►
From YouTube: IETF108-LAKE-20200731-1100
Description
LAKE meeting session at IETF108
2020/07/31 1100
https://datatracker.ietf.org/meeting/108/proceedings/
A
A
A
All
right,
so,
let's
get
going
so
welcome
to
the
lake
working
group
meeting
of
ietf108s,
not
in
madrid.
Sadly,
but
hi.
I'm
steven
and.
A
Okay,
so
we
have
a
relatively
short
agenda.
I
don't
know
how
we'll
go
to
time,
but
we
have
like
an
hour
and
a
half,
or
so
you
can
see
the
various
links
you
can
see.
This
is
the
noteworld
that,
if
you've
been
at
other
meetings
during
the
ietf
week,
you
have
seen
it
you
need
to
understand
what
it
says
and
here's
our
agenda.
A
So
we
have
we're
in
the
middle
of
point
zero
agenda's
gone
then,
given
that
the
working
group
have
adopted
ad
hoc
we'll
have
a
introduction
to
that
which
is
some
of
which
was
repeated
previously,
but
some
of
which
has
changed
over
the
last
while
so
it's
it's
worth
doing
as
a
scene-setting
thing,
there's
a
few
open
issues,
we'd
like
more
and
then
there's
some
discussion
of
some
proofs
related
to
ad
hoc
and
aob.
So
does
anybody
want
to
bash
the
agenda
right
now.
A
Okay,
there
should
be
time
for
aob
at
the
end.
I
suspect
it
need
be,
otherwise
we
can
move
on
to
quran.
So
if
you
want
to
jump
in
the
queue
around
and
send
requests
to
be
sending
there,
you
go
okay,
so
the
so
manager
will
drive
the
slides,
if
you
just
say
next
slide
at
the
relevant
point
in
time.
That
would
be
great.
C
Yes,
so
just
a
background
here
we
have
been
adopted.
This
is
the
working
group
draft
which
we
will
adopt
it
in
late
june,
so
this
version
of
the
draft
is
essentially
identical
to
the
latest
individual
submission,
just
some
references,
updated
and
and
some
comments
on
the
test
vectors
in
the
appendix.
C
So
if
you've
read,
if
you
read
that
the
previous
version,
the
latest
individual
submission
there
is,
there
is
not
so
much
new
in
this,
but
then
again
the
protocol
has
been
changing
last
year
and
we
have
never
given
any
detailed
description
in
lake.
So
so
that's
why
we're
having
this
this
presentation
next
slide.
Please.
C
It's
really
really
small
font
here,
let's
see
if
we
can
get
read
everything
and
through
through
the
meat
echo
so,
but
there
are
two
background
slides
in
case
you
haven't
missed
the
discussion
the
last
half
year,
so
the
edoc
is
is
intended
to
be
like
a
lightweight
authenticated
key
exchange
to
match
the
lake
requirements
and
in
particular
there
are
some
challenging
performance
benchmarks
and
there
is
also
the
ambition
to
reuse
building
blocks
used
by
oscorp,
which
is
lacking
an
ache,
and
those
building
blocks
are
primarily
seaboard
for
encoding,
cosy
for
seaborne,
encoded,
crypto,
wrapping
and
co-op
for
default
transport
and
just
a
disclaimer
here.
C
C
These
type
of
variations
is
something
we
need
to
cater
for
in
the
problem.
Next
slide.
Please
so
now
this
from
from
here
on
to
to
the
end,
this
is
focusing
on
on
the
protocol.
So
let's
go
into
the
different
message
fields.
There
are
three
messages
and
an
additional
error
message,
and
each
each
message
is
a
sequence
of
seaborn
coded
data,
so
using
the
sibor
sequences,
which
is,
has
now
become
an
rfc
and
yeah
next
slide.
Please.
C
So,
on
a
high
level,
we
see
the
this
is
a
different
help,
diffie-hellman
key
exchange,
so
we
see
the
efmeryl
public
keys,
x,
gy
and
we
see
the
encrypted
blobs
here.
The
first
is
and
message
two:
there
is
an
xor
which
is
different
from
from
previous
version
of
the
protocol,
which
was
an
authenticated
algorithm.
C
Now
it's
changed
after
carefully
reading
the
sigma
sigma
analysis,
and
then
we
have
an
aad
in
the
third
message,
so
we'll
come
later
to
the
encryption
keys
and
the
identifiers,
but
just
for
no
now
we
note
that
there
is
this
signature
or
mac
structure,
which
is
either
a
mac,
then
sign
or
a
mac,
and
that
depends
on
the
authentication
method.
C
So
adhoc
specifies
four
authentication
methods
targeting
the
variety
of
it
use
cases
mentioned
before
so,
for
example,
the
initiated
responder
could
both
have
signature
public
keys
to
authenticate
with,
or
they
could
have
static,
helmet
keys
or
it
could
be
a
mix
and
yeah
I
mean
these.
The
setting
here
is,
I
mean
this
is
what
we
think
is
is
needed
by
the
scenarios.
This
is
something
we
could
could
re-evaluate,
but
but,
as
it
seems,
we
we
still
need
to
have
because
of
the
ecosystem
around
pki
for
authentication
and
the
tools
available.
C
But
on
the
other
hand,
if
you're
using
raw
public
keys,
then
you
you,
don't
necessarily
need
to
use
signature
public
keys,
but
you
could
get
much
lower
overhead
with
republic
with
the
static
divi
helmet
and
there
is
a
mix
of
raw
public
keys
and
certificates
which
leads
to
this
mix
up
of
credentials.
C
In
this
first
element
we
also
have
a
field
on
correlation,
which
is
the
an
encoding
of
what
what
correlation
is
provided
by
the
underlying
transport
and
that's
useful,
for
example,
for
for
the
connection
identifiers,
and
so
there
are
explicit
connection
identifiers
for
the
initiator
and
responder,
and
those
may
be
omitted
if,
if
the
underlying
transport
already
provides
that
information,
so,
for
example,
with
core
equals
one,
there
is
a
correlation.
C
C
C
So
this
brings
us
to
the
cypher
suites,
and
the
cypher
suites
is
an
a
cipher.
Suite
is
an
ordered
set
of
cosi
code
points,
both
cosy
algorithms
for
ad
hoc
and
also
for
the
application
in
this
case
auscore.
C
So
it's
a
seven
tuple.
The
five
first
are
are
the
algorithms
for
ad
hoc
and
the
two
last
are
for
for
the
application,
and
this
seven
tuple
is
then
identified
by
an
integer,
and
here
are
the
four
cipher
suites
which
are
defined
in
the
draft
next
slide.
Please.
C
So
each
each
suite
is
an
integer
and
the
protocol
field
suites.
I
is
an
ordered
set
of
suites,
starting
with
a
selected
suite
and
following
the
supported
suites,
which
are
the
cipher
suite
which
the
initiator
supports
in
order
of
preference
and
this
supported
suites
that
can
be
truncated
at
the
end
and
if
the
truncation
of
the
supported
suites
is
only
only
leaves
one
suite
coinciding
with
the
selected
suite,
then
you
can
just
use
that
suite
as
the
element
of
swede's
eye
next
slide.
Please.
C
So
here
here
is
an
example
of
how
cipher
suite
negotiation
works
and
it's
using
the
error
message.
