►
From YouTube: IETF95-CURDLE-20160405-1620
Description
CURDLE meeting session at IETF95
2016/04/05 1620
A
C
D
B
B
C
B
D
B
F
B
G
H
C
B
C
I
B
J
K
K
K
B
L
B
B
B
Okay,
so
first
we
need
a
jabber
scribe
and
a
note-taker
to
note
takers,
I'm
sure
you
were
all
thinking
how
much
more
valuable
your
time
could
be
if
the
screen
one
flashing.
So
let's
make
it
more
bad,
but
everyone
else
any
O'gill
driver
scribe.
Okay,
thank
you,
kyle,
so
and
yeah,
oh
okay,
all
right!
Thank
you!
Karen.
M
N
M
M
I'm
andre
from
sizzling
this
is
just
short
presentation
what
to
do
next.
Fifty
a
dds,
a
Indiana,
SEC
X
next
line.
Please
we
have
two
drafts
there:
ed
255,
19
and
Ed
448
and
well
I'm
here,
basically
to
ask
the
booking
room
what
to
do
next,
because
we
have
free
option:
keep
them
separate,
just
drop
the
ed
448
or
merge
them.
So
if
you
have
an
opinion
on
that,
I
would
like
to
hear
it
or
we
can
just
come
so
anybody
with
opium.
M
P
P
H
M
H
S
Paul
Hoffman,
what
yo
upset
I,
don't
think
we
can
drop
it
and
some
I
think
it's
a
reasonable
thing,
as
a
fallback
I
mean
that
everyone
should
be
using
256,
but
if
something
happens,
10
20
years
from
now,
if
448
is
already
in
the
implementations,
that's
just
fine.
What
I
would
like
to
add
to
this,
though,
is
what
I
sent
to
the
mailing
list,
which
is.
I
would
like
you
to
take
out
the
descriptions
of
why
they
are
good
inside.
I
S
T
U
T
F
York,
I
would
say
I
would
not.
I
would
encourage
you
not
to
drop
for
this
ed
448,
for
the
simple
reason
that
it
will
take
us,
as
we
have
discussed
a
long
time
to
get
these
new
algorithms
out
into
the
provisioning
systems
and
other
pieces
that
are
there.
So
I
think
that
they
should
be
both
out
there.
I'd
encourage
both
choices
to
be
kept
and
to
be
kept
separate
as
they're,
so
that,
as
you
said,
we
can
begin
now
because
it
will
take
us
several
years
to
get
these
out
there.
Okay,.
M
H
R
B
F
Q
Hello
yeah
here
I
want
to
have
a
shortly
a
introduction
about
our
work
above
the
sea
for
syndication
using
ecs
RP
5
protocol.
This
work
is
mainly
be
dealt
with
in
the
zipcar,
but
I
want
to
present
here
to
draw
your
attention
and
to
collect
your
comments.
Okay,
please
next
slide
for
the
sieve,
which
is
a
popular
standard
protocol
in
which
is
used
for
the
VIP
who,
which
is
a
void
in
the
where
network
and
awareness
network
for
the
steepest
on
vacation.
Q
It
used
the
the
HTTP
digest,
authentication
as
one
option
for
users
on
occasions,
and
we
can
see
from
the
next
slides
next
slide.
Please,
and
that
is
a
short
description
about
it.
A
simple
syndication
based
on
the
HP
digest
and
we
can
see
there
is
a
challenge
and
the
response
about
HP,
digest,
authentication
and
for
the
next
slides,
the
dyson
authentication.
Then
we
can
see
the
server
will
verify
the
client
by
using
the
response,
harsh
81
82
and
the
h1.
The
most
important
key
is
the
password.
Q
So
so,
if
there
is
the
attacker,
the
attacker
can
get
the
password
just
a
bad
gastein.
So
the
next
slide
shows,
as
the
password
is
a
easy
to
use
and
low-cost,
but
but
the
most
weakness
is
that
the
passwords
not
so
secure
for
the
user
selected
password
from
from
the
88
principal
characters,
the
security
lnc.
It's
about
a
certain
bit
strings
so
would
be
correct
very
easily.
So,
based
on
that,
we
want
to
introduce
some
some
enhanced
password-based.
Q
The
authentications,
so
next
slide
shows
that
that
okay,
oh,
that
is
why
these
support
indications
now
we
can
is
because
the
the
attacker
can
just
trying
to
gasps
the
password.
So
next
slide
shows
that
there
in
the
2009
the
attribute
released
the
standard
that,
regarding
the
password
authentication
agreement,
/
coup,
which
can
can
be
divided
two
categories,
and
why
is
the
balance?
Q
B
We'll
cut
it
off
because
we
only
had
it.
We
only
had
a
couple
of
minutes.
