Internet Engineering Task Force 106, 21 Nov 2019

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF106-TLS-20191121-1000

Description

TLS meeting session at IETF106
2019/11/21 1000

https://datatracker.ietf.org/meeting/106/proceedings/

A

B

All right, we have a note-taker.

B

All right, it's time to get started, welcome to TLS at IETF 106 in Singapore.

B

I'm sure you're all familiar by now with the note. Well, if you're, not please familiarize yourself with it.

B

The blue sheets are now going around, we have a jabber scribe and we have a note-taker all right. So should we just get started with yeah? Okay. Does anybody here's the agenda for today any additions and modifications.

B

Any additions or modifications to the agenda.

B

C

With no hat on so he said it goes nicely alongside come back to us. I would prefer to not do that. We can move before batch signing. If that works, I mean we could move it before. Compact.

D

Crs you ready one.

C

Sure yeah can you if you could stick to 15 minutes, that's fine. I can.

D

Do it in 12, perfect.

B

Any other requests all right on to external PSK.

C

All right, so this we have like 15 minutes for this, but it shouldn't take that long. We've been talking about this for a while importing the external piece case for TLS. There have been a number of updates since the last draft. In particular, we used to have this weird way to express what was the protocol for which we were importing a PSK, and what was the specific hash algorithm that you wanted to use to import that PSK? We sort of simplified things and now the way you import and target particular protocols.

C

By saying this is specifically the protocol I want to use the you know, the two byte code point value, and then here is the specific KBS for which I want to import this PSK. There was a new registry defined in the document for identifying these KDF. Currently, it's just the TLS 1.3 kts, and if we have more in the future for TLS, 1.12 or whatever, we can add them as needed.

C

We also added a new slot to the imported identity struct, which is this opaque contacts field, primarily to help mitigate and deal with the selfie attack. So the idea is that, if you or have a deployment in which selfie is relevant, fill out the contents of this context field accordingly and there's guidance and how to do that in an appendix, and we also added some security considerations to document where, as previously, they were just sort of TBD and still there's kind of all still TBD.

C

Although we have started the analysis to sort of give us confidence that it, the imported BS case do have the desired properties that we want, and ideally we complete this before publication of the document.

C

There are two outstanding PRS right now, the first of which is a clarification on the selfie attack. It rewrites the appendix in a way, to help provide more crisp guidance, in my opinion, I think that a lot of it can be simplified by just stating that role should be unique. However, the author of the PR is here to make the case. Oh boy,.

E

Yeah, you can leave me for sending this pool request and it may seem overly complicated, but one challenge I faced when I posted the paper on the mailing list is somehow people thought that this is a Mis configuration issue and not not really not really a problem with the TLS external PSK. So maybe was my poor explanation, but I'll use another example and cheers. Please please let me have my minute of Fame.

E

So if Joe and Joe and I are chairing another working group- and we want to have secret chat or communication, we I call up Joe. We exchange a PS k and a PS K identity, and now he can open a connection to me and send a message and I can open a connection to him and send a encrypted or protected message, and this is vulnerable to selfie attack and attacker doesn't need to know the PS K. So, depending on how you look at it, some people say this is not group communication.

E

This is client and server. Some people might say this is a group of two or group of four, because both of us can be client and server. So I think there is many variations. It's not just that oh you're, using PS k in a group and someone with the PS K and the group misbehaves can cause selfie attack.

E

There is also your shin, so selfie attack where it's possible to do this without knowing the PS K, and this is the reason I had added that text- that if the PS K is shared between two parties, you only need to make sure that that the identities are or the identity of the the part is not the same as yours. And if you share the PSK across a whole group, then you definitely need some. Some better information about the identity. I also go to comment from Martin Thomson that this requires some kind of signalling.

E

I actually disagree, because you can't open a TCP connection without knowing like the MAC, address or IP address of the other party. So you don't necessarily need need the signaling to do that. I'm happy to make changes to the pull request, but my question to the working group is soon: this be a rata on it for 4:6 and like shouldn't, we fix it once and for all in this draft burn. Do you want to comment on that wrong?.

F

You know Martin Thompson's really hard to do this without the text in front of me in the comments that I made I forget what the signalling comment was specifically, but I wanted to sort of go to the core question here.

F

Yeah the I said that then I think there may be a comment on the text, not the design as much and I. Think there's a point in here. That's really important, which is that understanding? What role you you're expected to play in here is is critical. One. The text in the appendix preceding this poor request was I think adequate to that task.

F

Probably my biggest objection to the text here was: it was starting to create new privacy implications that I think would regress the properties that we've already agreed existing in TLS. The signaling aspects of this thing, I, don't think, are as as critical to that.

E

So sure Mohit, so even the previous text was saying that you can use identities such as an MAC address. I, just elaborated the text saying that if, if it's only between two parties, you only make need to make sure that the MAC address or the other part is not the same as yours.

E

But if it's shared by the group, you need some some more protections so kind of clarifying both the cases, maybe TLS as a working group, decides that PSK should never be shared between more than two parties, which is fine, but I'm sure people will still still do something else, but you know that's that's a decision for you guys to make yeah.

C

I'm sort of viewing the PRS and it like I, say an attempted clarification of the existing text, so I don't have a strong opposition to it. Personally. I just want to make sure that you know to Martin's point we're not like regressing other properties in introducing and trying to. You know flush out more details about the mitigation.

C

If that makes sense, go ahead. John John.

D

Of northern CloudFlare I think the only thing we just need to make sure doesn't happen, and this is what I feel is the underlying cause of selfie is that people assume that role and identity are in some way tied, and so you know, if I had a few people suggest that Oh, instead of just putting whatever instead of putting you know whatever your name is they'll, say: oh just put client and server and of course that doesn't fix anything at all, because either party can be either client or server.

D

So it's just about making sure that they have always different, which is not the same as always unique identities. I.

G

Mean so the I means I as I understand the current text or the design idiom here is to start with one PSK and create N squared PS case, um um which basically correspond to the mesh of possible possible talk, each other correct, yes um and then in some unspecified way, um its I'm not specified way figure out which PS Katie's for any connection right, namely like I'm aware of I'm, aware the identities and nexon, and that the system has some set of rules for like how I construct for like I, name people and how and how ice and and how I turn my show.

G

Then these these context rings right. Yes,.

H

G

So, like that seems like a reasonable line, not the only one, every single design um and I don't quite understand, like I, guess: I'm, not understanding what they said towards the text. The prayer is different, it seems to be, it seems. It seems to be somewhat confusing and worse, like I, don't understand what is recommending each 10 points less one globe. You identify images in all. Psk handshakes means um like we're aware that, if how is that enough are used, I mean I mean the the text here is like.

G

The text here is like I have some unspecified mechanism for getting the keys. So so one thing is not um so anyway, um yeah the.

C

Current textures choice yet to punt that sort of to the application, because that's a strictly and deployment sort of problem. So that's the goal of the current text and whether or not we need to be more specific in this particular document is the question: I, guess and I. My opinion is no, so bang hey Doc, it seems to me like when we were doing a four four six. We were thinking a lot about the resumption tsks and we sort of left external, pious k's off to the side, and we didn't think about them too much.

C

We didn't give them a full analysis for all the cases that might be applicable, so I think my suggestion would be to have a standalone document that sort of fills in those missing pieces and gives us like these are the considerations for using external PS case with TLS 1.3, and it can go into the analysis about how the identities come into play and what you need to do to avoid the selfie attack and other attacks and the privacy considerations of those identifiers x', maybe even come up with ways.

C

Do you, like rotating identities, that you have less of a privacy issue, I think this could evolve into a larger scope thing and so I'm not sure we need to stuff it into the the current document per se. That seems reasonable as well. Well, he well.

E

Hit a quick tool, quick clarifying question: should we remove selfie from this document, then and and solve it in another document? Sure date for force have an errata and bowie as a working group warned to allow use cases where the PSK is shared between more than two parties, I.

C

So I don't think we should remove any mention of selfie because, like we specifically added that spot to deal with to like, but let this other draft that Ben just mentioned possibly exist in. You know the details about how it's used to go there I, don't think we need an errata on a four for six to deal with this and I'm. Not sure we can say much about like PSK is not being sure I mean applications will do crazy things and deployments with you crazy things. So.

F

Yeah yeah Martin mom times when I was gonna, get up. I got up specifically to say what Ben said. The a lot of this is uh I think going on a little bit further down the path of doing a design, then we're comfortable with in this document and to do that design. Justice.

F

We need another document, because an appendix is definitely not the place to start embarking on something as complicated and as nuanced as this and and that's I think where my objection was coming from, and so, if we can do this in and in another document and keep this high-level advice, that would be. That would be fine.

F

Recognizing the existence of the problem is kind of kind of important because of this assumption, Jonathan talked about, but yeah all the stuff, with how we agree on what the identifier czar and how you construct those identifiers and how they might be might be exchanged and and built into PSK, IDs or not, is is kind of complex and I'd, rather not do that yet. Yeah.

I

So so what I'm hoping to do? What I'm kind of hearing is that, like we know, we have this problem and we need to identify and write it somewhere. So we need to mention selfie here, so we have text already. So what I'm hearing is this PR gets rejected? We start another draft, possibly led by a design team to delve more into this, but that basically means when you reject this. We push this draft forward like immediately. No does that. Does that basically sound like a plan?

I

Is there anybody who's interested in joining a design team to look at these these different issue, all right, so I see Hannes yeah, ed, Martin, Jonathan, hecarim,.

J

I

Plenty, so does that sound like a way forward? Does that.

G

I

I think I guess I think I'm.

G

Gonna get this for a little bit now and I think it's probably for tonight in between several things, which I think are not well just not having been that well fleshed out this discussion. So first of all, on Sophie is an active network attack bicep idol. If your attacker doesn't none of the endpoints right and so on, and so it has two modes.

G

One mode is confusion between like you're, acting as a client server for the same connection, um and um and that and that's that's, that's all the number of ways, including basically comparing the key shares as John Nelson suggested. um um It's also possible by basically splitting us.

