►
From YouTube: IETF108-ACME-20200730-1410
Description
ACME meeting session at IETF108
2020/07/30 1410
https://datatracker.ietf.org/meeting/108/proceedings/
A
Okay,
it's
something
in
10
minutes
wherever
you
are,
which
means
the
meeting
is
supposed
to
start
right
now
and
we
still
need
a
minute
taker.
Otherwise
we
cannot
proceed.
A
A
Okay,
thank
you
with
that
said,
I
guess
we
can
begin.
A
And
so
here's
the
note
well,
I'm
sure
you've
seen
this
thing
before
and
right
now,
you're
all
sitting
about
one
or
two
feet
away
from
your
screen,
so
can't
complain
about
the
font
being
too
small.
A
So
since
we
last
met,
which
was
in
november,
we
had
four
rfcs
published:
that's
acme,
caa
acme,
tls,
lpn,
acme,
ip
and
acme
star.
A
We
also
had
new
versions
of
pretty
much
every
document
that
we
had
because,
of
course,
since
we
haven't
met,
met
for
eight
months,
then,
and
everything
that
wasn't
revised
is
already
expired
with
that
said,
there
are
also
some
related
draft
got
updated,
that's
acne,
subdomains,
acne,
onion,
dtn,
node
id
and,
in
fact,
they're
taking
quite
a
large
part
of
our
agenda.
This
time.
B
I'm
sorry
I
was
muted,
so
part
of
the
presentation
is
a
general
background
on
dtn
and
the
other
part
is
specific
to
acme.
So
we
can
move
on
to
the
next
slide.
Please,
for
those
not
familiar
the
concept
of
dtn
is
that
it
functions
as
an
overlay
network
on
top
of
some
transport
protocols,
and
this
is
similar
in
concept
to
the
operation
of
email
with
smtp.
B
There
are
other
options,
but
the
focus
for
this
acme
use
and
the
reason
is
as
we'll
discuss
on
the
next
slide,
the
tcp
convergence
layer.
So
we're
not
going
to
talk
about
how
bundles
move
around
the
network
just
know
that
they
move
from
hop
to
hop
between
bundle,
agents
and,
ultimately,
hopefully
end
up
at
their
destination.
B
Bundles
themselves
are,
and
a
bundle
starts
with
a
primary
block
that
has
addressing
information
and
some
metadata
about
the
bundle
and
then
has
a
series
of
canonical
blocks.
One
of
them
is
always
the
payload,
the
actual
thing
being
transported,
and
then
a
lot
of
them
are
dealing
with
processing
controls,
routing
controls,
security
services
and
things
like
that.
B
So
again,
we
don't
need
to
get
into
too
much
details
other
than
a
bundle
is
a
self-contained
unit
in
roughly
the
same
way
that
an
smtp
message
I'm
going
to
use
smtp
as
a
kind
of
a
touchstone
for
some
of
these
things,
because
the
concepts
are
are
similar,
so
smtp
individual
messages
hop
hop
through
the
network.
Looking
for
their
destinations
and
bundles
do
the
same.
B
The
protocols
are
different,
the
encodings
are
different,
but
the
concepts
are
similar,
so
we
can
go
to
the
next
slide
and
here
we're
getting
into
actually
what
we're
trying
to
do
here.
B
So
we
already
know
how
to
do
dns,
name,
validation
in
rfc,
6125
and
also
we
already
know
how
to
do
validation
in
the
sense
of
a
certificate
issuer
validating
that
I
own
a
dns
name.
So
that's
all
worked
out
and
taken
care
of,
but
the
question
came
up
is
how
do
I,
how
do
I,
as
a
ca,
validate
someone's,
claim
to
a
dtn
name?
Well,
a
node
id,
and
so
a
little
bit
of
research
was
done
and
acme
pre-existing.
Infrastructure
already
has
a
well-established
way
to
do
all
of
the
bookkeeping.
B
B
And
this
is
preferred
over
using
some
ad-hoc
mechanisms
that
that
are
manual
or
require
some
nuance
about.
