From YouTube: IETF94-TLS-20151105-1740.webm
Description
TLS meeting session at IETF94
2015/11/05 1740
A
A
B
A
B
B
I'm the last person to recommend 6919 section 1 as a tool that we want to use in this context, but the basic choice we have here. So the problem is you've got, you got a SHA-1 signature in the chain. How do we ensure that that doesn't hang around indefinitely? How do you signal to the server that you're not willing to accept that? And the suggestion was to use signature algorithms, and since we aren't actually using it for TLS itself, we could sort of just say, well, put in signature algorithms.
B
If SHA-1 isn't there, then it's not cool to have a SHA-1 cert, otherwise, I guess. If it is there, then go up your lives and, at some point, clients can remove their signal of support for SHA-1 and servers would then know that they're not going to make any progress if they have SHA-1 in this earth. Of course, the alternative view that Victor has put out there is that signature algorithm should not dictate the chain that you advertise, the whole business of very validating the chain.
B
Is someone else's problem and servers just in what they've got anyway and we should just bout a reality as Sean pointed out and stop trying to fix this problem. So that's the two choices we have. I don't know if this is going to reopen that whole kettle of fish. I'll let the chairs sort of decide whether it's opened or not.
D
So I, it's worth observing that you were, that if, the first proposal would represent a special case for SHA-1 in the sense that the rest of specification says that, that, if you have, you know, if you say, if you see, you, I, SHA-256 certificate and the signature was only says ID for three to four, you still send it. So what you're suggesting here is that SHA-1 is a special case. Answer SHA-1.
D
B
No one. We also wanted to point out that I put this helmet this ad on the list and there were huge numbers of people saying yeah, yeah, yeah, and then Victor said no. That's my read of it. I don't know if there's anyone willing to speak for Victor at this point in time, but I'd like for someone to do that, so that we can at least have a discussion, so.
D
E
Yeah, Rich Salz. I think Victor was concerned about new existing programs dropping in a new library and all of a sudden, their existing sir author, authentic authorization change they'll just realize that can be solved by making sure you install a version of the library that changes what the default behavior is to always send, you know, the new extension, so that you can be insecure by default with absolutely no software change, just the way you install the library, so you lose the light and do it.
B
Yeah, so Martin Thomson again. I think the, the point of our trust anchors is a good one and probably should look at addressing that. We have trust anchors in the Firefox trust store that have MD5 signatures on them. They're, they're really just containers for four keys. When it comes right down to it, it doesn't really matter much what they say, so I think we have fingerprints from them in certain places so that you can check that the whole thing is has integrity, but otherwise it's, it's just a, for the purposes of chain validation.
B
It's just a container for a public key, and same applies to trust anchors in general, and if you're doing self-signed cert, then you're going to be using some other way of working out whether, whether you trust that, that particular cert, so having some sort of text in there that covers that would, would be nice, because I think we could exempt all trust anchors from all of these requirements on that basis. Of course, it's different for self-signed cert.
B
F
B
So I think, I think Russ's suggestion there was pretty solid. I like that, so, so the suggestion was, the suggestion was that the signature on a trust anchor or a self-signed certain poor, t'en right. You don't check it. Therefore, it doesn't matter what algorithm it uses; it could use rot13 signing, whatever that is.
B
F
F
G
You have mail and I kind of object to protocol documents making requirements about how the same client should act when it is in the role of relying party in, with, as a relying party that the client can decide that it doesn't trust SHA-1 signatures or MD5 signatures; that should be separate from whatever signatures the, the client accepts within CertificateVerify.
D
G
Yeah, but we're telling the server not to send such certificates on the assumption that the client won't accept them, because if the client is fine with this certificate and there's no reason for the server not to, not to send it. We're using the signature algorithms in the ClientHello as well as an indication of what algorithms the client is going to accept in certificates as well, and CertificateVerify, and I think that's the wrong approach. But to feel that everybody else is okay with it. So.
B
B
But Yoav has pointed out that there are multiple places where signature algorithms are used, some of the chain, some in the protocol itself. I'm personally, personally perfectly comfortable in conflating the two of them. I get the sense that a number of people out our and some few people are not, so that, that is why we have this consensus process.
D
This is the min the semantics of this extension since cells from point is the 50 or 40 secs, and then we had weird consensus to relax those semantics slightly to say that you could send non-conforming things if you, you can non-conforming if and only if you couldn't send the conformant thing, but like this has been where I'm done we're talking about, well, we're talking about here is, is, is removing that exception for this one case.
