►
From YouTube: IETF108-LAKE-20200731-1100
Description
LAKE meeting session at IETF108
2020/07/31 1100
https://datatracker.ietf.org/meeting/108/proceedings/
A
A
A
A
Okay,
so
we
have
a
relatively
short
agenda.
I
don't
know
how
we'll
go
to
time,
but
we
have
like
an
hour
and
a
half,
or
so
you
can
see
the
various
links
you
can
see.
This
is
the
noteworld
that,
if
you've
been
at
other
meetings
during
the
ietf
week,
you
have
seen
it
you
need
to
understand
what
it
says
and
here's
our
agenda.
A
So
we
have
we're
in
the
middle
of
point
zero
agenda's
gone
then,
given
that
the
working
group
have
adopted
ad
hoc
we'll
have
a
introduction
to
that
which
is
some
of
which
was
repeated
previously,
but
some
of
which
has
changed
over
the
last
while
so
it's
it's
worth
doing
as
a
scene-setting
thing,
there's
a
few
open
issues,
we'd
like
more
and
then
there's
some
discussion
of
some
proofs
related
to
ad
hoc
and
aob.
So
does
anybody
want
to
bash
the
agenda
right
now.
A
Okay,
there
should
be
time
for
aob
at
the
end.
I
suspect
it
need
be,
otherwise
we
can
move
on
to
quran.
So
if
you
want
to
jump
in
the
queue
around
and
send
requests
to
be
sending
there,
you
go
okay,
so
the
so
manager
will
drive
the
slides,
if
you
just
say
next
slide
at
the
relevant
point
in
time.
That
would
be
great.
C
Yes,
so
just
a
background
here
we
have
been
adopted.
This
is
the
working
group
draft
which
we
will
adopt
it
in
late
june,
so
this
version
of
the
draft
is
essentially
identical
to
the
latest
individual
submission,
just
some
references,
updated
and
and
some
comments
on
the
test
vectors
in
the
appendix.
C
So
if
you've
read,
if
you
read
that
the
previous
version,
the
latest
individual
submission
there
is,
there
is
not
so
much
new
in
this,
but
then
again
the
protocol
has
been
changing
last
year
and
we
have
never
given
any
detailed
description
in
lake.
So
so
that's
why
we're
having
this
this
presentation
next
slide.
Please.
C
C
These
type
of
variations
is
something
we
need
to
cater
for
in
the
problem.
Next
slide.
Please
so
now
this
from
from
here
on
to
to
the
end,
this
is
focusing
on
on
the
protocol.
So
let's
go
into
the
different
message
fields.
There
are
three
messages
and
an
additional
error
message,
and
each
each
message
is
a
sequence
of
seaborn
coded
data,
so
using
the
sibor
sequences,
which
is,
has
now
become
an
rfc
and
yeah
next
slide.
Please.
C
So,
on
a
high
level,
we
see
the
this
is
a
different
help,
diffie-hellman
key
exchange,
so
we
see
the
efmeryl
public
keys,
x,
gy
and
we
see
the
encrypted
blobs
here.
The
first
is
and
message
two:
there
is
an
xor
which
is
different
from
from
previous
version
of
the
protocol,
which
was
an
authenticated
algorithm.
C
So
adhoc
specifies
four
authentication
methods
targeting
the
variety
of
it
use
cases
mentioned
before
so,
for
example,
the
initiated
responder
could
both
have
signature
public
keys
to
authenticate
with,
or
they
could
have
static,
helmet
keys
or
it
could
be
a
mix
and
yeah
I
mean
these.
The
setting
here
is,
I
mean
this
is
what
we
think
is
is
needed
by
the
scenarios.
This
is
something
we
could
could
re-evaluate,
but
but,
as
it
seems,
we
we
still
need
to
have
because
of
the
ecosystem
around
pki
for
authentication
and
the
tools
available.
C
C
C
C
C
So
each
each
suite
is
an
integer
and
the
protocol
field
suites.
I
is
an
ordered
set
of
suites,
starting
with
a
selected
suite
and
following
the
supported
suites,
which
are
the
cipher
suite
which
the
initiator
supports
in
order
of
preference
and
this
supported
suites
that
can
be
truncated
at
the
end
and
if
the
truncation
of
the
supported
suites
is
only
only
leaves
one
suite
coinciding
with
the
selected
suite,
then
you
can
just
use
that
suite
as
the
element
of
swede's
eye
next
slide.
Please.
C
So
here
here
is
an
example
of
how
cipher
suite
negotiation
works
and
it's
using
the
error
message.
So
the
error
message
in
general
has
potentially
three
fields:
it's
an
optional
connection,
identifier,
it's
an
error
message,
which
is
the
text
string
and
it's
optionally,
the
suites
r
containing
the
cipher
suites
in
suites,
I
supported
by
the
responder,
and
if
it's
only
one,
then
you
could
have
just
that
int.