How
do
you?
How
do
you
verify
security
all
the
things
that
acme
already
does
properly
so
next
slide?
B
B
So
the
concept
here
going
back
to
that
analogy
to
email,
the
concept
is,
is
very
similar
and
I
even
lifted
some
of
the
nomenclature
from
the
s
mime,
acme
validation
mechanism.
So
the
idea
here
is
that
the
the
bundle
protocol
has
two
different
top-level
types
of
bundles.
One
of
them
is
a
service
payload,
and
one
of
them
is
an
administrative
record.
B
B
Then
it
will
do
the
normal
processing
again,
the
same
concept
as
the
email
draft
to
generate
a
key
authorization,
and
it
sends
a
response
bundle
back
to
the
acme
server.
B
So
that's
the
the
core
of
the
situation
and
there's
also
some
information
in
the
draft
that
talks
about
using
bundle
integrity
to
sign
the
individual
bundles.
This
isn't
strictly
necessary
in
the
sense
of
making
sure
that
a
claim
can
be
validated,
but
it
is
useful
to
be
able
to
make
sure
that
bundles
pass
through.
Maybe
if
we're
talking
about
the
this
is
because
we're
talking
about
acme,
it
really
is
targeting
a
an
internet
type
open
network.
So
we
don't
want
to
have
implicitly
trusted
bundles.
B
So
all
that
being
said,
this
draft
is
marked
as
experimental,
because
not
that
dtn
itself
is
experimental,
but
the
use
of
acme
to
cover
this
use
case
is
new
territory
and
also,
although
uri
claims
in
certificates
and
certificate
requests
are
not
new.
B
The
use
of
acme
to
validate
a
uri
is
new
behavior
and
the
the
proposal
here
is
not
that
we
would
expect
all
acme
servers
to
be
able
to
do
dtn,
node
id
validation,
but
to
say
when
you
need
to
do
validation
of
a
node
id
for
security
purposes.
Here's
the
right
way
to
do
it.
C
Hi
hi
brian,
I
had
a
quick
question.
I
I
don't
know
if
I
understood
what
you
were
kind
of
saying
exactly
so
is
the
thinking
that
you
would
have
the
dtn
overlay
and
then
the
acme
servers
that
the
dtn
nodes
are
trying
to
reach
or
on
the
public
internet
versus
an
acme
server,
that's
somewhere
in
the
in
the
dtn
fabric,
but
that's
more
of
a
closed
network.
B
So
the
the
original
concept
was
that,
if,
if
you're
on
a
relatively
controlled
closed
network,
that
you
wouldn't
need
to
use
an
acme
type
mechanism
to
to
just
to
issue
and
distribute
certificates
that
on
a
on
a
tightly
controlled
network,
probably
the
certificate
authority
is
integrated
with
the
node
configurations
and
there's
some
back
channel
method
of
of
distributing
certificates.
B
The
the
rationale
for
using
acme
in
this
case
is
for
those
situations
where
the
certificate
authority
doesn't
have
that
back
channel
of
validating
things.
So
the
the
use
case
here
is
for
situations
where
there's
a
certificate
authority
that
is
issuing
certificates
to
you
can
think
of
them
as
gateway
nodes
that
operate
over
the
internet.
So
multiple
sites
have
gateway
nodes
and
these
sites
don't
have
necessarily
trust
channels
to
each
other.
B
So
the
intent
here
is
to
be
able
to
have
a
I'll
say
a
public
ca.
It
doesn't
necessarily
mean
a
public
in
the
sense
of
the
the
anybody
can
use
it,
but
just
that
it's
doing
validation
over
a
untrusted
channel.
A
A
D
Hi
rick
taylor,
so
I'm
actually
one
of
the
dtn
chairs.
My
question
really
to
brian
is:
what
is
your
intention
with
the
presentation
to
acme?
Is
that?
Are
you
offering
to
put
forward
this
draft
in
acme
as
a
experimental
or
informational
document?
