►
From YouTube: IETF108-EMU-20200731-1300
Description
EMU meeting session at IETF108
2020/07/31 1300
https://datatracker.ietf.org/meeting/108/proceedings/
A
All
right,
I
think
we
can
get
started.
This
is
the
emu
meeting
at
virtual
ietf
108.,
just
a
reminder
that
this
session
is
being
recorded.
A
B
Dan
has
a
question
about
driving
this
lights.
Indeed,
so,
to
save
time
we'll
be
driving
the
slides.
A
Yeah,
so
we
do
have
a
packed
agenda
today,
so
please
keep
your
presentations
on
track
and
comments
on
at
the
mic.
Kind
of
briefing
to
the
point
would
be
great.
Here's
the
note.
Well,
you
should
all
be
familiar
with
this
by
now,
but
we'll
put
it
up
here
for
just
another
10
seconds,
so
you
can
get
a
good
look
at
it
all
right.
A
So
for
the
agenda,
we'll
start
off
with
update
on
eep
noob
from
thomas
then
go
to
eptls
mohit
presents
then
alan
will
present
eep
types,
and
then
oleg
will
have
a
discussion
on
teep
errata.
A
A
C
C
Bit
well,
okay,
so
an
update
on
eep
noob,
which
is
kind
of
out
of
band
method
for
authentication
method
for
heap,
and
we
decided
to
jump
there
first
to
slide
eight
to
discuss
the
kind
of
one
big
open
issue
in
the
specification
or
what
was
brought
up
on
the
mailing
list,
which
is
the
message
encoding.
C
So
when
we
started
writing
this
first
version
of
the
specification
in
2016,
we
looked
at
the
json
c-bor,
which
was
relatively
new
at
the
time
and
asn
1
and
then
decided
to
go
with
json
because
of
the
availability
of
implementations,
basically
and
for
seabor.
At
the
time
there
were
not
so
many
implementations
and
the
specific
case
and
didn't
seem
to
cover
everything.
But
now
now
there
is
more
like
the
seabor
signatures
or
the
specification
which
has
the
max
hmax
as
well
so
kind
of
those
arguments
about
functionality
and
implementations
there.
C
They
don't
exist
anymore
when
it.
What
comes
to
the
efficiency
of
encoding?
We
don't
really
care
about
that,
because
this
is
a
bootstrapping
protocol
and
we're
not
sending
bulk
data
encoded.
C
So
one
reason
for
us
to
use
json
was
that
wpa's
applicant,
which
is
the
linux
implementation
of
the
that
has
a
json,
encoder
and
parser
built
in,
and
we
didn't
want
to
add
new
libraries
to
that.
So
try
to
suggest
new
libraries
to
wpa
supplicant,
okay.
So
now
there's
a
question
of
whether
the
seabor
is
the
new
big
thing
and-
and
everyone
should
jump
to
that
and.
C
Then
I
just
want
to
note
that
this
will
cause
a
major
delay
to
the
specific
case
and
which
is
kind
of
close
to
ready
and
and
there's
now.
As
far
as
you
know,
complete
implementation
of
the
current
specification,
it
would
require
updates
to
the
specification
and
lots
of
proofreading
and
implementation
and
testing.
C
There
is
one
aspect
that
I
just
today
posted
to
the
mailing
list.
That
has
been
my
kind
of
biggest
concern
about
these
encodings
and
it
is
the
lack
of
canonical
encoding,
which,
which
makes
it
difficult
to
verify.
Hmax
or
compute
them
create
an
unambiguous
input
to
an
hmac.
So
we
receive
some
messages
with
message
fields
we
want
to
take
some
of
those
fields,
combine
them
into
a
new
structure
that
is
then
of
which
we
compute
an
hmac
or
a
hash
function,
and
well
without
the
canonical
encoding.
C
So
that
is
the
problem
biggest
problem
that
I'm
facing
the
way
we
have
solved
it
is
we
have
you,
you
kind
of
looked
at
the
json
encoder
and
decoder
and
decided
that
we
to
use
one
that
allows
us
to
get
to
the
binary
representation
of
the
of
the
kind
of
sub
trees
of
the
document
structure?
