►
From YouTube: IETF95-DPRIVE-20160406-1000
Description
DPRIVE meeting session at IETF95
2016/04/06 1000
A
So
keep
in
mind
we
ending
up
an
hour.
We
do
yeah
we're
sharing
that
slot
with
openpgp
I
didn't
know
that
yeah
so
good.
We
have
one
hour,
okay
and
we're
relatively
close,
yes
you're
having
that
full,
so
I
think
we're
skipping
the
zero
RTT
stuff
unless
there's
something
very
compelling
at
it.
Okay,
that's
that's
a
that's
funny,
but
it'll.
A
A
A
A
B
You
can
read
it
yourself,
I
think
the
one
that's
missing
is
the
there's
two
message
flow
to
drafts,
which
I
gotten
myself
confused
on
or
two
profiles.
B
A
F
G
Didn't
know
if
you
wanted
me
to
present
this
or
not,
but
yeah
this
yeah.
Let's
be
quick,
stand
in
the
pink
books
yeah
in
the
box
next
slide,
so
we
have
one
side:
incorporate
feedback
into
0506.
We
published
Monday
or
Tuesday
of
this
week,
and
then
it
incorporates
all
the
other
feedback
that
we
have
received
and
as
far
as
we're
concerned,
we're
ready
for
a
working
group.
Last
call
I,
like
these
make
sure
these
conditions.
B
A
H
H
I
think
I
have
I
think
it's
much
more
closely
aligned
to
doing
dinner,
so
the
tier
less
than
the
documents
in
flies
and
I.
Think,
given
that
we
have
a
document,
specifies
D&I,
Sarah,
TLS,
I,
think
a
little
more
alignment
would
help
implementers
see
they
see
the
commonality
between
them,
because
I
I
think
wasn't
just
flicking
a
switch
on
your
UDP
implementation,
but
it
is
actually
thinking
about
sessions,
thinking
about
managing
IDs
and
this
whole
number
of
things
that
need
to
be
taken
into
account
that
so
I'd
like
to
see
able
to
more
alignment
there.
H
G
H
I
H
Might
be
more
useful
for
implementers,
ok,
which
leads
me
on
to
my
second
comment,
which
is
because
of
the
uncertainty
around
that
I'm
wondering
where
the
implementation
status
stands,
because
my
feeling
is
I'd
like
to
see
an
implementation
of
this
before
the
draft
moves
forward,
because
there
are
us
any
questions
about.
How
is
this
dtls
message?
Flows
will
work
in
practice,
so
I,
don't
know
how
that
were.
Planes
were
going
to
a
working
group
last
call
if
we
have
no
implementations
so.
H
G
Id
for
a
decade,
if
we
don't
have
any
implementations
or
we
can
publish
it
as
now
I've
seen
and
expect
and
hope
that
vendors
implement
against
it.
My
company
doesn't
implement
much
against
internet
dress,
for
example,
other
companies
don't
either
so
yeah.
That's
that's
the
chicken
egg
problem
that
we've
been
stuck
with
an
idea
for
20
years.
H
J
We'll
so
you
asked
which
a
way
to
do
the
comparison,
absolutely
ordering
would
be
really
good,
I.
Think
I
section
trying
to
do
it
in
text
in
a
section
will
not
actually
hit
the
fact
that,
especially
in
the
last
two
drafts
of
the
TLS,
we
ended
up
having
to
add
a
lot
of
TCP
ish
stuff,
which
you
don't
have.
So
if
you
follow
the
same
order
saying
but
UDP
and
but
UDP
stuff,
I
think
it
would
be
a
lot
clearer.
I
will
disagree
with
Sarah
on
needing
implementations.
Ietf
normally
doesn't
do
that.
J
However,
I
would
hope
that
no
one
would
be
promoting
the
use
of
detail.
You
know
dns
/
dtls
if
we
had
no
implementations
simply
because,
quite
frankly,
we
don't
have
a
lot
of
foo
/
dtls
anywhere
and
when
the
few
cases
where
we
have
it,
there's
usually
been
abyss,
because
we
discovered
funny
things
of
dtls.
So
I'm
happy
to
see
one,
but
I
don't
feel
like
it
should
be
blocking
moving
to
RFC.
K
A
A
You
know
the
stuck
one
has
been
revised
a
few
times
and
we've
had
only
a
very
small
number
of
people
providing
comments,
but
in
other
working
group
showed
support
for
adopting
it
and
showed
support
for
working
on
it.
It's
just
there
when
the
rubber
hits
the
road
getting
people
to
provide
comments
has
been
very
difficult.
A
So
you
know
if
you'd
like
you
can
start
a
working
group
last
call
possibly
after
rearranging
would
you'll
be
okay
with
rearranging
okay.
So
after
rearranging
we
can
start
a
working
group
last
call
to
try
and
solicit
a
bunch,
more
review
and
feedback.
It's
a
little
sad
that
you
know
we
have
to
do
that
to
get
the
feedback,
but.
H
So
starting
the
recap
of
how
we
ended
up
here
with
the
drafts
that
we
haven't
moment,
we
have
the
two
drafts
that
have
been
going
through.
