if people want to pile on to say it SHOULD, that'd be great for them. It'd be great and helpful too.
I: Tommy Pauly, as co-author there. So, yeah, I want to also emphasize, I think pointing this out and the confusion it generated was very good for the document, and looking over the text that you reworked, and thank you for doing that, I read what I was kind of thinking all along there. So I think it's what was intended to be said. So I think... you didn't send that to the whole list? Yeah, and we had a... we've...
J: ...had a good conversation today, right. To answer your question, this is already the second working group last call with this all.

J: Because Martin Thomson did raise the point at the first one that he supports this, but every time we have... or he will ask, or he'll come up with something else to say. So maybe at some point we need to stop... up to you. But, you know, like, just maybe let it run for another few days to make sure everyone has had the time, because we're all not necessarily checking email today, but maybe not an entire... So.
K: So backstory here is: we keep taking stabs at this but having some problems in terms of getting this security model right. You know, I feel like, you know, we're at the stage where we were with... you know, like, it took a long time to figure out how to, like, get TLS right, and apparently, like, we're trying to do that in a compressed time, and this is actually more complicated.

K: So there's been... so I'm reporting now on, I think, the result of a pile of work by a pile of people, in particular Chris Wood and Karthik Bhargavan, who spent [inaudible] on an analysis of, like, why we didn't have any problems in the past, and then the design team, or I'm not sure we have a design team, but a team of people got together and, like, banged out about 97 different options, and then we tried to figure out what to do. So.

K: There was some talk about, like, actually kind of walking you through the reasoning, and I vetoed that because it turns out, like, we spent about 20 minutes on this this morning and, like, most of that being, like, wait, wait, what are we talking about? So I'm not gonna do that. I'm gonna walk you through what we propose we do as the outcome of those discussions, as opposed to the reasoning for it.

K: We have documentation, as linked here, for, like, the analysis that we did, that kind of walks through the options, and we'll keep that updated. So, like, there'll be some record you can read about why we think it's the right thing, but it's just too hard to track in a meeting like this. Next slide. See, I'm not used to having this. So, yeah.
K: So we did -04, had some problems. I'll walk through a couple of them, but basically there was a number of ways to extract the name of the server you're talking to, which obviously is kind of obviously the point, because we're trying to have that happen. They were all, like, active attacks, some better, some worse. They do not in fact threaten TLS itself, but, like, ESNI's point is to suppress the knowledge of this, and obviously that's not good.

K: Here's the first one, with a nice little MSC diagram. This is basically a ticket oracle. So the idea is that the attacker goes in; the attacker connects to the server that he thinks you might be connecting to and acquires a ticket of his own. So the ticket is bound to, you know, example.com, right, or in this case X. And then what the attacker does is he captures the ClientHello and he slaps on his own PSK, PSK and PSK binder, with the ticket for X, and then he looks at the server response and sees if the server, like, accepts the ticket. And if the server accepts the ticket, then it's probably the right SNI, or doesn't it? Then it's probably wrong. ESNI... it's not, like, perfect, because of multi-CDNs and, like, the tickets have one lifetime, but it's a leak, especially if he's, like... those are really quickly, right. So this is one kind of thing. This is like a reaction attack on the server.
K: So that's not great. The second attack is this HRR attack. So basically the idea is there's nothing connecting, like, CH1 and CH2. So the client sends the first ClientHello and does the ESNI and the [inaudible], and the server responds with [inaudible], like, this client's got the wrong key for some reason. There's no... this is, like, totally... the attacker is not doing anything here.

K: This is just, like, bad luck on the client/server. So the client generates a ClientHello and regenerates the whole thing with a new ESNI block, and the server, like, strips out the ESNI block, and basically because it's not... just everything, right. And so now this is sort of an attack on, like, a kind of [inaudible] server implementation.

K: Oh well, that sucks. No, it's not. So with the innocent one, with the ESNI that corresponds to the key from the initial ClientHello, and this is that, since the g^x came from the attacker, like, he sends this [inaudible] attacker. So how can... [inaudible]. So again, like, we could tell, like, servers: let's do this, but, like, there's some concerns [inaudible] anyway.
K: So it seems like we'd want to have a defense that makes it hard to jump servers. So, like, when you sort of try to... as I mentioned, Chris and Karthik kind of sat down for two days in Paris and, like, worked out, like, an attempt to analyze the source of these problems. It's, like, what are the things we're...