D
C
A
third
option
that
that
just
occurred
to
me
is
that
if
we
had
this
nested
object
structures
we
could
possibly
use
that
now,
karsten
pointed
out
is
on
the
queue
like
you
see.
He
pointed
out
on
the
mailing
list
that
seabor
has
this
deterministic
encoding
rules
and
to
me
that
seems
more
like
a
tool
kit
that
I
can
use
to
define
my
own
deterministic
encoding
or
not.
It's
not
like
one
canonical
encoding
that
every
implementation
will
support.
So
I
just
wonder
if
that
actually
will
will
help
here.
C
D
Yeah,
so
if
I
can
make
a
comment,
as
you
said,
zebra
does
have
a
deterministic
encoding.
D
D
What
choice
should
be
taken
so,
but
for
many
applications,
the
the
the
whole
thing
reduces
to
pointing
to
these
rules
and
then
saying
do
that
and
then
we
have
it.
8152
actually
goes
one
step
further
and
avoids
maps
maps.
Have
this
ordering
ambiguity
so
they
have
a
even
simpler
form
of
deterministic
encoding.
They
need
fewer
rules,
but
you
don't
need
to
do
that.
D
So
you
can
keep
your
your
maps
if
you
like
them
or
the
things
are
called
json
objects
and
json.
But
I
think
everything
is
there
that
you
need.
You
just
need
to
point
to
it
and
make
this
this
pointing
normative.
C
Okay,
let
me
let
me
explain
a
little
bit
what
the
difficulty
is
that
we
have
left
in
the
specification
hooks
for
extending
the
data
structure.
So
there
are
parts
that
allow
us
to
take
the
the
whole,
let's,
let's
say
the
the
peer
info
and
server
info
objects.
C
C
In
that
case,
the
application
requirements
will
come
from
some
application
that
uses
eap
noob.
Nevertheless,
if
the
implementation
then
parses
those
parts
of
the
documents
and
then.
D
So
in
your
sibo
you,
you
have
a
place
where
you
say:
here's
a
byte
string
and
the
byte
that
byte
string
in
turn
is
sibo,
but
you
kind
of
delay
the
the
decoding
of
that
subpart
by
putting
it
into
a
byte
string.
So
your
application
gets
the
whole
byte
string
and
can
send
back
that
whole
byte
string
without
making
any
changes
to
the
encoding.
So
you
don't
need
deterministic
encoding
for
those
parts.
C
Okay,
I
didn't
realize
that's
what
you're
supposed
to
do,
because
there
kind
of
isn't
an
explicit
you
know
or
container
for
another
object,
but
maybe
that's
how
it's
intended
to
be
used.
B
D
Record
about
the
60-something
implementations
that
are
on
that
side.
On
the
slide
I
didn't
record,
which
part
of
canonical
they
they
are
implementing.
D
My
implementation
of
canonical
that
I
use
every
day
actually
works
by
rearranging
the
data
in
such
a
way
that
my
my
encoder
simply
produces
the
right
encoding.
That's,
of
course,
not
something
that
every
implementation
will
be
able
to
do,
because
your
platform
may
have
no
way
at
all
of
ordering
maps
so
yeah
you,
you
actually
have
to
look
for
an
implementation
that
can
does
that.
But
it's
it's
not
not
like
it's
right,
yeah,
impossible.
B
Right
elliot,
quick
comment:
we
are.
E
Short
on
time
yeah,
it
seems
to
me,
like
the
choice
here,
should
I'm
less
worried
about
deterministic,
encoding
and
more
worried
about
what
libraries
are
likely
to
be
in
the
device,
and
this
requires
a
different
crystal
ball,
and
so
the
advice
I
would
give
to
thomas
and
friends
is:
if
you're,
targeting
really
small
devices,
then
your
footprint
is
the
thing
you
need
to
worry
about.
C
Thank
you
thanks
yeah,
so
we
only.