So
the
error
message
in
general
has
potentially
three
fields:
it's
an
optional
connection,
identifier,
it's
an
error
message,
which
is
the
text
string
and
it's
optionally,
the
suites
r
containing
the
cipher
suites
in
suites,
I
supported
by
the
responder,
and
if
it's
only
one,
then
you
could
have
just
that
int.
C
So
here's
an
example
of
using
the
the
error
message:
suites
r
can
only
appear
in
responses
to
message
one-
and
this
is
the
case
here.
We
have
message
one
containing
it's
an
initiator
supporting
cypher,
suites,
five,
six
and
seven
select
suite
number
five.
Responder,
however,
does
not
support
suite
number
five,
but
suite
number
six,
so
it
responds
with
r
equals
six,
and
then
a
new
session
is
shown
here
where
the
initiator
is
selecting
suite
number
six
and
includes
a
truncated
list
of
supported,
cypher
suites
next
slide.
Please.
C
The
id
cred
is
encoded
as
a
cosy
header
map,
which
means
it's
a
seabor
map
and
it's
using
specific
cozy
header
parameters
from
from
a
certain
iana
register
and
out
of
this
register,
you
could
see
you
could,
for
example,
you
could
use.
Rpk
can
be
identified
with
a
kid
header
and
certificates,
which
kid
is
essentially
a
key
identifier,
and
a
certificate
x.
C
C
Yes,
so
that
brings
us
to
so.
These
identifiers
are
encrypted
as
well
as
signature
mac,
and
that
brings
us
to
the
to
the
key
hierarchy,
and
this
is
really
small
font
now,
but
fortunately
there
are
colors
here.
This
this
picture
is
inspired
from
the
from
the
tamarind
formal
verification
paper.
C
There's
a
question
in
the
in
the
chat
here:
what
does
rpk
mean?
That
means
raw
public
key,
but
apparently
he
left
the
room.
Maybe
he
got
the
message
before
leaving,
and
so
so
this
key,
as
I
said
this,
this
picture
was
taken
from
from
a
simpler
version
was
taken
from
the
formal
verification
paper.
Thank
you
very
much
for
that
and
I
tried
to
fill
in
the
details.
So
let's
use
the
colors.
C
So
in
red
we
see
the
different
helmets
shared
secrets
at
the
top.
Is
the
ephemeral
fml
shared
secret
and
on
the
left,
it's
the
ephemeral,
static,
shared
secrets,
and
this
is
their
input
and
the
output
here
on
the
right
hand,
side
in
blue
are
the
encryption
and
mac
keys.
C
So
a
little
bit
more
careful.
Look.
We
see
that
at
the
top
is
the
ephemeral,
ephemeral
key,
which
is
which
is
and
to
the
left.
We
have
the
female
static
keys,
which
are
used
together
with
hdadf
extract
green
box
to
get
the
pseudo-random
keys,
which
are
the
orange
boxes
and
and
there's
a
dependency
on
method
here.
C
So
just
for
example,
we
take
method
0,
which
is
the
zig
zig
both
have
signatures,
and
in
that
case
there
are
no
ephemeral,
static
keys,
so
the
input
from
the
left
is
omitted
and
the
the
pseudo-random
keys
are
all
the
same,
and
then
it's
only
differing
in
the
transcript
hashes.
C
In
this
case,
the
max
are
being
signed,
or,
as
another
example,
we
take
the
method
three,
which
is
the
static
diffie-hellman
static,
diffie-hellman
case
when
both
the
fml
static,
shared
secrets
are
involved
and
their
the
prks
are
all
different,
and
in
this
case
they're
the
max
are
not
signed
next
slide.
Please.
C
So
this
particular
example
here
is
showing
the
third
party
authorization
optimization,
so
instead
of
first
running
an
authentication
protocol,
this
is
a
device
now
joining
a
network,
a
device
on
the
on
the
left
hand,
side
a
domain
authenticator
in
the
middle
and
they
are
running
ad
hoc
and
then
there's
a
third-party
authorization
server
on
the
right.
C
Yes,
so
we're
done
with
going
through
the
protocol
fields.
There
are
two
slides
more
in
this
part.
One
is
about
this.
One
is
about
how
to
transport
ad
hoc
in
co-op
and
another
use
of
oscore.
C
C
So
this
is
a
one
and
a
half
round
trip
for
the
protocol,
and
if
you
want
to
use
oscore,
you
could
either
complete
the
two
round
trips
and
then
start
the
oscore
request
response
over
co-op
or
you
could
include
the
score
request
response
in
the
second
round
trip,
as
is
discussed
in
this
draft
referenced
here,
which
is
proposed
for
core,
and
that
basically
gives
you.
The
ad
hoc
authenticated
key
exchange
and
oscar
first
oscore
request
response
in
two
round
trips,
and
the
last
bullet
just
shows
how
you
get
the
oscar
security.
C
D
C
This
is
the
final
slide
here
and
then
you
can
take
questions,
so
there
is
a
as
was
announced
in
in
the
responses
to
the
adoption
call.
A
lot
of
people
are
working
on
implementations.
C
C
Stefan
ristisov
has
made
a
he
has
actually
implemented
all
methods
in
microcontrollers
and
also
some
different
implementations
using
armed
trust
zone,
and
it
has
made
some
performance
measurements
on
that
which
he's
working
on
publishing
and
also
his
code
is
planned
to
be
open
sourced,
but
I
yeah
we
have
to
ask
stefan
would
state
this
on
that
universe
of
mercy.
Mercia
have
been
doing
ad
hoc
implementations
for
a
long
time,
and
the
current
contact
point
is:
is
edward
ingles.
C
There
is
also
c
plus
programming
program
in
in
the
old
ad
hoc
repo
for
generating
test
vectors,
so
that
that
concludes
the
presentation.
Are
there
any
questions.
F
C
Let's
see
now,
the
the
additional
data
is
also
included
in
the
external
iad.
I
think
I
need
to
look
at
that.
I
don't
know
I
don't
off
the
top
of
my
head.
D
F
C
F
C
On
the
list
right,
but
basically
the
the
intent
here
is
the
security
guarantees
provided
for
the
additional
for
the
auxiliary
data
is
that
we
have
actually
no
guarantees
for
for
81
and
for
82.
We
we
don't
know
it's.
We
cannot
say
it's
confidential
because
it
depends
on.
I
mean
you,
don't
know
who
starts
this
protocol
or
who
is
involved
before
you
actually
get
to
message?
Three,
so
83
could
be
encrypted
and
and
integrity
protected,
but
82
doesn't
really
have
any
at
least
no
confidentiality
guarantees.
C
I
have
to
look
up
the
integrity,
okay
thanks
so
just
to
get
onto
that.
I
don't
know
that
particular
example
in
that
particular
example
in
the
draft
with
auxiliary
data
and
third
party
authorization.
In
that
case,
the
auxiliary
data
is
basically
a
a
mac.
So
it's
a
truncated
mac,
eight
bytes,
truncated
mac.
That's
the
content
in
that
example.
E
D
D
Yeah
there
is
a
transcript
hash.
There
you
go
yeah
that
one
the
the
float
right
there.
The
th2
should
include
the
hash
of
the
messages
which
should
include
the
the
additional
data.
If
that
makes
sense,.
F
B
A
G
Yeah
go
ahead.
Hi.
Can
you
hear
me?
Yes,
okay,
so
could
you
go
back
a
few
slides
where
there's
this
explanation
on
this
method,
car
or
like
what
happens,
the
the
initiator
is
suggesting,
like
I'm
trying
to
understand.