K: What are the principles we are violating that's causing us to have this problem? So the conclusion was basically it's, like, a lack of things being bound together, which is, like, a persistent problem with, like, TLS across the years. So basically the ESNI and the ClientHello contents, because you're only binding the key share; we weren't, like, binding anything else between the ClientHello and... ClientHello 1 and ClientHello 2, and between the ESNI and [inaudible] secret and the handshake secrets itself.

K: So the first thing we want to do is, like, bind the entire ClientHello. And so one thing we could've done is sort of extended, like, the AAD that we're already using to bind the key share, but (a) that's, like, hard to implement, and (b) it's, like, well, that's actually quite inconvenient because that's less good than you'd like, because we'd like it actually, like, to cover as much of the ClientHello as possible, not just [inaudible].
K: So basically the idea here is to tunnel the entire ClientHello inside the encryption, and I'll explain how I did that in a second; second, to tie ClientHello 1 and ClientHello 2 so that, basically, you know that ClientHello 1 and ClientHello 2 are connected; and finally, to make the handshake secrets depend somehow on the ESNI block. And you'll notice, like, these last two, there's a little bit of hand-waving going on, because we're still figuring out exactly how to do them.

K: So here is, like... I've added some disclaimers here, as you can see, I was trying to [inaudible]. So the... basically the idea is that we have a new extension called the client... EncryptedClientHello extension, you're going to love that one, and this looks pretty much like the old ESNI extension. It's got a cipher suite that tells you, like, what you're using to encrypt under; it's got the Diffie-Hellman key share.

K: That's, like, your half of the HPKE system. It's, like, telling the server how to derive the key. It's got the record digest, which tells you what ESNI record you're using, and this is all old. Then there's this new thing called a CH1 binder; you notice it's TBD, I was hand-waving a bit, but basically what it is, it's what connects CH1 to CH2. So in the case of CH1 that's probably empty, and in the case of CH2 it's got something that's derived from CH1. I was saying hash;
K: Karthik had some worries about that, so maybe it's, like, a derived hash, but something. And then finally there's what used to be called, like, ESNI, and now it's called EncryptedClientHello, which is, like, an entire client... which is the entire ClientHello that you started with. So the idiom here is a client generates, like, a ClientHello, like, encrypts the entire thing, makes a new ClientHello, and stuffs the EncryptedClientHello in there, in the original ClientHello. So now the relationship between these is a little fuzzy.

K: I think it might... my intention was to generate them, like, entirely independently, essentially, but one particular opportunity you have would be to have the exterior ClientHello be more or less identical to the interior ClientHello. There's some tension here, because on the one hand that makes it easier... it makes it harder to grease the existence of ESNI, but on the other hand it makes it... makes it harder to fingerprint your ClientHellos. So some tension between those two.
K: We had the, like, thing with EncryptedSNI in it, and now you have... you have, if the ESNI is accepted, meaning if you know the ESNI key, then it's the ClientHello inner. If you are in fallback mode, which is to say you've forgotten the ESNI key and you're gonna basically complete the handshake with the public name and then deliver, like, a new ESNIKeys record, I don't care what section it is, but Adam Langley's fallback hack, then it's ClientHello outer, which, by the way, includes EncryptedClientHello inner. So.

K: How does the client know what happened? We went back and forth on this. One thing you could do is you can actually have, like, an extension in the ServerHello, but we concluded trial decryption was fine and would, like, be, like... make it harder for the attacker to tell where I was going. That may be something we imagine reversing later. So, like, why does this work?
K: So obviously the entire ClientHello is protected, so that prevents you from changing any piece. So you can't, like, replace g^x for your own g^x; you can't, like, add a PSK binder, which was part of the session ticket attack. ClientHello 2 contains a hash of ClientHello 1, so that prevents mix-and-match attacks between them. So on. There was several attacks here, one by Nick [inaudible], which I didn't show.