F
A
H
But yeah, it's worth it. It's awesome. All right, disclaimer, yeah, so, so the pointers here that I'm going to describe need more analysis. I'm hoping that by describing them I can encourage you to give them analysis and get feedback either in the room or on the list or both, so next slide, please. So: okay, actually, okay!
H
H
So, so, when we're talking about these, I want to, it's worthwhile to think about the scenario that you have the client and you have the origin that they want to talk to, and that the origin, and that you have a third party that may be caught, that will call it the gateway or the cover, that provides this, this other identity that the network traffic, someone who's monitoring the network can, can think is what you're doing, so.
H
This is not something is going to be on by default, something's going to be optional, and there will have to probably be a relationship between the cover, the gateway and the origin server in order for this to work, and the client will know about this relationship, so that's the, that's the sort of architecture that we're talking about, and so, if the client is connecting to the origin without using the cover, you'd like to be able to, I would like to be able to figure out that a cover is available for this particular site.
H
If I visit, so if I visit eckhart github com, then ecker than the server and I, and I, you know, expose myself to the network once that, that I'm going there and I do go there. Then eckert okeydoke com can say, oh, by the way, if you prefer, you can visit kitten more that github doc. You can, you can say you're visiting kitten, Mourdock, github com to the network and, and but you can still reach me if you connect to the, so in that case, kitten work is the, is the cover.
H
If you connect to the cover, then you can't tell just because you connected to the cover that anybody is behind it, right. You can't say to the cover, give me a list of all of the sites that you're covering for, because that would be problematic, because then a censor or someone who wants to surveil who's visiting bad stuff could just go to any arbitrary site and said: hey, who are you covering for, and then they could use that to figure out what everybody else is doing.
H
On the other hand, given that the client want, the client basically needs to be able to say to the, to the gateway that they're going to somewhere, that they're actually using a different site, anybody could be that client. So you sort of expect that the, anyone, including a network adversary, could probe and say, do you cover for X, and the gateway would be able to say yes, I cover for X, or it would, it would end up validating. So it's, that's hard. That's something that we're not trying to defend against.
H
H
H
H
G
H
D
Some more sore sore properly. The way to think about this is this proposal depends on having some priming information about how to interact with the covering site and that you have to learn that priming information somehow, and if you have another band way of learning yet then you're fine, but otherwise you only get. If I connect to the site and having it tell you and that's the best way, and that's the only thing we not a deal, I mean the bottom line is you're going to be connecting this guy.
F
D
C
Tonight, so when you see the covering site, is that actually something that kitten? What is that nice keys at the regular, listen I like everything else, just a hidden one, yeah.
H
H
H
You need to either omit the SNI entirely, which potentially identifies you as someone who's doing something unusual, or you need to be able to choose an SNI to expose there. That's the top two options: they're actually the same, the same scenario, and I don't, I don't believe the bullet there. I just didn't have a chance to fix it before the slides. Sorry, yeah, I don't think they're different anymore. Okay, so the last. So then the tricky part is this scenario where you say: look, I want to have a gateway arrangement.
H
The hidden service says I'm going to make an arrangement with a gateway, with a cover server that's going to act as a gateway, and the cover server provides other websites that are legitimate, but I don't, but they shouldn't get access to my traffic just because they're acting as my cover, right. The simpler scenario: it's the same server that's doing the operation, it gets access to all of the traffic, but if you're a sensitive site, you may want to say look, I'm happy to get cover from New York Times, but I'm not, but I.
H
Don't really want the New York Times to see all the information that flows through the HTTP connection, so that's the slightly more tricky one that requires a little bit more than just an sn2 know what, what to put in on an encrypted SNI. So I, I want to just make sure that people understand, if you wanted to do this with encrypted SNI and one of those top two cases, that all we need for that is a client is an encrypted client extension just says: SNI for real.
H
B
B
Going to show it and you can end up in a situation up if it's not supported where the service going to rat you back to the, to the cover, yeah. This is over. Heston has to know, yeah, and if you, if you, if you are mistaken in your belief that the cover is actually actively covering for anyone, then you will end up going to the cover. Yes, yes.
D
More specifically, what will happen is that on it, what will happen in the first degree? I distinguish these cases in the first case. What will happen actually, the first case. It may simply work, right, in the first case, you'll get a certificate and if they only write an HTTP Host header you're like actually totally fine in the arm. In the second case, in the episode on in this it, the cases are the.