B
Where
we're
going
so
it's
it's
certainly
intended
to
be
kept
within
dtn.
The
the
use
of
the
uri
claim
is
new.
It
just
hasn't
been
exercised
before
in
any
acme
validation
mechanism.
D
Acme
server,
okay,
yeah
understood
because
I
know
we
have
iesg
discusses
on
the
the
tcp
convergence
layer
that
need
to
be
resolved
and
and
acme
is
a
good
way
to
resolve
that.
I
suppose
my
statement
to
the
chairs
is,
if
you
want
to
talk
to
the
dtn
chairs,
about
whether
we
keep
this
work
in
dtn
or
or
whether
you
want
to
generalize
it
and
adopt
it.
I'm
absolutely
open
to
having
that
conversation,
and
we
can
take
that
offline.
A
B
So
the
the
imp,
the
an
acme
server
that
would
implement
this
draft,
would
need
to
be
a
dtn
node
participating
in
a
dtn
network
and
have
have
yeah
all
of
the
things
in
the
same
way
as
an
acme
server.
Implementing
the
s.
Mime
draft
needs
to
be
a
trusted.
Smtp
server,
you
know
with
other
other
smtp
servers
using
it
as
a
an
s
mine,
I'm
not
familiar
with
the
exact
terminology,
but
it
needs
to
be
integrated
with
the
other
s.
Mime
servers
that
it's
trying
to
validate
domains
on.
C
A
Okay,
this
is
speaking
as
an
individual,
so
the
acme
servers
are
cas
and
the
cas
that
work
for
the
web.
The
public
web
have
usually
been
very
reluctant
to
provide
services
for
things
that
are
not
the
public
web.
You
know
it's
hard
to
even
get
smtp
certificates,
let
alone
user
certificates
or
and
pretty
much
nothing
for
any
other
use.
A
B
A
B
With
that,
and
that's
understood
in
this
and
that's
why
this
this
last
item
is
that
what's
being
proposed
here
is
the
mechanism
for
when
you
want
to
do
a
thing:
here's
how
to
do
it
and
not
an
expectation
that
there
will
be
uptake
on
those
web
focused
acme,
servers.
E
Yeah
we
have
the
the
tn
auth
tn
off
list
stuff,
which
is
unlikely
to
be
part,
hopefully
not
part
of
the
web
pki.
It
is
going
forward,
for
you
know
mobile
phones,
so
we
have.
We
definitely
have
precedent
within
the
working
group
and
you
know:
we've
expanded
the
charter
to
have
a
bunch
of
different
challenges.
E
My
inclination
would
be
that
if
you
know,
unless
dtn
strongly
wants
to
own
this,
you
know
we
collaborate,
but
I
think
it
makes
sense.
For
you
know
if
the
working
group
would
choose
acme
to
be
the
home
for
this.
D
B
A
C
A
A
A
A
Which
means
not
very
many
hand
and
or
not
very
loudly
so
with
that
I'm
kind
of
reluctant
to
ask
about
adoption,
and
so
I
guess
please
read
it
and
then
we'll
take
it
to
the
list.
Yes,
alexi
has
something
interesting
to
say.
So,
let's
see
yes,
alexey.
F
Yeah,
I'm
just
maybe
ask
who
is
willing
to
read
and
review
the
document.
Even
if
people
haven't
read
it.
A
Okay,
what
I
do
know
is
to
never
do
that
on
the
hum,
so
please
type
it
plus
one
in
the
chat
room
if
you're
willing
to
read
it
within
the
next.
I
don't
know
month
or
two
so
that
we
can
then
do,
and
I
see
one
two
three.
F
A
A
Anytime,
okay,
so
with
that,
the
next
thing
is
owen:
with
acne
subdomains:
let's
come
up
to
the
mic.
H
It's
just
a
summary
of
product
misadmins
is
about
the
baseline
acme
rfc
allows
an
acme
server
to
issue
search
for
a
given
identifier
for
a
subdomain
without
requiring
a
challenge
to
be
explicitly
fulfilled
against
an
identifier.