C
So
here's
an
example
of
using
the
the
error
message:
suites
r
can
only
appear
in
responses
to
message
one-
and
this
is
the
case
here.
We
have
message
one
containing
it's
an
initiator
supporting
cypher,
suites,
five,
six
and
seven
select
suite
number
five.
Responder,
however,
does
not
support
suite
number
five,
but
suite
number
six,
so
it
responds
with
r
equals
six,
and
then
a
new
session
is
shown
here
where
the
initiator
is
selecting
suite
number
six
and
includes
a
truncated
list
of
supported,
cypher
suites
next
slide.
Please.
C
The
id
cred
is
encoded
as
a
cosy
header
map,
which
means
it's
a
seabor
map
and
it's
using
specific
cozy
header
parameters
from
from
a
certain
iana
register
and
out
of
this
register,
you
could
see
you
could,
for
example,
you
could
use.
Rpk
can
be
identified
with
a
kid
header
and
certificates,
which
kid
is
essentially
a
key
identifier,
and
a
certificate
x.
C
C
C
There's
a
question
in
the
in
the
chat
here:
what
does
rpk
mean?
That
means
raw
public
key,
but
apparently
he
left
the
room.
Maybe
he
got
the
message
before
leaving,
and
so
so
this
key,
as
I
said
this,
this
picture
was
taken
from
from
a
simpler
version
was
taken
from
the
formal
verification
paper.
Thank
you
very
much
for
that
and
I
tried
to
fill
in
the
details.
So
let's
use
the
colors.
C
C
So
a
little
bit
more
careful.
Look.
We
see
that
at
the
top
is
the
ephemeral,
ephemeral
key,
which
is
which
is
and
to
the
left.
We
have
the
female
static
keys,
which
are
used
together
with
hdadf
extract
green
box
to
get
the
pseudo-random
keys,
which
are
the
orange
boxes
and
and
there's
a
dependency
on
method
here.
C
In
this
case,
the
max
are
being
signed,
or,
as
another
example,
we
take
the
method
three,
which
is
the
static
diffie-hellman
static,
diffie-hellman
case
when
both
the
fml
static,
shared
secrets
are
involved
and
their
the
prks
are
all
different,
and
in
this
case
they're
the
max
are
not
signed
next
slide.
Please.
C
C
So
this
is
a
one
and
a
half
round
trip
for
the
protocol,
and
if
you
want
to
use
oscore,
you
could
either
complete
the
two
round
trips
and
then
start
the
oscore
request
response
over
co-op
or
you
could
include
the
score
request
response
in
the
second
round
trip,
as
is
discussed
in
this
draft
referenced
here,
which
is
proposed
for
core,
and
that
basically
gives
you.
The
ad
hoc
authenticated
key
exchange
and
oscar
first
oscore
request
response
in
two
round
trips,
and
the
last
bullet
just
shows
how
you
get
the
oscar
security.
C
D
C
C
C
Stefan
ristisov
has
made
a
he
has
actually
implemented
all
methods
in
microcontrollers
and
also
some
different
implementations
using
armed
trust
zone,
and
it
has
made
some
performance
measurements
on
that
which
he's
working
on
publishing
and
also
his
code
is
planned
to
be
open
sourced,
but
I
yeah
we
have
to
ask
stefan
would
state
this
on
that
universe
of
mercy.
Mercia
have
been
doing
ad
hoc
implementations
for
a
long
time,
and
the
current
contact
point
is:
is
edward
ingles.
C
C
D
F
C
On
the
list
right,
but
basically
the
the
intent
here
is
the
security
guarantees
provided
for
the
additional
for
the
auxiliary
data
is
that
we
have
actually
no
guarantees
for
for
81
and
for
82.
We
we
don't
know
it's.
We
cannot
say
it's
confidential
because
it
depends
on.
I
mean
you,
don't
know
who
starts
this
protocol
or
who
is
involved
before
you
actually
get
to
message?
Three,
so
83
could
be
encrypted
and
and
integrity
protected,
but
82
doesn't
really
have
any
at
least
no
confidentiality
guarantees.
C
I
have
to
look
up
the
integrity,
okay
thanks
so
just
to
get
onto
that.
I
don't
know
that
particular
example
in
that
particular
example
in
the
draft
with
auxiliary
data
and
third
party
authorization.
In
that
case,
the
auxiliary
data
is
basically
a
a
mac.
So
it's
a
truncated
mac,
eight
bytes,
truncated
mac.
That's
the
content
in
that
example.
E
D
D
F
B
A
G
Yeah
go
ahead.
Hi.
Can
you
hear
me?
Yes,
okay,
so
could
you
go
back
a
few
slides
where
there's
this
explanation
on
this
method,
car
or
like
what
happens,
the
the
initiator
is
suggesting,
like
I'm
trying
to
understand.