D
D
No, because, because many things, many servers actually have, they have a very large such certificates, and they have a, a series of, a series of specific is the only cover some portions of the space and, depending on the SNI did exchange with different once, and so in the, so. The first case will happen is it may in fact totally, totally stinking work. In the second case, what may happen is you may get the wrong certificate and then you will get a validation error. That's, that's why they're different cases, so.
H
Yeah, so, so sorry, let me take it back, they're different, because I was misreading what that, what that one was. You just skipped ahead of the, of the, but yeah. Let's, let's skip to this. I, do you guys mind if we move to actually looking at some flows first? Do you have points that need to be helped? Yeah? Sorry, good, good, good.
H
So this is the co-tenant flow, right, where this is where the, where the, that it's the same machine, it's operating both the cover and the, and the sensitive site, the cover and the hidden site, and there's no attempt to, to protect information between the two realms. So in this case we just send our innocuous at example.com.
H
That's our cover, and, and then in the encrypted extensions we send our real SNI. The hidden server responds, and it responds with a certificate, and their certificate is for hidden.example.com, right, and now in the event that this is, that the hidden server has multiple certificates and multiple secret keys, it needs to know the certificate to send back down here, but needs to be able to decrypt the clients.
H
B
G
H
H
Would be good, no, the client's not going to distinguish between this case and the tenant end the end the end, the gateway case. The point here is to design one mechanism that works for both of them and the, and the, and the server operator can decide, but we're not going to have two separate mechanisms here. So, so, so.
H
The key point here is that the, the certificate that's used to, to calculate the handshake keys in order to decrypt the encrypted extensions belongs to the cover, and the certificate that's sent back belongs to the hidden server, and the signature over that certificate comes from the hidden server certificate. Signature, right, that's a, that's a hidden server, so I, I, I.
D
Don't want to let it you move on, but I want a nitpick this very slightly just so people out of their heads. It is not necessarily the case is desirable not to the client bill. Distinguished let this to Kate the case in the case following, and the reason is because that the client, with the client would like to be able to send 0-RTT data, and in the, in the case following, the client cannot send 0-RTT data, and in this case it will be okay if the client could, and so on.
D
D
That may, that may, and that may be the most desirable set of arrangements. I'm merely saying that in principle this system can be made to work while still doing 0-RTT, where's, the others apology cannot, that is yes, it this Center, the other version hijack 0-RTT to carry. They carry the carrier. Let's get.
H
Mean it is, it is the same server in this scenario. So, let's, let's, let's look at the next flow and then we can reason about it a little bit more clearly, right. So that's just, so here's, so here's this flow. Some of these arrows should go further across, but I don't know my LaTeX well enough to get them there.
H
Okay, so, so, so the same flow from the client, right. These come through to the gateway. The gateway can decrypt this, so the gateway gets the encrypted extensions, decrypts it and says: oh, this is going to this other server that I actually have a relationship with already, that I'm offering cover for. I don't want to be responsible for being able to see any of the traffic that goes through, but I do know that it goes to this, to this hidden server.
H
So I'm going to take this flight here and I'm going to just bump it over to the hidden server, and via some other mechanism, that might be a separate established relationship between the cover and the hidden server, I'll make sure that they're able to actually decrypt this, this encrypted extensions. This has it in the clear here to indicate that this guy won't be able to do that decryption.
H
So the hidden server gets this based on its relationship with the gateway and then turns around and sends back a ServerHello, and it's encrypted, and these are the arrows that really should go all the way through to the client. The gateway at this point is, that is actually just doing opaque traffic forwarding once it's, once it's done its initial decryption and intend on, yeah.
D
So what, what? What is the purpose of doing that? The deep know, the nice thing, the nice thing about, the very nice thing about this by the design, about their design, 0-RTT in this case, is that, is it, is it, is it the, if you're, if you're doing failed 0-RTT, it bears no relation with the hanting use if we skip over it, so all in, so the, so, if you want to send encrypted extensions merely to have garbage for the, garbage for the server's algorithm to skip over, then fine.
D
But the entire point is that this is no relationship between. Can you breathe out the slides, there's no relationship between the, between, between the 0-RTT flight, which is being consumed by the gateway, and the rest of the handshake of being consumed by the terminal server, that, that day is simply a necessary in notice, w consumed at all, yeah.
B
So this forces the hidden server to have exactly one certificate.