The
intent
was
just
to
make
people
in
this
working
group
aware
that
this
other
crypto
work
was
going
on
in
the
SIP
core
working
group.
We
only
had
a
few
minutes
allocated
for
it,
so
is
it
one
more
slide
you
want
to.
Is
it
one
last
one
you
want
to
met,
bring
up.
Q
Q
That's
by
using
the
same
person,
the
client
sends
to
the
cpri
to
the
server
and
the
server
will
made
will
look
after
the
vs
DC
I
and
then
by
using
the
eche
mess
method
2
to
generate
the
pre-shared
to
generate
the
share
secrets
lay
between
the
client
and
the
server,
so
the
client
server
will
will
be.
A
client
could
be
authenticated
by
the
servers.
Ok
for
the
time
limit
in
limitations,
there
are
some
security
considerations
that
we
can.
Finally,
in
the
draft
and
I
think
ok.
O
B
Okay,
I'm
presenting
for
mark
next
alright
a
little
more
readable
than
the
note.
Well
flickering
it's
got
product.
Can
you
blow
it
up
a
bit?
I
guess
the
short
answers.
Look
at
the
slides.
There
is
a
proposal.
Oh
there
we
go
a
number
about
doing
a
new
elliptic
curve.
Key
exchange
for
ssh
number
of
proposals
of
this
slide
does
is
list
all
the
proposals
that
were
reviewed,
discussed
and
considered
in
a
group
that
included
the
implementers
and
other
interested
parties
and
I
guess.
The
question
is,
you
know
to.
B
Okay,
we
should
fix
that
number.
How
many
people
will
try
to
read
the
spec
comment
on
the
mailing
list?
Great
okay,
so
almost
a
dozen!
This
is
sort
of
the
first
concrete
use
case
of
you
know
new
elliptic
curves
in
working
group
in
one
cycle
in
cryptography
that
don't
doesn't
have
a
home
elsewhere.
So
it's
sort
of
like
right
in
our
ballpark.
Oh
this.
J
H
U
U
You
know
10
minute,
10,
minutes
or
subtract
that
if
the
server
or
client
proposes
you
a
group
that
you
don't
know
anything
about,
are
you
going
to
accept
it
or
are
you
do
know
just
to
go
on
to
say
that
okay
I've
run
this
10
minutes
and
verified
that
your
group
is
fine
and
then
evaluating
it's
okay
to
have
her?
You
know
groups
that
if
you
have,
you
know
group
that
in
your
organization
that
you
have
generated,
you
know
that
they
are
safe.
U
You
can
distribute
them
and
use
them
as
this
development
group
XD
a
spell.
But
if
you
want
to
have
you
know,
random
servers
and
quiet
talking,
I
think
it's
better
to
have
a
fixed
groups
that
are
generated
in
a
way
that
is
standardized
and-
and
you
know
you
know
that
they're
safe.
So
that's
why,
for
example,
ipsec
and
so
on,
uses
these
fixed
crews
and
the
fixed
groups
are
there?
Is
you
know
if
the
groups
are
long
enough?
There
is
no
problem
of
you
know
using
fixed
group.
U
Yes,
attacker
can
do
the
you
know,
precalculus
and
with
species
with
the
problem.
It
does
a
bit
group.
People
say
that
okay
in
couple
of
years,
they
could
do
enough,
you
know
precalculus
and
that
the
garbage
and
break
it
in
a
few
months,
but
I
mean
yeah.
If
you
can
use
the
lower
longer
groups,
okay
in
couple
of
thousand
years
they
can
do,
then
you
know
they
enough
the
pre
calculation
to
break
it
in
a
couple
of
hundred
years.
U
So
it's
not
an
issue,
so
I,
don't
think
it's
an
issue
of
using
same
groups
in
every
but
I
think
it's
actually
bad
idea
to
assume
that
the
group
that
the
other
ants
gives
you
is
safe,
always
and
I.
Assume
these
groups
14
so
on
are
actually
the
same
groups
that
I
used
to
not
be
sick
numbers
will
look
very
familiar.
R
This
is
daniel,
can
go
more
so
one
of
the
counter-arguments
servers
if
I
agree
with
Tara.
This
is
the
right
thing
to
do.
One
of
the
counter
organs
that
is
usually
given
is
a
is
a
concern
that
that
a
particular
group
might
be
compromised,
perhaps
because
of
those
because
of
these
attacks
or
that
could
be
used
across
protocols.
I
would
be
happier
if
people
were
using
distinct
groups
or
distinct
protocols.
S
No
slide
in
and
very
little
content,
so
my
the
concern
I
brought
up
on
the
list
about
this
of.
Why
are
we
having
two
sizes
of
grew,
two
sizes
of
elliptic
curves
again,
this
is
just
talking
about
the
elliptic
curve
stuff.