The
working
group
DNS
over
TLS
is
now
approved
as
an
RFC
that
will
be
out
any
day,
and
we
also
have
the
Guinness
of
detail
I
staff
that
thumbs
just
talking
about
when
they
originally
came
out,
that
both
contain
descriptions
of
how
to
do
authentication-
and
there
was
some
overlap,
but
there
are
also
some
differences
between
them.
H
As
the
DNS
over
TLS
Jeff
progressed
and
went
to
work
in
Greek
last
call.
The
decision
was
to
retain
some
description
in
there.
How
to
do
authentication-
and
what's
in
that
off
today,
is
a
description
of
how
to
do
strict
authentication
using
spk
pin
sets
as
also
a
discussion
of
how
to
do
opportunistic
security.
H
But
it
was
a
discussion
in
Yokohama
about
the
fact
that
then
that
then
left
the
detail,
I
staffed
with
its
own
description
of
authentication
and
what
would
be
much
better
is
to
generate
a
combined
RAF
that
applied
to
both
protocols.
Equally,
so
this
drug
has
borne
the
authentication
sections
were
removed
from
the
DNS
over
dtls
draft,
and
we
also
incorporated
a
section
from
a
third
draft
relating
to
specifying
which
DT
license
here.
Les
extensions
should
be
used
when
doing
the
NSA
for
those
protocols.
H
H
H
What
we
doing
this
draft
is
we
take
the
approach
of
describing
usage
profiles
which
are
profiles
defined
just
by
their
security
properties
and
therefore
the
security
guarantees
that
they
can
deliver
to
the
user,
and
we
separate
that
concert
out
from
which
authentication
mechanism
is
actually
use
to
deliver
the
security.
So
we
talked
about
three
types
of
security
of
usage
profile,
so
no
privacy
sending
stuff
clear
text,
opportunistic
security
and
the
strict
security,
this
caused
of
confusion.
H
The
feedback
was
this
caused
a
bit
of
confusion,
because,
firstly,
that
separation
wasn't
as
clear
as
it
could
be
in
the
current
draft.
So
we're
going
to
address
that.
And
secondly,
because
when
you
read
this
draft
alongside
the
DNS
of
a
tearless
draft
in
the
dls
of
a
tearless
draft,
because
was
only
one
authentication
mechanism,
it
appeared
that
the
usage
profile
in
the
mechanism
of
a
tightly
coupled-
and
that
was
slightly
at
odds
with
the
description
here.
H
So,
just
to
slip
through
the
usage
profiles
and
some
of
the
other
feedback
we've
had
on
what
the
meaning
of
these
are
I'll
start
from
the
bottom
up.
We
stop
talking
about
no
privacy,
so
you're
sending
stuff
clear
text,
no
pretty
guarantees
and
the
next
one
we
discuss
this
opportunistic
and
one
piece
of
confusion.
I've
heard
them
a
lot
of
people
is
that
initially
they
think
that
this
means
requiring
a
shin
but
not
authentication,
and
that
isn't
the
case.
H
We
try
to
in
the
in
the
draft
we
created
a
table
where
we
try
to
illustrate
the
difference
in
the
usage
profiles
and
that
table
alone
cause
lot
confusion
as
well.
So
one
thing
I'm
proposing
is
that
for
the
next
version
we
extend
it
and
we
break
down
more
clearly
what
happens
in
the
opportunistic
case.
So
P
here
is
that
you
have
protection
and
is
that
you
have
no
protection
and
D
means
you're
able
to
detect
an
attack.
H
What
we
did
in
the
draft,
which
we
just
had
the
line
vulva
clear
text,
opportunistic,
which
is
of
course
the
worst
case
scenario,
which
is
what
the
user
has
to
assume
they
might
the
state
they
might
end
up
him,
but
because
we
didn't
the
table
in
clarified
pie,
that's
enough.
I
think
people
confused
so
I
hope
it's
represent
it
in
this
form.
It
will
resolve
that
problem.
K
It
also
causes
me
to
wonder,
however,
whether
maybe
a
upper
tuna
stick
is
covering
a
bit
too
much
ground
as
a
as
a
general
label
and
whether
we
ought
to
to
suggest
splitting
it
between
the
case
where
you
have
authentication
and
encryption
falling
back
to
encryption
without
authentication
from
the
case
where
encrypted
whether
authenticated
or
not,
falls
back
to
to
clear
text.
If
we
were
to
do
that,
I
think
we
would
actually
give
a
slightly
better
representation
to
the
folks
who
are
looking
at
these
labels
about
what
the
different
state
or
state
transitions
look
like.
K
H
I
have
slides
later
exactly
that
point,
because
the
question
is
how
much
brandy
larity
do
we
want
to
offer
and
to
another
concern:
is
that
the
more
granularly
make
it
more
likely,
a
user
in
step,
2,
Sinclair,
guessing
one
level
of
security
and
end
up
with
another,
and
we
we've
seen
this
in
practice.
If
is
when
we've
been
developing,
get
dns
we've
been
trying
to
specify
in
the
API
how
users
choose
what
what
they
want
and
the
confusion
around.