C
More
minutes,
I'm
still
hesitant
about
them,
making
the
jump,
because
it's
like
a
major
project
that
I
didn't
expect
to
do
and-
and
I
don't
have
a
programmer
to
to
do
the
updates
at
the
moment.
So
so
maybe
we
should
leave
this
topic
and
go
to
slide
five
and
we'll
look
at
slides
five
and
six.
C
C
C
There
was
a
very
nice
review
by
dave
taylor,
where
he
really
kind
of
found
some
marginal
parts
of
the
specification
that
we're
not
clear,
and
we
added
some
explanations
and
then
also
change
some
maze
to
must
where
it
there
was
no
particular
reason
to
to.
You
know
kind
of
from
the
point
of
view
that
anything
that
is
me
or
just
recommended,
then
we
don't
expect
it
to
be
implemented
in
many
cases
and
also
like
character.
C
But
I
don't
want
to
include
in
this
specific
case
and
those
because
I
don't
want
to
speculate
at
this
time
about
who
will
use
eap
new
once
we
know
some
applications,
then
we
can
define
the
contents
of
those.
Otherwise,
we
would
be
writing
pages
and
pages
of
device
description
specifications
without
knowing
what,
whether
that
such
devices
will
ever
exist,
and
they
might
be
completely
the
wrong
type.
C
Okay
and
the
next
page.
So
hannes
also
did
a
review,
and
this
was
more
on
the
the
questions
may
on
the
level
of
what
is
the
purpose
of
the
documents.
What
assumptions
we
are
making
and
I've
tried
my
best
to
to
clarify
those
parts,
especially
the
discussion
on
cloning,
where
we
also
now
pointing
to
to
this
honesty's
token
specification
and
and
actually
also
dave's,.
C
That
is,
that
is,
I
think,
all
we
need
to
talk
about
here.
The
other
things
you
can
see
in
the
notes
about
the
implementation
that
we
now
have
max,
who
was
working
the
time
at
ericsson,
did
a
kind
of
more
complete
implementation
of
the
current
draft,
so
it
should
be
up
to
date,
and
we
have
managed
managed
to
compare
between
two
implementations
update
message.
Examples
in
the
draft
which
is
nice
to
know
that
they
are
correct
at
the
moment
and
possibly
will
I
hope,
to
merge
that
back
to
the
university.
A
Okay,
great,
I
think,
we'll
have
to
continue
the
discussion
on
the
encoding
on
the
list,
but
thanks
for
introducing
that
topic
all
right
next,
I
think
we
have
eptos
one
three.
B
Hi,
I
don't
know
if
you
can
open
the
google
doc
itself
and
I
can
just
start
by
saying
what's
the
problem
so
basically
the
heap
in
tls,
the
servers
can
send
any
number
of
both
handshake
messages,
and
this
is
this
is
where
they
send
resumption
psks
that
are
later
used
for
what
is
called
fast,
free
authentication
and,
and
the
problem
was
that
you
can
in
eep.
You
can't
leave
the
peer
in
this
unconditional
state
where
it
doesn't
really
know
like.
B
Are
there
going
to
be
more
post
handshake
messages,
because
the
tls
tunnel
is
eventually
torn
down,
unlike
the
web
use
of
of
tls,
and
we
had
early
on
in
the
draft
introduced
a
commitment
message
which
basically
allows
the
server
to
tell
that?
Okay,
I
am
done.
These
are
all
the
post
handshake
messages
I
wanted
to
send
and
it's
time
to
move
on,
and
and
basically
this
handshake
message
was
governed
based
on
on
what
the
libraries
currently
support,
specifically
open,
ssl
and,
as
you
see
on
in
the
text.
B
This
is
this
is
the
text
that
we
have
currently
in
the
draft,
but
this
caused
some
confusion
to
people
on
the
list,
including
hardness,
and
so
on
that
initially
it
felt
that
this
one
byte
of
application
data
was
unencrypted,
which
is
not
the
case.
So
it's
basically
when
you
encrypt
the
one
byte
of
zeros,
which
is
the
indication
of
this
commitment
message.
The
encrypted
data
is
obviously
larger.