Is
there
any
requirement
on
the
initiator
to
know
what
kind
of
authentication
it
expects
from
the
responder,
especially
if
it
has
rpk
psk
certificates
like?
Could
you
explain
that
part
again?
I
wasn't
sure
like.
C
Yeah
currently,
there
is
no
no
negotiation
or
information
sharing
on
methods
here,
so
this
this
assumes
that
the
initiator
knows
whether
the
responder
is
going
to
use
a
signature
or
a
static
default
monkey.
That's
basically
what
it
needs
to
know
and-
and
there
is
an
option
if
we
want
and
that's
that
we
provide
use
the
same
type
of
error
flow
as
for
cypher
suites,
to
provide
further
information
about
methods,
but
that's
not
currently
included.
G
Yeah
yeah,
I
think
that's
that's
something
for
you
to
consider
if
it's
worth
adding
and
also
also
the
case
where
maybe
the
initiator
has
several
credentials,
especially
if
I
think
of
group
scenarios
where,
in
some
cases
you
might
want
to
like
identify
that
someone
is
a
member
of
the
group
or
then
individually
identify
that
initiator.
G
Then
you
might
want
to
like
have
some
kind
of
error
flow
for
con
cases
where,
like
you,
can
tell
the
initiator
that
maybe
psk
is
not
good
enough
and
you
need
to
use
certificate
based
authentication,
for
example,.
C
Yeah,
so
the
current
just
to
clarify
the
current
assumption
is
that
we
are
only
using
asymmetric
protocol
here,
so
so
psk
based
authentication
is
out
of
scope
for
for
for
the
initial
scope,
but
it
is
the
option
between
signature
and
diff
and
and
static
different
helmet,
that's
currently
unknown
to
the
initiator
when
it
comes
to
identification,
how
to
get
the
the
credential.
C
That's
that's
provided
in
the
id
cred
r,
so
that
that
should
be
the
either
the
raw
public
key
itself
or
an
identifier
to
something
that
you
could
fetch
the
public
key.
But
currently
there
is
only
the
case:
either
signature
or
static
difficult.
So
I
don't.
I
don't
know
if
the
what
the
group
setting
would
be.
C
G
Multiple,
I
guess,
if
you
don't
support
psk,
then
it
doesn't
really
make
a
difference,
but
in
in
case
there
was
this
psk,
then
it
might
be
the
case
that
for
certain
operations
you
just
want
to
verify
that
the
node
is
a
member
of
the
group
and
maybe
like
the
psk
that
is
configured
for
the
group
is
fine,
but
for
some
other
operations
you
want
to
identify
the
device
and
individually
and
want
to
use
certificates.
C
C
G
G
You
mentioned
that
the
device
or
the
initiator
can
use
a221ar
certificate,
yes,
as
authentication
credentials,
and
then
you
also
mentioned
later
on
in
this-
that
you
can
like
combine
the
enrollment
in
this
auxiliary
data.
So
I'm
wondering
like
is
the
goal
that
you
start
with
the
certificate
and
then
get
another
certificate
or
like
enroll
another
certificate
or.
C
Yes,
that's
one
one
scenario
that
you
start
with
say
that
the
manufacturer
built
in
credentials,
so
you
in
the
factory
you
provision
a
a.
I
think
it's
called
idev
id,
which
is
the
signed
by
the
manufacturer,
and
then
when
this
device
is
being
provisioned
and
being
commissioned
being
deployed
in
a
network,
then
you
want
to
enroll
a
an
operator
or
a
network,
a
network
operator
certificate.
C
So
then
you,
you
would
authenticate
with
one
certificate
and
you
would
for
the
purpose
of
enrolling
a
second
certificate
and
just
just
to
add
to
that
in
neither
of
those
certificates
need
to
be
transported
over
the
constrained
link.
C
So
you
could,
both
in
the
case
when
you
authenticate
you
could
provide
a
reference
and
the
result
of
the
enrollment
could
also
be
a
reference
going
back
to
the
device.
So
the
only
thing
you
have
is
your
pilot,
your
public
key.
Of
course
you
need
to
have
your
key
pair
on
the
device,
but
certificates
stay
out
of
the
constraint
links
and
that's
the
type
of
scenario
where
you
want
to
where
you
may
want
to
use
your
auxiliary
data
to
integrate
enrollment
with
authentication,
okay,
yeah.
Okay,
exactly.
F
Yeah
just
to
follow
up
on
the
latest
bit
so
when
you're,
using
a
reference
to
the
certificate,
would
that
be
possible
for
the
device
to
never
actually
have
to
de-reference
the
reference
to
its
own
certificate
and
just
sort
of
get
back.
So
it
gets
back
a
uri,
and
it
knows
that
that
uri
corresponds
to
its
own
certificate.
F
C
F
B
Okay,
so
I
guess
we
should.
We
are
a
bit
over
time,
so
I
guess
we
should
conclude
now
stephen.
What
do
you
think
one
more
in
the
queue?
Oh
there's
one
more!
Thank
you!
Yes,
okay!
Let's
take
that
one.
H
Hello,
can
you
hear
me?
Yes,
yesterday
hi,
I
have
a
question
I
think
regarding
the
previous
one
with
muay
thai
and
it's
a
it's
a
purely
a
deployment
scenario.
H
So
I
understand
that
you
know
it
could
be
a
manufacturer
signed
802.81
air
certificate,
but
you
know
many
practical
scenarios
right
say,
for
example,
I
may
buy
a
device.
Then
I
activate
that
after
one
year
and
if
the
certificate
is
invalid
is
that
that
protocol
there
is
any
way
before
the
you
know,
operator
certificate
is
assigned.
There
is
any
way
to
actually
verify
or
bootstrap
that
device.
C
C
That's
in
at
least
in
the
initial
scope,
and
I
I
don't
know
exactly-
I
don't
have
an
answer
to
your
question-
how
this
will
handle
it
specifically,
but
I
can
imagine
that
you
could
have
that
type
of
some
sort
of
revocation
related
information,
but
I
mean
it's
a
hard
question:
what
what
happens
to
the
device
if,
if
the
the
only
credential
assuming
this
is
the
only
credential
it's
using
and
it's
expired,
then
of
course
that's
a
problem
for
for
using
that
device
in
general
yeah.
H
Yeah
so
yeah,
I
understand,
I
think
it's
possibly.
I
was
just
curious
right
because
I
think
that
it's
not
that
it
may
not
be
expired
right,
but
you
know
that
there
are
lots
of
lots
of
you
know
companies
they
produce
the
device
manufacturer
and
then
companies
sold,
and
you
know
there
could
be
a
lot
of
other
things
right
so
from
a
consumer
perspective
right,
you
know
whether
there
will
be
a
way
to
actually
would
stop
that
device.
H
So
that's-
and
I
understand
that
these
are
the
scenarios
difficult
to
you
know,
cover
all
the
scenarios,
but
it
just
you
know,
I'm
curious
that
whether
you
thought
about
that.
C
No,
I
don't
have
any,
I
mean
I
don't
have
anything
more
than
than
you
know.
I
said
yes,
no,
so
sorry
good
thanks.