G

You have a client server that you, you only use one Kishore as a client one case, your server, the one client server role on the as a separate class of attacks, which are about rerouting between rerouting between multiple clients of server pairs and yet a sort of and and then um and the typical way to solve this problem. This is the Canada have identifiers in the protocol, as opposed to as opposed to diversify, key the key material and um and now so finally, to get to the point of the text here.

G

Right is there's a separate class of problems, which is that if you have a group, if you have a group that all show the same key, then one member the group could appreciate another member of the group and that bob has to solve by giving them individual keys.

G

It can't be solved by expanding the keys this one squared this way, because they still could all generate any any any group, because at all, so um so without, like an extremely would wind up, um I actually think the power you remove all this material, um because the key diversification is because the the proper the proper solution these problems is identified is role, identification, the handshake, it's not key to versification and because which Alan was alluding to earlier, and so there's one way to do roles.

G

In fact, the trivial role of agent and shake as I say is. This, like you know, um is, is for the two party cases, just it's just like that. Reflection comparison and the end party case actually is like put something if I was mistaken, handshake and don't treat the PS Cayden if I were to humor than if I as.

I

An option we're.

G

Getting a bit into the actual, but.

I

Yes, I think we definitely just.

G

This PR, but III, think we actually sure taking altimeter lab rights.

I

Like we're gonna I think we've come did a conclusion right. Basically, unless somebody's going to get up and radically screen is that we are gonna, reject this PR, then I'll kick out the processing River before it will form a design team to get some. You know some additional information up about self. You know how to deal with it that well.

E

I won't lose sleep over rejecting this PR. That's fine if there seems to be consensus for that, maybe my only quibble was if we are going to add identities to they say into to importing external peers case. At least the text could still give some guidelines on how to mitigate cell C. So the previous text, in my opinion, was not saying that the other identity, the identity or the other party should be different from any of your own and and perhaps at least it could do that.

D

It just boils down to a question of do you trust everyone who has your key and if you don't then like, why are we here? No.

E

It doesn't I said in the first comment that selfie attack can be caused by someone who doesn't have your PS k.

C

C

So there's actually one other outstanding pull requests and Jonathan. You might not want to sit down because it's just your poll request. So basically the idea is in addition to or the proposal is in addition to you importing an external PC and doing the key deprivation based on the protocol and the KDF.

C

You also change the label you use in the binder computation and then he is that in some pathological case, where the identity, some other application constructs, happens to match an imported PSK identity and the PS K is the same that both parties potentially aren't in agreement as to whether or not a key was actually imported.

C

Whether or not that's an issue in practice is less clear, so I think this is potentially something that like helps formal analysis. It you know it gives us good. It keeps things separate, so maybe that's better I'm, not sure it's needed, though. So do you want to comment yeah.

D

So I I think it's needed, is it I think it need? Is a general thing, I'm, not sure it should happen here. My presentation later also has this change and I I. Think if it's better in the other document than here so so we should still use when the labels, but where those binder labels are defined, I think should move.

K

G

Let's sort that problem that separately, that's document engineering, not protocol engineering, so I mean well now we have a video document. Yes it they have to be here right. um So I read oblique included that we have to do this. It makes me sad, a sad panda, but, um like we just like had too many problems with people with complicated attacks where people would you know, we would take a take the drive key and then stuff it in in some separate slot.

G

Separate, like I mean the way they this like, like we've introduced another rung in the ladder right, we're you know, here's where the keys went in and now we're have a thing, and we put them in here and I. Don't want somebody going in here, which is what this prevents so we're, Greta, bleah I think we've made this change great.

G

C

Opposed to inject are changing the label.

K

I'm not opposed those. Please state your name at the mic. Yes,.

L

C

You great so we work with Jonathan to tweak this PR and land it. We will reject the other PR and then hopefully move forward. So there are other outstanding issues for the document. Honest.

K

um Dishonest I always feel a little uncomfortable if we make some of those changes just based on a gut feeling where we think there could be a problem. But then we don't really know because it always makes heavy everything sort of implementation wise, more complicated.

C

True, it does change the implementation. Introduce additional complexity, however, like there is a case where this is potentially a problem, the one that I outlined earlier sort of described on the slide so I mean that seems sufficient to me.

D

So we do know of an attack, it's just. We can't think of an implementation stupid enough to make themselves honorable to it. That doesn't mean people won't be stupid.

K

Did you is that that described in a document.

C

In your PR, it is not described in the poll requests it that Polaris just sort of describes. What are the effective properties of the change not so much what the motivation of the changes it.

K

Would be, it would be good to document the motivation as well yeah.

C

Absolutely in the security considerations, perhaps rather than we can add some text, there actually think we're sort of out of time but Martin. If you can have if it's.

F

Quick yeah I, you were just summarizing. I realized in this discussion that I wasn't sure about something in the document. I just went back and checked. You say in here that you there are no changes on the wire in the protocol, except for expanding the set of identifies that appear on the wire yeah and that's.

M

A very important.

F

It's a very important statement to make, but I also realize that you don't really capitalize on you, don't really expand on what it means to expand the set of identifies and I'm wondering whether or not there's a formal structure of those identifiers employed by the document or whether there's an expectation that people work out what those identifiers are, because it's not very explicit in here so I just like to raise one more issue and on the structure of the imported identifies. Yes, that I'm, not here, say identified that you use one on the wire I.

F

Think the intent is to use the structure that you're having here right. Exactly yes, you need to say that clearly, yes, we can add a sense. Can you.

I

F

For that, I will follow an issue. Thank.

I

You excellent I think that's it.

C

Oh yeah status, we're working on implementations and hopefully, when we're done, we can move the document forward. Well,.

I

Nick Sullivan you're up for the next two.

A

A

N

Cut-And-Paste I'll fix that so we're on the back nine for TLS expert, Authenticator sis, but we're gonna have a bug on both, so this has gone through last call and it's gone through reviews, and essentially there is one last point that needs to be addressed. This is right raised by your own Scheffer and it comes down to the specific line right here. As a reminder, TLS exported authenticators is a way to export a a piece of data that corresponds to essentially a certificate request and then a certificate.

N

It's useful for higher-level protocols like HTTP that need to have the security of a is essentially the proof of ownership of a certificate, but without having to implement the crypto at a higher layer. It relies on TLS to do so.

N

One of the use cases here for export authenticators is for client initiated server authentication. So this is a use case. That's not present in TLS, so it's you can think of it as the server has already. If you've already made a connection, the server's already authenticated for one certificate and you wanted to authenticate for a second certificate, and so the mechanism for doing that exported authenticators is to create an Authenticator request on the client and then a which mirrors what would be in the certificate request in in TLS.

N

And then the server responds with an export Authenticator, which contains the certificate certificate, verify and finish message, because in TLS this is something that's almost all with that is always initiated by the server. The set of extensions that fit into the certificate request is determined by the list in Ayana, so.

N

Mcclee, something like SNI is only a client extension where it's not it's not a server extension, and so this use case implies that you have an extension in certificate request. That's not allowed according to TLS 1.3, so the suggestions were to change the document to update RFC 84 46, which seems like a pretty heavyweight change for this document that actually does not update this RFC significantly.

N

The other suggestion is to kind of spin out a new extension point for s and I. Well, that is basically an extension point that says this is an S ni, but it's in a certificate request, not an S ni that sits in the client, hello that that seems like it also might be a bit of an anti-pattern there you might have to if there's any other extension, that's going to fit into this, and you have to spin out a duplicate mean, meaning folks, extension sni is exists in client, hello.

N

So it's it's not finding certificate request in TLS, but this this is.

N

This is a certificate request, looking structure and then there's the third third question and the third option here is my preference and I put up a pull request for this, but essentially the certificate requests like structure and the client generated export authenticated request treated looking like a client hello when generated by the client with respect to which extensions you can add, so allow client hello, valid extensions when this is allowed and if it's coming from the server allowed certificate request extensions, and these are the three proposals to help solve this.

I

F

I

The line after Jonathan.

F

Right, good I think this is the right approach. One of the things we did in tail s13 was start to pull apart the various extensions and the and there, but we never really did that for client, hello, and there are multiple different types of extensions that that exist in client helotes. We have the ones that change the shape of the protocol. We have the ones that are the govern key exchange. We have the ones that are used in selecting certificates and some of them are overlapping and they fill multiple roles.

F

I think this is the simplest way to manage this by simply saying that yeah. This is the client asking for a certificate. That's exactly what it does with a lot of the extensions in the client below there are some in here that won't make any sense key share, for instance, but you just ignore them as once. It's fine.

O

Kinda crits I'm not sure if this is exactly what you're saying by Z, but what it makes sense to essentially treat. This is a different message, like client certificate request. If we're going to have these like weird mismatch of requirements anyway,.

N

If so, I don't think it makes sense to request a new column in Ayana for this, but I think just one line of text here should be enough.

H

Then Schwartz with option like option C that my one concern is, if you think of your safe, you put yourself in the shoes of a bad server, implementer I, wonder what kind of mischief could be created if, for example, you just said Oh, this contains client, hello, extensions, I'll, just process, whatever client hello, type extensions show up in this field.

N

Yeah, it might make sense to just have a whitelist.

D

On certain client, hello, extensions mandatory, which would make this very weird because you'd either be like, we ignore the mandatory ones, yeah.

N

I think the text that I proposed does not say treated like a client. Hello, just allow client, hello, enabled extensions, so it wouldn't have the mandatory requirement it wouldn't be at mine. Hello would be a certificate request. Looking structure then allows specifically one client, hello extension, which is sni and so.

D

Yeah white, less than sounds more reasonable because otherwise steak. What does the server do when they receive random client on our extensions? Okay,.

G

Yeah I'm not not sure what I do like, but I, don't like see, I'm concerned of the same thing Ben Schwartz just raised. It just seems like really like what the heck does that, what the heck does like Keisha I mean here and I, don't want to ignore and I want to like um I want to follow draft IEP. You know: what's it called now, the stuff was wrong, you know, and and and reject it.

G

If it's bogus so um I think we could discuss pellet um III, no problem about being from 84 46 as a general matter. Ivan is that we think about the technical point, but, like I, mean get.

