Internet Engineering Task Force 113, 25 Mar 2022

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: IETF113-LAMPS-20220325-0900

Description

LAMPS meeting session at IETF113
2022/03/25 0900

https://datatracker.ietf.org/meeting/113/proceedings/

A

B

C

Good morning,.

C

All right, I think you could go ahead and get started.

C

So the uh alexi, thank you so much for running the slides. There are a bunch of them.

C

We have a pretty full agenda today.

C

So um I guess without further delay, let's go ahead and get started next slide, please by this point in the week. You should all be very familiar with the note well, but please make sure you're aware of your obligations before you contribute next slide.

C

uh Basically, this is the agenda. It's two pages full of stuff. um The first part is stuff. That needs the least discussion, and then we move into the stuff that needs more discussion, um and then we move into stuff. That's under consideration for adoption.

C

um Has anybody? uh Oh and there's uh one agenda bash?

C

The last presentation um renee reached out to me and said it was very unlikely that that is going to make it to that we're going to get through all of this. So he has withdrawn the request to speak and he will bring his topic to the mail list.

C

Are there any other agenda bashes.

D

Is there a scribe.

C

Oh thank you for keeping me straight.

D

Is somebody willing to take notes from the kodi md? I see a very shy hand awesome. Thank you very much.

C

C

So the uh first presentation is going to be from hendrick, I believe, he's the one going to be speaking.

C

Hendrick, would you come to the.

E

Okay, thanks for us.

F

E

Yep, um it's on the materials.

G

G

E

G

All through the.

E

First, three presentations: okay, next slide, please.

G

E

So um this is about the changes to cmp update since um itf 112.. um I managed to reach out to the authors of 4210 to remove the pre-work disclaimer. I did.

E

Do some checks to address nits from the nit checking tool with regard to outdated historic rfcs, we did clarify the reference to crl sources based on this thing, a distributed name and issue a general name.

E

We referenced fur to further documents with regard to random number generation. We did open the ca search, support message to also transfer trusted, root, ca certificates and addressed and security consideration with that regard, and we rolled back a change to the root ca updates support message to not to need to register new oids next slide. Please.

E

So we addressed all feedbacks from from roman from the area director review and um I guess there are two points for further discussion.

E

um I didn't get feedback yet from roman, whether the rest was was sufficiently addressed, but coming to the two open issues, roman suggested, to have a 42, 10 bis document, though the cmp updates offers quite a number of changes, so the authors are open to do so, but the working group back then decided to go with this cmp updates approach. And um finally, if not having the cmp updates approach, we would also probably need to do a 6712 bis, because there are also some updates of 60 20 712 in the cmp updates document.

E

So the the question is how to move forward. um With this point, I would would like to to get some feedback and guidance on on what to do next. So yet I didn't receive any concrete feedback from a roman or or.

C

Us well roman's ready to speak. So, let's let him do that. Oh sorry,.

E

Roman you're welcome.

H

Hey good morning, thanks for all the work and and all the different updates, so the one thing that would help me uh review all the changes that you made is if you could publish a new document that would be exceedingly helpful and as to the cnp updates versus kind of doing the best documents.

H

That's we don't need to make a change. We just need to explain our rationale and I believe the rationale is exactly what what you said and what we talked about in the in the email, which is historically, that's not how lamps has done. The updates and lamps is continuing to follow the the same path it's done before, and I can use that to discuss that in the isg.

H

I had just anticipated that this would be a bit of feedback on how the document would be done, and I wanted to make sure that we had appropriately kind of had that history documented.

C

uh Roman, the other thing is that we thought this was going to be much more modest when we started okay and it kind of grew um like we. We took the opposite um approach with logo types where we actually decided to do the bis, because we we wanted to merge two rfcs, so I mean I. I think this was um a reasonable decision at the time we made it right, and I think it's just a lot of work to to get from here to abyss.

C

H

I completely agree, I mean again in an.

C

H

World had we known this, it would have been much cleaner and kind of easier to do this, but that's not where we are now, and so that's right.

I

H

I you know just we're having the conversation with this good and for me you know the resolution of this. Let's just document it in the shepherd right up uh and I'll have this in my back pocket that we talked about this from the minutes and I'll use that when we ballot and I'll get the feedback of, why didn't you do the best.

C

Okay, um so do you want me to update the shepard write-up.

H

Could you do that? That would be very helpful. All right, because that'll indicate that the working group discussed that versus me saying the working group discussed that okay.

H

And then on, if I was being asked about feedback on the dot well known, I need to dive into that. I believe it was actually ben who brought that to the table.

E

It was ben. He brought that in the review of cmp over co-op in the ace working group, yeah he's probably right, um so we took the same approach than um est took just for for for being aligned and then not having different approach for different enrollment protocols.

E

But I see his point having a locally defined path segment in between or some two well-known segments is not what yeah the well-known was was built for.

H

Right I just found my.

E

Sticky note on.

H

On my desk, for when we talked about it,.

E

Yeah, I have some proposals on the next slide, but um yeah yeah.

J

You have yeah, given it so coming back to the updates and these documents we ended up in similar situation right pc. Maybe we started doing dc encapsulation guidelines and implementation notes and so on, and then we realized that you have to update and change things and then we decided it actually is easier to make a piece document, because it's actually it's much easier for implementation. Where everything is in one document, you don't have to go. Oh yes implement this, but you always have to implement everything in it here and and that's so.

J

It's very and also the other question is that my understanding cmp is already in use in lots of places where so should we actually start uh think about progressing it from proper? I think it's proper standard now right, so how about moving it to the.

I

J

Standard should we actually start doing that at some point, they're not doing that, I think would be much better to do in this documentary.

E

Yeah, so I had a, I had a look into the 4210 and 6712 and talked to the rfc editors and got some yeah some kind of xml version. So what what the authors think we could could offer is just providing an xml having all the changes done as discussed in cmp updates and that's it so that would be kind of a reasonable update or a reasonable effort going through. All of the sections in cmp updates is probably more that what we plan to do.

I

So I want to make tyro say that more slowly, what do you want to change the document to.

G

I

Internet standard, okay- I just couldn't like.

K

I mean this is very brave of you suggest this I mean not saying you know it's a bad thing, but.

C

Go ahead, michael sorry,.

L

Michael richardson, so um I think that's a great idea. The problem, I think I I understand is that I don't think that the work that we're doing here is simply uh um is simply removing things that we didn't implement before and the stuff that I think you are doing is new work that we won't have a. We won't be able to point to two years of interoperation or something like that to be able to get to that.

L

So it would be nice to go that direction, um but unless we want the document to sit around for two years, while people deploy it, um I I think it's probably gonna, be don't.

D

Think it's two years it I think it. If I remember correctly, it's like six months.

C

D

C

Do we wait and- and I don't see a reason we can advance later.

L

Yeah, so that that's all I mean we we could well anyway. I I think that that, as you said, we we thought this was a smaller effort when we started. um I think I agree with tarot that it may be. Is that easier to write this as a redo this as abyss? um But I I don't. I don't think you know I.

L

It would also be good that we could rip out stuff that we never used when we go to internet standard, and that would also be a good best thing if we can get rid of 20 of the document. That's stuff people don't have to review um so, but I don't think that we can do that. I just would be a lot nice. I just don't think we can get there.

L

Okay, roman, go tarot, says going to the abyss they're going to the internet, and- and I meant going to the internet standard yeah.

H

Right that was exactly what I was going to ask about. We're not talking about trying to do is for the cmp updates, because that's a no-go uh if we.

I

Want to make abyss.

H

We, which would be the only way we could do the is that's that's a whole new body of work, all right. Good thanks. I was just wondering whether we were trying to do something a lot harder.

C

I think churro was trying to get us to do something, a lot harder.

J

So so one more comment also, if I understand correctly, we can go to the enter standard later. If we have a beast document, if you actually do this document and then we have implementations and after two years we when we are ready- and we notice that nothing has to be changed, we can then go to data standard without making a new rfc at all.

D

Yeah, you can upgrade it to internet standard without changing the document.

E

Yeah, so with regard to readability for implementers with all the erratas and the changes implemented or proposed in cmp updates, it would definitely be much easier to have a best document, but yeah. As I said, my approach would be to really just just do the changes, as discussed in cmp, updates and and not like uh michael also said, um stripping off 20 of the text. That would be just resetting the effort and and kind of starting over again, and I yeah don't think that this is what is um yeah planned.

D

Yeah, I think yeah basically uh moving to internet standards. It's a lot of extra work for you. So understandably,.

C

Okay, so at this point uh I think the plan is to proceed with the document uh as an update, and if we want to advance we will do the viss at that time. Does that make sense?

C

Does anyone object to that way forward?.

E

Okay, thanks russ.

C

Okay, just checking the the chat to make sure no one's objecting.

E

C

E

So the second point, um as I said it came up, was brought up by ben during the cmp over co-op review and as as pointed out, the the past segment that is, implementation specific, pointing at a c certificate profile to be used for the enrollment or a ca to be addressed in the past. In between of the protocol portion and the operations portion like like. Here, we see the arbitrary label in between est and simple enroll or in the cmp example, between cmp and the initialization operation portion.

E

That was kind of addressed or criticized that this is not in alignment with the dot. Well-Known specification and um yeah ben clearly pointed out that this wouldn't work out. But then you're on the the cue. Please.

M

Go ahead yeah, uh I guess the the short explanation here is that the well-known path is designed so that there's parts of the uri namespace that are under the control of the protocol, because by default, the ui paths are in the control of the site operator and it's perfectly reasonable for us to say. Okay, we've got this well-known stuff, that's part of the protocol, but we want to redelegate some of that back to the operator.