B
I
don't
know
if
someone
else
wants
to
chime
in
on
how
to
edit
this
text
to
make
it
more
clear
or
precise,
because
this
is
the
only
thing
that
kind
of
remains
otherwise.
The
document
has
passed
working
group
last
call
and
has
was
our
ad
roman
did
a
review
and
I
fixed
the
issue.
So
this
is
pretty
much
the
only
thing
that
is
now
blocking
it.
B
B
But
alan
go
ahead.
I
think
I
can
still
listen
to
yourself.
F
Okay,
yeah
we've
been
doing
some
interoperability
testing
between
free
radius
windows.
With
the
help
of
george
and
host
ap.
It
appears
that
yeah
sending
the
encrypted
plane
so
you're
sending
the
encrypted
byte
of
zero
works
for
everyone,
and
it's
pretty
straightforward.
F
So
I
think
the
text
is
mostly
okay
other
than
making
the
point
of
it
should
be
the
encrypted
data.
F
Yeah,
you
should
say
encrypted
tls
record
with
application
data
zero
and
that
should
that
should.
F
G
We
don't
hear
you,
I
know,
but
it
takes
forever
for
audio
to
catch
up
so
yeah.
So
I
guess
I
I
I'm
sorry
I'm
just
catching
up
here
but
like.
Why?
Are
you
not
sending
close
notify?
B
Sorry,
can
you
repeat,
why
are
we
not
are.
B
B
G
G
H
We
aren't
done
with
the
connection.
What
we
are
doing
is
we
are
moving
a
from
phase
one
to
phase
two
in
the
underlying
code,
but
we
keep
the
channel
up
to
send
encrypted
data
crosstalk.
G
Eric
so
I
just
typed
into
the
chat
yeah,
I
got
it
thanks.
A
E
Yeah,
but
I
mean
I
guess
talking
about
what
kind
of
messages
you're
not
prepared
to
handle
in
phase
two:
you
can
have
like
new
session
ticket
or
you
can
have
key
update,
or
you
can
have
anything
that
we
define
in
the
future
and
a
new
session
ticket.
You
can
just
drop,
but
a
key
update.
You
kind
of
can
also
drop,
but
it
may
not
be
a
good
idea
and
you
know
the
other
stuff
in
the
future.
Of
course
we
don't
know
about
yet.
H
H
E
A
B
It
would
just
have
required
and
like
because
now
we
are
sending
the
the
commitment
message
with
the
server
tls
finished
and
and
then
the
client
sends
the
tls
finished
and
and
then
we
send
the
success,
whereas
if
it
was
sent
after
the
client
tls
finished,
it
would
have
required
another
round
trip.
That's
what
I
remember
as
of
now,
but
I
am
happy
to
receive
more
feedback
on
this
from
maker
ben.
Please
do
that.
A
I
B
G
G
So
it's
like
ben
seems
definitely
concerned
about
this
specif
about
the
semantics.
The
message
like,
I
don't
understand
the
situation
enough
to
comment
on
the
semantics
of
the
message,
but
ben
says
just
concerns
about
that,
but
I
was
just
like
talking
about
like
which
bits
you
send.
So
I
agree
that
I
agree
that,
if
the
bit,
if
the
situation
is
as
jim
says
then
like
the
bits
I
suggested
won't
work
so
so
so
like.
I
A
F
Okay,
so
go
to
the
next
slide.
There's
just
one
one:
byte
of
content.
F
Here
so
I
pushed
out
a
dash
01
this
week.
Split
up
all
the
eep
types
into
different
subsections.
F
George
had
a
good
review
of
all
the
different
heap
types
and
I've
gone
over
his
comments
and
the
various
specifications
and
updated
the
document
to
address
those.
It
now
references
the
public,
microsoft
documentation
for
peep,
and
we
have
interoperability
between
a
number
of
implementations
for
tls,
ttls
and
peep,
not
so
much
for
fast
and
deep,
but
we're
hopeful
there.
B
Yeah,
do
you
think
it
should
be
in
the
in
the
document
at
all
because,
like
I,
I
think
like?