I
C
If
it's
a
rob,
if
the
raw
public
key
may
either
be
a
public
signature,
key
in
which
it's
used
for
signing
or
it's
used,
is
it's
a
static,
diffie-hellman
key,
in
which
case
it's
used
to
generate
the
shared
secret
which
is
used
in
the
key
scheme,
this
colorful
picture,
key
hierarchy
and
and
to
create
the
keys,
derive
the
keys
used
for
encryption
and
mac.
B
Thanks,
okay,
so
let's
conclude
then
and
go
to
the
next
item
in
the
agenda,
which
is
the
open
issues
of
the
ad
hoc
draft,
so
I
will
switch
the
slides
joram.
You
are
again
the
presenter.
C
So,
yes,
we
have
started
to
compile
open
issues.
We
are
using
the
lake
repo,
the
lake
working
group,
github
repository,
which
you
see
the
link
here
and
the
currently.
It's
only
three
issues
based
on
the
comments
we've
got
so
far
and
yeah
and
then
there's
at
the
end
there's
some
next
steps
also,
but
let's
go
for
the
three
open
issues
next
slide,
please.
C
So
the
first
yellow
was
a
straightforward
comment
by
martin
dish.
He
thought
that
reading
cozy
was.
He
didn't
want
to
read
too
much
of
cozy
to
implement
ad
hoc,
and
we
have
already
subsection
in
appendix
a
speaking
about
cosy
and
we
can
definitely
expand
that
on
on
cosy,
sign
and
cosy
encrypt
without
duplicating
the
specifications.
So,
yes,
we
should
do
that
next
slide.
Please.
C
This
was
a
comment
by
rene
stroik
why
we
are
enforcing
both
shaft
iron
12
and
shaw
256.
So
the
setting
is
this
that
the
cipher
suite
zero
and
one
includes
ed25519,
which
specifies
shaw
512,
but
we
also
as
explicitly
the
hash
functions
used.
We
also
require
256,
because
that's
that's
typically
what
you
would
use
with
with
with
this
setup.
C
C
Would
make
it
look
like
a
less
of
a
requirement,
but
you
still
it
doesn't
really
solve
the
problem,
and
then
there
has
been
discussions
about
ed25509
with
shot
256
and
I'm
not
really
up
to
date
with
all
with.
What's
the
latest
date
there,
but
just
strictly
speaking
from
an
iot
point
of
view,
I
mean
this
type
of
implementation
and
constrained
device.
B
This
is
malicious
speaking,
so
most
of
the
hardware
I've
seen
implements
sha
256
and
I
think
it's
from
the
implementation
point
of
view.
It's
important
that
we
converge
on
a
single
algorithm
to
use
so
either
option
two
or
option.
Three,
I
think,
seems
the
most
feasible,
but
for
option
three,
I'm
not
familiar
with
the
current
state
of
the
development
of
the
documents,
so
maybe
someone
could
chime
in
there,
but
essentially
the
bottom
line
is.
I
would
like
to
see
a
single
algorithm
that
we
converge
in
a
single
algorithm,
hash
algorithm
to.
B
A
Okay,
so
I
guess
we're
resolving
this
issue,
or
it
probably
needs
some
some
discussion
on
the
mailing
list
and
maybe
checking
with
the
cforg,
particularly
if
option
three
was
ours.
No.
G
Yeah,
I
was
just
also
writing
in
in
the
java
chart,
so
this
is
something
we
encountered
a
while
back
in
six
law
and
thanks
to
renee.
I
think
we
have
solved
this
issue,
so
I
I
would
put
a
link
to
a
couple
of
drafts
on
on
how
we
have
done
it
in
six
low
working
groups.
So
basically
we
use
a
different
representation
convention
for
the
same
curve.
G
So
that
that's
the
plan
for
the
elvik
draft,
which
renee
has
written,
I
mean
it-
has
already
undergone
last
call
second
reviews
and
so
on,
but
we
agreed
with
the
a
ad
that,
when
the
idf
last
call
is
issued,
cfrg
would
would
also
be
informed
of
this,
and
this
is
something
again,
I'm
not
familiar
with
all
the
nist
specifications,
but
renee
seems
to
follow
them.
So
this
is
something
also
in
the
latest
nist
800,
something
something
I
can't
remember.
The
exact
document
number
sure,
but
I
mean.
A
I
I
think
people
should
be
aware:
there's
there's,
there's
probably
a
non-zero
probability
that
that
redefining
25519
with
chat256
is
something
that
does
not
turn
out
to
be
a
good
idea.
So
I
wouldn't
the
fact
that
something
is
in
a
flash
call.
That
assumes
that
does
not
necessarily
mean
it
will
happen.
I
think
that
that's
something
to
be
aware
of
and
the
discussion
with
cfrg
would
need
to
happen.
B
C
C
Right,
so
this
is
a
slide
with
too
much
text.
Unfortunately,
it
probably
complicates
the
issue
more
than
it
solves,
but
we
have
an
agreement
in
the
requirements
that
we
should
not
include
psk
ecdhe
in
the
initial
scope.
This
is
currently
in
the
draft,
but
we
need
to
take
it
out.
So
we
need
to
replace
that
and
I
think
we
need
to
first
discuss
a
little
bit
more
what
we
need
to
replace
it
with
and
that's
the
actions
there.
C
We
need
to
take
a
step
back
and
think
about
what
other
practical
attacks
on
iot
settings
that
we
need
to
handle
with
with,
for
example,
with
some
symmetric
key
scheme,
we
had
a
discussion
initially,
that's
a
mail
thread
reference
which
looked
at
how
to
provide
forward
secrecy
without
divi
helmet.
It
was
a
psk
symmetric,
key
based
scheme,
but
that
was
just
a
starting
point
and
it
didn't
really
look
at
at
the
problem.
It
looked
more
like
it.
C
C
I
mentioned
above
like,
for
example,
doing
key
rotation
within
the
session,
so
that
you
don't
need
to
take
down
a
session
to
to
change
keys,
because
you
could
do
it
if
it's
based
on
sequence
numbers
and
we
in
all
square,
for
example,
we
already
have
sequence
numbers,
then
the
client
and
server
knows
when
to
change
change
keys.
C
So
I
don't
I'm
not
sure,
I'm
making
this
very
clear
now,
but
I
think
we
need.
Basically,
we
need
to
restart.
We
need
to
take
out
the
pskhg,
that's
clear
from
the
requirements
and
exactly
what
we're
going
to
replace
it
with
needs
further
discussion
so
and
I'll
I'll
start
that
thread
again
on
the
email
list,
and
that
was
the
last
issue
next
slide.
Please.
C
So
next
steps
submitting
a
new
version
without
psk
is
esdt.
I
plan
to
do
that
on
my
plane
home
and
then
we
have
today
which
we
should
talk
about
now.
The
the
tamarind
verification
and
all
the
considerations
from
that
which
we
need
to
take
care
of
there
is
also
an
old
repo
with
issues
we
need
to
go
through
that
and
see
what
are
relevant
still
not
only
listing
issues.
We
need
to
fix
issues
too,
and
we
are
welcoming
more
reviews
and
at
some
point
we
should
should
plan
the
plug
tests
between
implementations.
B
Thanks
joran,
so
I
guess
so,
let's
write
down
in
the
minutes
that
the
action
point
for
you
is
to
start
the
discussion
on
the
on
this
issue.
Issue
number
three.
C
B
A
No,
but
I
would
encourage
people
to
open
issues
if
you're
opening
an
issue
on
github.
You
know
if
it's,
if
it's
an
editorial
or
a
name
or
something
then
just
doing
it
on
github
is
fine.