M

But my concern here is that we should not re-delegate all of it back to the operator, leaving us stuck without any path for expansion. If we need to make new parts of the protocol- and so I don't object to having this sort of arbitrary label or profile label present, I just think we need to make sure we do it in a way that we retain a scope for expansion in terms of parts of the path that are under the control of the protocol.

M

Still so the easiest way to do that would just be to add another sort of sub component that prefixes what these arbitrary labels will be, and we were sort of only delegating that subtree back to the site operator, but there's a bunch of other ways. We could imagine leaving us room for future protocol expansion.

E

Maybe next slide, so we discussed um with also some some ways to move forward here. So number one is, um as we specified it today. Number two is kind of if we move have to move away from that um to do it in the in the query um component of the uri to specify the certificate profile here this example shows if you want to enroll to a local domain, and you want to specify that you want to enroll the ldf id certificate profile, then you could could do it.

E

Yeah could use this label to to indicate that to differentiate to some application, specific certificates, they may need to be enrolled later on. So this is the second approach doing it with a with a query component.

E

The third approach is to switch the operations label and the profile label, but yeah. That seems not to be that the logical order and the fourth option is to to move away from that well known at all, but that is also something the authors would yeah did wouldn't like to do so. Yeah ben you proposed additional options. I didn't fully get them.

L

Michael richardson, I also didn't understand, ben what you proposed, which is why I put my my hand up.

M

uh So I guess my if you go back one.

G

M

G

One slide back much.

M

Like that, so my proposal, like currently we've got done. The bottom line is the well-known cmp profile label initialization, and I was saying that uh we could do like that. Well known, slash, dmp and then add a new path component, but call it p. So we would do well known cmp, slash, p, slash profile label, slash initialization and adding that extra like p path component or whatever. We want to call. It is a signal that the stuff after it is a protocol or is a profile label followed by the rest of the stuff. So.

L

So I think to be clear, heinrich on this slide. The word profile label is a label not a prefix. Okay,.

I

L

So just the the profile in this case is called profile label right. Just so everyone knows. That's not a literal and and ben is suggesting that it's a cnp, slash, p slash, you know profile label and then uh I don't understand how initialization is not the label myself. But I guess it's initialization. Oh, that's! That's.

E

The label- that's.

L

The verb yeah, okay, yeah.

E

The operation specified in the light by profile, in this case.

L

So I don't object to what he's suggesting I I I and- and it kind of is interesting to me that um that, particularly when it comes around to renewing things that it would be nice to say which thing you're trying to renew um ldev id versus some application uh thing, it would be good to be able to say that so there's no, no confusion.

L

uh I think we have a. We have we've discussed this a lot. We know we have a discovery problem here, um um but but we, but I think that in many cases that essentially someone else is going to say you know for for light, bulb systems that that the following profiles are in process and that there's no no discovery. You can go forward. One slide again.

L

So I don't like number two, I don't like queries, but other than that I have no particular choice. I just wanted to say that I think the query makes it more difficult than anything else and we can put the slash p or whatever it is we want to put in in their bin. I think that I think that's reasonable.

L

L

E

Suggestion: okay, thanks.

C

I think the decision is one with additional with a additional uh label.

E

Yep, a well-known label um that indicates the next label is or the next segment is a the profile name, yep right, okay, understood thanks thanks for the guidance next slide, please.

E

So coming to cmp algorithms, the authors addressed, I guess all of the feedback coming from the working group after um 112 and from the area director review. We mainly added um in section seven a table um showing all the algorithms um and sorted by by their cryptographic strength, and we got a very valuable feedback from quinn and his colleagues on the shake and kmac and yeah. Also on the table itself. We added some security considerations and I yeah and we managed to also remove the pre-work disclaimer.

E

So I I guess the cmp algorithms is is fine. Now, from from the editor's perspective, so just needing feedback from roman on yeah on the on the status of the changes.

H

Absolutely that's totally fair action caught I've been a little behind. I will re-review, that's re-review it and get it moving. I think, from all the conversation we had, we had a resolution actually take a look at the actual text. Thanks.

E

Okay thanks so next slide. Please.

E

Next slide is on the status of the lightweight cmp profile, so this was not yet reviewed by roman, as we were still discussing on cmp updates. So that is great. We will. We did some changes um to the lightweight profile since one one two, we did change to recommend it for implicit confirm um with enrollment. um We did a section on on conformance requirements in section 7., we added some clarifications and we aligned with the changes done in cmp updates.

E

So this is mainly it on lightweight profile. Next slide, please.

E

So next, so open points would be also to to address and implement the changes on the dot well known as discussed before and from um discussions with with implementers. We got some some feedbacks that clarification on error message, protection and the section 7, the um the the pki management operations support level would be required. So we would like to do that and yeah afterwards start into the the area directory view.

E

So next I think that's that's it.

C

Okay, so um with these, it looks like we'll be able to return uh once you make the changes that we just talked about with the label, uh it will. The next actions will be with the isg, and I will update the shepard write up for that.

C

The I think that puts these three documents back in the in the pile for the isg as soon as you have. That done any last comments on these all right. Thank you for, for this work hendrick.

E

Yeah, thank you for supporting.

C

And uh the next document is uh lamps samples. There are no slides for this. It is in auth, 48.

C

Is dkg in the room? Is there anything that you need to share with the group, or are we just waiting for the rfc editor to finish.

N

uh Your room- I don't know if you can hear me properly- I'm gonna be a little quiet. um Hopefully that's better um yeah, so it's in auth48 um there are a few minor editorial cleanups that uh auth40 has requested, and I've I'm a couple of cycles into that. um I suspect that it will be able to be published shortly.

N

The main changes that they're asking for are asking about rather are fairly small, just textual edits, but they also there were some errors introduced by the textual edits as well, so I'm just clarifying them right now. Okay, thank.

C

You the next uh that ends the first batch, those things that are with the isg or the rc editor. The next ones are the certificate, related documents and sean turner's up with the document signing eku.

O

One two three four all right, I think we're good um russ. Are you gonna share the slides or do you want me to.

D

Yeah, I I'm happy. I don't like mine.

C

H

Gotta sort it out.

O

All right I'll, let you do it it's one slide or two slides. I guess.

D

That'll be pretty quick.

O

No keep going, there's only two slides, so it's really good.

O

Yep hi this is, uh I guess I can need to update the the link there, but this is a working group draft for um a new extended key, so just for uh document signing next, the draft is in uh the o2 version was published. I think at the beginning of the month, then it's currently in working group last call: we've received some comments and we're going to address those before uh being done. What we need to do shocking that we defined an extension and didn't indicate the criticality.

O

um Obviously we need to do that. um We're going to make it optionally critical.

O

um There are some minor editorial issues that we need to fix, which we've got queued up and we need to add some acknowledgements and that's it at this point with respect to changes that we have uh lined up to make for the next version, which I hope will go to our responsible area director.

O

um It's in working group last call now it does not end until I think next week. So if you have comments send them on in, but otherwise let's yield some time back to the rest of the agenda.

C

uh Sean actually you're not defining a new extension you're, defining a new.

O

C

To be carried in extension, yes, so the definition of the extension, I believe, already says, optionally, critical.

M

You could restate.

C

That but it's not like you're defining a new extension.

O

Fair enough, we can do that. We'll just make sure we'll just make sure to reiterate that you know as.

N

O

The eku it is therefore, by definition, optionally, critical, all right thanks for that clarification.

G

Yes, he said it's almost like well.

C

So then, the next one has no slides, and it's me um we're in working group last call on rfc 3709 fists.

C

The big change in this document was to get rid of sha-1 and say where a hash is needed, use the same one that was used to sign the certificate. That way. We won't have to do this again for an algorithm change. um It is also in working group last call. We have no comments at this point, plus no slide, um so please uh take a look at it. Otherwise we're going to advance it to the isg next week and the next one is sean again for the uh clarifications on the missed curves.

O

Hey russ on the 3709 on the 3709 I did send in something, but did that get addressed before it went on to work last call.

C

um I'd have to take a minute to go through my mail and look. But if yes,.

O

I'll make sure so it's minor, I think I think the only thing is. uh I think there was some no, um the big one was about which asn 1 attacks to refer to in the title of one of the appendices. Oh.

C

No that got fixed that.

O

Got fixed okay! So if, if you fix those in great.

D

uh Russ sorry, I got a bit confused uh on agenda. Is header protection? Next I.

C

Think, no, I think it's uh 84 10 key usage clarifications.

C

Oh yeah, what happened uh was it was originally down in the under considerations section, but the working group adoption completed so I moved it up here.

C

Did I not repost the agenda?

C

K

uh Sorry, I'm struggling to find the slides. Let me tell you what the name of the slides are.

C

It's lamps clarifications for ed255, okay, fine, okay,.

I

Can I ask you before you start that is, did the draft change? Yes there? It is because you still haven't.

O

Yes, I um sneakily submitted. I sneakily. I submitted a working group draft uh last night at like three o'clock in the morning or I don't know what time zone that was, but yeah.

O

So hey thanks for adopting this draft um this. Basically, uh you just go to the next slide.

O

So, what's in this id right, so this um text that I'll look really really familiar to you. um It's basically uh another version of um the 5480 clarifications that was published in rc 8813, but this time it's for the edie um star, uh algorithms, the other draft or the other rfc that had um these define these key, that the keys which is defined for this particular set of algorithms, was to find an 8410.

O

uh They only specified um key agreement in cipher only in decipher only so. Basically, the only thing this does is basically said. You know all the other things that it's not supposed to include, and I think there might be one more slide or there are six slides.