B
If,
if
if,
if
some
implementation
of
team
is
going
to
move
to
tls
1.3,
it's
not
just
the
key
derivations
that
is
going
to
change
like
how
is
the
pack
sent
for
assumption,
and
then
there
are
various
places
in
the
deep
specification,
for
example
like
you're
supposed
to
do
something
after
this
server
finish
handshake
message
so
so
on
and
so
on
in
phase
two,
how
about
all
those
changes?
So
it
would
be
the
case
that
we
are
defining
the
key
derivation
here,
but
then
leaving
out
a
lot
of
things
which
are
kind
of
unknown.
F
Yeah,
that's
an
open
question.
I'm
I'm
happy
with
it
either
way.
If,
if
we
are
publishing
updates
to
teep
to
address
uni
millinin's
interoperability
comments,
then
these
issues
these
these
updates-
could
go
there.
E
Sense,
hi
hi
again,
hey
hi
alan
thanks
for
the
update
the
my
thinking
about
the
the
chief
work
is,
first
of
all,
it's
really
slow
going
like
literally
I'm
slogging
through
a
bunch
of
stuff.
We
have
a
guy
who's
working
on
it
on
our
side
and
and
oleg
is
going
to
speak
to
this
later
too.
The
reason
to
not
mention
heat
in
that
draft
other
than
to
say
something
like
teep
is
going.
It
will
be
covered
elsewhere.
You
just
don't
want
to
create
a
normative
block
on
it.
E
That's
all
so
just
I
wouldn't
normatively
block
your
draft
on
that.
If
you're
going
to
move
the
t,
if
you're
going
to
push
the
tv
stuff
to
the
stuff
that
we're
doing-
and
you
know
it's
going
to
be
a
while-
I
think
before
a
real,
full
teep
update-
is
done.
Like
there's
a
lot
of
work
to
be
done.
I
think
okay.
E
J
So,
as
we
said
before,
tls
1.3
is
not
covered
in
this
errata
and
also
in
this
presentation,
for
the
reasons
that
were
mentioned
before.
J
J
B
J
Yeah,
there
are
consequences
possible
consequences,
authority,
tv
authority,
idtl
serves
for
identifying
the
the
server
towards
its
peer,
and
if
the
peer
has
several
pre-cached
data,
like
several
packs
from
different
chip
servers,
it
can
select
the
corresponding
pack
by
the
authority
id.
J
Right,
maybe,
in
addition
to
several
packs,
maybe
some
other
pre-cached
data,
like
whatever,
whatever
client
wants
to
keep
together
with
the
with
the
server
like
bound
to
the
specific
chip
server.
J
J
J
J
J
Maybe
it's
worth
to
add
that,
after
together
with
sending
intermediate
results,
you'll
be
after
basic
password
authentication,
we
also
must
send
crypto
binding
tlb.
Nevertheless,
it
only
can
use
the
zero
msk,
because
there
is
no.
It
is
not
an
inner
method.
So
there
is
no
inner
methods,
cryptographic
material
to
derive
keys
from.
B
All
right
just
to
so
I
I
agree
with
the
change
of
adding
this
crypto
binding
tlv.
In
addition
to
the
intermediate
result,
tlv
that
makes
sense
this
basic
password
authentication.
Is
it?
Do
I
understand
correctly
that
if
no
msk
is
exported,
you
are
setting
the
msk
to
zeros.
B
B
Isn't
it
the
case
that
eep
methods
that
use
password
authentication
also
export
msk,
or
is
this
basic
password
authentication
without
e
password
or
what
kind
of
password
authentication
is
this.
J
J
J
Okay,
this
is
just
a
clarification
about
sending
that
sending
intermediate
results
you'll
be
in
basic
password
authentication
is
must
so.
This
is
just
adding
a
few
words
that
we
have
to
send
intermediate
result
till
the
after
basic
password
authentication,
and
whenever
inner
method
is
mentioned,
we
are
just
adding
mentioning
also
basic
password
authentication,
because
it
it
is
under
the
same
rules
as
the
inner.