N

Away, how do you feel about just whitelist client alone? um Yes and I, for example, I mean this is the only contentious point is about s and I, and that's the only it client hello extension used to select certificates that is relevant in this use case.

G

I'm not sure prepared to like I understand it yet I think: okay,.

I

All right, so more discussion required. Okay,.

N

This is this is on the list. So please, if you have a comment, posted list.

N

Okay, this is also not CFR. Gene whoops, alright delegated credentials. This is another one that is been moving along pretty nicely, particularly. We have an update here of running code. There's some public announcements of support for the draft version of this protocol in Firefox nightly, as well as CloudFlare and Facebook has done been doing they they have an endpoint that supports it and have talked about supporting it more thoroughly in their in their infrastructure.

N

One of the issues that was raised at the last ITF that indicated there's another potential small issue here. This is really a flexibility issue and it's not clear that there are too many stacks this would affect, but.

N

One of the one of the issues in TLS 1.3 that came up was this idea of having supported algorithms and supported algorithms certificate as to lists of supported algorithms, one for which spki is allowed in the leaf certificate, verses which spki is allowed to be used in the certificate chain for signing the leaf certificate and because the peak a stack is sometimes different from the TLS stack. These two things are potentially just disjoint lists or different lists in kind of polling.

N

The implementation audience here, there's there's sort of a dual: a overloaded use of the supported algorithms and export of authenticators explore an authenticator x' does not use the leaf certificates spki to sign the handshake. It uses the delegated credentials.

N

Extension spki to sign the sun handshake, so there's potential for a mismatch here. If your TLS stack supports an spki, but your PKI stack does not support that spki in assert. So the the specific use case here is say you advertise support for an IDI to 55.9 signature scheme as a supported, algorithm and delegated credentials, and you support at 255 or ninth Ella gated credentials.

N

But your PKI stack does not support extracting the IDI five nine spki from the leaf cert then you'd be in the situation where the server supports this type of key and doesn't support delegated credentials that could send down a cert that supports this key type and your stack isn't not able to effectively communicate that distinction to the server. So this this is not necessarily a problem in in some of the stacks that we've seen.

N

But it's it's a potential problem in one or two of the stacks and I've heard anecdotally from from folks that this may be a problem. Yeah.

F

Some tomaten Thompson we originally struggling with problem with RSA PSS, which I don't think anyone's actually going to deploy, but the implementation kind of had to deal with it. So we sort of run into a few problems there.

F

We have multiple pieces of the stack and multiple pieces of the policy enforcement infrastructure that all have to support this thing before we can turn it on, and it turns out that it's okay for us at the point that we can turn on PSS generally we'll be able to use it here, but I can see how others might be affected by this I'm. Okay, with this I think that having a very small, controllable set of signature schemes for delegated credentials is a nice feature. I don't think it's absolutely essential, but I can I.

N

I'm, ok with this proposal, okay, yeah I would imagine that the typical deployment will only have say two elliptic curve support and not say RSA of any sort support in that yeah. This prevents you from having to deal with RSA base delegated credentials. If you don't want to so.

G

P

G

You see you're privileged to put field in the DC extension that is like here. They'll remove the support. That's right, just a list, yeah I guess I like how you have the with it here, because I guess I can live with that. If I can also live with not having it I think you know, yeah I, think I guess this is like one of these. Like beauty contest things, so I guess is there. Is there anybody feel strongly on one side of there?

G

Is there anybody.

K

O

Kyle nekritz um I agree, there's a use kiss for this, but I guess my question is: is anyone going to actually use this I, don't think we would use this like advertise a different algorithm or advertise a different set of algorithms. So as online you mean or as a server is, this is that this is advertising as a client somewhere.

O

But if someone really wants to use it, then I have no problems. It.

N

Yeah I think this. The the reason that this will come into play is in moving forward with new algorithm types. It likely gives us more flexibility with adding new things like, for example, on the semi static, th side. We might be able to advertise in this without necessarily supporting semi static, th and the leaf cert yeah.

F

Not in Thomson I was just about to get up and say, let's not add something that when we don't have a good, clear use case for, but that's a good reason to do this, we're having a. We have a little bit of trouble getting all of the different pieces in place when it comes to our certificate, validation, infrastructure and being able to say, do a PQ algorithm.

F

A 4dc would be kind of a nice way to experiment with those signature, algorithms, without actually having to commit to putting all the cab form rules in place, for instance, or changing here. So.

I

I think this summary is basically we're. Gonna accept this proposal. What son, what.

K

I would like to comment on on a separate issue which is okay can I do that yeah is this from so the maximum lifetime of the delegated credential appears to me pick pretty randomly and seven days so I wonder what is that's really good idea in in use. Cases that we are looking into seven days seems a little short um and I was wondering whether you can sort of motivate someone in the seven days or why I would want to do that rather than five days or 10 days.

K

Understand that you ideally would like to put the number in there, but I'm not sure it's a that's a great idea. Yeah.

N

It's a maximum and it was based on the typical deployment of OCSP. So what works right now, as the minimum for revocation and for short-lived certificates measured on the web, is where we came up with.

K

She's veena, but in context, that's the context in which this came on yeah.

F

So someone Thompson- this is really coming out of the way. Right, though, we're basically, basically assuming that this is a web deployment scenario and maybe maybe the right way to thread. This is to essentially say that absent other information.

F

Endpoints should set a policy of seven days maximum, but that would leave it otherwise unspecified so that those deployments that want to do things like I, don't know putting a certificate on a camel. That's gonna then go across the desert and then have to be valid at the other end of it and I. Don't.

N

Know so I guess honest and you have a use case for which you have a certificate that you can't shorten to the time that you want, but a DC that you want to expand to past seven days. I! Don't imagine that there's any case of that.

K

So yeah I can't talk entirely about the use case, but it's originated in the IOT space, where some of the devices are not always connected and so having them sort of the connect to just to get that delegated credential. Just for the sake of fulfilling that Cerf requirement appear to be a little tricky, given that today, there OCS B is not even used at all, let alone a certificate revocation, which is more used in a in a sort of like firmware, update a sort of scenario. We can argue better.

K

That's a good approach or not, but I think using that work. This this recent work there in those environments would improve security overall, so I think Martin's approach of tying it or augmenting it in to the specific context and I I the web context in a bad context. That makes total sense to me. Okay, so you understand the.

I

Based on mark yes,.

K

I

H

Ben Schwartz I'm not convinced that there's a web context in that is detectable or identifiable to the server operator, who is deploying an HTTP service in particular that they don't know what kind of client it is at this point, one thing that you could do is signal a maximum expiration lifetime in your client, hello.

F

M

Discussed that- and we do not this.

F

This only fits into the I, don't know what the client has in their trust or space I don't know, but that the policies are I, don't know, there's a lot of that vagary already in in practice, so I don't know that we're making it worse. By making this one thing.

O

Carla crits, if we don't have a must on the validity, then I'm worried what we do in a client-side. If we get a delegator credential that has a fluidity over what the client is willing to accept.

G

Right I mean I mean the purpose.

G

The purpose of this is to ensure that the server never sends the client something with too long a lifetime and the clients willing to take, and so right now what PGI certificates like how like a maximum I like, essentially if it's not a lifetime, no like Ryan's levy, she's like dialing a town um and but it's like a rule right and so the claims are we on this or if the sir rules on the client, something the client sir, will make like a two-year GC into the client aquatic nope.

G

And then you like screwed, so I mean in what you want is like thee and so either we have to have like a rule written down or if the signal light and suddenly it seems like, are right on the I guess. What I would suggest is um that when we get to the point where those an aggressive use case, it needs a longer value like we can there's a way to signal. A death. Nice I've Hannes is saying, like I, have a use case right now. Our new super long value like they may.

G

We have to live with that, but I quite understand like how how how real that is yet, for you.

K

Yeah I was I was one I'm, specifically also in a TLS specification. We have some some wording specific for the algorithm Sunda mandatory to implement algorithm absent a specific profile. We, those are the mandatory to implement, algorithm and and I, could imagine in, in this case its symbol, a similar absent to a specific profile. The default is seven days and yeah.

N

um Guru that one um so I guess the other change. This change proposed solution of adding the list. I think, let's confirm that on the list and I'll just merge it in and then I think at this point with that change, I think we're ready for working. Your class call.

I

Vote did asking github whether we should do an early at early Co point allocation. Are there people that are trying to implement this now.

I

Dancers, yes, I mean I. Think the answer is yes, but like do you wanna needle already it up it's already in Firefox, so alright, so we should start kicking that process off yeah. You think.

G

So actually, um this is this is a very magenta bash, um but I'm gonna do anyway. um We really need a thing like MT is invented for quick, or we have provisional point allocations so that we get earlier or not so that we can like do this kind of stuff and so that we don't stop at each other like by accident.

G

huh Well, I'm happy to do that. Yes, so.

I

I'll start kicking off the early code for an allocation process for that this afternoon,.

I

Okay, thank you very much.

A

K

A

I

You change your slides.

D

Hi everyone, okay, so I want to talk about TLS, extended petite schedule. So why would you want to extend the key schedule? Tls has some like really nice properties, but maybe we want more, better, more exciting properties. Fine, for example, we might want some privacy properties for the client, hello. We might want to do some sort of hybrid key exchange where we use quantum safe keys as well as classical keys, and the question is: can we achieve these new different properties without breaking anything?

D

So we know that TLS has the properties we think it has, because it's undergone quite extensive analysis and modifying the key schedule might mean we have to redo a bunch of that, but it's non-trivial to get these new, exciting properties if we want them to without changing the key schedule, but it's also important that we don't create new attack surface.

D

So so I was motivated to do this because there are a bunch of drafts that are like. We want to change how the key schedule works, and we want to do this or we want to do that so for obvious examples, hybrid key exchange. If you want to be able to use a quantum safe, key exchange simultaneously with TLS without having to allocate new code points, you could just define yourself hybrid key exchange draft, and this would that you include these keys and injecting key schedule with having to worry about all.