Is
there
any
requirement
on
the
initiator
to
know
what
kind
of
authentication
it
expects
from
the
responder,
especially
if
it
has
rpk
psk
certificates
like?
Could
you
explain
that
part
again?
I
wasn't
sure
like.
C
Yeah
currently,
there
is
no
no
negotiation
or
information
sharing
on
methods
here,
so
this
this
assumes
that
the
initiator
knows
whether
the
responder
is
going
to
use
a
signature
or
a
static
default
monkey.
That's
basically
what
it
needs
to
know
and-
and
there
is
an
option
if
we
want
and
that's
that
we
provide
use
the
same
type
of
error
flow
as
for
cypher
suites,
to
provide
further
information
about
methods,
but
that's
not
currently
included.
C
That's
that's
provided
in
the
id
cred
r,
so
that
that
should
be
the
either
the
raw
public
key
itself
or
an
identifier
to
something
that
you
could
fetch
the
public
key.
But
currently
there
is
only
the
case:
either
signature
or
static
difficult.
So
I
don't.
I
don't
know
if
the
what
the
group
setting
would
be.
C
C
C
G
G
You
mentioned
that
the
device
or
the
initiator
can
use
a221ar
certificate,
yes,
as
authentication
credentials,
and
then
you
also
mentioned
later
on
in
this-
that
you
can
like
combine
the
enrollment
in
this
auxiliary
data.
So
I'm
wondering
like
is
the
goal
that
you
start
with
the
certificate
and
then
get
another
certificate
or
like
enroll
another
certificate
or.
C
Yes,
that's
one
one
scenario
that
you
start
with
say
that
the
manufacturer
built
in
credentials,
so
you
in
the
factory
you
provision
a
a.
I
think
it's
called
idev
id,
which
is
the
signed
by
the
manufacturer,
and
then
when
this
device
is
being
provisioned
and
being
commissioned
being
deployed
in
a
network,
then
you
want
to
enroll
a
an
operator
or
a
network,
a
network
operator
certificate.
C
So
you
could,
both
in
the
case
when
you
authenticate
you
could
provide
a
reference
and
the
result
of
the
enrollment
could
also
be
a
reference
going
back
to
the
device.
So
the
only
thing
you
have
is
your
pilot,
your
public
key.
Of
course
you
need
to
have
your
key
pair
on
the
device,
but
certificates
stay
out
of
the
constraint
links
and
that's
the
type
of
scenario
where
you
want
to
where
you
may
want
to
use
your
auxiliary
data
to
integrate
enrollment
with
authentication,
okay,
yeah.
Okay,
exactly.
F
Yeah
just
to
follow
up
on
the
latest
bit
so
when
you're,
using
a
reference
to
the
certificate,
would
that
be
possible
for
the
device
to
never
actually
have
to
de-reference
the
reference
to
its
own
certificate
and
just
sort
of
get
back.
So
it
gets
back
a
uri,
and
it
knows
that
that
uri
corresponds
to
its
own
certificate.
C
F
B
H
H
So
I
understand
that
you
know
it
could
be
a
manufacturer
signed
802.81
air
certificate,
but
you
know
many
practical
scenarios
right
say,
for
example,
I
may
buy
a
device.
Then
I
activate
that
after
one
year
and
if
the
certificate
is
invalid
is
that
that
protocol
there
is
any
way
before
the
you
know,
operator
certificate
is
assigned.
There
is
any
way
to
actually
verify
or
bootstrap
that
device.
C
H
Yeah
so
yeah,
I
understand,
I
think
it's
possibly.
I
was
just
curious
right
because
I
think
that
it's
not
that
it
may
not
be
expired
right,
but
you
know
that
there
are
lots
of
lots
of
you
know
companies
they
produce
the
device
manufacturer
and
then
companies
sold,
and
you
know
there
could
be
a
lot
of
other
things
right
so
from
a
consumer
perspective
right,
you
know
whether
there
will
be
a
way
to
actually
would
stop
that
device.
C
I
B
C
So,
yes,
we
have
started
to
compile
open
issues.
We
are
using
the
lake
repo,
the
lake
working
group,
github
repository,
which
you
see
the
link
here
and
the
currently.
It's
only
three
issues
based
on
the
comments
we've
got
so
far
and
yeah
and
then
there's
at
the
end
there's
some
next
steps
also,
but
let's
go
for
the
three
open
issues
next
slide,
please.
C
So
the
first
yellow
was
a
straightforward
comment
by
martin
dish.
He
thought
that
reading
cozy
was.
He
didn't
want
to
read
too
much
of
cozy
to
implement
ad
hoc,
and
we
have
already
subsection
in
appendix
a
speaking
about
cosy
and
we
can
definitely
expand
that
on
on
cosy,
sign
and
cosy
encrypt
without
duplicating
the
specifications.