K: And finally, the handshake secrets depend on the ESNI block. Actually, two ways to think about how to have this happen. One is that we have the ESNI nonce that we already had, or, alternately, as David Benjamin suggests, you have the ClientHello random be different between external and internal, and so, since that affects the handshake keys, that means that anyone who doesn't see the ESNI block, the ClientHello inner,

K: therefore can't derive the key material. The second option, which is to explicitly take some value off the ESNI keys block and shove it into the key schedule explicitly, rather than simply via the transcript. So one option is basically... so right now we're not using HPKE, so you have, like, a Z from, like, the Diffie-Hellman exchange around ESNI, and you could just HKDF some other thing off it and shove it in the key schedule, like, at the zero, or with the extended key schedule
K: stuff Jonathan was talking about. So these are two options. We haven't quite decided between them. I'll talk for a few minutes later about why you might want one or the other. So, like, objection, like, one is, like: wait, wait, wait, wait! This is, like, really big, because, like, you have, like, ClientHello inner and you have ClientHello outer in the same...

K: It's, like, now it's, like, twice the size, like. So this is not, like, a crisis, like, most of the time, right now, because these schemes will be pretty small, and, like, in QUIC in fact you've got to, like, basically pad the whole thing out to 1200 anyway, which is, like, the thing, it's [inaudible] padding. But if we're gonna do post-quantum key exchange, we're gonna be kind of, like, sad people, because, like, these things are really big, and now, like, having it be twice as big as that.
K: So we came up with this hack, which is basically that you hoist the extensions, like, out of inner and outer, or out of outer and inner, however you want to think about it. The bottom line is the extension, like, when the client generates ClientHello inner, anything he's duplicating, which would probably be key share in this case, he basically takes... he basically generates the whole ClientHello inner, including the PSK binders,

K: if there are any, and then as part of the process of encrypting, right before encrypting, he, like, hoists them out and replaces them with, like, a... a stand-in that basically says: go look at the outer for this thing. And then the client... so then the client-facing server, after decrypting the ESNI block, restores them, so you have a complete ClientHello,

K: as it's supposed to be. And obviously they have to be authenticated, because otherwise you have the problem of, like, mix-and-match attacks again. So there's something that authenticates them. In the PR that I have, basically I had just, like, some extension that says, like, this extension came from the outside and here's the hash. David Benjamin points out that that means that, like, you can only use this trick for, like, things which are inherently super large, as opposed to things which are small. There's some tension about how much we want to encourage people to do this.
K: So there's some suggestions out about how to spell this, but the bottom line is it's got to be, like... you've got to be able to pull it back out and back in again; it has to be authenticated. But the bottom line is, at the end of this process, you end up with, like, an ordinary, valid ClientHello, including, if there was a PSK binder, that PSK binder is valid, because you put, like, whatever he took out back in again.

K: So whoever told you you couldn't compress encrypted stuff, I guess there were other ways around. Okay, so one of the big open issues here is this handshake keys thing. As I said, the handshake keys must depend on the ESNI block, otherwise you've got an oracle problem. So on.

K: It's clearly a case of something, like, trivial-level, that if we have, like, the nonce, or we require a different client random, then it's part of the transcript, and that [inaudible] part of the handshake keys. So this seems to have the nice property that maybe it allows an unmodified back-end server. There's the big [inaudible] there.
K: So there's, like, a number of reasons why you might think an unmodified back-end server might not work. As one example, as Nick Sullivan pointed out to me lately, it may not be padding, like, the cert, the certificate, in which case, like, you might be kind of sad. So we have to decide how much you value that. The sort of annoying part about this is it requires some more assumptions about the transcript secrecy and the nature of each KDF.

K: So we don't ordinarily assume that the ClientHello is secret at all, and so, if you had some problem where, like, TLS leaked the ClientHello in some way, then this whole thing falls apart. And so, like, as an example, as an example that [inaudible] pointed out:

K: Imagine that you built your stateless HRR mechanism by, like, taking the entire ClientHello and, like, stuffing it in, like, an unencrypted but, like, authenticated block in the cookie. Right now, you'd, like, obviously have that kind of a problem. So, like, that may seem, like, far-fetched, but there you go. So option two is to throw away the nonce, so you don't need the nonce anymore.
K: At this point, I don't think... and then take, somehow take the ESNI shared key and generate a new key off it and shove it in the key schedule explicitly. This obviously requires modifying the back-end server, and it requires not only modifying the back-end server but having a way for the front-end server, if they're split, to tell the back-end server what the key was, so we can shove it in the key schedule. So that's, like, sort of annoying [inaudible] and coordination.