D

Do we define composite code points? Do we define you know multiple lists, this just sort of walks around all of that? Yes and I as we're going to see later, there's been a bunch of inks built on whether we should inject into the key schedule or not external PSK importers?

D

How do we diversify keys before they're imported before they're used by TLS, rather than having to have N squared keys or whatever and semi static? If your Hellman also wants to adjust the key schedule to allow them to do various things? Okay, so what we need is an extensible framework.

D

All the drafts are just mentioned, modify the key schedule in neutrally incompatible ways, and they generally haven't had huge amounts of security analysis and they definitely haven't had security analysis of when you what happens when you use them with other key schedule, modifications- and there is lots of dragons there. So this draft attempts to do two things capture all of the work already done with key schedule, changes and providing a framework that lets us use. All of these key schedule changes in a consistent, secure and composable, most importantly, composable way.

D

So this is a TRS key schedule, truncated at master secret and we're proposing to inject at two and perhaps three points we want to modify the way PS k's are are used such that we can do fancy things and we want to inject an extra secret before the diffie-hellman Karthik suggested that we could also inject just before master secret. But you know that's for discussion, so the zeros are actually non-trivial the to zero aren't the same, even though they look the same. The top zero is a salt and actually just says.

D

We assume that PS k's are uniformly random and the I.

G

Understand that point, I'm I'll check out the bottom zero. So.

D

The your then you're, then using the HK DF as a dual PRF and because you're injecting two secrets and you're, assuming that both of them got the same property.

G

No, maybe ignore the top oh yeah, and the bottom is their bottom. Zero, like everywhere else in this key schedule, but then it comes on the left is this is isn't, is the is the is the one IP k right, um the initial random ikm and the thing that comes the top is a salt right so like and if you just like scroll up like 1 HK DF craft above, do your extract? Has a DHE secret, as I'm saying like when you want to when you want to do like I.

G

Don't understand, I, don't understand why you can't you why you can't put a rant. A I came at that unless.

D

0 slot at the bottom, so, okay! So if you want to inject stuff before the handshake secrets, you then have to do something with the EC athe. No.

G

I know I agree that the first two points, the points through a shady green I agree with you, oh yeah, okay, I'm, saying that this last point, the one that's shaded white, like that's, called like the thing that 0 there.

D

So that will so. You could also do that, but the question then is: do we want to do this in a consistent way and just like always do the same thing? Okay,.

F

So Thompson I would I would say that the consistent way is to change the thing on the left. But we've had this discussion. Wait till my last life exactly but the that's. The approach taken by the semi static thing with that zero.

M

F

Is what which is what I could got up to object to, and the PSK importer stuff does that with the PSK one there and but.

M

F

Different way it doesn't yeah, it really does. Doesn't it that's that's curious which wait to.

M

Do something that.

F

And a CD is another one that I'd like to have as well wait.

D

Till my last slide, okay, so just to like point out that there's a bit of syntactic sugar we've got, HKD, have extract and derive secret derive secret is syntactic sugar for an HK TF expand just FYI.

D

Okay, TLS uses an HK, D F and it has extract, expand, extract, takes non-uniform randomness and makes uniform randomness expand, takes uniform randomness and makes cryptographically related keys, just yeah okay.

D

So this is the change we're planning to make to the PS k extension.

D

All we do is add a context field and then use that as the ID instead and you can do that recursively, so the you might want to say, add three or four PS Kaizen chain and just each one comes with a context, and you just compress more and more of that into the yes key ID.

D

The context is not necessarily secret, but could be, but should be non guessable.

D

It should probably be a channel binding if you're doing anything complicated but leave I sort of leave that implementers, if you're, going to design complicated to sound, complicated okay. So what is this change? Give us and you combined extra information into the handshake, so I can bind non secret information to the handshake, and this is analogous to the TLS, export or interface, so in the same way that I can layer something on top of TLS.

D

This lets me layer two, he LS on top of something else and that's where you would effectively end up with channel bindings and this sort of just harmonizes the sort of structure that we should have done in the first place and if we I don't think it affects the security proofs and we shouldn't have to do anything. Fancy well.

G

I'm not gonna feature trolling there about what was your in the first place, but I just want to have a question so um ah one might the this at least one more reason about as injecting into the transcript, instead of injecting into the key schedule right, mm-hmm, okay, just running sorry, like I mean, if we like had if like, if, like every message, had light like if every message had like a extra like a like a notional like here's extra crap like it could hold in the transcript. That would be the same as this right.

G

I think, okay, I know. The other stuff doesn't like that. That the pescado stuff is like is a new secret interview. Yeah.

D

G

Is just like new stuff in the transcript yeah.

D

This is just saying here is a place to inject well, I think should be channel bindings, but like effectively whatever.

F

Back one slide: how is this different to the importer things.

D

It's not. This is not even bashing I think it should be moved here. Yeah, it's basically a copy yeah, there's.

F

An extra label that one's going to working group last call I, don't think we can do that. You might want to use this document to rationalize that, but I would not change the structure of what's already been agreed there. Okay,.

Q

Daniel kind, Gilmore, I, don't think this is exactly the same as putting stuff into the transcript where that car said earlier, in particular a few stuff arbitrary stuff to the transcript. It might look the same as stuff that is already that might already have been in the transcript, and this case is.

D

Additive, yes, so this is that's why you have to use a different point: a label. If you look on the bottom right, there's impact minder and in res binder, basically, if you're doing an extent, an out-of-band PSK using impact pointer as your label, we might need to shorten that. And basically that says you can't confuse and also fan PSK using this and that's been key. Not using this. Oh yeah.

G

I'm sorry, uh my my hypo was it we like injecting my favor was like. We don't like a faked handshake message that was like additional crap in the hint in the in transcript, don't put it in there and that bad I think will have the same properties as this in my head and if it doesn't that I want to reason about like the same way we did with the with with the reinjection for ch1, like I hope, so because otherwise, I'm not reason about this correctly.

G

That concerns me but I'm, not saying our problem with the tetragram they're, trying to make sure I understand what it's doing. Yeah.

D

The labels are important, but yeah. Okay, oh did I finish this. Oh yeah, the route, the reasoning why it shouldn't affect the security proofs is we're doing an HK DF expand and we assume that H k, DF expand, gives us disjoint key spaces or computationally distracted key spaces. Okay.

D

The second piece is here: you have a an extra drive secret and an extra HK D F extract, which is an extra expand extract, and the idea is that this will isolate the injected material from the rest of the handshake and in the inputs are injected in a fixed order. We'll have an eye on a registry that says you know this goes first. This goes second, this goes third okay.

D

So what does this give us? It's not the same. It gives us to add new secrets to the handshake. Before we could only add, we could only commit to new public values in the handshake, so we for doing cryptic line hello extensions or we can add quantum safe secrets without giving up any classical crypto.

D

Hugo pointed out that if there's no PSK and there's a weak diffie-hellman key, then a malicious out input may be able to bias the handshakes secret. But if the, if all your secrets are weak or controlled by the attacker, do we really care?

D

If we do really care, we can use this design, so this basically just uses the dual PRF property of HK DFS and we inject. This is copied from drafts tabular and labels combining ATF one and basically, we extract from the EC DHE and the well. In this case, we next-gen would be post B, quantum safe, but we'd replace that with just anything downsides to this.

D

The key schedule is no longer linear and also we can't necessarily repeat this I'm sorry, we wouldn't be doing the same thing lower down, although I guess we care, if you want so.

F

Thompson drafts a pillow covers a number of options that look like this or like the one that you're proposing yes I I'm, proposing that we do.

D

One of them yeah.

F

And I would also propose neither of the two options you've presented on the screen: okay, so yeah I'm, perfectly comfortable with taking all of the inputs that we have at a given point in the key schedule and then combining them in some fashion. I, don't think we need H KDF extract for that. We we just need a mapping that is clear and.

G

F

Directive, you do just concatenate them in in a simple case, because of that most of these things are fixed length, but if they're not fixed length, we put length prefixes on and but everything's gravy. The reason that I say that is that we have in most implementations all the necessary machinery in order to switch out the thing that appears on that left-hand side.

F

Input to HK, deific extract and building on top of that machine allows us to effectively reuse an existing joint that we have in the protocol, rather than invent new once and extend the tissue dormant in the way that your proposed and I do think that Hugo's concern is valid because there are cases if, if the construction of HK DF extract as a dual PRF is not as strong in that in the direction coming down the down the chain as as coming in from the side then well, maybe we have promised with peers K's on their own, but I would rather have a come in the side.

F

G

Yeah III generally concur with Martin on that, basically a Center which we think. So if you go back to King I see you were previously sorry to.

G

That's a curry yeah so like attack, so it's like it's like I think they like. If you sort of scroll back and Inter like acceptor trolling previously, we should have done right. um You know the the annoying thing about the current. A loss and shouldn't tell askew schedule is that we basically only allow one secret each of those insert points right and so like when you're trying to send that you're like well.

G

This one says now we have to and it has the same annoying problem, and so does it invokes, is like the same annoying problem as well. There's only us two, and so, like the you know, the original sin here is like our failure to like allow an arbitrary number of key values, ation certain points and so on, and so whatever we do. Is you fix that?

G

If we think it's good, we should fix that and so like either we should do it by being, like you know, like so users, do it by being like you can have it over terminal things. You just expect justice justice tracked, that's one possibility and the other is you have a combiner and then you glue them in I. Think the combiner and glue them in like obviously makes more sense. I'm willing to like you know, I'd, be a caveman.

G

Also, like naturally do what Martin says, which is like concatenate them with like link fields and like him like, like and I, treat it all as one giant thing, I'm more than happy to be told, wasn't weird Reiger further along the caveman and like I, should XOR them or I should be some other garbage, um but like I, leave that to like the crypto people, but I think we should do is define an algorithm for saying.

G

Take n, Secrets, crank him down to 1 I, add an entropy bottleneck at at the KDF and then shove it in the left. Yeah sound good.

P

Russ Housley: could you back up to the green box? One.

D

P

D

P

Thank you. So what basically Ecker said was, if you look at this you, if you combine all of the stuff, you can replace that one zero and get a result, except for the early data situation and I, couldn't tell whether he was proposing something that affected early better or not.