H
That
has
convinced
me
that
that's
what
convinced
me
to
make
the
separation
between
usage
profile,
the
authentication
mechanism
the
first
place-
and
it
also
convinced
me
that
less
is
more,
which
so
the
store,
I'm
leaning
towards
the
story
is,
if
you
care
about
security
district,
don't
even
think
about
doing
anything
else.
If
you
really
care
otherwise,
opportunistic
you've
got
to
really
treat
that
as
clear-text
and
because,
ultimately,
you
might
end
up
there,
whether
there's
value
in
intermediate
case
of
wanting
encryption
but
not
authentication.
H
N
We
demand
for
Microsoft,
so
I
read
your
draft
and
I'm
a
little
bit
confused
about
the
user
model.
The
usermod'
arrived
in
mind
45.
Is
that
of
doing
a
VPN
to
your
first
speaker
series,
although
typically
when
you
do
you
do
an
activity
a
session
to
your
first,
because
if
it
is
all
well-
and
that
was
all
well
in
my
mind-
is
typically
configured
in
the
client
as
says
this
is
the
reservoir
I
trust
and
that
first
encompasses
things
like
is
not
going
to
lie
to
me.
N
It's
not
going
to
take
my
data
and
say
that
a
Kaiser,
it's
not
going
to
do
nasty
stuff
with
a
DN,
a--'s,
etc.
Now
that
means
something
which
is
largely
configuring.
The
client
like
I
want
to
use
I,
don't
know
verisign
services,
because
I
twas
very
site
for
some
reason,
so
I'm
going
to
use
them.
Okay,
and
in
that
case,
and
that's
my
main
usage
scenario,
I
will
not
categorize
that
in
doubles
twix
upper
hand
seek
or
whatever
I
would
say.
I
want
my
DNS
traffic
to
go
there.
N
Yeah,
but
at
the
same
time,
when
I
read
your
draft,
I
see
a
very
different
model
of
usage.
The
different
model
of
usage
is
all
I.
Have
a
DNS
query.
Let
me
pick
a
server
among
the
available
servers,
probably
from
the
NS
record,
something
like
that
and
then
try
to
dynamically
establish
a
clear
s,
connection
to
that
server
and
decide
what
I
do
that
or
not
and
and
then
my
fallback
cares
is
not
do
nothing.
Michael
Backus
might
be
off.
N
I
have
a
policy
that
I
sent
all
my
traffic
to
my
chakras
over
all
the
quizzes
in
some
of
my
traffic,
the
foster
preserver
and
maybe
I
send
some
also
if
it
is
secure
and
the
articulation
between
these
dynamic
discovery
of
silver
and
the
model
English
of
some
kind
of
a
subscription
to
a
first
rock
resort.
Well
is
not
clear
on
the
dwark
I,
don't
see
it
so.
H
The
intention
here
is
to
do
that.
There's
a
way
around.
Maybe
that's
why
tonight
come
across
to
say
you
choose
whether
to
do
strict
or
not,
and
then
how
you
choose
to
do
that,
to
what
kind
of
solver
is
the
secondary
consideration
and
that
might
be
through
a
trusted
relationship
with
spk
pins
Michael
through
dynamic
discovery.
But
what
you're
not
wanting
to
do
is
say
well
if
I
can
get
to
that
server.
N
Look
at
the
information
leak
I
mean
if
you
had
some
place.
The
reason
we
do
deprived
in
the
first
place
is
because
I
don't
want
the
guys
in
the
coffee
shop
to
know
which
DNS
names
are
resolving
right.
If
I
start
having
a
bunch
of
TRS
connection
to
a
variety
of
authoritative
servers,
then
it's
almost
as
good
as
disclosing
which
these
names
are
resolving.
N
H
N
Looking
at
what
is
the
usage
model
that
you're
securing
and
what
are
the
guarantee
is
ok,
I
aya
when
I
read
the
document,
I
have
the
impression
and
I
have
the
impression
in
the
document
that
the
body,
the
recursive
resolver,
is
in
the
client
itself,
and
that
is
trying
to
do
dynamically
clear
explanations
everywhere.
Well,
yeah,
when
I
see
you
shaking
your
head,
but
that's
my
impression,
and
you
cannot
deny
that
it's
my
impression.
Oh.
A
N
N
H
That,
and
maybe
what
we
should
discuss
offline
is
whether
you
think
that
usage
model
his
context-based.
Now
you
say
you
have
one
uses
modeling
and
enterprise
and
one
in
a
coffee
shop,
because
I
think
what
we
want
to
do
in
this
draft
is
saying
you
can
make
a
decision
that
your
Freight,
the
same
way
wherever
you
are
just
always
do
strict
and
how
you
get
to
being
straight
is
different.
So
you.
I
I
Ted
lemon
home,
so
I
heard
you
saying
that
there's
a
fair
amount
of
confusion
about
what
opportunistic
means
and
you
find
yourself
explaining
it
a
lot.
That
means
that
it's
broken
it
doesn't,
and
my
point
is
not
that
you
need
to
change
what
opportunistic
means,
but
rather
that
opportunistic
is,
is
actually
not
a
good
usage
profile.
What
you
actually
want
is
strict
or
no
privacy
or
actually
what
you
really
want
is
strict
or
there
might
be
privacy,
but
we
make
compromises.