Is
that
pretty
much
every
single
cryptographer
will
agree
that
128-bit
strength,
equivalent
strength
is
good
enough
for
everybody,
and
that
would
be
like
the
255
19.
Some
people
get
a
bit
confused
because
the
NSA
for
certain
things,
like
top
secret,
require
higher
bits.
S
Although
the
NSA
has
never
said
that,
there's
a
direct
correlation
to
the
higher
strength,
it
just
puts
them
into
a
different
security
group
and
that's
a
security
group.
They
already
had
so
my
preference,
if
we're
going
to
do
anything
about
suggesting
the
use
of
256
bit
versus
448,
is
that
we
keep
it.
We
stay
out
of
that
completely
and
we
keep
448
as
conceptually
as
a
fallback
in
case
in
the
future.
S
Elliptic
curves
in
general
start
losing
some
strength
until
then,
ever
if
we're
going
to
make
a
recommendation,
everyone
should
be
using
the
128-bit
strength
ones
and
it
might
even
be
better
again
not
to
suggest
if
both
of
them
are
mandatory
to
implement,
but
one
of
them
is
mandatory
to
use,
namely
the
one
that
is
going
to
be
sufficient
for
everyone.
That's
just
fine
I'm,
specifically
concerned
in
the
DNS
SEC
space,
where
it's
signatures,
we're
signing
something,
especially
a
long
term
sign
you
have
a
long
term
key
such
as
a
trust
anchor.
S
Those
are
very
hard
to
change,
and
if
everyone
goes
to
the
stronger
one,
we're
going
to
lose
a
lot
of
benefit,
so
that
was
just
it
I
think
we're
fine
as
we
are
now,
especially
for
the
the
DNS
SEC
one,
if
we're
combining
them
and
that
we're
going
to
have
the
448
size
key
available.
So
just
a
thought,
I'm
sure
we
can
discuss
this
more
on
the
list.
Just.
O
S
Certainly,
sighs
you
know
on
it
as
well
as
time,
although
I
think
time
is
less
important
than
the
size.
S
S
R
I
S
R
I
R
S
It
should
be
relatively
cheap,
so
I
wasn't,
I
didn't
to
be
clear:
I
didn't
want
to
actively
discourage
the
use.
I
wanted
it
as
a
fallback
which
is
different,
so
I
want
it
there
and
I
wanted
available,
but
I
wanted
as
a
fallback.
Do
you
feel
like
that?
That's
inappropriate
you
would
like
us
just
to
start
using
for
48,
or
you
know
from
what
you
just
said
about
why.
R
T
You're,
looking
at
RSA
versus
elliptic
curve,
as
far
as
the
number
of
qubits
yep
you're
not
going
to
be
doing,
index
calculus
or
anything
like
it
in
quantum
mechanics,
it's
just
a
is
a
different
approach,
and
so
you
know,
256
bits
of
elliptic
curve
are
about
the
same
as
number
of
qubits
as
256
bits
of
RSA,
and
so
it
really
is
a
big
reduction
in
the
work
factor.
You
might
have
to
go
to
a
huge.
S
J
Q
J
S
T
T
S
I
O
So
now,
let's
go
to
the
discussion,
so
the
big
question
we
have
is
curtilage
is
designer
initially
only
to
extend
different
Crypt
different
protocols
with
the
two
elliptic
curves,
and
it
happens
that
we
we
hosted
some
of
the
ssh
work.
So
it
extends
a
little
bit
more
disco
pup
to
working
group
initial
working
group.
So
we
have
two
questions
so
do
we
need
to
reach
outer
and
if
people
agree
or
disagree
on
hosting
ssh
word
comment
on
the
mic:
Jim.
D
Shot
I
actually
was
really
rather
interested
in
all
that
he
kicks
stuff
that
were
documents.
Is
that
a
reason
why
bathe
those
documents
didn't
show
up
I.
I
Steam
power,
I
guess
this
time
wearing
an
Eddie
hat
yeah
I
mean
this.
The
Charter
mentions
a
bunch
of
things.
I
would
be
much
much
happier
that
you
do
those
first
for
extending
or
thinking
even
having
a
big
debate
about
extending
to
do
SSH
protocol
work
and
even
then
I'm,
not
sure
so
I
would
I
unless
there's
like
a
whole
bunch
of
people
that
are
going
to
line
up
here
and
I'm
kind
of
unconvinced
that
this
group
should
recharter
before
having
some
of
the
you
know,
quite
small
and
well
worthwhile
pieces
of
work
done.
O
I
Mean
yeah
I
mean
there's,
there
are
a
bunch
of
drafts,
I
mean
progressing
them
is,
is
not
going
to
be
necessarily
very
hard.