H
So
in
principle
an
acme
server
could
issue
a
search
for
a
sub.domain.com
where
the
acme
client
has
only
to
fill
the
challenge
for
the
parent's
domain
and
an
acme
server
could
issue
search
for
a
large
number
of
subdum
inserts
and
only
require
a
single
charge
to
be
fulfilled
against
apparent
domains.
This
is
nothing
new
here.
This
hasn't
changed
since
it
of
106..
So
next.
H
H
H
It
sends
in
a
new
authorization
request.
Domain.Com
gets
back
to
list
of
authorization,
challenges
and
fulfills
the
dns
text
and
challenge
and
then
pull
pulse
to
challenge
response
and
verifies
that
that's
verified
with
acting
server.
H
Then
after
this
pre-authorization
has
taken
place,
then
it
illustrates
the
client
on
the
right-hand
side
and
step
two
placing
an
order
for
a
sub-domain
of
that
parent
domain,
and
the
illustration
here
is
just
doing
getting
a
cert
for
one
sub-domain,
but
there's
no
reason
why
a
client
couldn't
continue
and
request
certificates
from
multiple
different
sub-domains
after
appearing
to
men,
while
only
completing
one
pre-authorization
for
the
parent
main
next
slide.
H
So
what's
changed
since
106
and
draft
zero
one
and
there's
some
my
comments
that
I
and
there's
some
chatter
on
the
mirror
since
then
as
well-
and
those
three
comments
have
been
addressed.
First
is
what
this
drafter
2
defines.
Is
a
base
domain
boolean
field
in
the
authorization
object
to
explicitly
differentiate
between
an
authorization
for
a
apparent
domain
versus
an
authorization
for
a
wildcard.
H
H
This
works
for
the
pre-authorization
and
explicit
authorization
inbound
as
well,
and
finally,
there's
a
bit
of
confusion
as
well
in
the
matters
as
to
whether
this
was
just
applicable
to
see
a
browser
forum
or
based
on
requirements,
and
it's
not
is
generally
applicable
to
acme
and
similar
to
the
acme
based
rfc.
H
The
draft
doesn't
really
state
anything
explicitly
about
ca
policy,
so
it
could
be
applicable
to
cas
that
confirmed
to
see
a
browser
forum
baseline
requirements,
but
it
doesn't
necessarily
have
to
be
used
by
those
servers.
It
could
be
used
by
different
cas
that
have
their
own
policies
or
could
in
fact
be
used
by
private
cas
or
iotcas.
H
I
think
next
slide.
That's
it.
H
So
next
slide
what's
missing.
Is
security
considerations
has
been
missing
for
a
while
almost
chased
tim
hollaback
on
this,
but
he
had
agreed
to
write
this
at
one
of
the
last
itfs
and
that's
the
only
update
the
update
was
just
to
address
your
comments
from
the
last
time
around.
H
So
is
there
any
interesting
going
next
steps
here?
Is
you're
interested
in
an
adoption
call
or
any
other
open
questions
around
the
other?
Well,
first
is
standing
on
red
draft
two
that
have
tried
to
address
the
three.
The
three
major
comments
at
itf
iqf106.
So
any.
E
E
So
there
are
two
questions
I
guess
has
any
how
many
people
you
know
who
has
read
the
draft
who
is
interested
in
progressing
it
working
on
it,
and
then
we
should
this
time
for
real.
Do
the
call
for
adoption
and
confirm
on
the.
G
E
A
H
H
So
what
this
does
it
just
describes.
What
this
informational
draft
does
just
describe
how
acme,
based
on
acme,
can
be
integrated
with
multiple
different,
existing
client
or
device
certain
mechanisms
without
requiring
any
changes
to
the
baseline
acne
specification
whatsoever.
It
just
outlines
some
informational
use
cases
where
acme
is
really
really
useful.
So
next
slide.
H
H
Ask
integration
our
acme
integration
with
a
brisket
cloud
registrar,
which
is
it's
risky
cloud
registrar?