O

Oh there are so go to the next one. So there's there's this. This draft is so short that I think I put the whole thing in these slides. So basically all we're saying is we added some text? You know the first two were already there. So basically, what we're adding is the block at the bottom, which basically says don't use any of the digital signature related ones.

O

um So we just made those must not kind of slam the door on those um and that's really it, because if we're using key agreement you don't use in you, don't use key and ciphermen or data and cipherman. So it's kind of just straightforward. Now, if you remember at the beginning, I asked simon why they did this and basically he said nobody asked for it. So this is just kind of like fully enumerating all of the possible options to make it clear to people the things they shouldn't do.

O

So it's basically removing ambiguity next, and you have to do that both for uh the the um the encryption algorithms, as well as the signature algorithms. So it's the 255 uh ones and the x448 or above and then you have to do it for the signature ones as well. So you have to do it for the ed255 and the ev448, and so then the only difference is you have to do it for the e certificates, which is what this says so um for e certificates.

O

Obviously, you can only do not repudiate your digital signature and you do may do a crl sign and then must not for all the other ones and then the next one is for the ca, and the only difference is that for a ca, you can also put ca. Keysearch sign.

O

C

O

C

I think I think the um you back up, one more.

C

Okay, when are you using a crl sign if you're not a ca,.

O

When you're, when you're on, uh like an ocsp responder, this mimics, exactly what's in 5480,.

O

Or was a union in 5480 and now in the in the 8813 update?

O

So an ee is allowed to set crl sign.

C

Oh, it's for the indirect cro, that's what yeah! Okay! Thank you.

O

I was having a hard time with ocs, because it's uh it's um 5 30 our time so.

C

Yeah no kidding thanks.

C

N

uh Sean just uh out of curiosity, have you reviewed these changes against the lamp sample draft, which has uh certificate authorities and and nc certificates in it? I.

J

Have not, but I will I.

O

Will definitely, I haven't tried.

N

To compare them.

O

I I'll look usually I mean to be honest, I think most people that are sane usually don't blow this, but there are people. I think that uh sometimes willfully try to misunderstand and make things difficult. So this is mostly just trying to slam the door on that, but I'll definitely take an action to review the examples. Draft.

N

I I think I I think I got it right, but it that that one is enough 48, and it would be ashamed to publish that shortly before uh declaring that we got it wrong. Can.

O

You shoot me that link if you shoot me the link for the off 48 thing. I can look at it like before the end of today. Yep we'll. Do thanks awesome thanks all right, so lexi. I think we're moving to the last slide, and so, since you guys have seen all this stuff- um and I know it's just an oo version- um I'm actually asking for a working group last call now. um I think that uh this shouldn't come as a surprise. It's pretty non-controversial and basically we're just aligning with the previously published rfc.

O

So I think that that's not an unreasonable request.

C

Thank you. So what I would like to do is, since we have two working group last calls that end next week is issue. The working group last call when those end totally.

P

B

Wonderful, okay,.

C

Any objections or concerns with that approach.

C

Okay, thank you now up next is header protection, alexi, okay,.

I

Can I sneak in.

C

I

Basically have a week to review this before you issue.

C

We will start working group last call in a week, so you'll have two weeks after that to review it's.

I

Three weeks to look at it.

C

N

Hey folks, uh daniel kahn gilmore, here um presenting about the header protection draft, um which is work with uh bernie and the lexi and myself, um where the the editors on it um just wanted to uh report back to where we are, um I'm gonna give a brief recap and then uh talk about some changes that have been made. We've made good progress on it, it's uh since the last weekend, so that's good.

N

So to recap: when we were defining this, there were two different schemes for header protection that is cryptographically: protecting the headers in either signed or encrypted and signed emails. The type that was specified way back in sm3.1 uh has not seen much uh deployment. That's the wrapped message that you see on the left there you take. The these things are the cryptographic payloads.

N

These are the the data that is within the layers of encryption in the message and in s mime 3.1, we said well just wrap it all in a message: rc8222 object, and then we have this other scheme which is injected headers, which just stuffs the headers that you're protecting directly on the cryptographic payload itself.

N

So next slide, please um the reason that we weren't really satisfied with the wrapped message is that for one thing it wasn't widely implemented. There were not a lot of senders that actually did this and when it did come out like this, a lot of the existing clients that were capable of decryption would present the message in a weird way. It might look like a forwarded message.

N

It might have some strange user interface elements, you might have to click it to save it and then reread it or something like that, or in some cases somebody's radians couldn't actually read it at all. The objective header, the injected headers variant.

N

Some of the obscured message- headers, that is when you have an encrypted message.

N

They would be invisible to the legacy clients um and we had a fix for that in the previous version that was called a legacy display mime part that stuffed a decorative representation of the message, headers that were obscured into the message body. So it changed around the the cryptographic payload to add this decorative part to unobscure to to to unhide those header fields for clients that don't know how to interpret this the.

N

Unfortunately, what we found was that the legacy display decorative mime part made the entire message unreadable in one significant mail user agent, which was outlook so that's sort of where things stood. As of the last meeting next slide,.

N

And the update is that we have changed the way the legacy display mechanism works for injected headers. Instead of inserting a mime part.

N

What we do is we modify the main main body part of the message, that is the text plain part or the text html part that is sort of the first leaf of the message itself, and you can see here how the this is a text plain example here, where you did we just uh dec? We just add this uh legacy display element directly into the text, plane, part next slide or if the main body part happens to be html, you can see, we add it in this particular way.

N

So these are both legacy display elements, a message that is multiple part alternative might have two different main parts: one text text plane and one text html in the situation where you have that both of them get this legacy display, element added and the rules for adding the legacy's legacy display element are pretty straightforward and they're designed so that when the legacy display element is present, you can tell that it's present and you can ensure that the legacy display element can be omitted by a client that knows about it.

N

So it's really there specifically for legacy cryptographic, decryption, capable clients to be able to render the user facing headers that that would otherwise be hidden.

N

Next slide, please um with that change the as the draft authors uh we've made some decisions, one of the biggest issues with the draft was that we still had these two schemes lying around in it. It wasn't clear what implementers should do, and here we're saying, we've made a decision with the legacy display element instead of legacy display mime part. We believe that injected headers is something that is going to be is going to work for pretty much all the legacy clients, so conformant muas must be able to generate injected headers.

N

We're also saying that conform and use may generate the wrapped message um and that all message, you know the receiving message, user agents or mail user agents must be able to consume and render both schemes. In practice. We have not seen much adoption of rendering the wrap message, but we think, with the legacy display and injected headers, that even male user agents that don't adopt know that, don't that don't handle the rendering uh in a deliberate way. We think the legacy ones will be able to at least show the user.

N

What they're looking at- and this gives them an incentive to step up their uh rendering and parsing, because they will now get some security advantages of the protected headers so must generate injected. They generate rap message next slide. Please alexa thanks. So the way that we got here was a meeting of the design team, uh which is the group of us who are listed as editors plus uh hernani from the pep group. We've been meeting about every two weeks we've been working with the git lab, so we've been.

B

N

Issue tracking and merge requests and things, and that has actually been pretty productive. uh We welcome anybody else, who's interested in participating to join these meetings. You can, let us know either directly on the lamps list and say you're interested or you can mail one of the authors directly. If there's anybody else, who's interested in joining we'd be happy to have you.

N

We are particularly looking for an implementer of a major mail user agent, in particular outlook or mail.app who's interested in this, because we think we are getting pretty close and we would love to have one of the major male user agents. um uh You know an implementer from their way in so if anybody who is currently in the meeting right now is an implementer of outlook or mail.app or knows somebody who is and wants to get in touch with us.

N

um You know we welcome your participation next slide um from the work group generally, even if you're not interested in uh joining us. As we sort of put the finishing touches on this draft, we have updated the test vectors.

N

This document has a bunch of test vectors and there's a pretty clear. There are different ways you can get access to them that are described at this link at the bottom header dash protection, dot cmrg.

N

If you can, we would love anybody in the lance working group to help us take a look at these again. Take a look at them with your mail user agent. Take the sample messages and route them through various mail. Transport agents see how they get mangled. What happens to them test uh automated systems if you've got things like mailing lists or bug, trackers or other systems, you know we'd love to try to.

G

N

Sure that these mechanisms, um we want to understand exactly how these mechanisms interact with those systems. Obviously we can't do that exhaustively, but we can be more exhausted with more help from the work next slide.

N

um So a couple questions for the working group- um a couple I think, there's five in this deck here. um You may recall that one of the definitions in this draft is the header confidentiality policy. So uh just a quick recap about what that is when you um are sending an encrypted email message and you want to do header protection, not every header is going to be uh secret.

N

The way that the content of the message is secret um and uh we define an abstraction here, uh called the header, confidentiality policy or hcp that describes how how the mail user agent that is composing decides which headers to protect.

N

We had a couple variants in the draft http minimal, which basically just says, protect the subject line and here's how you do it and http strong, which basically says protect everything, but by stripping it out everything but the from to cc date. We obscure the subject line with that and we put in new message: ids there, um uh the design team we have sort of feeling like we need to recommend one for initial implementers to do. We don't want people to have to make hard decisions when they're implementing this.

N

We want them to just have a a pretty straightforward roadmap and we are leaning towards recommending http minimal. As the um as the initial implementation, you can see, there's a link to a merge request that describes that change.

N

The reason we have this hdp abstraction is so that we hope in the future this will evolve, but we want people to have. You know something specific that they can do going forward um if you're going to go from no header protection at.

I

N

Predicting the subject we think is a win in terms of confidentiality next slide uh by the way. This is our. These are questions for the working group. We're just you know. In some cases we have some ideas about what we're going to do, but if you all have any particular comments that you want to make on these, you know I welcome comments. Now we could also have questions and suggestions afterwards and, of course, messages to the list would be great.

