From YouTube: LAMPS Working Group IETF97
Description
LAMPS is the Limited Additional Mechanisms for PKIX and SMIME.
This is the working group meeting from LAMPS recorded at IETF 97 on November 16, 2016 in Seoul, Republic of Korea.
B: Told my last meeting I was presenting first; I guess that was right. Okay, next section. So I think we've managed to get through almost everything that needs to be done for these documents. There are just a couple of things that I wanted to double-check consensus on, as it were.
B: The first is, there were a couple of people who wanted to list AES-192 in the mandatory... well, in the explicit MUST/SHOULD/MAY list. I think that I saw enough people who were against that position to say that the consensus of the mailing list was not to do so. If anyone believes that is wrong, they need to let me know.
B: I inserted text on deterministic ECDSA, which I think said: use it if you have it, because it's much, much better. If anyone objects to that text, please do so; otherwise it will stay.
C: Doesn't move. It's okay. So we're not calling it... CNSA, by the way, not Suite B. True.
C: So we would like it, but if you don't see fit to put it in, then you're right, go ahead. Sean, do it.
D: I guess... Sean Turner. I guess it just seems odd that we do have this group of people who might be the largest users of this, and you're saying now, like, don't put it in there. It just seems weird. I mean, they've got a profile, so technically you could leave it out and say, yeah, no, we don't. You know, it's not part of the base standard, and then, you know, the people that need to go by and go whack them. But it seems really weird that, like, I mean, really, it's... I mean, it's USG.
B: Last one is SHA-3. At this point in time, I'm seeing zero real support in the IETF for doing SHA-3 on anything, and I'm perfectly willing to stay with that position for this document. Is there anyone who thinks that's a bad position?
B: Okay, so work left: I need to add a really short paragraph on padding, which says, you know, you may want to think about it, but it's probably not a huge issue for S/MIME per se, and I need to regenerate examples and try to get some verification of them. I'm debating just stealing some Paul Hoffman examples for everything except the AuthenticatedData, so that's the only one I have to generate from scratch.
F: Basically, clarification on where the new otherName form is allowed: in issuerAltName, so it is allowed. There was no reason to disallow it. Disallow wildcard characters, some clarification on encoding, byte order mark character, Unicode characters disallowed, ASN.1 module, some OIDs were temporarily allocated and then deallocated, and then that TBD. So this will be resolved by IANA.
F: I think... thank you for that. I did explain offline the way that IANA allocations typically happen later, but, you know, yeah, I think you can show the next slide, which basically says I think we're done. I don't know of any open issues. There is no TBD in the document, as far as I remember. Does anyone?
D: So I guess, just for completeness, PHB in the chat room did say that he thought not including SHA-3 in the S/MIME specs is a bad idea. So this one... he thought we should include... I think what he's saying is that we should include SHA-3. So, right. So I just want to weigh that out. With which signature algorithm? Okay, all right. Hi, my name is Sean Turner and I'm in the pink box. So why am I here? I asked Stephen Farrell to AD-sponsor this draft and he said, that's awesome.
D: The joke up there. Basically, the idea is to allow people to do enrollment and get certs, and, you know, server-generated certificates over an HTTPS connection, and it's GETs and POSTs, and it's just a collection of: this is one for CA certs; there's one for doing simple enrollment, which is the tens and sevens; simple re-enroll is the same thing; server key gen allows you to ask the server to generate you a public/private key pair; full CMC, which is another interface to do...
D: ...you know, the full CMC dance that you could do, and then there's CSR attributes, which was added to allow the EST server to provide something to the client that they can then use to include in one of the enrollment requests. So an example of EST essentially is https://example.com/.well-known/est/ and then, like this, the service name. So what do I want to do? Standard. All the protocols: you give me a framework and I do some stuff, so I want to extend it. The key point here is it's just an extension. It's not...
D: ...it updates. I don't think that every EST server that's out on the planet (there are a few) needs to do all of these things. It's just some additional services, and some people could adopt them. So I have actually talked with some people. Dan Harkins is not here. He thought some of it was a little interesting; some of it he actually implemented in Yokohama, like on the fly, fairly quickly, so that's nice. And Panos at Cisco, I guess I also talked to; unfortunately, I butcher his last name, so I won't try it.