But
if
it's
a
substantive
issue,
please
also
send
the
mail
to
the
list
and
yeah
we'll
have
to
watch
where
this
question
happens,
on
github
or
and
or
on
the
mailing
list.
A
But
I
would
encourage
people
to
use
the
issue
tracker
and
get
up
and
create
issues
there
and
then
start
related
list.
Discussion
for
non-trivial
ones
does
does
any.
Has
anybody
who's
read?
The
draft
got
any
other
issues
that
they
might
want
to
not
formally
raise
now,
but
bring
up
in
audio
at
the
moment.
A
D
A
B
So
with
that,
let's
conclude
that
agenda
item
and
let's
skip
to
the
last
slot
before
I
before
any
other
business,
which
is
the
formal
analysis
of
ad
hoc
by
carl
carl,
can
do
you
hear
us
yeah
and
we
we
see
you
hi.
Can
you
hear
me
yeah
yeah?
We
hear
you
and
let's
just
say
next
slide
when
you
want
me
to
flip,
please:
oh
yes,.
J
Thanks,
okay,
so
this
is
a
sort
of
progress
report
on
the
formal
analysis
of
ethel
that
we
have
been
working
on
and
we
fixed
the
version
from
1st
of
march.
J
J
So
first
I
give
a
quick
overview
of
for
analysis
and
the
tamarind
tool.
Just
in
case
there
is
someone
who
is
not
sort
of
in
blood
and
then
I'll
give
a
quick
overview
of
the
framework,
as
we
view
it
and
what
we
have
analyzed
and
then
I'll
go
into
the
analysis
itself
give
an
overview.
And
then
I
will
dig
into
two
technical
details
which
I
think
might
be
the
most
interesting.
J
In
some
logic,
and
then
you
try
to
prove
them
for
that
model,
and
preferably
you
do
it
with
some
tool
that
can
help
check,
checking
your
thinking
so
that
you
don't
make
mistakes,
and
this
is
a
useful
process
to
do
at
least,
I
believe,
because
the
modeling
itself
and
and
the
sort
of
proving
the
work
you
do
with
a
lot
of
hidden
assumptions
and
inconsistencies
and
complete
requirements
and
vulnerabilities
and
so
on.
As
you
move
along
the
proof
that
you
end
up
in
the
end
with
is
maybe
not
so
interesting
in
itself.
J
But
the
sort
of
process
will
read
a
lot
of
interesting
stuff
along
the
way
and
it
forces
you
to
really
consider
what
type
of
attacker
are
you
trying
to
protect
against
and
also
just
again
specifying
things
clarify
what
you're
talking
about
when
you
write
sort
of
protocol
specifications
in
prose?
It's
very
sort
of
easy
to
to
imagine
that
that
you
have
the
same
understanding
within
a
group
but
about
how
it
works.
But
what
actually
you
might
have
different
ideas
and
the
more
precisely
the
better.
J
Of
course
what
it
does
not
do,
and
this
is
that
it
will
never
be
sort
of
a
proof
that
the
protocol
is
secure,
because
it's
not
even
clear
what
is
secure
means.
J
So
so
what
it
does
is
that
it
sort
of
splits
things
up
in
smaller
properties
and
show
that
some
certain
property
hold
in
that
model
of,
but
also
it
is
need
to
understand
that
there's
a
huge
difference
between
the
model
and
the
actual
protocol.
The
model
might
have
missed
stuff
that
that
the
protocol
is
not
is
doing.
It
might
have
sort
of
missed
the
attacker
capabilities
that
you
later
find
interesting
to
cover.
J
You
might
have
missed
properties
you
want
to
show,
or
while
you're
doing
the
modeling
you
might
abstract
away.
The
details
of
the
port
code
are
actually
important.
So
so
that
means
that
you
cannot
just
get
the
sort
of
stamp
saying
is
secured
when
you're
done,
but
you
get
more
detailed
knowledge
and
higher
assurance
level
of
the
protocol.
J
So
the
tamarind
tool
itself-
this
is
a
very
super,
simplified
view
of
what
it
does,
but
essentially
you
define
the
the
the
protocol
as
a
kind
of
description
of
the
the
roles
the
initiation
responder.
Then
you
sort
of
describe
what
the
attacker
can.
J
Do
you
put
that
into
some
into
a
modern
definition,
which
is
a
kind
of
a
parallel
function
program
if
you
like,
and
from
that
time,
tamarind
will
regenerate
conceptually
all
possible
executions,
all
of
these
agents
and
attackers
and
and
then
you,
you
define
the
properties
in
intel
style,
logic
and
and
you
sort
of
very
tamarind
will
help
you
prove
that,
where
these
properties
hold
overall
choices
or
not
or
whether
you
exist
to
certain
traits
with
some
property
that
you're
interested
in
yeah.
J
So
the
other
framework,
so
essentially,
there
are
many
way
different
ways
to
look
at
it.
J
But
essentially,
I
think
we
can
view
it
as
a
sort
of
it
follows
the
noise
framework,
with
addition
that
you
know
also
the
possibility
to
use
signatures
for
authentication
which
is
not
yet
supported
in
the
noise
framework
as
not
the
version
I
I
found
on
the
noise
homepage,
and
this
means
that
we
get
when
both
parts
use
and
signatures
means
as
we
get
into
a
sigma
style
protocol,
and
it's
very
very
close
to
to
see
my
but
not
exactly
the
same,
and
then,
of
course
also
advocates
these
encodings,
like
course,
and
sql
all
those
kind
of
things.
J
Erdog
also
reduces
this
challenge,
response,
signature,
sort
of
way
of
working
for
the
stat
methods
and
the
stat
methods,
or
just
did
this
static,
different
monkey
things
that
euron
talked
about
earlier
and
it
uses
this
transcript
hash,
where
we
are
working
like
the
glasses
and
uses
d
to
the
x
y
as
the
session
key
material,
essentially
not
really
because
ad
hoc
sort
of
outputs,
the
the
state
which
the
hkdf
can
then
use
to
extract
session
keys
from,
but
what
gives
sort
of
the
secrecy
and
the
authentication
properties,
or
is
this
d
to
the
x
y
or
d
to
the
I
y
or
little
r
x,
if
you're,
using
the
stat
based
methods?
J
Instead,
this
message
looks
like
opti-less,
we'll
see
more
about
that
later
on
and
so
forth.
It's
a
bit
unclear
whether
it's
an
exact
mapping
to
noise
extended
with
the
signatures.
It's
a
bit
sort
of
both
the
noise
specification
and
the
error
specification
are
very
pro
slides.
So
it's
difficult
to
see
exactly
whether
the
correct
parameters
goes
where
they
should.
J
J
I've
got
to
all
know
that
the
sort
of
cryptographic
course
that
occurs
is
well
understood
constructions,
and
if
we
sort
of
look
at
what
are
the
main
methods
that
would
be
of
interest,
I
believe
there
might
be
some
solutions
with
this
start
saying
and
saying
start
methods,
and
that
is
where
one
part
is
using
static.
Different
monkey
and
the
other
part
is
using
a
signature,
because
this
is
kind
of
a
mix
of
or
existing
things.
J
J
So
if
we
simplify
the
adhoc
framework
enormously,
we
end
up
with
something
like
this.