N

um When you are composing a message using injected headers, you need to decide whether to put the legacy display element in the main body parts as described earlier or not. um We would love it in some future world, where all male user agents that are decryption capable are capable of actually dealing with protective headers. Like this, we would love to abandon the injection of legacy. Display elements, that's the goal, because it makes things much simpler. You have to think about them, but the question is how how do we get there?

N

um If I'm composing a message, how do I decide whether I need to put in a legacy to play or not? um The draft? Currently is silent on how you make this decision. It just says the mail user agent, you know, sets a boolean flag when it's doing message, composition uh do. I include legacy or not, um and the guidance in the draft I think currently says you know if you don't know, just set it to true and carry on um so there's a couple different ways that we could get rid of legacy display elements.

N

One of them is that male user agents could respond to a general ecosystem survey. That says: hey every client, that's capable! You know.

N

If we at some point in the future, we just do a survey of all the decryption capable clients and we say um you know: can they render injected headers correctly without dealing with legacy display? We don't need the legacy to play for them and if enough of them say yes, then we update all the clients in one more round and we set legacy display to false.

N

Alternately, each recipient could try to sort of somehow signal uh that they can, that their email, user agents can render obscured injected headers and don't need the lexi display um in that case, but figuring out how to signal what specifically the signal is pretty tricky and if you look at the link at the bottom of the page here that url uh points to some discussion that we've had about what what would be some of the drawbacks of signaling? uh What are some of the things we could try to signal ways.

N

We could signal what the semantics are, um so we don't know whether this draft will contain signaling or not it will. Certainly, um it could mention that we need signaling without defining it, um but we're we haven't, made a decision within design team about how to do that.

N

N

um So one of our concerns about the legacy display elements is that we're not sure how they will interfere if they would interfere with systems that do command processing now remember legacy. Display elements only show up in encrypted messages, so this might only be relevant for an automated mail system that uses encrypted messages uh for its control channel. um That might get confused if it sees a legacy display element uh present.

N

um There are not a lot of systems that we're aware of that are out there that do this, that use email as a control channel. But if there are, you know we want to know in particular, the schloer mailing list is an encrypted mailing list that uses pgp mime, not s mime, but the systems that are described here are probably relevant for both. um So we've done some outreach to the folks who maintain uh mailing lists like schleter and mailman um bug, trackers and looking at.

N

If there's anything else, I looked at joker.com, which has an email interface control channel for the dns, but they don't actually use um any mime based encryption scheme. They just use pgp signatures inside the message body, which has all kinds of other problems, but we can't really uh solve that here anyway, folks know of automated mail systems. It would be great, as I mentioned earlier, with the test vectors to test this stuff out.

N

We're particularly concerned about legacy display elements, but we, you know we'd also like to know whether um injected headers would cause problems um on their own with any of these automated mail systems. So something worth taking a look at next slide.

N

um So for a legacy display element in text html, um the uh the definition of the legacy display element is basically that it's a div with this special class header dash protection dash legacy dash display.

N

uh We think this is relatively straightforward for composing male user agent to insert uh that is, if you're making the message and you recognize that you've got a main body- part that is of type text, html pretty straightforward, to put it in there, um and we think it's actually pretty easy for a rendering male user agent to omit this. If it needs to. We have an example of some.

N

You know, css snippet, that you could slap into your local css file for rendering uh mine parts if they are tagged appropriately, but we also are aware that you know html and emails may have some issues and if you are concerned that this, uh this div being injected might cause a problem we'd like to know about it, we haven't found any case where it does, but it doesn't mean there isn't so. We'd love any feedback from your working group on if they see this as an issue, next message: okay, so this is.

N

uh I think this is the final question that we have for the working group that is pretty tricky. This is.

N

Part of this is an issue about user interface and how we represent message headers to the user, so um the mock-up you see in this slide is a terrible user interface, but it's uh an attempt at representing some of the information that we think value vehicles will have so currently male user agents don't uh mention any um any levels of cryptographic: protection for message, headers, because there are no levels in quicker graphic protection for message headers before this draft other than the the s9 3.1, which was uh not widely implemented.

N

um We think that a male user agent may want to render and they need to know even if it doesn't render it the cryptographic status of each particular header field. That's used um so in this message. This is an example. Here you could imagine that this message was sent and the entire message all of the headers are protected by the cryptographic.

N

Signature of the message that's represented by the check mark at the top, but the subject field as with hcp minimal, uh was obscured going forward by you know so that the subject doesn't appear on the outside of the message.

N

um So you can see that in this mock-up, that's drawn with a little gold box around it with the with the the lock just like the message body itself has the the gold box in the box.

N

The question is: how does the rendering male user agent know that the header field which header fields were encrypted or which ones weren't? How does it uh does it just compare them with the outside uh message or um or do we need something else? The current text in the draft says that we mark that header field, where the cryptographic status that includes encrypted when the protected copy of the field doesn't match the unprotected copy.

N

But, as we all know, the unprotected copy of these message, header fields um can change in transit. That's why we want these cryptographic header protections and we haven't really defined what counts as a match. So, for instance, if white space changes does it count, does it mean now they're different and we should treat it as encrypted uh michael, I see you in the queue.

L

uh Michael richardson, so I I it's a your ui is not terrible. I was gonna say your example would be actually good if alice was emailing. Bob and frank and frank wasn't someone who uh knew how to validate the um the do any of this stuff right and so the subject is that frank sees is, of course, friday's dinner plans and thinks, oh, I won't go on thursday I'll go on friday um and some you know attack on him, um and so I think that's.

N

That that would be that would be an attack on the on the signature status right, which is different here, we're talking specifically about whether the header field has been successfully obscured or not. But but but I agree with you that there is a separate attack on the message. Signature and bob uh frank would need to update his mail user agent to be able to get the verification on the headers.

L

So so, but the point is I'm trying to say is that bob would get a a notice that says that the subject does not match right. That's the goal here, because bob's actually done um bob's actually done done, is validating all of this and realizes that there's something going on. Frank, of course, is oblivious to this because he's just using you know his uh some old web mail system.

L

You know from 1972 right, um but um maybe not that early, um so, but uh um so, but I was just saying that that's that's the kind of attack that you're talking about right. As you say, the unprotected copy can change.

I

L

And so you want to know what kind of what kind you say what is a match, and what are you going to do with that? If it's, if, if it just differs by some spaces, which I don't know someone some system put in in the way right.

N

Well, let me let me let me you're raising, I think, a different concern. Okay,.

L

It's a different concern all right. Thank you. That's.

N

L

N

Yeah, so the concern that you're raising says um we want to know whether the message headers uh were tampered. The outside message. Headers were tampered with, because we want to make sure that we're you know, we've got the right ones, but we want to know if the one outside was tampered with. We currently don't have any cryptographic status. That indicates that and the reason we don't have it is um because if your mail user agent can show you the correctly signed message, then it including the correctly signed headers, then it will and.

I

N

And doing the kind of debugging that says, hey somebody filled with the thing on the outside is not, I think, for normal users to to worry about right, um like if you, if you say, hey, warning this thing changed. It makes the message look even worse, when in fact you have better security properties um and people, you don't want when you're sending a message it just show up flagged just because somebody filled with it going through. The issue that this is trying to raise here is specifically about obscured headers during message description.

N

So when your message is encrypted, you might not be obscuring out the the to and the from or the date, but you are obscuring the subject so.

L

There is no, there is no, there is no, there is no clear text version of of it that that was going to see anyway, because it's obscured right. I get it. Okay,.

N

Right and in particular the um the concern here is, if the sender obscures the subject by replacing it with the square bracket, dot dot square bracket, which is the recommended, you know http minimal mechanism, then obviously the subject has actually been protected, because the only thing on the outside of the message is a dot dot dot, but it could be that the sender did not obscure the subject at all. Maybe they used some sort of hcp null. That's like hey we're.

N

You know we're going to protect everything from signature wise, but we're not going to bother obscuring anything but some outside male user agent injected. You know star star spam, star star in the subject line, and now they differ right or it re-wrapped the subject line now they differ. Do we claim, then, that it changed um that that, because those things differ, it must be encrypted. You know, technically it's not a match anymore deb. I see you in the land.

I

Yeah, I know I'm in real life now, because I have to stand on my tiptoes to get to the mic again anyway. So can you re-explain what protection is on which part of the is like not not long and drawn out, but just little so the whole header is integrity. Protected, signed.

N

That's correct the way this the way this draft is specified. Basically, every single header will be wrapped by the signature layer and, of course, also wrapped by the encryption layer, but some headers may have the same value on the outside of the encryption layer as they do on the inside, but.

I

In this case, not the subject line.

N

Right and that's the that's, the recommended header confidentiality policy right. We have this header configuration this. The http in the draft says when you're composing a message. You need to decide what to do on the outside of the message. Based on what what the original message headers would have been.

I

So your question is: what happens when the unencrypted, but previously obscured, subject line does not match the original.

N

Well so in particular we're saying look when you're rendering the male user agent probably wants to know which message headers were protected with what kinds of protection they should all be signed, and some of them could be encrypted and signed, and how do you tell which ones were encrypted and signed when some of them have? I mean obviously they've all been encrypted, but some of them have also been copied to the outside. It doesn't have the same confidentiality guarantees that people expect.

I

Right so yeah, so I'm going to make a comment and then I'm going to walk away um so comment. Is that I'll tell you that, having dealt with smi messages on a daily basis that most users aren't smart enough to know the difference between signed and signed and encrypted, let alone with this sort of level of detail that we're talking about? I.