So,
yes,
we
should
do
that
next
slide.
Please.
C
This
was
a
comment
by
rene
stroik
why
we
are
enforcing
both
shaft
iron
12
and
shaw
256.
So
the
setting
is
this
that
the
cipher
suite
zero
and
one
includes
ed25519,
which
specifies
shaw
512,
but
we
also
as
explicitly
the
hash
functions
used.
We
also
require
256,
because
that's
that's
typically
what
you
would
use
with
with
with
this
setup.
C
C
Would
make
it
look
like
a
less
of
a
requirement,
but
you
still
it
doesn't
really
solve
the
problem,
and
then
there
has
been
discussions
about
ed25509
with
shot
256
and
I'm
not
really
up
to
date
with
all
with.
What's
the
latest
date
there,
but
just
strictly
speaking
from
an
iot
point
of
view,
I
mean
this
type
of
implementation
and
constrained
device.
B
This
is
malicious
speaking,
so
most
of
the
hardware
I've
seen
implements
sha
256
and
I
think
it's
from
the
implementation
point
of
view.
It's
important
that
we
converge
on
a
single
algorithm
to
use
so
either
option
two
or
option.
Three,
I
think,
seems
the
most
feasible,
but
for
option
three,
I'm
not
familiar
with
the
current
state
of
the
development
of
the
documents,
so
maybe
someone
could
chime
in
there,
but
essentially
the
bottom
line
is.
I
would
like
to
see
a
single
algorithm
that
we
converge
in
a
single
algorithm,
hash
algorithm
to.
B
A
G
Yeah,
I
was
just
also
writing
in
in
the
java
chart,
so
this
is
something
we
encountered
a
while
back
in
six
law
and
thanks
to
renee.
I
think
we
have
solved
this
issue,
so
I
I
would
put
a
link
to
a
couple
of
drafts
on
on
how
we
have
done
it
in
six
low
working
groups.
So
basically
we
use
a
different
representation
convention
for
the
same
curve.
G
So
that
that's
the
plan
for
the
elvik
draft,
which
renee
has
written,
I
mean
it-
has
already
undergone
last
call
second
reviews
and
so
on,
but
we
agreed
with
the
a
ad
that,
when
the
idf
last
call
is
issued,
cfrg
would
would
also
be
informed
of
this,
and
this
is
something
again,
I'm
not
familiar
with
all
the
nist
specifications,
but
renee
seems
to
follow
them.
So
this
is
something
also
in
the
latest
nist
800,
something
something
I
can't
remember.
The
exact
document
number
sure,
but
I
mean.
A
I
I
think
people
should
be
aware:
there's
there's,
there's
probably
a
non-zero
probability
that
that
redefining
25519
with
chat256
is
something
that
does
not
turn
out
to
be
a
good
idea.
So
I
wouldn't
the
fact
that
something
is
in
a
flash
call.
That
assumes
that
does
not
necessarily
mean
it
will
happen.
I
think
that
that's
something
to
be
aware
of
and
the
discussion
with
cfrg
would
need
to
happen.
B
C
C
Right,
so
this
is
a
slide
with
too
much
text.
Unfortunately,
it
probably
complicates
the
issue
more
than
it
solves,
but
we
have
an
agreement
in
the
requirements
that
we
should
not
include
psk
ecdhe
in
the
initial
scope.
This
is
currently
in
the
draft,
but
we
need
to
take
it
out.
So
we
need
to
replace
that
and
I
think
we
need
to
first
discuss
a
little
bit
more
what
we
need
to
replace
it
with
and
that's
the
actions
there.
C
We
need
to
take
a
step
back
and
think
about
what
other
practical
attacks
on
iot
settings
that
we
need
to
handle
with
with,
for
example,
with
some
symmetric
key
scheme,
we
had
a
discussion
initially,
that's
a
mail
thread
reference
which
looked
at
how
to
provide
forward
secrecy
without
divi
helmet.
It
was
a
psk
symmetric,
key
based
scheme,
but
that
was
just
a
starting
point
and
it
didn't
really
look
at
at
the
problem.
It
looked
more
like
it.
C
So
I
don't
I'm
not
sure,
I'm
making
this
very
clear
now,
but
I
think
we
need.
Basically,
we
need
to
restart.
We
need
to
take
out
the
pskhg,
that's
clear
from
the
requirements
and
exactly
what
we're
going
to
replace
it
with
needs
further
discussion
so
and
I'll
I'll
start
that
thread
again
on
the
email
list,
and
that
was
the
last
issue
next
slide.
Please.
C
So
next
steps
submitting
a
new
version
without
psk
is
esdt.
I
plan
to
do
that
on
my
plane
home
and
then
we
have
today
which
we
should
talk
about
now.