H
P
It
Stuart
cheshire
Apple,
very
quick
comment.
Listening
to
the
discussion
with
Christian.
It
has
echoes
of
things
that
I
hear
a
lot.
I
think
there's
a
big
confusion,
because
in
DNS
we
use
the
term
dns
server
to
mean
two
different
things:
the
recursive
and
the
authoritative,
which
I
think
is
just
a
historical
accidents,
because
name
d
implemented
both
in
the
same
piece
of
software.
I
was
understanding
this
to
me.
This
is
my
first
hop
to
my
recursive.
P
So
if
I've
configured
88888
using
google
dns,
then
I
have
privacy
to
that
and
I
trust,
google
and
everything
downstream
if
other
people
are
reading
it
differently,
that
this
is
privacy.
For
this
hop
to
the
authoritative
server,
I
mean
ICC
you're
shaking
your
head
and
I
agree
with
that.
But
it
seems
like
the
some
miscommunication
going
on
and
some
people.
H
P
O
N
Christian
Rita
ma
from
Microsoft
again
on
the
use
of
decision
I
mean
there
currently
is
very
little
user
interface
to
dns
resolution.
It's
typically
done
by
a
call
to
get
host
by
name
or
something
equivalent
in
the
bowl
of
some
haagen
somewhere
and
so
I
don't
see
how
users
will
make
this
mean.
We
have
to
have
a
usage
model
there
to
say
how
will
use
our
make
the
decision
to
say
oh
I
want
to
use
it
or
not,
and
and
what
is
the
full-back
I
mean.
H
It's
not
dissimilar
somewhere
today.
That's
set
in
that
respect,
but
you
know
it's
not
even
build
since
the
low
versus
their
users.
Don't
often
make
that
explicit
decision
for
things
that
they
do
so
I
think
we
have
some
of
the
same
challenges.
Oh
and
that's
one
of
the
reasons
we've
been
focusing
on
getting
NS
as
a
way
to
expose
that
more
up
to
the
to
the
application
and
user
level,
but
I
agree
that
when
you
get
a
run,
your
laptop,
you
don't
need
the
have
a
little
check
box.
N
Q
High
standards,
mail,
I'm,
not
sure,
I,
understood
the
Christians
concern
about
usage
models,
but
if
I
understood
I
disagree
because
I
think
there
are
many,
many
usage
matters,
a
lot
android
of
them
and
it's
simply
not
possible
to
enumerate
them
all.
So
I,
like
the
idea
of
having
whew
profiles
in
the
current
God,
are
not
enough
in
this
slide,
maybe
a
bit
too
many
but
I
like
the
ID,
because
it's
could
be
realistic.
Q
The
decreasing
the
number
to
need
to
strike
and
no
progress
is
not
realistic
because
we
have.
We
have
a
lot
of
experience
with
x509
authentication
authentication
of
TLS
lesson
with
the
web,
and
we
know
it's
too
simple.
So
we
need
something
in
between,
even
if
it's
I
agree
not
easy
to
describe
it
now
for
the
user
interface
issue,
there
are
few
user
interface
points
in
the
draft,
such
as
a
son
son
warning
should
be
sent
to
the
user,
so
she
should
be
logged,
but
we
it's
not.
Q
It's
typically,
not
our
business,
because
there
are
many
many
possible
ways
to
interact
with
the
user.
We
don't
know
all
of
them
on.
It
seems
to
me
that,
as
a
general
rule,
it's
not
a
good
idea
to
turn
us
into
user
interface
experts
and
to
try
to
conspire
so
we
what
we
should
do
is
document
a
few
profiles
with
clear
privacy
properties
on
a
table
like
this.
Q
H
H
H
Goodbye,
please
avoid
testing
then
take
one
thing
that
is
West
munching
on
this
slide
is
that
when
we
talk
about
strict,
it
is
a
authenticate
or
fail
model
with
regard
to
doing
your
dns
lookups,
but
we
have,
in
the
most
recent
version,
qualified
that
certain
meta
queries
that
you
need
in
order
to
bootstrap
your
authenticator
connection
kengo
opportunity,
clearing
the
clear
and
they're
really,
but
they
must
be
doing
a
sec.
Validated
on
slide
shows
that's
right,
better
dale
road-
and
this
was
just
raised.
The
question
is:
should
there.
H
O
H
Where
you
have
an
out-of-band,
spk
I
and
you
Oh
art
the
old
sides,
one
sorry
there's
couple
mistakes
on
these,
where
you
have
the
outer
phone
case,
and
that's
that
left
hand
side
where
you
can
do
a
tap
and
I
speak
spk.
Opening.
What
we
talk
about
in
this
draft
are
these
two
options
here,
where
you
can
either
directly
configure
a
name,
a
domain
name
get
to
the
IP
address
through
an
opportunistic
SLV.
H
H
H
H
Just
an
x.509
surf,
but
just
to
server
credentials,
there's
a
third
case
that
we
talked
about,
and
this
is
one
of
the
ones
who
would
like
to
promote,
which,
once
you
know
the
domain
name
of
the
server
you
could
choose
to
use
the
proposed
TLS
DNS
SEC
extension.