N

I

N

So so the re yes, uh so the reason that we want male user agents to be able to reason about these message. Headers this way is that when so one of them is, you could imagine some. You know expert mode thing, but we're not going to get into the expert mode thing right where, where you really do want to show this a user wants to inspect it right, you could imagine that most people will never use it. As you described.

I

There's three of them by the way people.

N

Sorry uh there might be four, you know there might even.

L

I

I don't know awesome.

D

Devil in this room and.

N

N

But the mail user agent might want to know which message headers uh had this kind of protection, because it might be relevant for uh for dealing with the message. For example, when I reply it might be worthwhile for somebody who's implementing a message- a male user agent, to know that when they're replying, these headers had been obscured previously, and we would like to keep obscuring them.

I

Yeah I agree. I just think this is um mostly ridiculously complicated for the regular user.

N

Note I totally agree the only reason that I I've presented this in the user interface here, uh so people can see the kind of thing that we're talking about, but I generally agree that we do not want to present this to the to the regular user, but we do think that male user agents need to be able to reason about which headers had what level of protection yeah, and so this is so.

N

The question here is when the mail user agent is reasoning about the header fields, how does it determine that this header field was encrypted? That is actually confidential or not, and the text currently says when it doesn't match the unprotected copy, but the trouble is. We know that the outside copy can change in transit, go ahead, aaron.

Q

uh Hi aaron, um why? If, if this is intended for machine, why don't we put it into the encrypted header into like a signaling mechanism or something like? Why don't we just say I don't know encrypted subject, even just true or one actually.

D

To what uh is in the draft, there is a record of which header fields were obscured and which one wore yeah. You know preserve.

E

Q

D

I think part of the question is there: is this extra complexity that goes into you know the an extra side, a couple of headers that will go uh into the encrypted part and you know, will people implement? I think that's kind of where dkj was going with this I mean.

Q

Yeah really, the extra complexity adds, adds complexity on the center side, but this makes it so much easier for like machines to reason about it because, like the using untrusted data, I'm not the biggest fan of this idea. Yeah right.

N

Yep, so if you take a look at the git lab issues, 25 and 26, there's actually a proposal, that's very much along the lines of what you're recommending aaron. So I appreciate you taking a look at that and see um if you think it makes sense for you, that's sort of the conclusion I came to as well, but I wanted to raise it to the group. So we could hear your suggestions.

N

J

So one of the things we were actually pointing out there saying that it's actually for the many users email uh application to know which headers are you know encrypted, and so is that you were saying. Okay, if somebody something was like the subject, header was obscured with not with the dot dot dot, but nothing here and you are replying it. Do you actually want to keep the you know the previous unobscured version that that was clear or do you actually want to?

J

You know, uh create a new one or do you want to, and you of course, don't want to take the real subject here or encrypted subject here I put in outside so.

I

J

I think actually and of course we're talking about. Yes, we don't not talk about user interfaces, but we actually are talking about to the implementers who are implementing these things and if we don't give a clear instructions to the implementer saying that don't do this, do that and follow these rules. They are not going to be they're going to be inventing their owns and which means we're probably going to have a mixed issues again when somebody says something else, and somebody does some other male implementation that then we have a legacy legacy legacy display.

J

That shows you that the subject that was in legacy display because somebody did implemented it wrong. So I think we have to be very you know strict on rules. How do we actually say we are talking about now with everything trying to get new implementations to follow our rules, so let's make them very strict on what they say that do this? Don't try to do anything else.

D

I I think, if I can interject this discussion also makes me think that yeah, if we, we probably should just decide on rules and make make them clear, and if we do clear rules, then people will implement them correctly. If we'll allow a lot of leeway, then they will be secondary, interesting side effects and bugs. So actually, I think dkg. This discussion just convinced me that your proposal is right.

J

And completely unrelated to this issue, but actually more generic on this area. There isn't this group of mob, which is a messaging multiverb or whatever it has a joke.

I

J

Fail wrecking- and I think this is something that would be probably more- you know in scope with their stuff what they are doing. There's lots of you know: mail, vendors, there's there's you know this kind of uh people who actually write the mail clients and actually write the uh mass mail, mailing software and probably sending encrypted stuff banks and so on. So I would actually recommend actually taking some of these things and try to get it in present in the air or something like that.

J

I think the next meeting is in london in june, or something like that.

D

Well, that's very convenient considering that I'm local um yeah, that's a good point really.

N

Thank you for that suggestion. I think that's a good one that we should definitely give the mog folks a heads up, at least that that something like this might be coming um so that you know we can see how to work with them.

N

um So yeah uh feedback on uh on the mailing list, feedback on the get lab issues uh with these things would be would be great. I think there's one more slide, but I think it just says questions on it. So um I appreciate the engagement and and discussion from the group here.

C

N

C

Design team for for really digging into this over the last uh meeting cycle looks like we have. uh The ask at itf. 112 was give the group a straw man to shoot at you've done just that. So thank you very much and I'm looking forward to a robust discussion on the mail list. At this point.

C

E

C

Questions before we move to the next presentation.

C

um I believe you're not going to talk about the eda email guidance.

N

There, so I I'll give you just a brief overview. I don't have slides for the e2 email guidance. There's been one update since the last one, which was just uh defining a set of headers as being user facing which just lists things like subject from to date cc, which are typically presented to the user, as opposed to the other message. Headers um that that definition of uh you know what is presented to the users directly is useful, turns out to be useful in the cryptographic in the header protection document. We haven't done much else.

N

um I am actively reaching out to mail user agents and systems that are used to doing uh you know cryptographic end-to-end protection in particular. um Well, different values are different implementers, I'm reaching out to them privately to ask them for their feedback and thoughts on the end-to-end male guidance. So hopefully we'll see some more action on that on the next cycle, but that's it for that draft. Unless anybody has any comments on it,.

C

Okay, thank you. um Thanks now we're moving to the uh under consideration for adoption discussion. There's a lot here. um The first one is uh michael richardson with the rfc uh 70 30 csr adders.

D

This microphone is.

L

Actually kind of yeah, we should switch them for you. You do you want to give me. uh Do you want to give me that um you want to try that see if it works this time?

L

Probably not you, okay and you find my name and click on it and hover and whole hover you the whole hover interface is really ridiculous.

L

No there we go yeah, okay, so um yeah, so it's a terrible name, so please suggest a better name, um and uh that would be that's the most important ask right now um so uh story so far, so uh we had a conversation, probably last summer, probably at the this meeting last uh summer we wound up with a virtual interim meeting at the end of august to talk about this problem um and I put the links there. If you don't know about it, they're recorded um the uh and we formed a design team.

L

We'll tell you a little bit what the problem is there, but that's the story so far, um and we don't have a lot of progress in this, but I'm going to talk about what what we we have uh done. um So the fundamental problem does that work, yeah, okay, so this is your viewer viewer caution thing uh there. um The fundamental problem is that it turns out that a number of us, uh particularly in the animal working group, uh made a red rfc 7030. We thought.

L

Oh, this is uh some asn1 that we don't quite understand so, we'll just we think it means this, and so we proceeded on that. That uh that basis, um max pritikin, who is one of the authors of rc8995 and of 70 30, um was among those who believed that we were correct and and behold we were not correct.

L

um The sn1 did not do what we thought it did um and so now they're having a conversation of what's going on fundamentally what we need to be able to do as a an est client in anima, but in other things as well is we need to be have the the registration authority say- and this is the subject- alt name that you shall use and any other name that you use will be uh stricken from the record. Okay, so please request it.

L

Please put it in the in your csr request and that that's how it's going to work, um and it turns out that we can't do that. We can say things. Things like um please use uh curve123 without specifying the actual value of the public key and we can say a whole bunch of things like that about that kind of thing. But we can't actually say- and you will put this value in the attribute you request.

L

So how are we going to do that? So one way is the the kind of simplest way right now we have a a sequence of attribute or oid, and you get this choice, o id or attribute, and uh this part in the middle here I don't want to use my hand because people remotely won't see it, but the part in black in the middle. That's, what's there right now.

L

I renamed that x, type and x attribute simply because uh in this slide to to make it uh less confusing, to repeat the same words um and that's what we have right now and we seem to believe you see it's it's it's non-trivial amount of asn 1. um and we seem to believe that the x x attribute actually would allow us to put a value in there and we actually wrote code that did that and well it interoperated, but it's wrong. Okay.

L

So this is the simplest version. The simplest version, I think, is that we add a new choice, the top which has a value, and then we have this new structure at the bottom, which you see now has three three elements in it and uh there's a thing in the bottom, which is put the value that you want and I think that's an octet string in the end. But uh I am not qualified to say that for sure.

L

um So that's one version. Okay- and this is this- is essentially um a conversation. Another mailing list is whether it was upwards compatible or backwards compatible. But uh what I know is that if you, if you, if you ask for if someone comes along and asks for uh the expects, the old response and gets this, that they will be successfully able to skip it and ignore it and not understand it, which may make them fail to interoperate to accomplish their goals, but they shouldn't blow up. um So that's that's uh uh one part of it.

L

So this is option a okay, and this would make this essentially uh is a superset of what we do now. So everything that's out there deployed right now would continue to be compliant to this without having to do any other other changes.

L

For me, what oh sean go ahead, yeah.

O

The end I just I just want to say that I think we're putting a lot of stock in the rationale that you have and the example in 70 30 did not include a value in the attribute. I think we should. I think we should just fix that. If you look at the the thing where you can put a value in where the x, the uh attribute thing that you have like, there's csr, adders, adder or oid or attribute what we didn't do to the example was a value for the for the attribute.

O

We should just fix that example and call it a day.