H
D
It absolutely does the, the, if you, if you simply, if you simply do it this way, then the only this happened is that is, is it the, is it the client, the client can sit, the client can, sorry, the hidden server can simply behave like any other TLS server and simply known as we ignore that failed 0-RTT handshake. If we do, as you suggest, then, then actually a special case logic to process Velma encrypted extensions, which is not occur with any key, recognizes.
B
D
H
There's, there's, there's two, there's two keys that are involved here, right, there's the, there's the secret key that's held by the cover server that corresponds to the server config that's in use in the 0-RTT case, and that's non key, and that cannot be provided server. The hidden server doesn't know it, and, and the cover server wouldn't want to give it to the hidden server, because then the hidden server could decrypt traffic that, with 0-RTT traffic that was sent as.
C
Clarification question, and maybe this is what Martin was saying, but the SNI growth is going from the get rid of the hidden server. Is that supposed to be innocuous? And it's not supposed to be hidden.
D
In this perspective, with, unless you have a side channel, is that the end server do not learn the true SNI, so Chester assume that the SNI is so. We can busy busy ssl alice and an accountant, so the hidden server, and so, if you want to have the hidden server, wants to switch it. You have the IP if the IP switch hit or if the side, shell.
F
H
D
D
D
D
So, so the hidden server should actually say, the hidden server should pretend that this is actually a failed 0-RTT handshake, or, or we should put early data indication in the, in the, in the cipher, I mean that the, the point is that the clot, with the that, I mean this is because 0-RTT and 1-RTT are separated, right, and Zuri like an email. It doesn't matter whether you processing the rest, a handshake, doesn't matter with you, pasta, 0-RTT data, so.
H
I actually don't, sorry, I didn't take the back. I don't think that the, that we can have the hidden server treat this as a failed 0-RTT, because the result of that is that it will send back a, the message that comes, that would come back through would be a pointer to a new server config, and the server config needs to stay the same between the client and the gateway, no.
D
D
So, and besides, that's an orthogonal question, which is in about what you said: whether it's a fail or successful 0-RTT handshake, the only the failed vs s blizzard to the engine only is I consume this data or throw it away, and so, so I mean that, so the point I'm making is, if you, if you, as Martin suggests, take those encrypted extensions and, and give them with the server in insight for attention on plain text, right, then the server can simply skip past on the way.
D
F
H
What there is is there's an established relationship between the two so that the gateway knows that it should forward things on if it gets encrypted SNI to the, to the back end, and the back end server knows that when it receives messages from the gateway that have the gateway's SNI in it, that it should go ahead and process them in this fashion. So does that mean there's an established relationship? That's not in TLS, so.
H
F
F
B
F
H
F
E
B
H
F
F
H
H
H
H
F
H
B
B
It just connects to the cover and, and then finds that, I don't know, there's a bunch of, there's a bunch of, a bunch of options later in the slide there cumshaw, then it conducts at a normal handshake that adds an encrypted extension in at 0-RTT flight that says this is the one I really want? That's correct, right, that's, that's all the client really needs to do. It does need to identify the fact that the server configuration doesn't allow for data, because if it has early data allowed in it and that's probably a right or.
H
H
B
B
B
No touching of the ClientHello, and then once it's done that, it just forwards the entire handshake to the back end. It's got no more responsibilities that distress the hidden server just needs to ignore SNI. That's all it needs to do in order to get this to work, and use the server configuration for the gateway when it went ask for.
H
B
D
D
That means it's really true, that in the previous, like two slides, that, that's really the change, right, because really you're talking to the same guy and all you're doing is giving it a hint of the right SNI, and there's no new semantics. I mean the semantics are always the same, you're talking to one person. This is different into the semantics.
D
Are now split, you're talking to, you're saying half your stuff to one guy and half the stuff to the other, so they are semantically quite different, even though the wire protocols act the same, on and I mean why possibly the same otherwise, I, otherwise is not stink. Worship is distinguishable, but I mean just could just be like abusing the bits in different ways doesn't meet, doesn't mean that white is the same semantics. So, what's.
F
Can you just clarify one thing? Obviously, there's a TCP connection from client to gateway, there's a connection from gateway to the hidden server. Is the gateway then stuck forwarding data for the hidden server forever after on that connection? Yes, okay, that's a big job for the gateway to sign up, well.