K: On the other hand, it seems to rely on [inaudible] assumptions, because if you don't worry about the... you know, if you don't worry about the transcript secrecy. One thing you might worry about, however, is what happens if the back-end server and... server lies about what goes into the key schedule. I don't think that's a problem with this, but Jonathan's talk earlier this morning made me worry about that a little bit. So, so, something we have to think about.
K: So the proposed resolution here is to start by publishing -06 [inaudible], just to get, like, most of the underbrush out of the way; use option one, because it's, like, straightforward to reason about; and then do modeling on both, involving the list. I think, from the perspective of the people... my perspective, and I think other people looking to deploy this quickly,

K: a lot of the uncertainty here is about, like, getting the DNS pieces working and getting some experience with anything working at all. And if it turns out that we're, like, rolling it out and, like, there's something subtle in all this that creates, like... creates, like, a... wait, a reaction attack, so, like, extract the SNI, like, that's obviously not good, but if all we're doing really is trying to get some deployment experience, then it wouldn't be a disaster, as long as it's [inaudible] TLS.

K: Otherwise, if someone else thinks the analysis is wrong, I'm certainly inclined to hear it, but I think that, like, allows us to make some progress, and we expect it to be the same software in either case, really very similar software in either case. So again, like I said, we're trying to get the deployment experience in terms of, in terms of getting ESNI fielded, because right now the SNI is leaking all the time, like, this didn't...
K: If it turns out that, like, ESNI does not in fact... but if it has neither... we're hoping, like, it shouldn't make the situation worse, one hopes. I'm gonna come to regret saying that, I'm sure. We, I mean, we certainly don't want to deploy anything we're not confident doesn't make the situation worse, which is one reason to stick with option one, where we're, like, I think we can get out to be confident it does not make the TLS stack, TLS 1.3, weaker or otherwise. Again, one hopes. That's what Nightly is for.

K: This is about how the DNS is deployed... they said, how it is deployed in DNS. So David Benjamin pointed out that right now, in HTTPSSVC, we allow one ESNIConfig per HTTPSSVC record, which obviously means, like, that whatever logic we have on, thinking, like, the IP address and the ESNI config is, like, totally confusing. And if you, like, pick the IP address and then you're, like, oh wait, I don't speak this ESNIConfig version, maybe have to fall back.

K: So it's, like, really goofy. His solution, which I agree with, is to bundle all the ESNIConfig options into ESNIConfigs and put that in HTTPSSVC. This, like, seems totally sensible and, like, you know, I think we should do it. If anybody objects, like, speak now. This is PR 200. Okay, PR 201. Oh.
K: It's, like, reflex. Okay, so the second thing David Benjamin suggested was to flatten the ESNIConfig itself. So right now ESNIConfig contains, like, a master list of parameters, like the cipher suites, and then multiple key shares. David suggested that we flatten this, so you have, like, one key share per config, and if you want more than one key, then you have more than one config. That's unfortunate. That said, some unfortunate typesetting there, because you have, you know, multiple ESNIConfig... oh, I see where I'm going with this.

K: So on that last... on that last line, it should not be set in whatever font it is; it should be set in, like, the... in, like, the main font. It's okay. That was here, wasn't it? So the upside of this, obviously, is nominally implementation simplicity. I'm actually [inaudible] that's the case, but David seemed to think it was. Yeah, I know, I have the same thing. On the downside, obviously, is duplication, which is that, like, you know, if you have, like... if you... if you have four keys, then you end up with four copies of the parameters across.
D: Alessandro Ghedini, Cloudflare. This is how we implemented ESNI already anyway, but, like, from our perspective, it wouldn't change anything. But I also don't really care about... I don't see the simplification in the implementation that much, to be honest. I mean, even if we add, like, multiple keys, so, because, like, if you have multiple keys, you would have the same...
K: That... I think the point is that the client does the client negotiation of [inaudible] by iterating over the key shares. So I think, I think the issue is, right, as I understand it, is that, I guess, David, I guess I'm not sure what your implementation... you have in mind. Like, the one I expected, I mean, your implementation is you're gonna parse all these and then pick out the one with the key share you want. So.
N: That was basically looking at Stephen Farrell's draft; the representation for the server configuration is a list of tuples of ESNIConfig, the public part, and then a list of keys. And so you've got this, like, double-list structure, and so when we were trying to add an API for it, we were, like, okay, well, we need to have, like, add keys, and here's the public thing, and we need a list of keys over there, and then you call it multiple times, and it just got a little...
K: I mean, so again, I don't care either. I would [inaudible] for our case, but, like, the way our implementation works is we deserialize the structure and then we negotiate things in sequence, right. And so now what we have to do is, like, deserialize all of... you know, deserialize... to start, either deserialize all structures and stuff them in a list, or deserialize a structure, let's find the key share, then look at what you're saying, and pass it, like, stuff, like, store all the other stuff, and then come back. Maybe if we put the key share first that problem goes away.
G: Ben Schwartz. So since it's not explicit here, I want to point out that I think the only significant thing that we're talking about duplicating is the fallback name. The only other thing that I think we duplicate here is the cipher suite identity, which is minimal. Yeah.