L

Go back for a moment. I think that what you're saying is that our interpretation of the asn1 was maybe correct, and that we just is that that what you're saying.

O

I'm thinking it's right, we just the example was just wrong because it's got an at so you have for the oid. Obviously you just include the oid for the attribute. What you're saying is you want to provide an attribute value back to the client to use right the example of 70 30 for the attribute just included in the light, and not the value which is incorrect asm1.

O

So the example is wrong. Okay,.

L

So you're saying that okay, uh this is also a good, a good result. I'm perfectly happy with that. It's not.

O

Right because because because technically, if you look at it, you set the type the value. If you define an attribute that has no value, you would just send an oid, but most attributes have some kind of value. So you would include the actual value so.

L

um Here's here's the, I believe the example that may contradict what you're saying, um which is that you, the type might be the algorithm yeah. The value now is the name of the algorithm, like you know, uh esd, cdsa or es256 right. But at no point do you include the public key, which is the value of that thing.

O

Right well, if you need to do that, then, if you needed, if you need to include um something, that's not defined, you define a new attribute and use that okay, so.

L

If you want to, if you.

O

Want to yeah, if you want to slam a subject public key in there define an attribute that is subject: public key and slam it in there and there you go.

L

Okay, so that would be the solution if you needed to do that, that's not what we need to do, but but.

O

L

Yeah? Okay, I guess yeah.

O

L

uh uh uh So I I'm gonna engage you on the list with with the example that I have for my code. Okay- and I I'd really appreciate it. If you could, you could say that you in fact believe it follows this. The a I.

O

Mean it's there. It does because in fact there is another rfc that is defined. That is used this way um it, which is you know, rfc 8295. So it's it's. I wanted to provide an entire pki data back to the um client using est and I define it there's an attribute, that's defined for that and pkcs whatever it is. I can't remember the value it's like a pks pdu, so you can slam the whole thing in there and you can include whatever values you you want. You can actually give the whole csr.

O

You want the client to fire back to you.

L

Okay, dan did you want to add something here at this point and.

O

I see I see that dan is there, so I just want to make sure that you know, because he was one of the authors.

P

Yeah thanks so sean. You said that the example is wrong. So can you explain why they what's what's wrong? In the example, let me get the.

O

Let me get to that draft. If you look at.

P

The example has an order for challenge password and then it has an attribute of extension request and it's requesting the mac address of the client and then an attribute of of ec public key and it says, use p384.

L

But at no point does it provide the challenge password, no right which is which is, which would be something that maybe someone wants to do. But s tells you what the challenge password should be. It's the it's important yeah, it's the something else, the tls so.

O

What I'm saying is that, in the examples that are in section four, whatever that there's there's one for just an oid and so you're right, you just provide the challenge password, but that's the only order, you're just providing an oid which is saying I'm not giving you the value. If you want to provide the the value, you would send the challenge password attribute type where the value.

O

I think that the examples in the draft and that asn 1 sequence blob, if you decode that I think it doesn't actually include the value for like mac address, that's correct.

O

Right so I think what that example needs to have some value set for mac address and whether it's a dummy value actually included value for shipping it back. I think that's what should happen as opposed to going off and defining another choice.

C

I think sean needs to join the design team. I I would agree.

O

Okay, all right I've been volunteered and I'm willing to do that. All right.

L

So so I'm just going to skip through the next slide, to tell you what I think, we've just decided not to do okay, um so the other choice was to basically make do something new, maybe even put it at a new end, a new uh uh end point, so you wouldn't say slash csr attributes, but csr, better attributes or whatever, and we would return a completely different thing and uh the suggestion we had was actually that you know.

L

Maybe these are the three things that we care about, having values for and that if there were more, they would be added later with a new document, not necessarily by uh by an ayanna or anything. So I think we've just decided that we're not doing this. Does anyone disagree with that?

L

I'm very happy not to do this, so that means less. I think my code may require no changes, which is even makes me even more happy there, and that was it. So that was the discussion. This is a squirrel. I saw last summer all running any other comments.

L

No okay, sean! You will receive email about this, so you gave him the bag I'll.

O

I'll be there I'm just saying if I get donuts from tim hortons.

L

I did not give this girl the bag. The squirrel in fact stood in the line and got his own stuff, just just to clarify that you know.

C

Okay, great, uh I will.

L

I will bring, I will bring sean donuts in july. There you go.

I

I'm not in the queue sean did you throw out 82.95.

G

Q

Good, I know what that is.

C

Great uh glad to see we're making progress, uh although it's uh it seems like you might be changing directions a little bit. The next uh presentation is about post quantum keys or quantum safe keys and I'm not sure who's, doing the presentation of the of the people on the draft.

D

This is the right route. This is the nist one. The lamps nest.

C

Because, oh okay, it's mike osborne who's gonna! Do it.

D

Sorry I was just trying to get because the the list of documents doesn't have titles from the documents, and them it has. File names which is this was, is a quantum safe keys.

C

Okay, uh I thought I saw there, he is.

R

C

Everyone, this is my.

R

First, ietf meeting, so it's a pleasure to meet everybody and um unless I understand a bit, how things work here closer to the mic? Okay, okay, just uh um just to say it was it's my first, uh my first meeting here so we um we've been working in this area for a while, um it's going to go into, um let's say: maybe we go to the first slide essentially, so this is a piece of collaborative work. um Around post-quantum crypto we've been very active in this domain uh with with some uh collaborators.

R

um The challenge that we've seen is that the um nist, when they were looking at standardizing this and the round three or the fine this should be announced this week. Is they really haven't looked very much into how keys are serialized for the competition? It was just required to have a a single blob. That was what the api required, and so there wasn't really much thought put into um managing.

R

um You know how keys are serialized and identified, and things like this. um It's kind of a lot of people have picked up on it to say: okay, for example, you can I um not having to look at the keys and just identify it with oit. It's very nice. You know there's no more passing of keys. It's simple, um however. The there are problems with that. Sound sounds really nice in theory, but I'll come on to why? That's! That's! uh That's not not a very good practice.

R

um If we look at the structures of keys, so keys um they're, it's an implicit structure. Now um that's going to depend on whichever of the algorithm strengths is selected, which uh version of their algorithm have been lots of versions already going through the different rounds, um and there are a number of hardware related um alternatives proposed. So you can as a there's a lot of um just a lot of different algorithms that you would have different ids.

R

That will need to be tied to some form of keef key format, um so lots of variants, if you start tying those variants to hybrid schemes, it's just a combinatorial explosion. So we also look at open quantum safe. We have a test server up with over a thousand hybrid uh quantum, safe and and classical key formats, and that's only a fraction of the ones we could have implemented so um and we have lots of problems with interrupt testing just because these things are evolving.

R

These things are in the field and we just need to figure out how to manage the complexity. You can go to the next slide. Please, as I mentioned it's nice in theory, to have uh an implicit key format tied to an oid, um because um people who design algorithms that they they're all security, then they say: okay, there's no passing involved. You remove all of the passing um vulnerabilities that you can build in um you know in practice, as I mentioned, these algorithms are deployed, we've been deploying quantum safe algorithms for over three four years.

R

Now we see that legacy systems simply do not support the size of the keys for many of the new schemes. This is for. In our example, I work for a large, um ibm, large machine manufacturer. Our largest platform cannot support this, even the smaller sets of keys for um for a lot of the algorithms.

R

So, there's a lot a lot of legacy out there, which is just gonna struggle, so um so, and it's this aspect of getting keys safely to algorithm engines, which is kind of not really looked at from an algorithm design perspective, but from a secure implementation.

R

Perspective is really important and that's where most of the problems are so actually most of the schemes proposed and this they they detail compression schemes so in a very unstructured way, um and we've just found in practice that these schemes are required, so um so we're trying to avoid a bit the mistakes in in the past. I understand it's very compelling oid key format very simple, but we know that we're going to have to compress keys.

R

We know that they're going to be evolutions of algorithms, and so what we're trying to do is design a format that that handles that complexity in the future. Rather than take the simple option and then just add, then these exceptions as and when they come. That's a bit. The problem- that's happened in the past, with with other algorithms, you can go to the next slide. Please yeah.

D

Would you like to take questions now or by the end? Well,.

R

However, however, it works process-wise. This is my first meeting, so it's.

D

Your choice basically.

R

D

To take you now, there are four people in the queue.

R

L

Michael richardson here so um so you're telling me that, basically um you, if I, if I, if I present a certificate to some systems that they just blow up, because it's just too big for them, is that what you said.

R

Actually more on the private key side, so probably.

L

R

Some there are some compression schemes for the public key, but absolutely yeah.

L

Okay, I wonder if we should just start issuing certificates. You know with some bogus extension that has a megabyte of random data in it. Just just to kind of you know.

D

To test out something to.

L

Grease out the systems and see who's going to blow up and kind of.

I

Present some stuff.

L

Like that, that would that would break some things intentionally. That's exactly.

R

What some experiments have been done by certain companies? They have, actually, you know, just put some junk in it exactly to.

L

R

Things in the internet break exactly.

L

But that you're talking about private keys- and I think that you're now, as I understand you're now really talking about about hosts or systems talking to their cryptographic engines their physical hardware engines, they can't even get the private key across that interface. Well,.

R

Essentially, if you want safe algorithms, you need to get the keys safely to them right.

I

R

Essentially, so there's no point having very strong algorithms. Unless you you manage the key and.

L

Those interfaces which I think are somewhat hardware, are breaking as well as what I think you said absolutely.

R

Okay, so also lots of protocols any any protocol where you need to transport keys, any any kind of like internal framing mechanisms for key movements anytime, you want to use uh okay, whatever this.