G

P

G

Put is everywhere in this key schedule that we have a thing with. We have a thing with an arrow on the right, you're already hkh give abstract. We defined a new rule that if you have n things you combine them with formula X and then you shove it in and I guess just to make life simple.

G

If you have one you just you just shove it in um and um and then and then, and then, like very simple and like um and in fact, Martin's things nice, because Martin's thing like actually couldn't find it in coding, which is exactly this property. It's just a serialization. Now her forceplate do and actually this XOR by the way, um if we're forced to do some sort of like nonsense with like multiple HK TF stages, that won't work but yeah.

G

My point is basically it's just just take each of those hkfs right joints and like redefine that we defined this. My left Honus the lines cut after honest and honest. Please.

I

G

K

If you compare the Skip schedule of 1.2 to 1.3 like it became so much more complicated um and the argument back then was we need this, because it simplifies the proofs and and that's great but I, think, look and listening to your presentation.

K

We are making it incremental e, more complicated and I would wish that someone actually looks at how to simplify the proofs or to tailor it proves a little bit so that we don't have to make is more and more complicated, because if you look at the code and that we have today in 1.3 it's it's, this part is actually one area where it where you have way more cryptographic operations that you need to do way more code, and that also is, has its there's side effects of that right. Yeah.

K

D

That's actually one of my further questions.

D

Do we want to extend the master secret? Should we just concatenate the injected secrets? Should we be worried about the number of new hashing vacations?

D

Yes, and how should we a handle, extension negotiation so because this is crypto you have to if you're doing the PS KS you have to send either just one PS k that says we are using these extensions or you send a group of PS case that say, I'm happy with any of these combinations or you can send one PS k and rely on how to retry if the server's, like actually I, only want some of those or I want to add some of your other some other ones that you support, and the most important question is: is there interest in adoption.

P

Till Russ house way, I think this is very interesting but I think it's also very complex and the key schedule is the core to TLS 1.3, and so it looks like TLS 1 4 to me. So.

D

Just to answer that question: does that mean you think we should not do any of these.

P

No, it's very interesting and we should do it. But if we looked at it as a new version number, it would solve a bunch of those problems that you just listed so.

D

We should open tell us one for now: that's a reach out or any discussion. It certainly.

I

Would be so, let's take this to the list because it.

I

Really quick, ok,.

R

So I just want to emphasize I, see presents' a major change, so we have to be careful and not to rush that yeah all right. Thank you.

I

Some wonderful green shirts.

I

G

These slides are designed to ensure that you pay attention.

G

You know Martin and I had pretty walked in a contest to make the most offensive possible. Looking slides, I think.

G

Maybe hive is orange next David's.

S

Knaus II cool may I offer a slight suggestion that the two of you can take your rivalry about making really bad slides somewhere else. But.

G

Yes, okay, so um this is some work done by me: Richard Barnes and Hannes, the yes see, I, guess I guess I felt like if I thought, I didn't ever actually name. What it is see is compact by the way, that's why the C is lowercase, so, okay, what problems were trying to solve. um So, despite, like the you know, with the fact that everyone's, like really thrilled with how one three turned out jonathan, especially the you know, things are not perfect.

G

There's still someone annoying like a legacy craft, the TLS handshake, especially in like the like the client hellos, if it feels like a wave of legacy, can't be changed. Those are awesome um now, like, unfortunately like in many con has like stuck with that because, like welcome to the web and like you, can never send anything different ever ever ever but, like maybe I, saw something had a little bit forever. It's like like, particularly like we did quick. It was kind of still later like we have these quick messages that contain like like a legacy.

G

He, like version numbers that nobody uses on. Second, um even from the beginning of one three, um there was sadness about the sort of rich feature set, um and that has a number of problems. um Sometimes um one is it made it hard to do like, say: I, don't want zero duty and I made only and I like like? How do you define like what the minimal feature set that, like maybe ease your implement, is and maybe there's a reason about is um um so, um and second obviously makes the it makes the constraint up.

G

It makes the partition size bigger and the joints that you need to make work also make the make the call the wire bigger um so like, in particular like if you only have a phone key share like. Why do you have like a bunch extra values telling you how many he shares you could have and if you only for one key share like why he needs it? Why thrr, and if only for one key share like why do you need some way to like say these are the these?

G

Are the name groups that support because it's got all the same, stinking thing um and um so finally, um the UM you know there's there is a separation in one three between a handshake and the record layer, but it's not like quite as clean as you might have hoped, oops um and, um and so like, and you see that, like it looks fine, we did one three, but then we tried to do quick. It was like obvious that, like maybe that was not like quite as clean a set of cuts as you wanted I'm.

G

So quick is really like t lost one point three like handshake with a quick record layer, and that, like you, know like that works, but, like you know, it's like like the document is like take these ports or to your lesson like throw away these little parts to 0s and so try to cut that out would be it would be. Nice um there's also an issue if you look at like lake and when you might think I'm. Oh s course your record layer.

G

So in general, like um you know, it's it's from a pedagogical perspective, it's like much easier interpret if you think, isn't one protocol, but from a but from a like a pluggable perspective. It's maybe not I, think Christian.

G

We have made this point actually quite a while back I think Paul Baker did as well on so number of these issues like we're known, but we're kind of punted out of one three either because like being done as a feature, and they didn't really affect one for itself or because we couldn't change them like this in the case of of the legacy Croft um like we always knew, we could like do like a rubies profile, but, like we were too lazy, um I think Watson lad talked about doing like a TLS one, three light at one point, but never got done um so um that we thought might try actually solve some of these.

G

So there's a bunch of motivating use cases for this work. Ij's one is quick other than I was indicating. Another is a TLS is. Is that what you call it as a TLS set? Okay, the Google thing has some other name like alts or something um there's a lake for the screen, key for hand, constrain sizes and there's eat as well. We're also has been issued to have like a message sizes and anytime.

G

You try to map, there's also kind of an issue for DTLS I'm, not as not as much but kind of one, um so um so say that there's a but and and again in a TLS, you might think about. Maybe you don't need the record layer, for instance, on and like the same way, um so there's like two-and-a-half technical pieces here which we might adopt somewhere all off or none of for that matter.

G

So one is some, don't clean up on the handshake messages to make them like less like kind of gross and crafty um I'll talk about each of these in detail. The second is this kind of like um vaguely advanced specialization mechanism for describing substance. The TLS like in a way that isn't just writing new document profiles and, finally um or more clearly delineate the handshake in the records record cutscene. So it's no.

G

You know exactly where to cut um this last piece as I say, actually doesn't reappear in the spec when I'm pitching it now on and on.

G

It's not quite clear on this back mechanic way how we do it, because what you really like is like sort of go back and rewrite eighty-four 46, but in practice probably wanna write a met, a document which says these are the pieces you would need, and these are cut points and in particular this is what you like to pinned on or not um so, okay, let me start with the first point.

G

um So cleaning up the handshake messages, um basically I'm so like I, think we can like in retrospect agree that, like maybe the encoding hon would kill us like. Why are encoding?

G

It's not amazing, so in particular, like lots of places where there like integers was like, were you too large for their like intended uses, or would you small for their intended uses and so like, even though queuing up space on the wire for no good reason or contrariwise, on there, um contrariwise you're, like hey, I, can't fit and um and also like, if you look at like they look like everybody's implementation, they all have like for every time you have to include an integer like they're functions for encoding and decoding integers all come with like a like some number.

G

That tells you how big the integer is. That's, like really amazingly awesome on. You know, I feel right. If you like this, if you just didn't see you like how like decode you int X and like there's a field, this is a big. It is, if you do in C++ you, like start thinking, function overloading and, like my time, fly, specialization and like that does work, except that then I said then there's no there's! No! You ain't 24, and so things don't work out so well uh-huh. So it's like not great!

G

um So like replace, every integer with a variant is like actually makes life substantially easier. It also means they, like you, don't have these goofy situations or you're not trying to decide like like I I, can't tell you how many arguments I've been we're arguing about, like should, like the maximum length of this field being code, be 65,000, Val, 65,000, like objects or up bytes or like 255 bytes. um So like, let me solve this go away which, like is it your crease, is loaded on us on um so removing some unnecessary legacy.

G

Fields like as I say these like these like veiled fields, which I only exist to make 1/3 look like 1/2 hum session. I need a good example of that. um Also Richard Barnes suggested removing the handshake message length from the handshake framing on and just saying, look the handshake messages like are self describing in terms of lengths. There's nobody get confused. This is actually quite a point of confusion. Your implementations were like you have, like. You know, think about that on. So one difficulty here is backward compatibility.

G

Obviously, you can't, like you, wouldn't be able to emit a client hello like according to these rules, it was possible by like but person why existing implementation, so um so I think we probably have to do realistically. Is you would do this, but then you'd say like hey, um you know um you also have to be like. If you don't know what the server does you have to be able, if it won't quite hello as well and receive it um the server hello, I'm sure we can find some way to make it obvious.

G

So they'll only change the first message, um so this is like semantically identical right. This is just like what you thought you might have thought of, if, like you like, had a different kind of online philosophy, went where necessary. 3 was designed by 25 years ago, I'm exact, we're just inheriting the structures from V 3 right on this would be like a non-trivial simplification, at least in my implementation. I suspect that others um next slide now on the next slide.

G

So so, like that's a simple piece right, the that sort of fancy piece is like I said: TLS is like generalized protocol. So, like you can do like an enormous number things, so all these joints to let you to go. She ate every possible thing.

G

um That's good in the sense like you get a very powerful object and you have a powerful object and particularly, we have like an analysis of entire thing, and so we can tell you, like you know, when the opportunity to tell you this is like this whole secure profile, she'll, us and but like with that said, maybe you don't want all that stuff and so on, and it's like. Why are you paying for that book from the wire and the implementation?

G

And so the idea we had actually do to karthik Bhargav on um is to um I'm your sole term from rust, run or vice. So you have a on. You have like a Jarek system which is polymorphic and what you do is you Mon Amour physis, so you take a given axis of flexibility, say the version number and you say well in principle like the system supported like 1.3, 1.4 1.2, but we're gonna model mortifies it down to 1.1 and so all 1.3, and so all the code.