G: It's the... it's duplicating the fallback name that's of concern here. And the other thing I want to point out is that the ESNIConfig bundle, the ESNI bundle name, is still only scoped to a single IP pool, essentially. So if you are in a multi-CDN case, you will still have multiple RRs and it'll be divided, so that may mean that, essentially, ESNI bundles are not going to be very large; that is, their scope is still limited.
K: So next steps: I think we're gonna publish -06. I think we're gonna want to spend some time doing some modeling. Unless somebody disagrees, republish -06 with, like, variant one, with the nonce. I think the next... I want to persuade ourselves that, like, actually this is, like, safe, at least as far as, like, not affecting 1.3, before you ship anything like that. I'm gonna be, as I was saying earlier, I'm gonna be pretty blocked on, like, shipping

K: this in, like, the product until I have, like, some sense, some analysis, that shows it doesn't make 1.3 worse. That would be scary. And then, simultaneously, do modeling on the other options and see which one we think works, and see, like, (a) is it possible to avoid modifying the server at all, and (b) is transcript secrecy ever a property we don't need, and the circumstances... And it sounds like we have a resolution for 200; we'll discuss 201 on the list. And then I think we need to decide on...

K: Maybe this... that document renamed, because it's not ESNI anymore. That's...
C: I guess, on to... oh, on the point for the working group is that I still think we should be shooting for starting the working group last call in early 2020, so that to me means, like, end of January, because it's holidays and who knows what. But it would be nice if people could get their eyes on 201 to see if we can... you.
K: Sorry, thank you, I missed that. So right now we're using this sort of bespoke quasi-HPKE thing where we generally, like, we publish a Diffie-Hellman key and then we derive a new fresh [inaudible] one key, and, like, essentially it's HPKE but it's not HPKE. So I think I'd suggested... several suggested, like, just using HPKE. I can't really think... I want to share... the last time I came around, it was, was it Martin? But [inaudible]. I think I should do that, but I'm also willing to listen to somebody say you shouldn't. So.
I
Tommy Pauly, Apple. So yeah, thank you for all of this work, and I think the plan sounds good, and all of these options are good things to dig into. Hopefully we can get this done in that timeframe. As a clarification, or also, like, a bikeshed type thing: when we talk about the encrypted client hello, do all of the options require essentially having, like, the full client hello in there, or is it really just, like, an encrypted set of extensions rather than a client hello? Yeah.
K
Good question. I guess my instinct is to... I guess this is a matter of, sort of, like, so we say intuition, right? Like, my intuition is: get it all in there. Like, every time we tried to, like, sneak it out with less, we've been sorry. So my intuition is: get it all in there, I guess. From your perspective, people have different intuitions. I guess my intuition is to make them, as I mean, as I said earlier, my intuition is to generate, like, a completely fresh client hello, essentially, and have them be different, because I'd say that the actual, like, the actual space overhead is remarkably low when you separate the key shares themselves. And so that's, like, where I am, but, like, I think other people may be here, it may be different. I think Richard's, like, nodding "I told you so", since he, like, was the person who originally suggested, like, encrypting basically everything.
K
Of the other... yeah, okay, modulo this goofy decompression procedure, yes. So, like, that we'll definitely make clear in the specification, and so, like, in particular, like, you know, like, the randoms may be different. So, they say, this is also a source of tension between greasing and fingerprint avoidance, because for fingerprint avoidance it is actually very attractive to have a more or less standardized external client hello. The only purpose of the external client hello is to allow the server to respond with the fallback keys, and so, like, you don't need, like, first, this post quantum...
I
Just one last point. I think part of the reason probably my intuition is the other way is I come from more, like, doing IKE, and, like, there's a lot of precedent there for having, you know, your main protocol header, your essentially extensions, and then a block of encrypted extensions. And so there is a fair amount of precedent for the church in these types of handshakes, I...
O