D: He said some of it was good, and some of it, meh. So I completely understand that not all the services are universally loved by everybody, but I think that if you put enough of them together, I've got enough use cases that they could be used. So next: the first thing I want to do is extend the existing server key gen in three ways.
D: The first thing I want to do is that there are some additional CMS content types that allow you to return, that allow you to wrap key packages in additional things. So one of them essentially is: right now you could do naked, which is essentially just return a naked key over TLS, which is good for most scenarios, but not for those that are slightly more paranoid. The next thing is that you can use EncryptedData or EnvelopedData. Well, there's this RFC 6032, which is encrypted key package. So that's useful.
D: If you want to do this thing called CMS content constraints, which you can put in a certificate to limit the person that's allowed to authorize or originate these packages, what they can do. So the idea is that you would essentially link the two. The next thing is that, actually, because we also have a way to return receipts and errors, we'd like to have the ability to return these back to the server.
D: So the idea is that when you give them a package you can say, you know, please return this receipt, with an attribute. If there's an error, okay, guess what: you POST back the receipt or error, and you do that with a POST, and I had to figure out a way, someplace, to put this. So essentially what I did was I extended the syntax from server key gen to someplace called return. So it's generic, because it's POST receipts and errors. I could have had one for each, but I figured since it's one thing, it's a POST.
D: You would just go there. And the one thing that both, I think, Dan and Panos liked was actually returning a PKCS#12. We'd love that everyone would use the standard formats that we came up with, but PKCS#12 is still used, and so we're just going with the flow. It's just: add another one that'll actually be used. So, you know, we tried our best and everybody was like, hey, that's really great, but P12 is kind of what gets used, so I'm giving up. So next, and then all of the new services.
D: So the idea, essentially, is this PAL thing, and this is where I'm going to duck: it's an XML-formatted file that essentially is a flat file with a bunch of entries that are included. There's an IANA-registered type, there's a name for the thing, there's a pointer in it, and a date and a size. And so basically you have this file, and you get pointed at it through some a priori syntax, and you would essentially just walk through this file to know all the things to get.
D: The first thing you would get is, like, your CA certs. Then you can maybe get firmware, TAMP stuff. If that wasn't interesting, then you could get some CRLs and then get some skit. Do your enrollment, and you can do all these things, and at the end of the day, after you've walked this whole file, you're ready to go; you're pretty much ginned up and you can start communicating. You're flying. Guess what the next step is. So there might be some other way to do this, but this is the part...
D: ...that Dan implemented, kind of on the fly, fairly quickly. So distribute: I have some slides later, if we have time, which we might, or if you're bored we can just skip them and you can read them later. Distribute certs: so this service would allow you to essentially say, hey, I know that these devices are really only going to talk to a couple of people, so just distribute certs that you know the device is actually going to talk to. So say you're setting up a thing in a...
D: ...or something, and it's only going to talk to four other things. You could give it those four certs, so it doesn't have to go find them later. It's just already got them, so when it goes to communicate, it can use them to just verify or decrypt stuff. CRLs and ARLs: I know there's a way that you can just straight up pull the CRLs and ARLs from CAs, but you could also just use this mechanism. Distribute symmetric keys: again...
D: ...it's another key format that we defined in the IETF, and the idea is that, hey, it might be good to actually be able to use this EST thing to distribute them. So the idea is that essentially the client would connect to the server and the server would say: hey, look here, all these symmetric keys that you could use, and then it would download them, and again it's CMS-wrapped. Then you can encrypt, sign; there's a whole bunch of, you know, various ways that you can wrap these things to provide various levels of security.
D: None if you want, or a whole bunch. And then we get into more fun ones like firmware: it is an RFC standard, there are actually people that use it, so the idea is that we'd like to be able to support those people that could use it. TAMP is another one, and then, of course, all of these things that we, you know, require that my IETF protocols do, like return receipts and errors. We included those, and for completeness we're like, all right, so we need to be able to support returning those.