What
that
does
it's
actually
a
tearless
extension?
H
It's
in
the
TLS
layer
and
the
client
can
request
that
the
server
provide
all
its
dane
records
in
client,
hello,
because
the
server
knows
who
it
is,
and
it
should
be
able
to
provide
full
chain
of
records
to
allow
a
validating
stub
to
fully
validate
using
Dennis
that
those
dane
records.
And
when
you
do
that
and
then
also
in
that
handshake,
you
obviously
get
the
server
credentials,
be
that
certificate
all
the
keys
and
then
the
authentication
is
self
contained
within
that
TLS
handshake
transaction.
H
One
of
the
reasons
we
really
like
this
is
it's
a
few
restrict
the
deign
to
that
should
say
if
you
strict
it
to
using
EE
and
spk
I,
then
in
principle
you
can
actually
take
certificate
cas
out
of
the
chain
entirely,
and
you
can
go
to
this
mechanism.
The
only
piece
of
information
you
leak
is
which
server
your
connectivity
and
I
know
there's
more
thoughts
about
this
going
on
in
the
audience
so,
but
this
seems
like
the
way
we
would
like
to
do
it.
If
we
had
all
pieces
in
place.
H
Very
last
quick
word
on
implementation.
As
I've
mentioned,
get
C&S
does
quite
a
chunk
of
the
specified
authentication,
intensive
servers
and
bounds.
We
all
know
that's
going
to
tell
us
for
a
while,
but
I
wanted
to
quickly
mention
some
great
work.
That's
done
at
the
hackathon
over
the
weekend,
which
is
that
the
not
resolver
as
of
Sunday
evening
can
now
also
act
as
a
DNS
previous
enabling
server.
So
we've
got
TLS
in
the
not
resolver,
that's
coming
out,
which
I
think
is
great
news
all
right.
That's
how
we
thank
you
very
much.
Any
more
questions.
J
Two
quick
ones
that
are
related
first,
was
that
you
had
put.
You
had
said
that
authentication
by
domain
name
only
yeah,
it's
in
scope,
I
think
that's
a
big
mistake,
given
that
current
dhcp
gives
you
out
an
address
for
your
server
and
related
to
that,
the
question
of,
should
we,
you
know,
go
here.
Yes,
please
do,
but.
J
J
H
J
J
H
J
N
Christian
Rita,
my
Microsoft,
the
the
dhcp
option
is
one
potential
response
to
a
problem
that
is
not
discussed
yet
in
the
draft,
but
should
be
my
opinion,
which
is
a
what
happened
if
you
are
not
requires
network
in
which,
when
you
are
in
the
enterprise
network,
you
really
want
to
use
the
enterprise
server,
because
otherwise
you
are
not
conforming
to
the
enterprise
policy.
You
don't
get
that
your
vest,
dns
and
all
that
versus
when
you
are
in
the
coffee
shop.
N
H
H
H
N
It's
a
question
of
configuration,
modern,
the
question
of
authentication:
if
your
draft
only
covers
how
to
authenticate,
but
I
am
indeed
using
the
seller
that
I
have
burned,
then
no
es
of
the
question
is
no.
If
the
purpose
of
the
graph
is
to
look
at
management
options
for
dns
or
TLS,
then
that
is
different
in
scope,
and
we
have
to
look
at
that.
H
N
A
N
A
Q
Q
By
IEP,
add-ons
I
have
a
question
for
the
people
who
know
about
the
certificate.
Also,
it
is.
Is
it
possible
difficult,
CA
to
get
sort
of
certain
IP
address,
and
how
does
that
check
that
I'm
interested?
Because
otherwise
it
means
that
the
option
would
be
useless,
because
if
we
walk
on
leave,
there
is
a
pre-configure
CA
in
the
client.
It's.
R
That's
what
I
was
coming
up
to
toggle?
The
answer
is,
yes,
you
could?
No,
you
can't,
because
I'd
have
to
check
I'm
pretty
sure.
This
is
one
of
the
things
that
was
taken
out
in
the
dr's
yeah
d.
Now,
if
I
TF
asked
and
said,
we
really
want
to
have
those
IP
addresses
in
I'm
pretty
sure
that
cap
or
you
know,
but
I
I,
don't
think
that
you
want
to
I
think
that
every
internet
service,
including
private
dns,
should
be
accessed
from
the
domain
name
and
okay.
R
S
This
is
dkg
I
want
to
agree
with
Phil
there
that
if,
if
what
we're
talking
about
here
is
helping
people
get
the
strict
authentication
case
when
they
need
to
be
authenticating
to
a
server
that
they
know
what
it
is
and
well
maybe
everybody
in
this
room
knows
that
the
name
is
google.
I
doubt
that
there's
any
other
IP
address
that
everyone
in
this
room
knows
and
it
does
I.
A
T
Separately,
right,
I'm,
not
dkg,
but
I
largest,
a
crude
EKG,
so
first
I
mean
it
really
matter
with
the
BR
say
it
sprout,
not
dkj.
Does
it
really
matter
what
the
browser's,
without
what
the
cat
with
the
BR
say,
because
browsers
have
no
interest
whatsoever
in
accepting
IP
address
certificates,
and
so
you
know
some.