G

You need like process versions, negotiations just go away and all the wire machine where you need to negotiate goes away, and so you can- and the idea here is- you can like independently montemor flies in every axis and then and here's the cool part, the karthik suggested, which is you reconstruct the transcript as if you had not montemor as if you had not specialized, and so you get the same wire transcript as you. Otherwise do you have the same thing and then in the key minute in the key schedules you otherwise would have it.

G

So you can just think of it as a piece of compression, um so um so that I have italicized my term. So we have monomer files and reconstruct I thought you'd appreciate that. um So the key idea here is you got specialization, but you also get forward compatibility. So um we like remove extensions. You don't need cuz you're, not using them, but if you, if there are new extensions, you need they just work, fine and so on, and so as an example, um you know we can ah ends and so otherwise unknown extensions. Just work.

G

Fine in the future. um I'm also get to it on known certificates, it certificates point, um but it's a general point. This gives you also way to compress certificates, but a way to also deal with difficulties ever heard off on.

G

So one way of thinking about this um I think also do a Karthik um is that this is like a compression layer between the handshake and the end, the record layer and so on. Like a mission, you compress using that using the profile as input to tell you what to compress out and on parsing you decompress, using the profile as input to tell you how to decompress DG's love in the second al.

G

um This is like a lot simpler. That sounds. Barnes's are like really compact implementation of this in it. um So especially themselves are. This was supposed to be hidden. I apologize, I, didn't mark it hidden, um especially since elves are like basically defined in JSON. So here's like a simple specialization this it. This says, like you, do only tell us more three and do only these on the cipher suite, and so, when you do this, you just don't put those things in the mark. They just appear.

G

So you just save yourself what like I, don't know like a octets so like that was some the but again, and so when you decompress the transcript, you have only the fields as you have like those long things reported. That means you have a once. One version in the version supported verses list and you have on both directions and you have one cypher Swedish brushes well,.

F

Button Tom some question for clarification: more for other people to understand. What's going on here, you're gonna signal which one of these profiles is available on the wire or assume that there's something available in the context. Thank you.

G

Yes, yes, quite so, and so that the nonsense previously they thought I admitted was, you might imagine actually having a way to signal on the wire that actually, you was always like injective and you could figure out what was going on, but on my supposed registration, um okay, um so um like so they we have a whole bunch of percenter points. You can actually see c'mon horrifies on it's worth on, dealing with extensions cuz, that's probably most complicated one in the source of most of the hold.

G

I was the actual size of Chalfont 3, um so whether they did a whole predefined extensions and basic the ideas. You say this extension only has this value so like here's, it only a OPN value and you just basically spit on a fixed text, string your stuff in the profile um on you on the extensions do pair of the transcendent.

G

As I say, um this allows you to have other extensions which are encoded as usual, which aren't the ones that are predefined, so it's just pop in normally and we we in order to make the the the decompression work properly and the question work properly. We require extensions to appear in code point order, which is a change from 1 3, but it's a compatible change, um namely you can so you're always allowed to do this, isn't for PSK and PSK. Just has to be at the end um of our call.

G

Crypto had this property to their didn't have PSK. um So um now we have a few places where um their asses and their sort of non orthogonal axes that we've defined. um That I, don't think appears here, yeah um that um don't just involve predefined. So as a given example like if you say why, only due to curve two five, five one, nine that like has implications on a bunch of things, but it's one axis about an organization. So here's like a good example.

G

um This is like a sort of highly compressed profile, um so you can see a center version has one cipher suite. There's this D age group parameter, which means I only support to 5 5, a 9, which means I'm not going to send supported groups and I'm only gonna send one key share and like by the way, don't do HR, because I doesn't make any sense. um This has like reduced random the finish sizes to give you a high, a compact on thing.

G

This is like this is going back to the lake use case and then here the extensions, um so that's s and I, and that um and their signature algorithms as well force difficut requests. So this also implies you're gonna do TLS indication, um so this is sort of like both conditional convenience, but I'll see you might imagine, having a machine-readable implementation which could process this and then either either enforce this automatically or actually to go back to the circuit or extended rust example.

G

Really Mont amorphous, where, like I, have an implementation, which is really too many implementation. It processes this and it spits out a straight line. Implementation, which only does these things um and the idea is in that case. What you do is you just like pick over the you just pickle the strings on the Indira publication directly, um one special point which is worth getting at, which is this million certificates so like in any real on any real situation, um we're um a vast majority. The data on the wire is the.

T

Certificate himself.

G

So you need some way to compress them. um There are some nice work um by uh um I. Think I got entire.

G

Who did this work now um who's only who's in the name of this, um some people um about um compression certificate generically using like compression algorithms, but you can do much better if actually, what certificates are and so on, Richard had this great idea of basically, you basically have a map of this difficut s--, which is just the like: the flat-out certificates and a nickname for them, and then you literally just encode the nickname in the certificate entry fields.

G

If we were certificate and as long as you make sure that, like you can distinguish them from certs, then it's not a problem so like don't, have them begin with o x3 o or have them be like holy short on, and then these get blown over the transcript. Like everything else, that's actually a really important point, because you don't want to have like very short names that don't appear in the transcript, because that creates confusion about in the transcript you're.

G

Talking to so like you know, you can type seductive attacks, so um this is like very straightforward, but it works nicely. um It's kind of analogous it's kind of like it's kind of like a specialized version of cash info. um So um this gives you an enormous amount of compression. If you do all this stuff, where the profile I just showed you. um Basically, you like, reduce the size of TLS. By, like you know, a factor of three or four so like this oppress are pretty good about of reduction.

G

um A lot of that ought, to be honest, is Judas difficut, but not all of it. um So um this is something obviously we're working a little bit. We have a draft implementation in mint. Yes, sir, you might look on the front anyway, it's boring back there.

U

Christmas, here kind of game out, so this is the compression you're showing here is actually bytes on wire. Now it's nothing to do with code by.

G

Some wire yeah yeah yeah, those 21 bytes of code yeah.

G

This is the this is the fights of the wire, and so basically on these over what the overhead numbers mean is like there's some there's like some basic amount of data which you like need to have in her to like make it work at all like the crypto variables has to be given given given fixed size, and the overhead is like how much more we are over the fixed over like the minimum fix ID you had to have it's like you know, you can't have diffie-hellman without like carrying you to five funding keys around and so like.

G

That means they're like if he's like a minimum size. The handshake is like is like we're also it's large, so this is all about reducing things about that. um So like just. Let me like. Let me open with like I understand that, like this, like this, like pressurization thing, looks a little fancy and like and like we're sort of back and forth on like how overwrought it is, I may be a little overwrought. So definitely you know um feedback who desired.

G

Unlike maybe, we got too fancy and pieces of it, but um it actually worked out pretty well and I. Think it's a good way to define sir these noble profiles, as I say both for compassion and also for and also for you know, implementation want to be simple as I sort of the cost of some at the cost of the simple limitations of having a bunch of like fixed strings floating around at this system.

G

So um right. So the final thing is this handshake record layer, separation and say this doesn't really appear in the draft very much of some hand waving about it.

G

um The nominally we like actually had a handshake in a record layer, but actually and like like the security proofs of TLS, like actually don't really depend on, like the record layer at all, at least for the handshake, um but nevertheless like like the record layers like glued in there, um quick separated them, but like not like in any any freezes carefully, not a principal in an unprincipled way from a document perspective, but in a fine way from a tactical perspective and the reason from the document perspective is we given them?

G

No hooks to do this with, and so the proposal here is is to actually do the like do. The document engineering describes. This is where the cut point is. This is the expectations TLS has about the record layer. This is the points at which the keys get emitted. This is what you can do here here and here um and that and that, and that basically, this is arising after interface, be the record layer intention and the handshake layer on so yeah as I say here, this is really retconning.

G

What we did we didn't quick, but the idea is, if you wanted like another thing like that, like say for like say for OS Koroth, it would then be straightforward. You know exactly with interface points work, so um I, don't have anybody read this okay I see some people raising their hands. I mean these. Are your questions online? The.

I

Question really is right so where this would go, the 80s directed us that, basically, if it was going to get adopted anywhere, it was going to get adopted in this working group. So this is a request, but we can only really adopt this after we change the Charter, so I'm going to take this home because I want to do this. It's obviously module on the fact that we can get an agreement on the Charter Daniel.

I

R

Daniel me go Ericsson I think it's not the first time we're compressing protocol. It's a well-known thing. The IT I forgot a lot of experience in that and the LP one working group has been focused on that and they've defined. A framer I think we should work with them and try to be as close as I was I mean to reuse the concept at least ever use the dimension and use the same syntax, at least to express the compression. So I think we should work with them enough.

G

In the way that work but I'm happy to take a look, Richard.

I

You're gonna have to come forward that mics not working I'm, also going to cut the line. Yeah.

G

I think I think certainly like this is like these V, like negative one so like, if like, if they're working, who wants to work on this and like go in this general direction, like I, think we'd have like a lot of like a room to like screw around with what the actual syntax was like. This was like made up by me like in two hours over a beer dudes.

S

Cannot see quick enthusiasts, just first off clarifying question, you mentioned quick as a use case, just state. What I think is the obvious, but to double check you're, not suggesting this for quick view. One you're suggesting a first rate, reversion right, I.

G

Think what I'm suggesting is is that the arm? Yes, yes, and as they say what I'm suggesting is, is that on V.

G

This piece here would wreck on what we hit in quick. So it just matched wouldn't create dependency on quick, but what natural we didn't quick and that then ins and then, if we did cool things that they might have kept dodging quickly to cool.

S

In that case, it just wanted to say that I, like this I'm, really supportive and I, would like to see it move forward in this working group, and if that means a recharter, then that sounds fine to me.

T

This plus I think it's an important work and I think that the less working group should go convict. But I have one clarifying question, so it seems that profiles are distributed out of band and client and server must have exactly the same profile to be compatible and.

J

T

You do in case the profile need to be changed, for example, in the extension, is that it or I don't know something is removed, for how will you solve the problem of.