D: ...could be used. So the idea is, if they were to set up their servers to be able to go pull this thing, you could see that that could be a solution. Interesting. And backup: this is just kind of more, if you want to go to the next slide, it just shows you the format of the PAL, and again I duck because it's XML, but it's basically, you know, it's a PAL with a bunch of messages.
D: It's got a type, and it's from an IANA-registered thing, which we have on the right, and there's a whole bunch of them. So we kind of broke it down to the ones that I've been using. You know, because the PAL could be, like, a million long. Maybe you don't want it a million long. You can clip it and make it short.
D: So I knew you'd say so. I knew somebody was gonna ask me that. Yeah, and that's where all the cool kids are going now. I'm not, apparently; I'm not CBOR, and again I'm not cool and I'm getting older. Did it in XML. This is obviously not the hippest thing on the planet, and my kind of theory is that I need to do XML, and so, if other people want to do JSON, that's great.
D: If somebody can tell me how to allow both but not require one, and allow the client to request what they get returned, that would be great. But if we get into this MTI thing, I'm gonna lose my mind, because I just need to return this format, and if it's JSON or XML I really just don't care. Or the next thing: I just need, I need XML there. Other people might like JSON. Is there... see, if you know, as an ART guy, you can tell me what the right way to do it is.
D: The way I wrote it, since none of them are required, they're all optional. So the idea is that if you didn't want to do the PAL, you could just skip the PAL. You just want to do the e search, you just add it. So you as a client, which is, you know, if you were to go connect to it, if you didn't get to that thing, you get an error, basically. So there's...
D: I get an error flow. Yeah, it's not awesome. I mean, so there are some grander schemes where we could do some, like, service discovery kind of thing, and a lot of stuff. That's just a bridge too far, I think, for basically what I need to do, which is, like: here's some more stuff you could get; here's a list of things; point to it; go get it.
D: Sean gets skewered by the CMC author, two slides, okay.
D: ...them XML. Well, that's fine! So my theory is that I don't... so the PAL is the only one that's XML, right; the rest of it are all CMS blobs. And if, again, you can tell me how I can query and get XML and they can query and get JSON, that'd be great, and I don't know if you do that based on some... oh, you can ask for it. You can't undo PAL one. Do PAL.
E: Sean Leonard. So yeah, just to... although it sounds like some of this XML versus JSON versus CBOR or whatever was a little facetious, this exact same issue of type negotiation has come up in NETCONF and YANG, and they have an approach of negotiating Internet media type. So I would say that... so. But, you know, whether...
D: It's... the next slide is kind of more of a... this is all in the draft, right, so it's an eye chart. So basically this is, you know, what you could do if you have the PAL. So essentially you do a GET to get the PAL, and then you would just, like I said, walk through the whole thing. So it just provides you more information about, you know, what's in the GET and all the fields, and it's basically like an eye chart, and it's in the draft. So all of this stuff is already registered.
D: It wasn't clear to me whether I had to do that via standards track or informational, so I just kind of did it and put it in as standards track and said... man, because I'm not updating the draft. I mean, obviously I would prefer to go standards track; everyone loves to go standards track. If you tell me I don't actually have to, and I can go informational, that's probably okay.
D: So one of the points, I guess, is that, like, if you think that I'm, with this, the biggest idiot on the planet, like, now would be a good time to hear that, because I think the problem a lot of times with AD-sponsored drafts is, right, that Stephen goes, great, I'm going to sponsor this. Is there any discussion? Right, and, like, do you want to know, like, is this the stupidest thing on the planet?
A: Okay, we went through that very quickly again. Working group last call on the EAI document will start this week. I was planning to do a two-week working group last call. Does anyone have objections to a two-week working group last call? Okay. Jim, when you said you have one thing to discuss on the list and then update your doc, you meant...
D: Afterwards. So I'm just going to suggest, I know that we probably shouldn't do this, but there is a Thanksgiving holiday in the US and the vast majority of people won't be working that week. So can you just, if you're going to start one this week, can you just make it three weeks? I can do that. Okay.