Some
other
CA
could
of
course
stand
up
an
IP
address
CA,
but
why
would
one
want
to
I
have
no
idea
the
missing
to
me
that
there
are
exactly
two
scenarios.
T
One
scenario
is
the
scenario
where
you
have
a
human
energy
analyst
EKG
said
that
contains
a
human
infant
name,
which
then
somehow
has
to
be
mapped
in
some
other
way
to
a
piece
of
key
material
and
naturally,
as
we
done
mapping
domain
names
to
certificates
in
the
classic
way,
whether
it's,
whether
it's
via
PGI
or
dns,
f
and
in
other
situations
we
have
machine
enter,
do
dad
that
came
from
somewhere
and
somewhere
else
and
while
it
might
seem
attractive
to
say
when
we're
going
to
have
an
IP
address
and
then
we'll
have
some
look
up
procedure
to
find
the
appropriate
piece
of
key
material
on
the
because
you
don't
want
to
screw
with,
like
whatever
they
do,
dad
delivered
that
on
that
information,
so
that
I'm,
you
know,
that's
actually
not
going
to
work
out
very
well
and
you
better
off
either
delivering
the
main
name
view
that
scheme
or
delivering
the
pair
of
an
address
and
a
piece
of
key
imagery
all
to
look
at.
R
We
want
to
have
labels,
and
also
I
would
like
to
have
the
paradigm
be
right.
This
is
something
you
only
need
to
do
this
binding
once
per
machine.
This
doesn't
need
to
be
I
open
up
my
laptop
every
time
and
I
acquire
the
dns
address
of
the
server
every
time
those
servers
should
not
be
moving.
A
resolver
should
not
be
moving
around
too
great
rate
of
knots,
so
this
is
something
where
you
should
be
able
to
do.
A
binding
and
it'd
be
good
for
a
year
or
more
unless
it
gets
blocked.
Yeah.
A
Yeah
I
mean
we're
potentially
going
down
a
huge
dhcp
type
rat
hole,
but
in
some
places
you
know
you
first
need
to
use
the
local
coffee
shops,
untrusted,
unsecured
resolver,
so
you
could
do
the
whole
captive
portal
thing,
but
then,
once
you've
managed
to
reach,
you
know
the
internet.
Whenever
that's
defined
as
then
you
can
okay.
So
do
you
have
any
questions
and
answers
to
the
group?
Great
okay.
Thank
you.
I
believe
that
that
was
everything
major
on
the
agenda.
I
wanted
to
mention
something.
A
Okay,
so
let
me
quickly
do
my
thing
and
then
we'll
have
dkg.
Do
a
quick
update
on
you
know
potential
of
this
and
TLS
1.3.
So
I've
got
a
few
questions
from
people
on.
What's
with
this
google
dns
over
https
thing,
that's
not
intended
to
compete
with
us
at
all.
It's
a
no
way
intended
to
be
used.
You
know
for
a
system
resolver
or
anything
that
was
a
if
I've
got
a
web
app
and
I
want
to
make
some
dns
call
or
my
piece
javascript
would
like
to
be
able
to
look
up
a
name.
A
It's
designed
for
something
like
that.
When
I
send
the
developers
you
know
people
might
try
and
use
it
for
this,
there
was
a
third
deer-in-the-headlights
look,
and,
oh
my
god.
No
so
you
know
just
to
calm
people
down.
It's
not
intended
to
be
a
replacement
for
the
private
compete
with
deprived
would
be
used
for
anything
like
deprived.
Okay,
that's
my
little
disclaimer
out
of
the
way
and
we
have
15
minutes
for
EKG
I.
Don't
think
you
had
any
slides
correct!
That's
perfectly!
A
S
Hi
I'm
Daniel
Congo
more
so
I
wanted
to
talk
a
little
bit
about
the
relationship
between
the
DNS
over
TLS
work
and
the
upcoming
TLS
1.3,
with
a
particular
focus
on
the
zero
round
trip
mode
of
TOS
1.3.
Yes,
folks
were
asking
about
what
are
the
potential
advantages
in
one
of
the
potential
risks
of
using
zero
round
trip
mode?
So
I
don't
know
how
much
people
have
been
following
the
zero
round
trip
discussion.
It
turns
out.
S
So
the
goal
of
the
zero
on
trip
mode
for
TLS
1.3
is
that
you
should
be
able
to
if
you've
already
made
a
connection
to
a
server
in
the
past.
You
want
to
be
able
to
make
your
next
connection
with
data
on
the
first
flow,
so
the
kind
can
send
it
on
the
first
blow,
because
that
makes
things
nice
and
fast
and
everybody
looks
past.
S
So,
if
you've
all
questions,
please
just
come
up
to
Mike.
So
as
far
as
I
can
see,
if
there
are
at
least
four
security
properties
that
are
different
about
the
funds
in
the
0
RT
t
in
that
first
flight
of
the
0
RT
t,
so
those
for
differences
are
I'm
going
to
put
my
crib
sheet
nine,
so
the
four
differences
are
one
is
that
we
don't
believe
you
can
do
quiet,
authentication
in
a
sane
or
safeway
0
RT
t
that
is
TLS
based,
client
authentication.