J
Essentially,
we
have
the
initiator
and
responder
and
in
the
message
number
one,
the
ancient
initiator
sends
g
to
the
x
to
the
responder
and
the
responder
uses
its
credential
credit
r
to
authenticate
itself
towards
the
initiator,
and
it
also
includes
d
to
the
I
d
to
the
y
sorry
for
to
generate
the
session
key
and
then
the
session
key
is
some
kdf
for
odt
to
the
xy
and
possibly
something
more
and
then
a
heads
up
here
is
that
that
I
have
simplified
things.
J
J
So
one
could
and
you
can
take
the
next
also,
maybe
at
the
same
time,
so
one
could
view
it
as
the
first
flight,
m1
and
m2
is
sort
of
the
authentication
of
the
responded
towards
the
initiator.
But
then
you
can
also
imagine
that
message.
Number
two
is
the
first
message
of
the
second
round
where
it's,
the
purpose
is
to
in
to
authenticate
the
initiator
towards
the
responder
using
the
blue
credit
credential.
J
So
so,
in
a
sense
that
middle
message
is
sort
of
serving
both
as
the
last
message
of
one
protocol
and
the
first
message
of
the
second
protocol,
which
is
also
kind
of
following
that,
the
noise
by
your
thinking
and
the
only
difference
in
what
so
is
the
key
session
key
material
or
what
so
we
will
contribute
to
the
secrecy
of
the
session.
J
Key
material
is
that
in
the
stat
based
method,
with
one
of
the
boxes
using
static
development
key,
then
then
the
session
key
will
also
depend
on
the
credential
of
that
party
and
and
again,
if
we
think
about
old
elasticity,
it
would
essentially
be
since
let's
just
have
mutual
authentication,
it
will
be
that
the
responders
static
key
would
be
included
into
the
sort
of
sequencing
here
components
of
the
session
key,
but
but
for
all
other
methods.
It's
just
gtx
y.
That's
the
session
key
material.
J
For
instance,
you
have
access
to
a
sim
card
tpm,
but
it
doesn't
actually
read
the
long-term
credential
and
the
attacker
is
of
course,
able
to
attack
all
session
keys
generated
from
that
as
long
as
his
access
to
the
dpm.
But
when
that
access
is
revoked,
then
the
future
session
keys
are
still
secure.
So
that's
the
weak
version-
and
I
am
pretty
sure
that
holds
the
strong
pcs
will,
of
course
not
told,
and
the
next
thing
we're
trying
to
look
into
is
kci
resistance.
J
J
We
also
during
this
work.
We
identified
some
some
missing
considerations
in
in
the
draft,
for
instance,
non-repudiation
aspects
and
and
so
sort
of
whether
you
should
think
about
teas
and
and
session
key
reveal,
queries
and
stuff,
like
that.
We
also
run
into
one
one,
the
unintended
authentication
confusion
which
is
sort
of
a
not
so
much
problem
with
airdrop,
but
it's
not
sufficiently
explored
relation
between
advocate
and
its
application.
That's
using
adhoc
so
so
that
the
api
kind
of
needs
to
be
a
bit
more
looked
into
it.
J
And
then
also
what
is
the
actual?
What
should
constitute
the
session
key?
The
definition
of
that
is
also
something
that
we
believe
should
be.
I
must
get
more
now
come
back
to
that.
So
the
conclusion
is
that
that'll
build
on
on
well-established
components,
and
it
seemed
to
behave
as
as
one
could
expect.
J
Also
all
these
different
methods,
though,
have
quite
different
security
guarantees.
So
so,
depending
on
which
credential
you
choose,
you
will
get
sort
of
a
different
properties
of
the
protocol
and
then
one
could
sort
of
perhaps
wish
that
that
would
be
some
baseline.
That
all
method
has
these
sort
of
basic
properties,
and
then
you
might
get
something
in
addition,
where
one
uses
others
and
so
on.
But
then
we
need
to
define
exactly
what
would
that
that
base
set
of
properties
be.
J
It
should
establish
an
oscar
security
context,
but
it
sort
of
does
that
and
see
how
good
can
you
make
that
given
some
restrictions,
but
but
then
the
actual
use
of
the
protocol
is
less
well
explored,
which
means
that
it's
not
so
clear
exactly
which
properties
are
the
most
ones
that
are
important
to
to
verify
or
check,
and
then
we
believe
that
if
you're
looking
into
like
user
stories
or
use
cases
or
something
try,
try
to
to
extract
would
be
the
most
common
and
most
important
properties
that
that
would
sort
of
guide
both
the
design
of
the
protocol
and
the
sort
of
what
book.
J
So
before
digging
into
to
this
session
key
authentication
property,
which
we
think
was
perhaps
the
most
interesting
finding
just
brief
overview
of
the
attacker
model
that
we
have
considered
so
so
we
consider
like
a
standalone
attacker
model.
So
the
attacker
can
read
all
mysteries
that
are
sent
deconstruct
them
into
their
components,
compose
that
into
new
messages
and
insert
that
and
can
delete
messages
and
do
all
those
kind
of
things
and
run
an
unlimited
number
of
sessions.
J
And
it
also
means
that
the
we
make
sort
of
a
perfect
cryptography
assumption
that
that
encryption
algorithm,
for
instance,
is
not
possible
to
reverse.
Unless
you
actually
know
the
key.
J
So
if
you
look
at
message
number
two,
for
instance,
this
encryption
operation
would
mean
that
attacking
would
not
be
able
to
get
hold
of
credit
or
unless
he
actually
has
the
key
used
to
encrypt
that
so
yeah
that
the
next
piece-
and
that's
that's
a
well-known
thing
and
the
attack
loss
has
the
possibility
to
compromise
parties
after-
and
this
is
the
model
perfect
for
secrecy.
So
after
the
session
is
complete,
complete
the
attacker
can
can
compromise
the
long-term
key
and
there's
a
mistake
in
the
slide.
J
This
sense
that
you
also
can
completely
compromise
the
session
state,
but
we
don't
have
sessions
stage,
reveal
queries,
but
we
do
have
a
session
key
reveal
queries,
that's
also
to
be
able
to
model
pfs
and.
J
Just
basic,
we
are
working
in
the
pre-specified
peer
model,
and
that
means
that
both
parties
knows
right
around
the
protocol.
Who
would
I
want
to
talk
to
that's
a
fairly
stumbled
simplification?
J
We
also
assume
that
there
is
a
one-to-one
correspondence
between
the
identity
of
the
party
and
its
public
key
or
its
and
his
private
key.
So
that
means
that
the
attacker
cannot
register
a
new
public
key
for
a
a
given
identity.
J
That
would
already
exist,
and
this
is
in
line
with
that
obvious
assumption
is
assuming
itself
in
the
draft
and
it
also
simplify
things
we're
using
a
symbolic
drivability
based
notion
of
secrecy,
so
you're
not
looking
at
any
type
of
observation,
equivalence
or
distinguishability
based
security
notions.
So
basically
can
the
secrecy
that
depends
on
whether
the
attacker
can
actually
derive
a
certain
torment
down
the
line
term
algebra,
rather
than
trying
to
see
what
he
can
differentiate
between
different
things,
and
we
also
use
getting
load
style,
authentication
based
on
the
corresponding
correspondence
properties,
so
over
the
traces.
J
J
So
if
we
then
look
at
what
mean
which
version
of
session
key
the
authentication
we
use,
so
we
went
for
the
something
called
injected
agreement,
and
here
it's
going
to
be
described
in
the
sync
method.