F
H
C
Jenna angle, I don't think it has to be, but that's a matter of how it can, the network that can be architected between the gateway and the hidden server. That can be forwarding that's done in the infrastructure. The load balancer knows to ship these packets out to the hidden server, typically in so shipping to the gate, right.
H
C
H
H
Not because then, because the server config ID is shared on the network, like a server config ID is visible, so you'd have to have the same server config ID, and, and then the gateway itself has to be able to decrypt the real SNI, and it, the only way that it can do the decryption is by looking at the server config ID and.
C
H
C
H
C
C
D
D
C
C
H
H
F
A
H
F
Had the same comment, because I think he may have an issue here, you sent depending on how the packet looks like, so initially the client addresses the packet to the gateway and would have those IP addresses.
H
H
F
H
Career, I mean you could do a timing attack on this. If you have, you can monitor all the traffic coming out the gateway. Okay, for sure, do you, so either the, either the hidden server can't do SNI or you have some additional side channel between the gateway and the hidden server that we're not specifying here as part of TLS. All.
F
H
F
H
H
F
H
H
D
C
D
D
Is, you know, all I want to do is hide the crowd there, and I trust those guys that basically, we supposed to hang together anyway, on and so all I'm trying to do is hide that, and we can get that, and, and that's going a lot of people, and we can get that with essentially no violence, the protocol whatsoever and no complicated reasoning about the world whatsoever, and then on, and then we have the system.
D
Don't trust this guy and, but I'm gonna make this guy go through a, jump through bunch of contortions anyway, on and so, and I feel like in most circumstances, like, I'm going to ask that guy to decrypt as well, and so, and, and I mean that I'm trying to think that's where we should cut this, should cut this and say look, I supported co-tenant case is worth doing and supporting the gateway case of specialty logic does not worth doing, so. We're really optimizing for is him not having to for the packet center, correct.
E
Hi, Rich Salz, Akamai, so I think this is sort of backwards comment from what we usually hear. I think the technique is really good and appropriate and it doesn't change any of the protocol flows, which is, I think, then the problem that's killed encrypted SNI all the time we've looked at it in the past. I think we, frankly, the slides in the presentation have done a real disservice, made it sound a little more complicate money than it really is.
E
In this case, you know, in some cases gives the cover some deniability, maybe not complete, and also allows passive observers on the outside to not know that this is going on, leveraging other aspects of the protocol. So it's kind of weird, but the protocol flow stay the same. There's one, like you said, there's one little bit that's different, and maybe seeing it written out and some better diagrams would help people feel uncomfortable with it. But I do think we should do this.
F
Into it, from Google, so to, to push back on, on Eric a little bit, this is totally complex sounding and I can't say I actually think that I have an obvious use case for this, the second gateway server flow, so I'm, I'm kind of totally happy to, to not have it from a personal perspective, but when I think about it, it seems like either way.
F
As you said, on the wire, the only change is the real SNI, and you need that for both flows, and so this seems like a total, optional implementation that someone could implement if they wanted to and actually cared about and would not necessarily need to be in a standard SSL implementation, and so I guess I see no reason why you couldn't use this as an illustrative case. But you know I have no expectation that, like, OpenSSL or something is going to support any craziness like this. So I.
H
F
H
F
What I think we're getting? It would last one, all right, quick. Mike Bishop, so going back to the question of whether it's valuable to be able to get out of the way of decryption. We had presentations at the HTTP workshop in Münster, from devs on both Varnish and HAProxy, saying that the requirement to do encryption on both sides for HTTP/2 was killing the perf, so I think there is value in the gateway being able to get out very early on the conversation, if these are two separate machines. Thank you. Gwen, I.
C
So for the future communication between the client and hidden server, it is possible to do 0-RTT if you can add more, because after that first, you know, communication, you got the hidden server's a share. So, so then, in the future possible you can do 0-RTT by adding more data, and that's what the hidden server's share. This.
H
C
C
C
F
H
You can, you can get this to work without priming in band. The only thing I would like to say is: if, if we're gonna, if we want to preserve the ability to prime in band, I see no way to do it unless the server is allowed to send something without it's an extension, without the client having sent the extension in the past. Okay.
F
A
Guys do your design team thing, you go off to do it, then we can set up like an interim, we'd like, I know it's like a week's notice or something, and then we get on the phone like for two hours injured again, and you can explain what you think it's better with slides that are better hung together or whatever it is. So we can do that, so I'm touch shoot for like mid-December sometime, right. So when we should bring or earlier, yeah.