S
The
next
one
is
that
the
forward
is
secretly
the
forward
secrecy
guarantees
are
different
and
less.
The
third
is
that
there
is
no
replay
protection
that
we
can
make
a
good
argument
about,
and
the
fourth
is
that
there
is
additional
client
link
ability.
It's
like
a
document,
each
of
those
how
they
relate
to
Guinness
and
I
Roger
we're
going
to
expand
on
those.
So
maybe
else
yeah.
T
S
Can
weaken
the
pics
and
first
up
for
the
client
authentication
I,
really
don't
care
I,
don't
think
that's
relevant
for
us
in
the
DNS
case.
So
don't
worry
about
that.
The
kind
of
indication
at
yeah,
I,
just
I,
don't
think
that's
relevant
DNS
has
never
officially
didn't
client
authenticated
and
we're
not
going
to
make
it
plan
to
medicated.
For
this
case,
the
limited
forward
secrecy
concerns
I,
actually
don't
think
our
much
of
a
concern.
The
forward
secrecy
that
is
provided
sorry,
machine,
I'm,
shanker,
so
just
to.
S
S
So
ok,
but
by
the
way
0
RT
t
is
effectively
session
resumption,
which
means
that,
if
you
did,
if
you,
if
you
believe
that
your
semantics
of
client
authentication
carry
across
a
resume
session-
and
this
is
a
semantic
question-
not
an
election
protocol
design-
then
you
could
do
a
one-hour,
TT
or
two
RTT
handshake.
That
includes
client
authentication
that
establishes
a
session,
and
then
you
could
resume
that
session
and
your
server
could
say
Oh
line
every.
That
is
awesome,
so
the
planet
that.
S
There
man
upright,
but
you,
but
the
answer
is
don't
do
it
in
gr
rtt,
so
so
for
the
forward.
Secrecy
concerns
the
forward.
Secrecy
is
different
because,
because
you're
not
doing
in
a
diff
email,
Minh
handshake
over
that
particular
data,
but
it
turns
out
that
the
Ford
secret
to
concerns
are
no
different
than
normal
session.
Resumption
port
secrecy
concerns
they
tend
to
be
constrained
by
whatever
the
state
is
being
kept
on
the
server
which
is
different
from
the
long-term
secret
key
for
the
server,
so
I
actually
don't
think
ports.
T
Either
yeah
I
would
agree
with
that.
I
guess
I
would
say
two
things.
One
is
that
the
Ford
secrecy
concerns
of
1.3
are
strictly
better
strictly
better
than
those
are
for
some
ordinary
resumption
in
1.2
yep,
and
that,
unlike
one
point
unlike
in
many
GS
that
configuration
DNS
configuration
is
because
you
actually
are
you're
actually
running
one
server
as
opposed
to
50
or
or
you
have
some
sort
of
locality
of
reference.
You
know
you
could
run
a
state
form
assumption
scheme
and
use
the
kind
of
PFF
style
things
Bill
Glasson
talking
about
MLS.
T
S
S
We
don't
believe
we
have
a
story
for
how
to
defend
against
a
replay
attack
of
zero
RTT
data
for
DNS
SEC
for
dana's
privacy.
The
reap
the
one
of
the
concerns
the
network
attacker,
who
sits
and
observes
the
resolver
and
sees
what
queries
that
resolver
mixed,
authoritative
servers
as
a
result
of
an
incoming
query.
So,
even
though
the
stub
to
recursive
is
encrypted,
you
can
observe
the
traffic
on
the
resolver
and
see
what
it
does.
K
There
does
seem
to
be
a
configuration
mechanism
for
mitigating
this
attack
and
that's
specifically
that
the
resolver
should
allow
a
particular
session
resumption
ticket
to
be
used
for
a
particular
period
of
time
or
for
a
particular
number
of
cases
and
in
in
the
case
where
the
it
refuses
0r
TTD.
After
the
session
resumption
ticket
has
been
overused.
S
I
I
S
K
No,
no
I,
just
noting
that
this
isn't
an
issue
I'm,
saying
that
there
are
configuration
mechanisms
that
would
limit
or
mitigate
this
and
I
believe
that
in
the
case
where
you're
talking
about
any
cast,
it's
also
entirely
possible
that
you
might
have
a
situation
where
you're
0
RT
t
resumption
was
actually
only
valid
for
the
anycast
result
of
you.
First
tall
short
time.
K
J
S
L
S
So
so
the
client
likability
is.
That
is
a
concern
that
I
wanted
to
raise
here,
so
so,
for,
if
you're
doing
a
bunch
of
queries
over
a
single
TLS
session,
then
clearly
the
DNS
record
can
tell
that
you
are
the
same
plan
because
you're
using
the
same
TLS
session,
so
that
link
ability
already
exists
exists
for
Janice
over
TCP
as
well.
S
So
that
means
that,
if
I
resume,
if
I
one
network
a
and
I
turn
down
my
connection,
I
moved
to
net
would
be
and
I
spin
up
in
a
connection
and
I
resume
using
zero
RTT.
Now
the
recursive
resolver
can
identify
me
as
the
same
party.