So
it
means
that
the
initiator
is
on
using
standard
signatures
to
authenticate
themselves
to
each
other,
and
in
this
case,
if
you
take
next
piece,
we
can
see
that
what
that
means
is
that
if
the
initiator
receives
message
number
two,
then
he
can
derive
the
session
key
as
some
function
of
g
to
x
y.
J
But
if
that
happens,
he
also
knows
that
at
some
point
in
time,
during
this
protocol
run,
the
responder
also
is
able
to
drive
d
to
the
x
y
and
there's
exactly
one
instance
of
that
event
that
the
responder
derives
d3xy.
J
So
it
means
that
both
parties
are,
they
agree
on
which
key
they
have
derived
each
of
xy,
but
they,
but
the
initiator
also
knows
that
there
is
exactly
one
instance
of
the
responder
running
that
runs.
It
cannot
be
the
case.
The
attacker
has
fooled
the
responder,
for
instance,
into
to
running
believing
that
it
has
around
two
sessions
or
three
sessions,
which
is
not
not
the
case
that
the
attacker
fully
responded
into,
believing
that
the
session
gives
t
to
the
x
cell
for
some
said,
for
instance.
J
So
so
this
is
the
injector
agreement
thing
and,
of
course
you
can
prove
this
also
for
other
important,
not
only
the
session
key,
but
for
for,
like
for
algorithm
choices
and
at
the
adm,
81
and
82,
and
so
on,
but
not
81,
but
for
for
82.
J
and
so
on.
But
we
have
not
modeled
that
yet,
due
to
some
problems,
we've
been
getting
tamarind
to
terminate
and
then
this
this
property
that
then,
of
course
holds
in
the
other
direction
as
well.
So
the
responder,
when,
if
you
look
at
the
blow
flow,
when
the
responder
authenticates
initiator,
what
would
happen
is
that
when
the
responder
gets
the
third
message,
it
would
know
that
there
is
a
corresponding
event
on
the
initiative.
J
J
And
this,
if
you
take
the
next
slide-
and
I
will
explain
why
this
is-
is
the
case,
and
the
reason
is
that
the
session
key
material
is
defined
as
c
to
the
x
y
and
t
to
the
I
y.
So
basically,
there
is
a
dependence.
The
key
material
sashing
material
depends
on
the.
D
J
J
So
the
next
place
there
are
so
yeah
and
next
so
that
we
don't
have
that.
But
what
we
proved
instead
is
that
you
can
have
an
implicit
key
authentication,
and
that
means
basically
that
if
the
initiator
sends
message
number
three,
it
knows
that
if
the
responder
sees
message
number
three,
it's
only
the
responder
that
can
compute
the
session
key
and
no
one
else
can
do
it.
J
And
what
this
gives
us
is
essentially
that
the
key
key
is
we.
The
key
will
receive
it,
but
there
is
no
confirmation
from
the
initiator
that
the
responder
actually
has
computed
this
key,
which
would
be
the
case
in
the
injective
agreement
property
and
whether
that
is
needed
or
not.
This
depends
on
what
the
portal
is
going
to
be
used
for
next
piece,
so
we
have
come
up
with
four
alternatives:
how
to
fix
this,
and
there
is
probably
more,
if
you
put
your
mind
to
it,
one
would
be
to
sort
of
accept
this
fact.
J
So
you
do
include
the
dependencies
on
on
the
initiator's
private
key,
and
then
you
would
accept
that
you
have
different
authentication
properties
for
for
the
different
methods
that
feels
a
bit
unsatisfying,
because
I
think
that's
a
kind
of
a
fundamental
thing.
If,
if
you
need
key
confirmation
that
that
should
not
really
depend
on
which
credential
you
use,
that
that
feels
a
bit
unsettling
two,
on
the
other
hand,
say:
okay,
let's
exclude
that
that
dependency
and
just
run
g
to
x
y,
also
in
this
case,
but
then
that
is
different.
J
It's
differing
from
from
what
else
is
doing
and
if
you
look
at
the
the
simultaneous
it's
really
carefully
designed
for
for
for
for
ck
style
model,
wherever
you
have
session
state
tricky,
repeat,
queries,
and
I
mean
it.
It
feels
unnecessary
to
slope
that
property
away
just
to
get
to
harmonize
across
all
the
ad-hoc
methods,
so
this
one
doesn't
either
feel
very
nice.
J
The
third
one
we
need
to
include
a
fourth
message
from
r2i
include
a
mac
based
on
a
key
derived
from
the
key
material,
but
it
can't
be
from
the
same
branch
as
the
actual
session
key,
because
the
mirrors
key
in
distinguishability,
if
one
would
like
to
prove
that
in
some
computation
model
later
on-
and
this
of
course
is
not
so
nice
either
for
the
applications,
because
now
they
would
need
a
fourth
message,
which
is
not
preferable,
which
leaves
us
with
the
fourth
message
method.
J
Our
fourth
idea
would
be
to
include
the
initiator's
id
in
message
number
one,
and
what
happens
then
is
that
that
removes
identity,
protection
for
the
initiator,
and
that
is
not
so
nice
either.
But
one
could
also
consider
that
there
is
discussion
in
the
eric
drafter
that
sort
of
the
roles
can
be
reversed.
J
So
so,
if
there
is
some
entry
that
that
really
should
have
identity
protection,
one
could
consider
reversing
the
rules
and
having
that
role,
necessarily
that
that
entity
acting
as
respondents
instead
of
initiator,
there
could
be
situations
without
diplomatic
also,
though,
because
it
might
require,
like
an
initial
trigger
message,
just
to
kick
off
the
protocol.
So
it's
not
clear.
That's
a
perfect
solution
either,
which
brings
us
to
the
post
two
bullets
and
the
first
one,
which
is
unfortunately
cut
a
bit
short.
Is
that
without
better
understanding
the
protocol
goes?
J
J
If
you
consider
this
to
be
a
very
important
property,
so
that
I
think
is
one
thing
that
could
be
discussed
as
an
issue
and
this
also
sort
of
connects
to
to
both
sort
of
how
to
which
how
to
select
the
key
material
but
also
which
kind
of
properties
do
we
want
to
have
and
how
will
harmonize
between
methods,
and
I
believe
that
this
will
lie
up.
J
So
if
you
have
any
questions,
I
I've
seen
that
scrolling
a
few
questions
on
this
chat,
but
I
haven't
been
able
to
follow
that.
Unfortunately,.
A
There's
a
bunch
of
chad
and
jabber,
but
apparently
not
resulting
in
audio
questions
I'll
give
them
a
minute.
So
I
have
a
question
carol.
Is
there
a
kind
of
a
plan
for
how
to
wrap
up
this
kind
of
excellent
kind
of
theory,
work
and
and
proofs,
and
so
on,
in
terms
of
getting
published,
getting
peer
reviewed
having
other
teams
that
we
know
of
doing
the
same
thing?
How
long
might
it
all
take?
A
J
We
put
it
on
on
archive
and
then
of
course
we
are
very
thankful
if
anyone
has
time
to
review
anything
there
and
the
link
is
on
the
first
slide,
but
then
we
are
planning
to
submit
it
to
the
conference,
which
I
the
deadlines
in
august.
D
J
Property
step
that
we
were
want
to
look
at
and
then
I
guess
it
would
also
be
interesting
to
start
looking
into
computational
proofs
as
well.