The
the
tamarind
verification
and
all
the
considerations
from
that
which
we
need
to
take
care
of
there
is
also
an
old
repo
with
issues
we
need
to
go
through
that
and
see
what
are
relevant
still
not
only
listing
issues.
We
need
to
fix
issues
too,
and
we
are
welcoming
more
reviews
and
at
some
point
we
should
should
plan
the
plug
tests
between
implementations.
B
C
B
A
No,
but
I
would
encourage
people
to
open
issues
if
you're
opening
an
issue
on
github.
You
know
if
it's,
if
it's
an
editorial
or
a
name
or
something
then
just
doing
it
on
github
is
fine.
But
if
it's
a
substantive
issue,
please
also
send
the
mail
to
the
list
and
yeah
we'll
have
to
watch
where
this
question
happens,
on
github
or
and
or
on
the
mailing
list.
A
But
I
would
encourage
people
to
use
the
issue
tracker
and
get
up
and
create
issues
there
and
then
start
related
list.
Discussion
for
non-trivial
ones
does
does
any.
Has
anybody
who's
read?
The
draft
got
any
other
issues
that
they
might
want
to
not
formally
raise
now,
but
bring
up
in
audio
at
the
moment.
A
D
A
B
So
with
that,
let's
conclude
that
agenda
item
and
let's
skip
to
the
last
slot
before
I
before
any
other
business,
which
is
the
formal
analysis
of
ad
hoc
by
carl
carl,
can
do
you
hear
us
yeah
and
we
we
see
you
hi.
Can
you
hear
me
yeah
yeah?
We
hear
you
and
let's
just
say
next
slide
when
you
want
me
to
flip,
please:
oh
yes,.
J
J
So
first
I
give
a
quick
overview
of
for
analysis
and
the
tamarind
tool.
Just
in
case
there
is
someone
who
is
not
sort
of
in
blood
and
then
I'll
give
a
quick
overview
of
the
framework,
as
we
view
it
and
what
we
have
analyzed
and
then
I'll
go
into
the
analysis
itself
give
an
overview.
And
then
I
will
dig
into
two
technical
details
which
I
think
might
be
the
most
interesting.
J
In
some
logic,
and
then
you
try
to
prove
them
for
that
model,
and
preferably
you
do
it
with
some
tool
that
can
help
check,
checking
your
thinking
so
that
you
don't
make
mistakes,
and
this
is
a
useful
process
to
do
at
least,
I
believe,
because
the
modeling
itself
and
and
the
sort
of
proving
the
work
you
do
with
a
lot
of
hidden
assumptions
and
inconsistencies
and
complete
requirements
and
vulnerabilities
and
so
on.
As
you
move
along
the
proof
that
you
end
up
in
the
end
with
is
maybe
not
so
interesting
in
itself.
J
But
the
sort
of
process
will
read
a
lot
of
interesting
stuff
along
the
way
and
it
forces
you
to
really
consider
what
type
of
attacker
are
you
trying
to
protect
against
and
also
just
again
specifying
things
clarify
what
you're
talking
about
when
you
write
sort
of
protocol
specifications
in
prose?
It's
very
sort
of
easy
to
to
imagine
that
that
you
have
the
same
understanding
within
a
group
but
about
how
it
works.
But
what
actually
you
might
have
different
ideas
and
the
more
precisely
the
better.
J
So
so
what
it
does
is
that
it
sort
of
splits
things
up
in
smaller
properties
and
show
that
some
certain
property
hold
in
that
model
of,
but
also
it
is
need
to
understand
that
there's
a
huge
difference
between
the
model
and
the
actual
protocol.
The
model
might
have
missed
stuff
that
that
the
protocol
is
not
is
doing.
It
might
have
sort
of
missed
the
attacker
capabilities
that
you
later
find
interesting
to
cover.
J
You
might
have
missed
properties
you
want
to
show,
or
while
you're
doing
the
modeling
you
might
abstract
away.
The
details
of
the
port
code
are
actually
important.
So
so
that
means
that
you
cannot
just
get
the
sort
of
stamp
saying
is
secured
when
you're
done,
but
you
get
more
detailed
knowledge
and
higher
assurance
level
of
the
protocol.
J
J
Instead,
this
message
looks
like
opti-less,
we'll
see
more
about
that
later
on
and
so
forth.
It's
a
bit
unclear
whether
it's
an
exact
mapping
to
noise
extended
with
the
signatures.
It's
a
bit
sort
of
both
the
noise
specification
and
the
error
specification
are
very
pro
slides.
So
it's
difficult
to
see
exactly
whether
the
correct
parameters
goes
where
they
should.