Is
it's
a
it's
a
subset
of
brewski
that
what
the
cloud
register
defines
is
how
how
the
default
mode
of
risk
operation
when
it
comes
across
for
a
network
does
not
have
a
register
register
deployed
in
the
local
network.
A
device
can
fall
back
to
a
cloud
register
and
what
risky
cloud
register
does
is
fill
out
some
details
that
are
missing
from
the
baseline
risky
draft
and
finally
tip
tunnel
deep
tunneled
extent,
extensible,
authentication
protocol.
H
What
I
have
here
as
well:
I've
referenced
both
t4
of
c7170
and
a
draft
that
elliot
lear,
and
I
are
working
on
a
an
emu
draft
clearly
brisky.
Well.
Actually,
if
you
go
on
to
the
next
slide,
explains
this
a
little
bit
more
detail.
H
So,
what's
changed
inside
tf
106
is
the
deep
and
two
brisket
sections
of
acme
integrations
have
been
collapsed
into
one
section,
because
what
baseline
cheap?
H
If
you
read
baseline
tape
in
detail,
it's
missing
some
very
important
search,
enrollment
capabilities
that
that
eric
and
I
have
worked
to
introduce
and
draft
layer,
ept
briskey,
so
we're
actually
refactoring
the
t-pop
that
draft
a
little
bit
to
focus
less
on
the
risky
part
and
more
on
the
certain
enrollment
parts
and
two
key
things
that
that
draft
clear
et
briskey
defines
is
csr
attributes
tlv,
which
allows
a
team
server
to
give
instructions
to
a
client
and
what
attributes
it
expects
that
client
to
include
in
the
certificate
enrollment
request
similar
to
est,
and
the
second
thing
that
the
update
does.
H
H
So
so
these
two
attributes
are
missing
from
baseline
t
and
they're,
pretty
much
essential
for
doing
an
integration
with
acme,
and
so
that's
one
of
the
reasons
why
I've
slightly
refactored
this
informational
draft
to
collapse,
the
tape
and
the
tip
update
or
the
deep
risky
sections
into
one
section,
and
I
it
probably
does
not
make
sense
to
try
attempt
to
integrate
acme
with
baseline,
keep
at
all,
because
I
think
we
need
the
csr
attributes
glv
and
to
retry
tlv
for
active
integrations
to
be
successful
like,
for
example,
if
the
acme
server
replies
with
some
kind
of
timeout
saying
your
certificate
enrollment
is
pending,
there's
no
way
for
a
cheap
server
to
turn
around
and
tell
a
client
that
your
significant
romance
is
bending.
H
So
that's
the
that's
the
major
dra
major
change
to
the
draft.
Since
106,
we
just
simplified
a
little
bit
and
collapsed
two
sections
together.
So
next
next
slide.
Please.
H
The
security
sections
secure
consideration
is
still
to
do,
but
this
will
be
as
this
is
informational
and
we're
not
making
any
changes
to
any
of
the
the
drafts
we're
referencing
it
all.
We
don't
expect
this
to
be
controversial
at
all
and
we're
certainly
making
no
changes
at
all
to
the
reference
security
consideration,
sections
in
est,
brewski
or
team.
H
The
the
two
other
drafts
will
reference
the
deep
update
draft,
the
draft
lear,
ept
brewski
and
the
risky
cloud
draft
as
well
either
the
security
sections
for
those
are
either
not
complete
or
they
have
not
been
formally
reviewed
yet,
and
so
I
think,
we're
in
our
minds
we'd
like
to
wait
until
the
security
considerations
and
those
two
drafts
have
been
finalized
and
reviewed
before
we
just
write
and
complete
the
security
consideration
sections
on
this
information
draft,
but
even
saying
that
we
don't
expect
any
controversial
here,
we're
not
changing
the
behavior
of
any
of
the
reference
protocols,
we're
just
stitching
them
together.
H
So
we
expect
the
security
consideration
sections
just
to
be
a
short
summary
of
the
of
the
sections
from
the
other
drafts
next
slide.
Please.