That
was
this
is
the
the
inverse
problem
of
the
no
client
of
the
mutation
right,
which
is
that
your
inadvertent
kind
of
medication
until
has
1.2
and
ER
and
all
previous
versions
of
TLS.
This
is
true
not
just
for
the
recursive
resolver,
but
for
any
network
observer.
S
The
network
observer
can
monitor
the
TLS
session
IDs
that
are
granted
by
the
server
and
sent
back
by
the
client
on
the
subsequent
connections
and
tie
those
sessions
together.
So
there's
an
issue
that
your
your
DNS
queries
can
be
used
as
a
mechanism
to
track
you
across
the
network.
If
you
continue
to
do
session
resumption,
so
I
think
it's
important
that
if
we're
talking
about
DNS
privacy,
that
we
say
clearly
that
when
you
move
sessions,
when
you
move
network
connections,
you
should
avoid
session
resumption
and
that
inherently
means
avoiding
0r,
TT
and
I.
U
S
L
A
really
good
fem
analysis
to
do
and
like
to
see
it
I
hope
other
foo
over
TLS
protocols
do
the
same
kind
of
thing
just
as
well,
so
it's
really
good.
So
if
that's
imagine
the
outcome
here
was
something
like
and
you
don't
need
be:
playable
0
TT
data
between
struggle
recursive,
but
maybe
you
want
it
between
recursive
and
reparative.
So,
let's
just
imagine
that
might
be
an
epiphone
I
I
have
no
clue
as
to
how
feasible
it
would
be
to
implement
to
deploy
that
in
DNS.
Servers
can
I
turn
on
that
kind
of
distinction.
L
S
So
I
also
wanted
to
be
clear
that
the
client
has
the
option
in
terms
of
client
link
ability.
There
is
a
way
to
construct
a
TLS
client
profile
that
that
avoids
4
tails
1.3
when
the
server
gives
a
session
ticket
they
give
the
session
ticket
under
encryption.
So
a
network
network
observer
can't
observe
the
session
ID
when
it
goes
from
the
server
to
the
client.
N
N
S
K
S
K
To
pull
out
something
you
said
and
make
sure
I
understood
it
correctly,
because
I
think
it
actually
makes
one
of
the
problems
like,
but
you
were
raising
a
far
more
tractable,
and
that
is
this.
If
I
get
this
session
resumption
ticket
on-
let's
say
my
wired
network
or
let's
say
a
Wi-Fi
network
and
I
lose
connection
to
the
server,
because
I
have
now
transitioned
to
a
cellular
network.
K
K
K
You
have
already
used
on
a
new
network
and
that's
far
more
tractable,
because
one
of
the
problems
we're
dealing
with
here
is
the
the
correct
answer
on
different
networks
that
you
would
get
from
recursive
resolver
may
change
right,
because
it's
geo
location
of
you
has
changed
or
some
other
answer
exchange
if
it
is
possible
to
use
it
on
a
new
network,
provided
it
is
for
the
first
time
it's
a
far
more
tractable
problem
from
the
DNS
perspective.
In
my
opinion,
so
I
think
it's
important.
S
To
call
out
that
difference
so
I
think
we
need
to
keep
the
link
ability
question
in
mind
both
for
the
network
observer,
which
is
quite
bad,
in
which
case
your
thing
addresses
it,
but
also
for
the
resolver,
if
I'm,
if
I'm
talking
to
a
public
dns
resolver
I,
don't
necessarily
want
them
to
know
that
the
set
of
bear
is
coming
from
this
IP
address
at
time.
T
plus
1
is
coming
from
the
same
client
that
had
this
other
set
of
queries
at
time.
T
so
I
think.
K
T
That
does
not
work.
What
does
not
involve
creating
network
visible
linkages
between
interconnections,
I
career,
that
and
so
on,
and
so
on?
Princess
I
understand
it
in
1.2.
You
know
if
you
wish
to
have
if
you
wish
to
have
on
you
know,
if
you
wish
to
have
multiple
connections
that
are
I'm
linkable,
you
must
initiate
complete
doing
it
takes
every
single
time.
That's.
S
T
S
Going
in
right
now,
yes,
they're.
T
Very
sharp,
quite
right,
I
mean
because
the
real
reason
is
because
it
is
because
it
means
that,
because
it
means
it,
that's
a
that's
a
case
where
the
very
very
different
properties
between
these
two
protocols
and-
and
you
wouldn't
want
to
do
something.
You
thought
was
safe
on
13
and
then
have
it
be
disasterous
a
crappy
1.2
right.
O
M
R
Thanks,
yes,
so
sorry,
I
I
wasn't
following
the
conversations
I
I
think
I
think
there
are
I,
don't
think
I
guess
quite
right.
There
are
ways
that
you
can
do
it
if
you
allow
either
service
state
and
have
a
counter
in
the
protocol
or,
alternatively,
you
have
some
sort
of
time
bass
track
ship
because
you're
talking
about
the
cash,
the
staleness
issue.
So
if
you
had
a
mechanism
that
guaranteed
that,
when
you're
making
the
request,
if
the
request
is
sufficiently
out
of
time,
that
you
know
that
your.