J
I've
got
to
all
know
that
the
sort
of
cryptographic
course
that
occurs
is
well
understood
constructions,
and
if
we
sort
of
look
at
what
are
the
main
methods
that
would
be
of
interest,
I
believe
there
might
be
some
solutions
with
this
start
saying
and
saying
start
methods,
and
that
is
where
one
part
is
using
static.
Different
monkey
and
the
other
part
is
using
a
signature,
because
this
is
kind
of
a
mix
of
or
existing
things.
J
J
J
So
one
could
and
you
can
take
the
next
also,
maybe
at
the
same
time,
so
one
could
view
it
as
the
first
flight,
m1
and
m2
is
sort
of
the
authentication
of
the
responded
towards
the
initiator.
But
then
you
can
also
imagine
that
message.
Number
two
is
the
first
message
of
the
second
round
where
it's,
the
purpose
is
to
in
to
authenticate
the
initiator
towards
the
responder
using
the
blue
credit
credential.
J
Key
material
is
that
in
the
stat
based
method,
with
one
of
the
boxes
using
static
development
key,
then
then
the
session
key
will
also
depend
on
the
credential
of
that
party
and
and
again,
if
we
think
about
old
elasticity,
it
would
essentially
be
since
let's
just
have
mutual
authentication,
it
will
be
that
the
responders
static
key
would
be
included
into
the
sort
of
sequencing
here
components
of
the
session
key,
but
but
for
all
other
methods.
It's
just
gtx
y.
That's
the
session
key
material.
J
For
instance,
you
have
access
to
a
sim
card
tpm,
but
it
doesn't
actually
read
the
long-term
credential
and
the
attacker
is
of
course,
able
to
attack
all
session
keys
generated
from
that
as
long
as
his
access
to
the
dpm.
But
when
that
access
is
revoked,
then
the
future
session
keys
are
still
secure.
So
that's
the
weak
version-
and
I
am
pretty
sure
that
holds
the
strong
pcs
will,
of
course
not
told,
and
the
next
thing
we're
trying
to
look
into
is
kci
resistance.
J
J
We
also
during
this
work.
We
identified
some
some
missing
considerations
in
in
the
draft,
for
instance,
non-repudiation
aspects
and
and
so
sort
of
whether
you
should
think
about
teas
and
and
session
key
reveal,
queries
and
stuff,
like
that.
We
also
run
into
one
one,
the
unintended
authentication
confusion
which
is
sort
of
a
not
so
much
problem
with
airdrop,
but
it's
not
sufficiently
explored
relation
between
advocate
and
its
application.
That's
using
adhoc
so
so
that
the
api
kind
of
needs
to
be
a
bit
more
looked
into
it.
J
And
then
also
what
is
the
actual?
What
should
constitute
the
session
key?
The
definition
of
that
is
also
something
that
we
believe
should
be.
I
must
get
more
now
come
back
to
that.
So
the
conclusion
is
that
that'll
build
on
on
well-established
components,
and
it
seemed
to
behave
as
as
one
could
expect.
J
Also
all
these
different
methods,
though,
have
quite
different
security
guarantees.
So
so,
depending
on
which
credential
you
choose,
you
will
get
sort
of
a
different
properties
of
the
protocol
and
then
one
could
sort
of
perhaps
wish
that
that
would
be
some
baseline.
That
all
method
has
these
sort
of
basic
properties,
and
then
you
might
get
something
in
addition,
where
one
uses
others
and
so
on.
But
then
we
need
to
define
exactly
what
would
that
that
base
set
of
properties
be.
J
So
before
digging
into
to
this
session
key
authentication
property,
which
we
think
was
perhaps
the
most
interesting
finding
just
brief
overview
of
the
attacker
model
that
we
have
considered
so
so
we
consider
like
a
standalone
attacker
model.
So
the
attacker
can
read
all
mysteries
that
are
sent
deconstruct
them
into
their
components,
compose
that
into
new
messages
and
insert
that
and
can
delete
messages
and
do
all
those
kind
of
things
and
run
an
unlimited
number
of
sessions.
J
J
So
if
you
look
at
message
number
two,
for
instance,
this
encryption
operation
would
mean
that
attacking
would
not
be
able
to
get
hold
of
credit
or
unless
he
actually
has
the
key
used
to
encrypt
that
so
yeah
that
the
next
piece-
and
that's
that's
a
well-known
thing
and
the
attack
loss
has
the
possibility
to
compromise
parties
after-
and
this
is
the
model
perfect
for
secrecy.
So
after
the
session
is
complete,
complete
the
attacker
can
can
compromise
the
long-term
key
and
there's
a
mistake
in
the
slide.
J
J
J
That
would
already
exist,
and
this
is
in
line
with
that
obvious
assumption
is
assuming
itself
in
the
draft
and
it
also
simplify
things
we're
using
a
symbolic
drivability
based
notion
of
secrecy,
so
you're
not
looking
at
any
type
of
observation,
equivalence
or
distinguishability
based
security
notions.