H
So
we've
had
limited
reviewers
on
this.
Yet
but
again
it
is
just
information,
stitching
existing
specifications
together
and
not
changing
them
at
all,
and
so
what
we
would
like
is
if
anyone
on
the
list
is
willing
to
review
this
running
on.
The
list
is
willing
to
provide
feedback
on
this
draft
and
then
michael
and
rifa,
and
I
will
gladly
incorporate
that
feedback.
H
H
E
Oh
and
I
assume,
through
participation
or
your
your
author
participation
and
have
you
actually,
you
participated
with
the
other
groups,
but
have
you
also
reached
out
to
them
and
got
feedback
besides,
just
your
sort
of
authors.
H
Yeah
we've
we
have
presented
this
at
emu
as
well,
and
they
we
presented
this
emu.
We
didn't
didn't
presented
this
time
around,
but
we
presented
our
eu
106
and
we
got
some
feedback
for
well.
Actually,
when
we
presented
redeem
is
one
of
the
reasons
why
mike
brickson
is
now
a
co-author,
because
he
was
very
interested
in
participating
best
in
singing
and
we've
had
some
feedback
from
elliot
lear
and
some
feedback
from
dan
harkins
out
of
emu
as
well.
On.
B
H
E
Okay,
that's
good,
so
it
sounds
like
you're.
Not.
I
don't
think
it's
ready
for
adoption
yet,
but
it
occurs
to
me
that
if
we
do
adopt
this
information,
would
I
think,
it'd
be
the
first
published
informational
document
and
that
we
would
make
a
point
of
reaching
out
to
the
others
working
groups
and
asking
them
to
review
it
too.
H
H
E
Yes,
thanks
for
the
remind
the
reminder:
yeah,
okay,
so
could
people
any
folks
who
have
read
this?
Could
you
please
do
a
plus
one
in
the
chat,
we'll
do
the
same
thing
with
this,
as
we
did
with
the
previous
one.
H
E
All
right,
so
we
do
have
some
interest,
and
you
have
mentioned
that
the
other
groups
have
been
looking
at
this.
Maybe
we
do
time
to
review
call
for
adoption.
A
A
So
if
there's
nothing
more,
I
think
we
can
move
on
to
onion
routing
and
roland.
Thank
you.
I
So
this
draft
was
mainly
instigated
by
the
fact
that
the
ca
browser
forum
has
recently
changed.
The
validation
rules
for
onion
addresses,
so
previously,
onion
addresses
were
only
allowed
in
ev
certificates,
which
meant
that
there
was
very
little
interest
to
have
any
kind
of
validation
mechanism
in
acme,
since
otherwise
ev
certificates
basically
impossible
to
do
via
acme.
Currently
so
now
that
they
can
be
included
in
domain
validated
certificates,
it
seems
like
there
is
some
interest,
speaking
as
a
representative
of
a
public
ca
to
issue
dv
certificates
containing
onion
addresses.
I
So
this
is
basically
the
the
draft
currently
includes
a
validation
mechanism.
That,
basically,
is
a
mirror
of
the
existing
cab
forum,
validation
mechanism
and
a
quick
explanation
of
that
mechanism
is
basically
that
the
v3
onion
addresses
are
essentially
just
encoded.
I
Ed
255
19
keep
public
keys,
so
the
the
mechanism
is
quite
simple:
you
you
create
a
csr
that
contains
a
nonce
provided
by
the
ca
announced
provided
by
the
non-provided
by
the
client,
and
you
sign
that
csr
using
the
the
private
key
and
then
the
ca
simply
verifies
the
csr
using
the
public
key
and
the
address,
and
the
document
has
has
left
out.
You
can
also
do
validation
simply
using
the
existing
change
tool
website
website.
I
Validation
mechanism,
which
is
in
in
8555,
is
http
01..
I
haven't
specified
usage
of
that
mechanism
simply
because
again
speaking
as
a
representative
of
public
ca,
we
don't
really
have
any
interest
in
running
a
tour
stack
in
our
or
anywhere
near
rca.