S

R

A whole just a whole lot of legacy, which is going to be very challenged purely with quantum safety, let alone hybrid, related things. Okay, sean.

O

Okay, so one of the problems that uh ended up happening with compressed keys before was that there was ipr. I assume that there is no ipr with respect to any of the schemes that you're proposing.

R

So um let's say we we're contributing to some of the candidates and most of the candidates. Certainly the ones we propose to are all ipr free. So it's less about the compression schemes, it's more about marking uh or, let's say the the framing of keys or let's say the the um you know being able to identify when you have a compressed key and things like this. It's not not how these things are compressed more, how they are communicated that we're concentrated on, but certainly what the the the key compression.

R

I think that's a that's a decision for nist at the end of the day which, um in terms of.

O

R

O

I think I think I think nist is. I just want to say that the last time that this came out was for elliptic curve stuff and one of the reasons why no one would touch it was because we couldn't get good terms, and so I think, if we're going to adopt a scheme, we just have to make sure that we understand that there is. There isn't, and I think what you're saying is: it's not my problem, it's whatever.

O

Whatever agreement, this comes up with the competitors and that's great thanks.

R

Actually, what I'm saying is important to be able to manage compressed keys. You know whether or not um which which schemes and which compression techniques are used. That's something else.

S

Yeah, I'm not sure this is the right way to go. um The most of the schemes that have some compressed alternative are different schemes. They are not compatible with the uncompressed version. You can sometimes do all sorts of things with secret keys, where you pre-compute some stuff. You can expand the lithium's matrix, but that's all on the secret key side, and I don't see why you would need that for public key representation.

S

R

So there's a couple of there are a couple of schemes that have public.

S

R

But this is more essentially about from uh more related to the private key and being able to identify essentially what key um yeah. So it's more than about the management of the private keys that this is.

S

Okay, then, you also still need to be careful that, like uh the compressed variants of rainbow, I mean rainbow's dead now, but the compressed variants are not the same scheme as the.

R

Yes, of course, but the schemes which currently look- and this are looking at the compressed alternatives to those what exception of rainbow is. They are just artifacts of how you can compress the keys in in a way that is compatible with an uncompressed one. So you have a trade, a trade-off with key expansion versus um key size.

S

uh And then the other thing I expect all the non-uh sha-3 variants to be murdered by nist. Very soon I have the understanding that none of the um submitters intended for any of the aes or shadow variants to actually get standardized.

R

um There's two things: one's being standardized ones being used, so there are a lot of schemes, including rainbow, for example, was already being used, but and also dilithium and kaiba. They are used already in a number of industries things. This is a bit the problem that you have with anything that's about to be standardized, because standardization takes a long time. They still they start to be used.

R

You start creating legacy, then, in order to manage complexity, you you end up with standards which are very, um very evolve very awkwardly. So what we're trying to do here is let's say for this aspect. Look at. We know. What's coming that, we will need to use these compressed keys which take out of the equation. It's really about how to manage those appropriately and and safely.

S

R

S

Yeah one last question with regards to: if you, the symmetric, primitive, that use inside really makes obviously all the test sectors difference, etc. So that's a different algorithm. What is the problem with just assigning more oids.

R

The size, the size purely in size, even it's it's uh so one- is managing the um the uh what the no id actually references to um the other one is, then, how you handle and manage um non-expanded key formats, how you actually manage and understand what you have?

R

Okay by the way we just want to, let's say, reduce complexity, around passing of um of private keys.

N

uh So thanks for bringing us to the group, this is daniel gilmore. um So it sounds to me like this is just about private keys right, we're you're in this presentation. You are not talking about trying to represent public keys at all here that the main concern you have here is about private key representation. Is that right.

R

Exactly it's more so the focus is really on managing complexity and it's really uh focus exactly more on the private key side of things. Yeah right.

N

So so yeah it's useful to have that clear, because otherwise we're going to have people going off about public keys.

I

As well, okay, maybe.

N

An issue, but we can, we can tackle it separately. So my question, for you is this: if an implementation is choking on, uh seek private keys that are too large, presumably that implementation doesn't even have an implementation for uh private key for that algorithm because it can't because the key is too large.

N

So where is the issue with just saying when you know, when you're ready to handle keys of algorithm x, make sure you can handle keys of the appropriate size for algorithm x.

N

As long as there's an upgrade to handle algorithm x, presumably that upgrade, you also tackle the parsing structures that have hard-coded limits and extend those hard-coded limits. What why is that.

R

Because there's a lot of legacy.

N

R

Able to handle the the uncompressed keys.

N

So you're saying that there's like a part you're concerned about parsing layers that are uh algorithm agnostic.

R

N

The identification.

R

And management thereof, so at the end of the day, one of the goals is, is essentially to provide the smoothest path for a transition to a quantum safe future, and that essentially means um in some ways it's also the widest adoption.

R

And if I look on the systems that we've, we that we have worked on is essentially there are the there are limits which make it very difficult to expand certain system parameters to handle private keys. So it means, if you can't do that, then um you are, you are, was maybe one um of the nist alternative.

R

Quantum safe algorithms will be used, but it will prevent a a lot of systems from being able to use um quantum safe, crypto.

N

Can you identify the specific parsing layer uh limits that you guys have run into? I mean it sounds like that you're talking about a parsing layer that is independent of the algorithm implementation.

R

Yeah, it's less the passing layer. So essentially, if you need to transport a key to to an algorithm engine, somehow I mean yeah at some point.

I

R

Have to it's, it's any framing any protocol where you're actually moving that key, essentially wrapped or unwrapped or whatever it's.

N

um Can you identify one of the implementations that has these limits just so I can get a better sense of the kind of limit you're talking about like. Is this like open, ssl issue? Is it a uh nss issue.

R

um It's it's anywhere, where you're kind of using slightly slightly more secure methods when you're not just using a file to save the key somewhere, so um um yeah, it's any um without going to.

R

Maybe we can respond with a list of systems that we've come across. That.

N

Would be great, I think I think, having a concrete list to look at would would help to characterize this, because I I don't fully understand the problem without looking at some examples. I think.

G

B

P

uh You said that you were worried about legacy systems not being able to handle these keys, but legacy systems aren't going to be speaking a pqc algorithm anyway. So why? Why do you care that they can't get well.

R

Legacy platforms, I mean legacy platforms, not systems, so so, essentially any uh if you build platforms or you build, you know systems that actually you can't actually um manage keys just, but just because, um because they're too large for the parameters of of the systems and the protocols you've used um I'll give you an example: I've got a mainframe platform. Yeah sounds like a very large platform. um So um there's a lot of keys. You just can't use just because you can't transport them securely, they're too large, outside of the design characteristics.

R

So if you want for an existing platform or or or that's a um edi system, or something like this, where you do need to transport keys around and um isn't that platform, gonna have to be changed to.

P

R

That's the point: no, not if you use compressed keys, if you use compressed keys, then you trade off the size of the key with the ability to actually uh uncompress it or regenerate it.

R

So it just means that you're able to a lot of legacy a lot of systems where you, where the uncompressed keys you can't fit you could, then you can use quantum quantum safe algorithms.

R

All right, we have any more questions. Oh.

D

No nobody in the queue at the moment, so, okay, yeah.

R

R

Yeah, so that's the goal. Essentially, I mean we've seen how difficult it is in in in applications, and it's really about making sure that um the pqc or quantum safe algorithms can be used by the largest number of applications, and um that's a very gonna mean a lot of them are going to need to use either schemes with very small keys and there's only really one and or use compressed keys.

R

um The other thing is a lot of this or, as part of this nccoe effort to sort of facilitate the migration to quantum safe schemes.

R

um If we, if things tend to happen, sequentially and in an uncontrolled way, so um actually the more that we kind of experience what we've been doing essentially experimenting with interoperability and understanding how to use these things in real systems, the more we can do in parallel, which is why we kind of it's a bit early.

R

A lot of people said why don't you wait until the to the final in this selection and then and then work on this, and that's because actually there are some things um that have fed back into the the different schemes so, for example, uh in in this piece of work.

R

um So it's it's really just about make widening the aperture for for four systems to become quantum safe. Actually, um the approach is really just to think about the complexity ahead of time, not go for the easy case and then add stuff on when when things don't fit um the um so it's really about um also, there are various ways to actually um to come up with oids, for uh so how you create oids.

R

So so, in terms of you know whether the whole parameter set gets represented by a key or not, I mean with these uh with with certain of the lattice schemes. They are that they are matrix, so you can actually put the matrix sizes in the in the oids and things to simplify, um essentially just to simplify stuff um and then um the so. This is the identification algorithm approach and then the high level um just the high level api considerations.

R

Essentially the optional choices recommendations for when you would want to use a compressed key format and when, when, when not what the trade-offs are stuff like this. So so generally, a kind of like a guideline for um the the usage of of of private keys in um in in in a kind of a future-proof way for for for next generation. um Algorithms.

R

Go to the next slide, please.

R

I think this just kind of like says how or suggests how we think we can arrive at such a scheme, so it's kind of whether this is in informatory or whatever.

R

Just I think um it's not something that that there's a got a lot of wide uh visibility just because a lot of companies have been waiting for some fine on this standards, essentially so the problems around private keys, um this thing with interoperability and stuff, so we've already had some new numerous interoperability challenges because as algorithm evolves, obviously the private key formats evolve and if you can't manage the transition so so say we have to tweak a parameter because of a security breakthrough, for example, in rainbow, then we we have to sort of tweak the keys, uh the algorithm a bit, which means the keys change so yeah in some systems.