So
basically
can
the
secrecy
that
depends
on
whether
the
attacker
can
actually
derive
a
certain
torment
down
the
line
term
algebra,
rather
than
trying
to
see
what
he
can
differentiate
between
different
things,
and
we
also
use
getting
load
style,
authentication
based
on
the
corresponding
correspondence
properties,
so
over
the
traces.
J
J
So
if
we
then
look
at
what
mean
which
version
of
session
key
the
authentication
we
use,
so
we
went
for
the
something
called
injected
agreement,
and
here
it's
going
to
be
described
in
the
sync
method.
So
it
means
that
the
initiator
is
on
using
standard
signatures
to
authenticate
themselves
to
each
other,
and
in
this
case,
if
you
take
next
piece,
we
can
see
that
what
that
means
is
that
if
the
initiator
receives
message
number
two,
then
he
can
derive
the
session
key
as
some
function
of
g
to
x
y.
J
So
it
means
that
both
parties
are,
they
agree
on
which
key
they
have
derived
each
of
xy,
but
they,
but
the
initiator
also
knows
that
there
is
exactly
one
instance
of
the
responder
running
that
runs.
It
cannot
be
the
case.
The
attacker
has
fooled
the
responder,
for
instance,
into
to
running
believing
that
it
has
around
two
sessions
or
three
sessions,
which
is
not
not
the
case
that
the
attacker
fully
responded
into,
believing
that
the
session
gives
t
to
the
x
cell
for
some
said,
for
instance.
J
and
so
on.
But
we
have
not
modeled
that
yet,
due
to
some
problems,
we've
been
getting
tamarind
to
terminate
and
then
this
this
property
that
then,
of
course
holds
in
the
other
direction
as
well.
So
the
responder,
when,
if
you
look
at
the
blow
flow,
when
the
responder
authenticates
initiator,
what
would
happen
is
that
when
the
responder
gets
the
third
message,
it
would
know
that
there
is
a
corresponding
event
on
the
initiative.
J
J
D
J
J
So
the
next
place
there
are
so
yeah
and
next
so
that
we
don't
have
that.
But
what
we
proved
instead
is
that
you
can
have
an
implicit
key
authentication,
and
that
means
basically
that
if
the
initiator
sends
message
number
three,
it
knows
that
if
the
responder
sees
message
number
three,
it's
only
the
responder
that
can
compute
the
session
key
and
no
one
else
can
do
it.
J
And
what
this
gives
us
is
essentially
that
the
key
key
is
we.
The
key
will
receive
it,
but
there
is
no
confirmation
from
the
initiator
that
the
responder
actually
has
computed
this
key,
which
would
be
the
case
in
the
injective
agreement
property
and
whether
that
is
needed
or
not.
This
depends
on
what
the
portal
is
going
to
be
used
for
next
piece,
so
we
have
come
up
with
four
alternatives:
how
to
fix
this,
and
there
is
probably
more,
if
you
put
your
mind
to
it,
one
would
be
to
sort
of
accept
this
fact.
J
So
you
do
include
the
dependencies
on
on
the
initiator's
private
key,
and
then
you
would
accept
that
you
have
different
authentication
properties
for
for
the
different
methods
that
feels
a
bit
unsatisfying,
because
I
think
that's
a
kind
of
a
fundamental
thing.
If,
if
you
need
key
confirmation
that
that
should
not
really
depend
on
which
credential
you
use,
that
that
feels
a
bit
unsettling
two,
on
the
other
hand,
say:
okay,
let's
exclude
that
that
dependency
and
just
run
g
to
x
y,
also
in
this
case,
but
then
that
is
different.
J
It's
differing
from
from
what
else
is
doing
and
if
you
look
at
the
the
simultaneous
it's
really
carefully
designed
for
for
for
for
ck
style
model,
wherever
you
have
session
state
tricky,
repeat,
queries,
and
I
mean
it.
It
feels
unnecessary
to
slope
that
property
away
just
to
get
to
harmonize
across
all
the
ad-hoc
methods,
so
this
one
doesn't
either
feel
very
nice.
J
Our
fourth
idea
would
be
to
include
the
initiator's
id
in
message
number
one,
and
what
happens
then
is
that
that
removes
identity,
protection
for
the
initiator,
and
that
is
not
so
nice
either.
But
one
could
also
consider
that
there
is
discussion
in
the
eric
drafter
that
sort
of
the
roles
can
be
reversed.
J
So
so,
if
there
is
some
entry
that
that
really
should
have
identity
protection,
one
could
consider
reversing
the
rules
and
having
that
role,
necessarily
that
that
entity
acting
as
respondents
instead
of
initiator,
there
could
be
situations
without
diplomatic
also,
though,
because
it
might
require,
like
an
initial
trigger
message,
just
to
kick
off
the
protocol.