At
some
point
great
yeah,
okay,.
K
They
have
to
buy
us
hello
device
come
in
here.
Can
you
hear
me?
Yes
got
it?
Okay,
I
have
questions
on
slides,
19.
K
K
Do
you,
like
you,
say
if
m3
reaches
responder,
only
the
responder
session
will
be
able
to
complete
session
key?
Do
you
want
to
say
only
if
m3
image
has
been
responding.
J
K
Right,
yes,
that
one,
I'm
I'm
not
100
sure.
If
I
understand
what
you're
saying
there,
though,
if
m3
reaches
the
responder,
only
the
responder
will
complete
the
session
key.
Or
do
you
actually
want
to
say
only
if
m3
reaches
the
responder
the
responder
session.
J
Oh,
it's
actually
actually
both.
So
what
one
is
like,
if
I
understand
your
question
correctly,
one
one
is
the
sort
of
security
part
that
that
it's
only
a
respondent
can
compute
it
and
no
one
else,
so
so
that
that
is
true.
But
it's
also,
of
course,
true
that
that,
if
the
message
doesn't
really
respond,
reach
to
respond,
the
respondent
will
not
be
able
to
compute.
A
A
Okay,
any
other
questions
on
this
presentation.
A
And
okay,
thanks
carl
thanks
for
cutting's
work,
and
I
guess
at
some
point
somebody
will
try
and
translate
some
of
these
issues.
You
found
into
issues
in
github
and
we
can
process
them
there.
So
yeah
that'll
be
great.
C
Yeah,
yes,
just
confirming
yes,
I'm
gonna
go
through
the
paper
and
and
make
issues
out
of
the
comments
and
feedback
we
got
there.
A
Okay,
thanks
carl,
I
guess
we
can
move
to
the
any
other
business
part
and
somebody
wants
to
go
back
and
ask
questions
about
this.
That's
just
fine
too!
We
can
kick
you
off
to
video
for
now.
Okay,
so
we're
now
at
the
any
other
business
part
of
the
agenda.
F
Yes,
then
I'll
just
repeat
my
usual
plug
that
we
do
have
this
gather
dot,
town
sort
of
informal,
hallway
environment
that
people
could
migrate
to
after
the
session
and
have
any
conversations
that
she
would
have
had
in
the
hallway.
If
we
were
in
person
in
madrid,
so
it
would
be
good
to
get
a
lot
of
people
there
sort
of
have
the
critical
mass
going
and
you
can
say
hi
to
the
friends
you
haven't
caught
up
with
yet
or
that
sort
of
thing.
A
Great
thanks,
I
did
have
one
one
piece
of
other
business
which
I
put
in
the
chat
earlier
is:
how
have
people
got
thoughts
as
to
how
they
want
to
proceed
from
here?
Virtual
meetings,
wait
until
there's
enough
issues
in
the
issue.
Tracker
do
something
in
september.
A
C
Correct
yeah
you're
on
here
yeah.
I
think
I
think
the
virtual
meeting
would
be
great.
I
mean
we
have
seen
some
ideas
coming
out
here
from
on
the
in
the
chat
and
I
think
we'll
have
some
more
input
on
after
the
the
issues
are
are
more
tracked,
so
yeah
how
about
mid-september
or
late
september.
Would
that
be
a
good
time
for
for
an
interim.
C
Right
yeah
so
well,
my
proposal
was
just
yes,
yes,
virtual
interim.
That
was
what
I
wanted
to
say
and,
and
the
date
we
can
discuss
but
september
is
good
not
in
the
beginning,
but
in
the
end
or
in
the
middle,
and
I
see
michael,
have
some
input
as
well
on
the
on
the
jabber.
A
Yeah
so
michael
basically
is
also
suggesting
meeting
in
september
virtual
interest
but
and
also
said
consider
a
hackathon
online.
A
So
you
mentioned,
there
are
multiple
implementations.
Is
there?
Are
people
able
to
interrupt
on
tests
with
one
another?
Are
they
doing
that
already
do?
They
would
organizing
an
event
like
a
hackathon
or
something
help
them
do
that
and
when
so,
when.
C
Yeah,
I
I
don't
know
I
mean
there
are
a
number
of
implementations
which
are,
are,
I
suppose,
almost
ready
for
that,
but
I
we
have
to
check
with
the
other
implementers
and
see
what
what's
going
on.
I
don't
know
at
least
for
progressing
the
spec.
I
think
we
need
to
have
a
virtual
meeting
at
some
point
before
the
next
itf.
A
C
Yeah,
I
I
assume
that
we
have
some
some
new
proposals
on
the
table
based
on
the
discussion
we
had
today
and
and
what's
going
to
happen
in
the
next
month,
or
at
least
I
mean
what
will
happen
in
the
beginning
of
september-
probably
first
half
of
september.
So
if
we
have
something
in
the
end
of
september,
I
think
we'll
have
we
have
material
to
discuss
and
how
we
do
with
implementations
is
perhaps
independent
of
that.
So
I
think
we
could
have
a
separate
sec
sort
of
a
discussion
on
that
independently.
A
Okay
and
then
so,
if
we're
talking
about
late
september,
then
you're
going
to
your
plan
is
to
reist.
You
know
to
put
out
a
new
draft
that
takes
out
the
the
psk
ecbh
option
and
that
that'll
be
in
the
next
short.
While
I
guess
right.
C
That
should
happen
soon.
That
will
happen
soon,
but
then
we
need
to
add
something
instead
and
that's
that's
still
to
be
discussed,
and
then
we
have
some
other
feedbacks
from
from
from
carl
here
and
and
and
his
team
and
yeah
we're
also
expecting
something
from
the
the
other
formal
verification
team
which
kartik
announced,
but
I
don't
know
when
so
that's
also
something
that
might
come
in
here.
C
A
So
we
can
follow
that,
and
so
I
guess
the
implicit
in
that
is
we're
asking
other
participants
in
the
working
group
to
kind
of.
Maybe
you
know
don't
bother
with
the
zero
zero
draft
for
now,
but
there'll
be
a
zero
one
very
shortly,
and
please
read
that
and
raise
issues
based
on
that.
I
think
that's
what
we're
asking
right.
Yes,
yes,
yeah!
Okay!
A
So
when
you
get
that
to
the
list,
then
we
can
make
that
ass
explicitly
and
then
maybe
encourage
people
to
try
and
raise
issues
between
now
and
and
a
couple
of
weeks
before
the
virtual
interim-
and
we
send
a
poll
for
that
in
the
next
one.
A
A
If
not
ben
has
posted
the
gather
town
link
into
the
java
room
and
you
can
head
off
there
or
after
you've
gotten
a
coffee
or
something,
and
so
thanks
scott.
Yes,.
A
A
oh
god
has
left
the
room.
Okay,
I
think
that
means
that
we're
we're
done
for
today,
thanks
to
all
the
presenters
thanks
people
for
all
the
chat
and
jabber,
which
is
good
to
send
out
the
minutes.
We'll
set
up
a
poll-
and
I
guess
we'll
talk
next
time
sometime
in
sometime
late
in
september,
wish
you
anything
else.
Sorry,
no!
Nothing!
On
my
side,
I
guess
that
concludes
the
meeting
great
thanks
all
and
see
you
at
the
next
virtual
effort,
whatever
that
is,
which
could
be
this
gallery
term.
Thanks,
bye,.