I
I
I
think
that
there
are
two
kind
of
big
open
questions
with
the
the
document
as
it
is
written.
The
current
validation
mechanism
is
rather
complicated.
You
know
the
use
of
a
csr
is.
This
is
an
artifact
from
the
previous
version
of
onion
addresses
where
which
were
used
essentially
using
rsa,
1024
keys
and
and
truncated
sha-1
hashes.
I
So
the
the
validation
mechanism
was
kind
of
over
constructed
to
try
and
get
around
some
slightly
dodgy
security
properties
and
using
those
keys,
and
that,
as
was
discussed
on
the
list
previously,
it
turns
out
that
actually,
the
attempt
at
performing
hash
strengthening
actually
doesn't
work,
because
the
way
the
two
server
and
client
provided
nonsense
end
up
being
ordered
the
the
server
nonce
always
ends
up
being
the
prefix.
So
there
is
still
some
weakness
there.
I
If
we
were
still
using
rsa
1024
keys,
I
you
know,
I
think
it
would
be
nice
to
try
and
define
a
slightly
more
simple
mechanism
that
doesn't
have
these
kind
of
workarounds
for
security
issues
that
no
longer
exist
with
ed
225.19
keys.
I
But
it's
it's
not
strictly
necessary
in
order
to
get
a
validation
mechanism
that
is
cap
forum,
approved
and
then
the
other
question
is
right.
Do
we
want
to
specify
usage
with
http
01?
You
know,
I
think,
if
we
did
that
you
know
it
would
probably
warrant
some
discussion
of
a
security
consideration.
Section
of
you
know
how
closely
you
want
your
your
validation
stack
to
be
to
a
tall
stack,
but
right.
This
is
probably
more
of
a
policy
question
for
a
ca.
Then
it
is
something
we
can
strictly
specify.
I
Would
be
interested.
I
Think
there's
been
a
bit
of
discussion
on
the
list,
but
right.
I
think
that
the
only
interest
from
from
cas
that
I've
heard
is
is
from
lexicrit,
so
interest
from
others
would
be
yeah.
A
A
F
C
A
A
So,
while
we're
doing
that,
okay
and
just
repeat
what
has
been
said
in
jabber-
that
which
got
it
wrong
and
the
integrations
draft
is
already
about
working
documents.
So
there's
no
need
to
do
a
call
for
adoption,
just
read
it
and
then
we'll
decide
if
it's
ready
for
working
with
plastic.
A
Okay,
let's
do
part
of
that.
This
is
really
all
we
had
planned
for
this
meeting.
I
I
guess
just
to
kind
of
give
an
an
example
of
what
this
likely
would
be
used
for,
I
think
in
the
current
current
ca
ecosystem.
The
most
common
use
case
is
that
you
would
create
a
certificate
containing
both
a
dns
name
and
an
onion
name.
I
So
one
very
popular
example
of
this
is
that
for
the
facebook
hidden
service
they
have
a
certificate
that
contains
both
facebook.com
and
the
hidden
service
address,
and
there's
been
some
discussion
within
the
tor
browser
community
about
trying
to
use
this
as
a
way
to
essentially
bind
these
two
names
together,
so
that
you
could
be
connected
to
the
hidden
service,
but
the
the
url
bar
might
actually
show
the
dns
name
rather
than
the
hidden
service
address
and
rich.
I
I
I
the
name
sounds
familiar,
but
I
I
don't
think
I
have
talked
to
him
specifically
about
this.
I
think
that
would
be
a
good
idea
to
reach
out.
A
The
question
is
alex
muffet,
which
is
suggesting
that
we
reach
out
to
you
and
he'll
send
an
email,
okay,
and
if
that's
all,
we
have
then.
A
Okay-
and
I
guess
we
all-
got
almost
50
minutes
of
our
lives
back.
A
Hey,
thank
you
all
for
coming
and
hopefully
next
time
we
can
meet
closer
together.
Well,
not
next
time,
but
the
time
after
that,
hey.
Thank
you.