So
it's
not
clear.
That's
a
perfect
solution
either,
which
brings
us
to
the
post
two
bullets
and
the
first
one,
which
is
unfortunately
cut
a
bit
short.
Is
that
without
better
understanding
the
protocol
goes?
J
J
A
There's
a
bunch
of
chad
and
jabber,
but
apparently
not
resulting
in
audio
questions
I'll
give
them
a
minute.
So
I
have
a
question
carol.
Is
there
a
kind
of
a
plan
for
how
to
wrap
up
this
kind
of
excellent
kind
of
theory,
work
and
and
proofs,
and
so
on,
in
terms
of
getting
published,
getting
peer
reviewed
having
other
teams
that
we
know
of
doing
the
same
thing?
How
long
might
it
all
take?
D
J
K
K
K
J
K
J
Oh,
it's
actually
actually
both.
So
what
one
is
like,
if
I
understand
your
question
correctly,
one
one
is
the
sort
of
security
part
that
that
it's
only
a
respondent
can
compute
it
and
no
one
else,
so
so
that
that
is
true.
But
it's
also,
of
course,
true
that
that,
if
the
message
doesn't
really
respond,
reach
to
respond,
the
respondent
will
not
be
able
to
compute.
A
A
A
A
F
Yes,
then
I'll
just
repeat
my
usual
plug
that
we
do
have
this
gather
dot,
town
sort
of
informal,
hallway
environment
that
people
could
migrate
to
after
the
session
and
have
any
conversations
that
she
would
have
had
in
the
hallway.
If
we
were
in
person
in
madrid,
so
it
would
be
good
to
get
a
lot
of
people
there
sort
of
have
the
critical
mass
going
and
you
can
say
hi
to
the
friends
you
haven't
caught
up
with
yet
or
that
sort
of
thing.
A
A
C
Correct
yeah
you're
on
here
yeah.
I
think
I
think
the
virtual
meeting
would
be
great.
I
mean
we
have
seen
some
ideas
coming
out
here
from
on
the
in
the
chat
and
I
think
we'll
have
some
more
input
on
after
the
the
issues
are
are
more
tracked,
so
yeah
how
about
mid-september
or
late
september.
Would
that
be
a
good
time
for
for
an
interim.
C
A
C
Yeah,
I
I
don't
know
I
mean
there
are
a
number
of
implementations
which
are,
are,
I
suppose,
almost
ready
for
that,
but
I
we
have
to
check
with
the
other
implementers
and
see
what
what's
going
on.
I
don't
know
at
least
for
progressing
the
spec.
I
think
we
need
to
have
a
virtual
meeting
at
some
point
before
the
next
itf.
A
C
Yeah,
I
I
assume
that
we
have
some
some
new
proposals
on
the
table
based
on
the
discussion
we
had
today
and
and
what's
going
to
happen
in
the
next
month,
or
at
least
I
mean
what
will
happen
in
the
beginning
of
september-
probably
first
half
of
september.
So
if
we
have
something
in
the
end
of
september,
I
think
we'll
have
we
have
material
to
discuss
and
how
we
do
with
implementations
is
perhaps
independent
of
that.
So
I
think
we
could
have
a
separate
sec
sort
of
a
discussion
on
that
independently.
A
C
That
should
happen
soon.
That
will
happen
soon,
but
then
we
need
to
add
something
instead
and
that's
that's
still
to
be
discussed,
and
then
we
have
some
other
feedbacks
from
from
from
carl
here
and
and
and
his
team
and
yeah
we're
also
expecting
something
from
the
the
other
formal
verification
team
which
kartik
announced,
but
I
don't
know
when
so
that's
also
something
that
might
come
in
here.
C
A
So
we
can
follow
that,
and
so
I
guess
the
implicit
in
that
is
we're
asking
other
participants
in
the
working
group
to
kind
of.
Maybe
you
know
don't
bother
with
the
zero
zero
draft
for
now,
but
there'll
be
a
zero
one
very
shortly,
and
please
read
that
and
raise
issues
based
on
that.
I
think
that's
what
we're
asking
right.
Yes,
yes,
yeah!
Okay!
A
A
A
A
oh
god
has
left
the
room.
Okay,
I
think
that
means
that
we're
we're
done
for
today,
thanks
to
all
the
presenters
thanks
people
for
all
the
chat
and
jabber,
which
is
good
to
send
out
the
minutes.
We'll
set
up
a
poll-
and
I
guess
we'll
talk
next
time
sometime
in
sometime
late
in
september,
wish
you
anything
else.
Sorry,
no!
Nothing!
On
my
side,
I
guess
that
concludes
the
meeting
great
thanks
all
and
see
you
at
the
next
virtual
effort,
whatever
that
is,
which
could
be
this
gallery
term.
Thanks,
bye,.