R

If you're using the older keys, you might want the ability to migrate to the using the new algorithm, but with the old key. That's that's very difficult. It's very messy and complicated if it's just an in an implicit serialized blob. um We have shared this with the cryptographic community. We have um received feedback from a lot of the ski mortars.

R

We are ourselves authors of some schemes um and the approach has already um identified a number of challenges or caused actually some of the specifications to be updated because they weren't particularly clear in um in in in the formats of private keys. So it's it's already a couple of years old, this this work and I think we're just looking for the best uh place to give it to to sort of help help the community with awareness in this area.

R

um I think next slide, please, and so um in terms of what, if you need a structure to be able to manage things like uncompressed and uncompressed? It's what does that structure? Look like what? What are the trade-offs when it comes to complexity in passing, obviously we want anything that needs to be specified needs to reduce any uh potential vulnerabilities.

R

um So that's a debate because there's many ways to do that. um There is complexity, it's just a question. At the end of the day where you want to manage it, um you can't ignore it. It's a lot of alignment with other activities.

R

The whole set of separate questions around hybrid, which just amplifies the problem, essentially um um yeah and then um there's things like, as I mentioned, scope adjustment as soon as we've we've.

R

Originally, we created a document for all of the nist round three finalists and all the alternatives and um happy to debate what scope or what what else should be in there in terms of there will likely be um schemes which drop out um when things are announced next week there will be alternate schemes brought forward for round four, so um all things are happy to discuss what makes sense what what what best serves industry in terms of having some clarity going forward about how how keys should be managed private keys, private keys should be managed.

R

That was all I wanted to say. I think that was the last slide.

R

And let's see as a question, I guess.

N

I think uh I'm in the key here this is daniel, um so uh I had one other question that I think wasn't actually covered here, which is whether you are looking at stateful signature schemes as well.

N

It seems to me that stateful signature schemes would require even more infrastructural overhaul than just expanding key fields. uh Key sizes right are: are we excluding stateful schemes from this? Because, if staples are included, then it seems like there's gonna, whatever transport, uh uh you know, plug-in mechanisms we're talking about are going to need an overhaul anyway, right.

R

That's correct: that's a scope question! So again, that's up for up for debate or discussion. uh It's um there are a lot of complexities because of you know the feedback mechanism when keys are used uh you're, absolutely right. um It is another layer of com, complexity, state we're using stateful um um hash based signatures, but really open to whether if they should be in here or not, it's kind.

N

Of uh so so, my observation is just that if you're gonna be dealing with a system overhaul for stateful signatures, then surely that happens at the same layer that widening the field for secret keys or private keys would be done, and this strikes me as injecting a fair amount of complexity into the overall interoperable ecosystem.

N

For the sake of not touching a few uh uh implementation layers um just to widen, to widen the width of whatever you know, wherever those limits happen to be, and if you're going to have to why you know tamper with those infrastructure layers to handle stateful keys as well, then I I would prefer to have less complexity in the interop part of the systems. That's just my observation.

R

Yeah, yes, yeah complexity will come like I said the aim is, is to manage it, you can't ignore it and it's a very good point with the stateful hash it, because this is um this adds a really very different level of complexity. So this again is a scope thing very, very happy to sort of um have that debate. What what you think makes sense, but you will not get away from complexity, because systems will need compressed keys.

R

It's really that simple question is when you, when you, when you face the problem, whether you're trying to manage um manage it up front how it should evolve or or you kind of evolve, as as these things come up. That's all it is that discussion.

C

F

Yes, uh hello, everybody, so maybe that's my first attendance to the meeting so hello, everybody, I'm julian pratt, I'm working for kryptonite security, so dealing mainly with quantum safe algorithms, and my question is about um the opportunity of defining all the compression formats because I get. I think that there are as many compression as there are implementations.

F

So isn't it a little bit tricky to try to be exhaustive and to define the parameters?

F

Well, as you made in your draft rfc, I mean with many details uh because I think that there will be more tricks that will come later and I think it's more a kind of the work of nice to define the key format than our work. I guess.

R

No, actually, we spoke to this and they suggested here.

R

Yeah but it's again a scope thing, so we also believe that compression mechanisms parameters will evolve.

R

So how are you going to manage that you, just at the end of the day, with that, with a million oids and and sort of a million different um specifications to go and look at that's one way of doing it, but if you don't think it's a good way yeah, so you've got to start somewhere, it's just again, so just how how you want to manage the complexity going forward for something that is complex just because things are much larger things um are evolving.

R

You know that's how it's just an attempt to help um manage that journey going forward and what you're talking about is scope. So, in terms of when things change, what to do when things change, I mean the point is that round two algorithms around three algorithms are already in the field and being used. So so it's kind of these things already need to be managed by the organizations that have rolled these out so um then comes along a a kind of the nist standard.

R

Then they'll, be probably, uh I suspect, there'll be some changes in the parameters, so that'll be another one and it's kind of, and I suspect after that, all you need is a is something like a breakthrough on rainbow where the lower parameter, lower strength, algorithms get broken, and then you need to ratchet things up so they'll change and that's kind of um just gonna, just gonna amp. Unless you manage it, it's gonna be difficult. That's all. I think we're trying to communicate.

C

Okay, uh scott.

T

uh Okay, okay uh about stateful: this is scott floor. uh About stateful base uh uh is a moving key uh private keys for stateful based signatures. uh That requires a and a whole bunch of other problems which need be addressed. I believe this is way out of scope for this draft. It would actually somebody would have to sit down and work out all those issues uh separately, totally independent work. Thank you.

R

Yeah, I I believe you, you need a protocol, you need to define protocols to manage, stateful, have signatures properly and securely, and that is not really what that is a different scope than that, at least the simple cases for the um for for the stateless themes we're looking at I I agree, but.

C

Okay, I I'm closed the queue so we're going to wrap up this presentation, continue the discussion on the mail list and try and squeeze in one more presentation in the remaining five minutes, which is sean who's, going to talk about how to put post quantum keys into certificates.

C

The it's very clear to me at this point that uh we're not going to get any further in the agenda and we'll have to schedule a virtual interim, so tim and I will uh put together some kind of a a poll to figure out when to do that and.

O

Sean over to you, so all right so hey. So this is an individual draft that I'm requesting the working group to adopt. There may be one or more of these, because this is specifying the algorithms for our sorry, the an rfc 5480 like our uh internet draft that hopefully will move to rc status, which specifies how to put um post quantum uh chem certificates uh keys in certificates. Next.

O

And so what's in this right, basically, just it's actually pretty short, um there's not a whole lot in there, because, basically, all it's specifying for the pq kim stuff is the format for the subject public key. So it says you know what oids are we're going to put in there we're not defining any we're going to take what this gives us parameters. None we're just going to use an oid to specify whatever the two security levels are. Leave it at that we're trying to learn from the complexity.

O

That was, um I think, hampered the deployment of elliptic curve, with all the options that we had we're just trying to keep it simple, um the key format, just a bit string again, if you remember the elliptic curve, had the first byte had some weird values to tell whether it was compressed or hybrid or whatever we're just gonna not expose that. Let the crypto let the crypto standard, specify that and let the crypto engine deal with it.

O

um Key usages just set one: it's only one that really applies uh get rid of everything else and again in this in this format. This is uh this: is the one key one certificate option? Next uh we got a couple of questions whether to do one or all. When I was writing this, the idea was that we were going to put all the pq chem candidates and then the last time we talked it was like.

O

Well what about all the signature candidates too panos asked me he's now, one of my co-authors, I guess that's something else I should mention is that uh I got co-authors that actually implement stuff. So it's not just me, writing it so um panos and uh jake from aws and baz from cloudflare to uh look at this stuff. um So we I we could put all of them in there. We could put one and panos is like.

O

Why did you do that, and I said well, that's kind of what we did and like one stop shop is really nice and but that's not really the the strongest of recommendations, so I think we can kind of take it to the list to decide whether we want to have one draft with all of it or multiple drafts. That would allow things to progress differently.

O

Panos has a bunch of reasons for why we might want to split them so right now it just has one and luckily missed- hopefully he's going to pick next week or by the end of next week, and we can just rev a version and put put some values quote unquote in there and we want to prohibit some key usages.

O

That's it next.

O

Next, I guess I double up the slides.

O

What do we want working group adoption? Thank you. I know that was super fast. Hopefully, deb got some of that.

C

uh So um I'm glad to to hear the use one away to define the algorithm and parameter set uh and then just put an octet string with the key in it that seems straightforward and is going to eliminate a lot of the silliness that we had um with. You know signed bits for dsa and so on um this. This, I think, is a good good thing um mike. You have uh some comments.

E

C

We're not hearing you.

C

Mike still not hearing you mike all right, so let's go to panos and see if mike can figure out his microphone problems.

U

Yeah, can you hear me okay,.

S

U

I just wanted to make the the point that you know for for one scheme per draft, because I think you know it's easier for an implementer to follow and comply. You know it's easier to review in the in the list and also you know. Camps and signatures have different uses right. So probably it's cleaner to have them separate that these were my basic arguments for cleaner one. One draft for cam one draft for signatures thanks.

C

Okay, mike we're out of time, is, did your? Does your mic work.

C

Not hearing you.

O

I should say that I know that um mike's got some other drafts in flight and flight two. We are working together to make sure that we provide uh the same answer so that what his draft specifies and what this draft specifies at least line up from.

C

We we are out of time, like I said, we'll schedule virtual interim to uh hit the rest of the agenda.

C

Thank you very much and uh clearly we have a lot more to do coming and this is expected to make their announcements by the end of the month. So we should know in the next week or so thank you very much and for those of you in vienna, safe journey home.

C

Thank you, alexi for punching the slide buttons.

F

Thank you, bye.

B

B

I have no idea.

V

S