J
This
is
continuation
of
the
previous
rata
item.
We
also
need
to
fix
the
example
of
basic
password
authentication
with
two
examples
of
successful
and
failed
basic
password
authentication.
They
currently
don't
have
intermediate
results
early,
so
we
just
add
in
the
intermediate
results:
we
send
them
in
both
of
them
in
the
appendix
section.
J
J
So
it
was
decided
to
specify
exactly
the
the
one
byte
chip
type
just
to
make
it
clear
and
avoid
confusion,
and
I
also
suggest
to
put
the
explanation
that
we
got
in
our
discussions
why
this
is
present
here,
because
it
helps
to
protect
against
cross-protocol
attacks.
If
cryptobinding
tv
was
reused,
means
crypto,
binary
was
reused
from
it
fast
protocol
or
maybe
p
protocol.
So
if
we
put
exactly
the
chip
type
here,
we
are
just
preventing
the
reusing
of
cryptobiontilly
from
other
protocols.
B
B
Every
time
you
calculate
this
compound
mac,
I
guess
you
can
run
several
leap
methods
inside
and
every
time
you're
calculating
this
compound
mac,
and
I
thought
it
was
the
e
type
of
whatever
was
running
inside
that
was
being
included
in
this
calculation.
But
I'm
not
deep
expert,
so
just
trying
to
make
sure
that
indeed
it
was
the
case
that
it
it
was
trying
to
refer
to
the
type
of
the
outer
method
and
not
the
inner
methods
that
were
then
going
to
run.
J
Right
so
it
was
present
in
the
original
rfc,
so
maybe
maybe
joe
can
step
in
here
and
at
the
explanation.
Why
why
this
byte
is
present
here,
but
that's
what
what
we
discussed
with
this
job?
I
mean
this
is
a
simple.
A
So
my
memory
right
now
is
that
it
was
the
outer
plv.
But
let's,
let's
just
go
back
and
and
try
to
verify
that,
because
it
is
it's
it's
ambiguous,
and
so
we
need
to
decide
one
way
or
the
other.
J
Yeah
so
during
discussions
of
this
specific
item
it
was
this-
was
there
were
several
options
to
put
the
inner
method
type
here.
That
was
that
is
bound
to
this
cryptobinding
tv.
There
were
no
opinions
to
remove
this
at
all,
but
I
think
we
can
still
discuss
all
three
options.
J
J
Next
slide,
please:
okay.
This
is
to
make
a
more
to
bring
more
structure
to
calculation
of
all
the
key
chains
derived
from
the
inner
method,
msk
and
emsk,
because
of
there
is
a
negotiation
if
there
are
both
msk
and
msk
provided
by
the
inner
method.
J
So
we
need
to
keep
all
the
key
derivation
for
boss
in
their
method,
msk
and
emsk,
and
then
after
we
all
know
what
was
selected
msk
as
a
source
of
all
the
key
derivation
or
msk.
We
use
the
specific
keys,
the
cmk
derived
from
msk
and
cmk
drive
from
msk,
and
so
on.
This
this
makes
makes
the
fix
like
on
the
slide,
makes
this
very
clear.
B
I
think
we
need
to
stop
here.
We
are
already
over
time
and
apologies
again
as
cheers
not
requesting
for
a
longer
slot.
It's
already
two
minutes
past
the
time.
I
guess
we
will
try
to
have
an
entire
meeting
and
sorry
to
the
presenters
who
we
couldn't
cover
today.
B
I
guess
we
can
joe
and
I
can
send
out
a
doodle
poll
and
see
whether
to
do
an
interim
meeting
or
we
wait
and
see
what
that
bangkok,
sorry
for
not
requesting
a
longer
session.
A
Yeah
and
I
I
I
think
we
should
try
to
have
an
interim
just
to
try
to
put
these
cheap
issues
to
to
rest
and
then,
if,
if
people
they
can
didn't
get
a
chance
to
present
here,
can
decide
whether
they
want
to
use
the
inner
room
or
or
wait
till
the
next
main
meeting.