T

Simultaneously, changed profile for client and server without any disruption of the service, so assume this problem. Should this.

G

Sort I agree: I have some ideas: they're not they're, probably even too half-baked to make up at microphone, but I agree. It's a real problem.

V

Tommy Polly Apple, so yeah I think this is very good work. I'd love to see it adopted here so I, also working on quick I think it would make a lot of sense to streamline things but to the point that, like Daniel was making earlier I mean. Yes, we have a lot of other things that do compression, but I kind of see this being having other benefits.

V

Besides just making the handshake smaller and giving compression it's not merely that, because I also see a lot of trends in you know people doing kind of like new application cases in which people look away from TLS because, like oh, it's too complex, it's too extensible or these other things so I think this will also make I'm TLS more attractive to people. Looking for these lightweight use cases and that's a really big benefit in my mind, yeah.

G

That's really something we've been thinking about and I think that's a bit of a point where Richard and I, but going back and forth a little bit and that there's like syntactic compression mechanisms you can use and there's semantic compression mechanisms you can use and I've been definitely more her semantics. In many cases, that's the cost of some some syntactic complexity, so I think that's the part worth is it where is to think about.

G

Like is what's the most awesome, ol mix of those and I think there's geese um and you can see even here, there's some. You know like there's some pieces with your basic syntactic, which is like replace this extension with this like string and there's some places with your semantics, which is like we only do this diffie-hellman group and trying to find the right mix of that is very difficult. Daniel I cut the line.

M

Center of Internet do we really have a serious advantages because of switching from the fix Atlantians integer variable lengths, integer.

G

It is not enormous you get probably I mean I loved. When I looked at this I think we got like we offer a basic TLS handshake. We probably saved off like 30 or 40 octets, so it wasn't like enormous. It was partly like so like I'd, be I'm, not fixated on keeping that it's just like, like I, felt like doing any kind of like doing any kind of work here and not cleaning from those gross bothered me a little bit but like I'm, not I'm, not gonna lie down on the road over it. Alright.

I

So I'm gonna take two hums and then we're gonna. Take it to the list. First time is whether we want to adopt it as a working group item. One is whether we do not want to adopt it as a working group item. So please, huh if you would like to adopt this as a working group item, please hum and now.

I

If you do not want to adopt this, as a working group item, please home now, the yeas have it again we'll take this to the mailing list. I would I will note that it was silence on the know.

I

I

We I've gotten multiple, multiple complaints up here about this slide. Color selection, so going forward, will try to be a little better.

I

Yeah so I mean, if somebody did if somebody did want to say no and get to the microphone, feel free to explain.

I

Great Ted are you taking the Vantage.

W

Tardy it was really no and which is the the unusual variation of yes and I, actually think all of the work is interesting, but that it should be decomposed. The retconning, for example, I think, is going to be much faster and very very useful quickly where some of the the compression stuff there's lots of different ways. You can approach this and that, if you split the split the work up in it might be significantly faster to get some pieces of it done that that's not a no to the work.

W

In other words, it's no to this particular cluster. Being all one thing at the end of the day, but I'm fine, with the answer being yes after the homes are taken. I'm, it's a very tiny place in the rough to be in.

G

I'm also happy to defer to the wisdom of the chairs and AEDs, and the working group on like I've got these pieces. Often.

C

Great all right, so this is the heavy stacked. If you helmand, draft the looting to earlier. We have talked about this previously in London Nick gave the presentation. Draft has been sort of revved a couple times since then not much changes, but, given the you know, renewed interesting, come back to LS and how this helps we figured. We bring it back to the working group and see if there's interest so for those of them for those of you that are not familiar.

C

The semi psychic tiffy Hellman is basically plugging a hole in the opt LS design that was not yet filled by TLS 1.3, which supports the normal one. Rt t case non semi static, where the server actually gives you a certificate. Instead of you know, a Tiffany share getting them both PSK variants, so the semi static case is instead of the server sending a cert and a signature computed over.

C

Basically, the handshake transcript you get a you know: static, diffie-hellman, key share, either in a delegate, credential or via carrier pigeon, or something else mix that into the key schedule and then replace the certificate verify, which is typically a signature with a Mac and presumably everything else will sort of fall into place.

C

This sort of that looks like, if you think of it, in the opt loss flow so claim hello goes out the door server low comes back. You get both a diffie-hellman key shear and a femoral one, which is G the Y here and is, and in addition to that, a semi static key, which is typically represented to you, the s and then the rest of the computation is sort of the same. Instead of my signature, we there's a Mac great.

C

A motivation, for this is I, guess they're a couple points that we want to highlight, the first of which is there. There may be scenarios where you only want to use a single, primitive. You might not to use signatures at all. Like you can imagine, clients and servers supporting 70 settings. Iffy Holman client only need to you know: support like have code to do diffie-hellman operations. They wouldn't have to do any signature verifications assuming that the server did not deliver.

C

You know the semi said a key share by a certificate or anything like that, and potentially also that the client is like pinning the diffie-hellman visit a static share that the server gets. So it knows like we're, saying to use and doesn't have to like basically punting but punts the authentication of the semi static share. In that context, and in the web, where a semi static, he shares deliver vital you credential, you still have to do a signature verification on the certificate.

C

This just allows you to potentially do different algorithms like the ones that Nick was referring to earlier and also has benefits in that it's potentially a lighter key exchange variant, not in the you know, certificate case. But in this you know sort of deployment model where you have only diffie-hellman using semi static instead of massive signatures or massive certificates and signatures is potentially more appealing in those. Those contexts also has the benefit of mixing explicitly missing a long-term secret, which is the static share into the master secret.

C

Of course, there are other ways to go about sort of mixing things into the master secret or like potentially helping with bad randomness, or something like that. There's a draft in the CFR G, which kind of talks about something different or a different proposal. But this is you know this. Has that consequence? So that's nice!

C

The the idea is basically to where we. This is the current TLS 1.2 1.3 key schedule. We're in the master secret is derived you'll notice that there's this nice convenient little zero on the left. That Jonathan was actually referring, or you know, covering earlier in his presentation. The change with the semi static key schedule is basically to take the output of the client, ephemeral and server static and put it in that slot more or less, and then computer Mac with that secret.

C

How convenient that we have that zero there to negotiate this thing there will be a extension of art. You know addition to the signature scheme, enumeration that says: I support signatures with p2p physics or whatever in the name group you want, and if the server supports it it would just you know, send back either a delegate or credential if you who also supported delegated entries or whatever mechanism, I, think the actual like details of how we get the keys deliver to the client and potentially something we can work out.

C

I'm sure there are, you know many ways: we can paint that bike shed.

F

Yeah, you know nothing Thompson I know this is just a spelling exercise, but I'm wondering whether the the scope of the changes you have here are appropriate for doing something in signature algorithms, rather than, for instance, having a new extension to signal these things and even potentially a new message that you would send in in replacement for certificate verify, for instance, so.

C

Go for one point: one of the open questions this one that we just drop. This tip here verify entirely and just rely on the aad kind of giving us that confirmation. So, yes, that's, potentially one option. You know new extension to negotiate it. A new message is to forget verify. Potentially this.

F

C

They're a little.

F

More comfortable with making making this a new extension I'm, not sure that I know how to make the decision about certificate, verify and finished here it seems like finished, might work but I'm uncomfortable with that. But yes,.

C

That certainly needs more analysis. The nice sort of appealing property is, it makes it more of like a noise like protocol, where you don't have like explicit things, giving you confirmation you or just like fold it into the key schedule as you go forward, yeah yeah.

G

So they think pieces right, um I mean I. Think that the reason we did this way that the design were like is indicating is, is like the size. The purpose that is the function these are serving right, I mean it is, it is verifying their certificate is binding the certificate to the to the transcript to the traffic you're sending.

G

In fact you know if you like, if you are, if you will notice like but cozy cozy and hose they refer to these things as soon as I believe very often I, don't like any more than you do, um but it is definitely I mean it's not a signature bit certificate verify.

G

um So, on the on this question about stevia, verified versus finished, um this turns out to be a full circle problem on a few electric we're here we would tell you is that the the reason why you have to have to forget verify is because you are using the warm diffie-hellman key to authenticate the short trend, refueling key, and that means that and and that me and that and that- and that means that you have to have a and so there's this question- that circular dependencies between those two and so and so finish, to use both of them and so uh and so like so this is a purse is so you must of you verify what you want to have.

G

Is you want to have a Mac that is solely composed of jadx and GES over the rest of the transcript and so I thought we thought the spec said, but am III was a while ago I? Would it does yeah yeah and so, and so you so and the purple are finished- is to provide liveness for the entire.

G

If I live this for the entire, the entire liveness and verification of both keys right and so, um and so it's and so, and so I mean you- can measure moving the finish in TLS ordinarily, but then you lose the property, the property that seek a property which is the handshake alone without any reference to the record layer guarantees, completion of the handshake in the properties, so I think you do I mean um that that's so I mean you could say: I, don't care, there's a girl, dependency and I sort of like Hugo told me this I was kind of like like I'm like a caveman so like whatever, um but um but like it seemed important and I'm gonna.

G

uh This is a situation. I'm kinda for any cool talk refers. He told me that, like this early fantasy, she's important.

G

F

I was I was more worried about this, extending to changes in the protocol that were more than just confined to the signature, negotiation and construction, because the insertion into the key schedule is is is a new thing that that some implementations, maybe you're, prepared to do. If you do that solving inside the certificate.

G

So I guess I would say that, like um so good, can we go to Chris's on benefits your benefit list? Yes, so I mean we could simply I mean way.

G

Could simply say we don't care at this lost benefit right and then we could dole sit your bowl assistant, which is isomorphic to 1/3, which really just use max instead, instead of instead of instead of signatures and um and would actually be like perfectly fine protocol right um and um I guess later later, on, Chris I think demonstrate Chris talks about client authentication and it's in the current clients in vacation mode.