Now
we
charted
this
group
saying
there
might
even
never
be
need
to
meet,
so
I
think
getting
getting
some
of
the
bits
and
pieces
done
is
from
my
point
of
view
on
you
know.
I
remain
to
be
convinced
that
this
working
group
to
do
anything
else.
R
S
Certain
we
already
actually
have
a
draft
in
the
working
group.
It
just
wasn't
presented
here.
Simon
wrote
it
up
very
simple,
two
pages
or
Pete
I'm,
sorry
for
P
kicks
not
for
CMS,
but
I'm,
not
sure
that
we
needed
anything
for
incorporating
that
with
me
with
CMS,
but
we
at
least
have
the
peak.
It's
one
already
yeah.
D
Jim
trial
I
actually
sent
this
to
the
mailing
list
and
hip
not
seen
in
response
from
them,
but
one
of
the
drug,
the
two
drafts
actually
don't
say
the
same
thing
they
actually
conflict
in
terms
of
how
aids
are
set
up.
How
to
have
structures
are
set
up.
So
you
know
right
now,
I
one
of
them
kind
of
makes
sense
and
the
other
one
makes
no
sense
at
all.
But
there's
a
common
author
on
both
of
them.
So
that's
kind
of
problematic
or
symptomatic.
B
Yeah
come.
D
And
if
curdle
doesn't
actually
get
this
done
at
some
sort
of
reasonable
time,
I
would
not
be
surprised
if
there
isn't
we're
in
the
process
of
potentially
spending
up
a
new
working
group
to
deal
with
s,
prime
fixes.
If
it
doesn't
get
done
here,
then
I
would
expect
us
to
just
go
ahead
and
grab
it
there
and
do
it
don't.
B
D
B
D
I
mean
here's
how
to
carry
a
public
key.
There
is
a
piece
of
mail
that
just
came
out.
It
turns
out
the
rust
housley
hadn't
actually
seen
the
draft,
so
he
actually
circulated
about
private
draft
to
a
couple.
People-
and
we
said
I'll
look
over
here,
there's
some
oils
and
he
would
like
to
actually
see
some
name
changes,
but
then
too,
but
the
basic
structure
was
fine.
Okay,.
B
Alright,
so
we
should
direct
Simon
to
fix
those
and
update
the
things.
I
encourage
people
yet
to
look
at
Jim's
note,
which
I
was
forgotten
on
the
list
and
Russ
how's.
This
note,
which
just
came
out
a
couple
of
hours
ago
about
the
naming
of
things
as
we
know
when
security
naming
of
things
is
really
important
and
I
think
on
the
mailing
list,
will
call
for
consensus,
consensus
or
ask
for
consensus
are
making
those
two
sets
of
changes
before
the
next
trial
and
then
resubmit.
B
I
C
B
B
I
I
mean,
if
you
have
what
you
do
best
call
then
we'll
have
an
ietf
last
call
anyway
right
so,
and
I
assume
that
people
who
write
there's
a
whole
bunch
of
people
want
to
use
these
things
in
TLS
and
elsewhere.
So
I
think
you'll
get
the
eyeballs
at
that
point.
Okay,
if
not
before
so
it
mean.
Is
that
correct
or.
S
See
it
before
you
go
so
a
part.
The
issue
with
the
P
kicks
ones
is
that
they
have
both
the
unprepared
general
feeling
if
I
got
rectly,
which
I
didn't
seem
to
get
right
about
quantum
in
CF
RG
about
that.
No
one
liked
the
pre
hash
one
that
they
wanted
the
plane.
Should
we
take
at
least
take
those
out
before
a
working
group
last
call
or
you
think,
I
got
reverse
they
like
the
pre
hash.
D
P
B
D
However,
I
think
that
we
need
to
be
able
to
have
pre
hash
keys
with
separate
oils,
so
they
are
explicitly
distinguished
in
the
document,
so
they
can
be
distributed
for
any
protocol
that
does
use
them,
because
there
were
a
lot
of
people
in
CR
fargy
who
were
very
vocal
that
they
needed
to
have
pre
hash.
Even
though
a
lot
of
people
really
didn't
like
him,
I
mean
that's
I
know
otherwise
the
FRG.
Would
it
not
done
the
pre
hash
version
right.
B
B
B
So
you
want
to
see
another
draft.
Okay,
all
right,
salt
yack,
how
many
people,
how
many
people,
the
questions
are,
how
many
people
want
see
changes
before
there's
a
working
group
last
call
are
accepted.
They
are
willing
to
go
into
last
call
with
these
changes
in
essence
pending
or
don't
have
an
opinion.
Don't
need
don't
know
enough,
so
the
first
one
is
how
many
people
are
willing
to
enter
last
call
with
these
changes
pending
come
now.