If we do key injection, it becomes much easier to reason about whether you can just do encryption; then it could be encrypted extensions rather than encrypting a whole client hello. Why is that? Because you know exactly what is bound where, whereas this, we're just using TLS as a transport layer, and so much go, decompression, I read.
O
If you have, if you want to do an encrypted client hello and you know exactly the... and you've bound it to... If you step back and say we have no inner client hello, and you then just have a key that is used to just encrypt the extensions, it's easy to reason about who has that key at what point, or whatever, and you can just... Oh, if you know, if you don't want to work through the...
P
The TLS protocol in general, and all protocols in the IETF, have had a horrible time when complexity arises, in that, you know, implementations get stuff wrong. So honestly, as to which I would do, I'd be very tempted to implement both and figure out which one got me more code reuse and was less prone to error, because that's a very impressive hack, and I can't believe I followed the whole discussion, to be honest, sir.
K
Yeah, interesting, interesting, interesting suggestion. It has the benefit that actually you can distinguish that then, you know, rather than through trial decryption, because you can look at the first byte, the record type, which will be application data as opposed to handshake.
Q
So, Deb Cooley, NSA. Can I get you to walk through something a little bit? So, client hello inner and outer: you've got the inner one, which you had originally; you're encrypting it and recreating an outer one. Are you gonna force a validation between the inner values and the outer values that are the same?
K
Like, yeah, essentially, unless... like, imagine you're not doing this compression trick; they could be totally independent. The compression trick is, you know, they're... obviously, the ones that are duplicated, like, can't be different, but the ones that are not, the ones that are not deduplicated, yeah, they're, like, totally independent.
Q
Kept slate, you had an inner header and an outer header, basically, and you had to be careful that, too, like, you passed it, or you translated it, or... You had to be careful about how you did it, because you had things in both places. And you talked about, like, IPsec; it's sort of the same idea there, too. If you had values in both places, you need to make sure that this one's the same as that one. Yeah.
H
Daniel Kahn Gillmor. So one thought in response to Richard Barnes' suggestion of just having encrypted server hellos in response, once things are encrypted, is that it gives a signal to the observer on the outside whether or not the hello was accepted. I'm not sure that we want that signal to be visible. Yeah.
K
We want... there's a comment in the PR, but that I think, because I was going back for the same reason, the... so, like, that doesn't... like, an obvious drawback. I think that... I think that maybe that's right, other drawback than otherwise was.
I
Apple. Just to the point of, if we have such a duplicate and checking: I'm concerned that if we say, oh, we're gonna ignore them, but they're probably gonna be the same, that's not gonna be the case. Like, at some point, what everyone's doing with ESNI, people will use the fact that there are different values to give different signaling. And so I think if we have duplicate values, some outside and some inside, people will start using that joint for things, and we need to think about the consequences of that. Yeah.
G
True, you can get it. You can get a PKI certificate with an IP in it. We have one for 1.1.1.1. So, Nick Sullivan, Cloudflare. I'd like to point... so if we go back to the two options, I'd like to point out that these are not necessarily different. I think option two can be complementary to option one, and I recommend that we go forward with option one and, and spin a draft, as he said, do the analysis, and this will protect against passive observation, right? And option two is something that can be implemented as a separate extension inside the encrypted client hello. And I think these are both complementary, and doing option one without option two gets you some of the way, and the two together gets you, I think, all the way. So I'm thinking...
C
So the one thing we didn't get to is the charter discussion. Thank you. Thank you for this lively discussion; it was good. We bumped the charter discussion because this is way more important. We're basically gonna take the charter discussion to the list. If we start adopting all the drafts that we sent out working group adoption calls for today, we have to recharter.
C
Job guys, don't forget your plugs, you know. Yes, I'll send you a trap stuff, because I just wanna, like...