G

We do not, in fact we not in fact mix them, um and so it is a little goofy honestly um and so like I would not actually I think Karthik was was pushing for basically keeping the current TLS like structure and not using that last joint in the protocol, so I'll be a totally valid thing to do. um um It would be um I am like different people have different laws. I guess you weren't in Lake yesterday, but different people, different levels of sympathy for this petitioner at the long term versus short term secrets.

G

I have like not a human and sympathy, because I generally figure they're sitting in the same like in the same like memory locations. um But if you had, the usual rationale is that you have the is that you have like the long-term secret in some way special box somewhere.

D

Two quick points: is it obvious that this gives you the same guarantees or equivalent guarantees, as tell us 1/3 in its ordinary mode.

C

The authentication properties are slightly different, obvious.

G

Might be false, I believe this, the case and I think digital modeling of it, but I think like that, would DVD right, sorry isn't I believe it does. But yes, um it may be to false. Is.

D

The intended design that it does yeah.

B

Can we make this quick because.

G

Yeah we just do separately.

D

I'm second thing: this is yeah a draft that is modifying the key schedule and we should do that in a consistent way. Oh convenient.

C

Cheap plug yeah, so there's also open question of how we have want to do clarification. The draft has one particular approach. Maybe that's not the one we go with. There is a entire open question about whether or not you use the semi sector for zero RTT and how you actually deal with early data instead of like using tickets to you, know, potentially internalize like early data encryption to a server and how you get the semi set of key and those particular scenarios and they're.

C

So an open question about how and when you can reuse a you know: semi static, diffie-hellman key share, particularly when you're dealing with post quantum stuff, which not it's not always safe to use Viki more than once so explicitly.

C

Considering that we have compact TLS going on and there's interest in, this particular work, and this has benefits relevant to that like to know if the working group is interested in adopting this and moving it forward. Of course, there are a lot of holes to plug and things to work on, but I think we could sort them out, especially in you know, in cooperation with Hugo and Karthik, and folks like that, going forward so yeah.

B

So I think we'd like to get a sense of the room, so we'll have a homme on first. If is this working group interested if people interested in pursuing this topic? Yes, and no so hum if you're interested in in pursuing this topic, um if you think the working group should not pursue this topic, okay,.

B

There's somebody want to get up and voice their discontent.

B

How many folks are willing to review this draft.

B

About 10, our folks willing to contribute text.

I

B

I

Take that to the list to verify group consensus for adoption and we'll kick that off. David Benjamin you're up next.

X

Hi yeah, so problems always get better when you throw more cultures at them. So why don't we do that.

X

Yes, so if we look at TLS handshake cost, we've got like various symmetric junk, which is basically free as far as we're concerned compared compared to the other stuff, client and server. Will each do any CDH operation, which is much slower than the symmetric stuff, but you know we can negotiate a fast DC curve and that's pretty independent of like other things, and then you've got like a signature with a long-lived key which can get kind of expensive in some scenarios.

X

For instance, if you're a hosting provider the customer may be provided you an RSA key, so you don't get to use any nicer like elliptic curve algorithm. Also, there's a long-lived secrets. You may apply various things to be less paranoid about them. Maybe you like RPC to some remote thing.

X

Maybe you stick it in some hardware thing and these things make them more expensive, and so can we lower the signature costs so other proposal is you go combine a bunch of concurrent batching signatures into a Merkle tree, sign one thing, and then that will cover exponentially many clients and that way we can amortize the cost of things. So yeah the structure is fairly boring. You have you can like either hash a leaf or hash two nodes together and then the signature is a path. This is more useful with a picture.

X

So, if you have say three clients come in at once and you're signing thread wakes up and you're like oh okay, I need to go, make a signature. They build a Merkel tree on top of this I'll talk about what the weird blind or nodes are later sign. The signature sign the root, and then you ship a path, or rather the nodes to the side of the path to each client and this constantly logarithmically many okay, it's not very coherent.

X

She slides, after all, to verify you do the usual Merkel tree verification thing: you recompute the rouge hat root hash by hashing the path nodes up. So in this picture you would start from input to go hat like compute the hash up. There pick the bottom node in the past recompute.

X

The next level pick the next node in the path recompute the level after that, until you get up to the root and then now, hopefully, that value matched and you'll find out, because if not the signature in the that you got chipped will not verify yeah, that's fairly boring the draft define.

X

So in order to advertise, we define some new signature, you've seen code points which say do the normal signature thing, but also this thing and as a result, we can now amortize our signature costs, while the signing thread or whatever is busy right, you're, presumably going to be queuing up inputs next time and wakes up rather than picking up the next input, it picks em all up and signs them all at once and at the cost of logarithmically many hashes added to the signature size, you can increase your signing capacity by two to the N and so for a few hundred bytes you get a hundred or a thousand or a million x in signing capacity.

X

So, basically you do not care about your signing throughput anymore at all. The TLS implementations need to be modified, but yours, but you can use the same certificate. You can use the same like signing, RPC or whatever, because the only thing that changes as far as the signing machine is concerned is the input we do require modified peers, and so presumably, if you have, if you have a new deployment, you could say just require this, and then you don't care about the legacy case.

X

If you have an existing deployment, then you can still get some benefits here, because the average load will decrease if many peers support it and under load. When you're doing the Austin have to decide which piers to which requests to like throw away, you can preferentially serve the basketball ones since they're much cheaper and I've been essentially saying, piers and everything, because this applies symmetrically on client or server, although usually the dose concerns are on the server side.

X

Some details, the domain separation of the inputs is preserved because we don't throw away the contact string. The signature on the root has its own context string so that can't be mixed up with non batch signatures, since presumably your client, it's your your key is going to be servicing both kinds of clients, the blinding nodes which may not actually be necessary, but since in yes and I, the signing the assigning payload is secret.

X

And if you look at the tree, the first know you would get is the sibling the bottom node in the path would be the sibling. It would be the hash of a sibling in your tree, then, in order to not have to think about it or like well, it will just cost you to pay one extra level of the tree to just put some randomness in there and all the other nodes will have randomness merged into it doesn't actually leak the information.

X

What else do we have at some point? Unicode pad stuff? It's not a power of two, so just copy of them from other nodes of the tree levels, and then some information is revealed about signing loads. Sorry, oh yes, sorry there are details on this slide. They're not super important and there's a draft. Are there questions hey.

G

This is cool Merkle. Trees are always fun.

L

G

On Omar Eric was crawling little trees got a blanket moment, is always cool. Obviously, um can you control contrast' on this design against issuing jutsu DC with a very fast algorithm for this use case, yeah.

X

So I think the the main thing is that this will work with like without change. Like the DC thing, you have to go, build some infrastructure to go and and like deploy new news new certificate. New DC is regularly. You need to deal with the DC's only work if these are only useful if the lifetime is bounded by something relatively short, and so that means the verifier needs to have working clocks.

X

But yes, it's true that, like, if you do this, since, if you, if you do DC's instead than like that, will also get you some of the alike offsetting of things, because then you can punch some of the protections on the long-lived key that you would otherwise have had I'm.

G

German supporter of this I just wanted one I didn't wanted hear from you. You thought this is worthwhile doing. If you had DC's yeah.

X

They're definitely addressing very similar scenarios. There are some snares that we're interested in we're shipping short-lived starts for weird. We like, apparently that's difficult for some reason. Think.

I

All right, so we have five minutes left, so I'm clipping the line all right.

F

Thompson to birthing z' I think you can avoid the extra full hash for the blinding I think that was discussed briefly on the list, but I.

X

F

We can talk about that later and because this is so clearly orthogonal did you consider minting a different type of certificate verify in order to avoid having to define an entire new axis for the signature schemes. I'm.

X

Not sure I'm, following if.

F

If you were to signal this is a separate extension and that caused you to generate a different certificate, verify message that had all the additional information in it I think it would both be more efficient and yeah.

S

F

Easier to manage long term so that it don't give me an answer right now, because I.

X

Did consider that the main reason was just so that, like this, this was slightly different constraints on the hash, and this way we didn't have to think about that Daniel.

Q

Con Gilmore I'm supported this work. You mentioned that it may leak some information about the server load. I, don't think you need to do that. The signer can always sign a tree of arbitrary depths and it's going to be cheap when, especially when you're not under load, which is when you need to extend the size of the tree so yeah well,.

J

Q

And thank you for including the binding, I think it's you know it's right to not want to have to think about that.

B

Rich Souls, Akamai yeah I support this stuff. You had me it when you're signing thread falls behind.

H

Ben Schwartz, if this seems like it, could be good for slow post quantum signing. Is that a? Is that a consideration so.

X

My understanding is, a lot of them are batched to begin with, but I haven't looked at it looked at that space too much. Maybe okay, thanks.

L

Christianity mom, that's, we could walk, but it kind of makes me sad, and the reason it makes me sad is that it makes the big servers more efficient. And thus it reinforces the advantage of the big servers above the small ones, and it pushes towards ever more concentration on the market in the internet. And that's what makes me sad and.

X

Also, the big server I guess so yeah. If the big servers are also putting everything on one key, then yeah you can batch more but I yes, I understand.

L

Economies, Law &, Order, yes, but I, mean and and Eric was asking the contrast, wisdom in the DC solution and a DC solution as the property of also making it better for small guys which, which is an advantage I, think.

I

I've cut the line guys because we have like two minutes to do this and I want to I've. Seen I've heard a lot of support for this. So.

J

This is a good idea, because I essentially changes the cost of handshake from owing, where n is the conditions, 201 and I, really like it from a toast activation perspective. So.

I

At the last hour here, we think when indulge hopefully you'll indulge me and stick around for the last two minutes, so we can do these requests. There are a number of requests, or a number of people study that they were in support of this draft. So I would also like to do or can group adoption hums for this draft. So two questions yes or no, basically. Well, let's start off without other people interested in working in this draft. If you are interested in working in this draft, please home now.

I

Show of hands and people that would be willing to contribute like five six seven hands. So let's do the formal home. If you would like to adopt this as a working group item, please hum now, if you would not like to adopt this as a working group, I didn't please hum now.

I

Great thanks for take it to list. Oh yes, for the minute taker, it was yes.

I

A

I

Tweaks to the CTLs, if you just read that real, quick and I can send it.