From YouTube: IETF98-TRANS-20170328-1300
Description
TRANS meeting session at IETF98
2017/03/28 1300
A
F
G
D
D
The agenda for today: first thing is to take care of some administrivia, get a status update on a discussion of 6962-bis and obtaining proofs, because there's been a lot of discussion of that recently. Name redaction and privacy, also going to be a long discussion, binaries logging and a log monitoring API, which that discussion may or may not happen, so you've got blue sheets out on then. The next order of business is saying thank you to Steven; we've gotten him a plaque with log log information for the IETF certificate.
D
Okay, status update: no changes to the charter, all you know. As always, we are, we are behind schedule. We now have 42 open tickets, so thank you very much to Richard. And 6962-bis working group last call did not complete successfully. So that's, this is why we're here. Name redaction: we've got several competing proposals that we'll be talking about today, and output from this will go to the mailing list. On the threat
D
analysis is stuck and we don't have complete agreement about why we're stuck, but we really need to shake this loose over the next month or so and get this out, so I, we're going to take this to the mailing list as well. If anybody has strong feelings about it that they'd like to share here, that'd be helpful as well.
H
If the end of your say what they want, I volunteer to be co-author and put it in the text. Yeah.
D
Yeah, I mean, we've got this situation with the editor that needs to be resolved as well. Yeah, it's, if it were only that simple. Okay. So, let's see, the CT gossip is our first document that has completed working group last call and has been sent on for publication. So many thanks to Linus for that, and for everybody who's reviewed it and done implementation. On CT DNSSEC, we have no, no update on that, and is there interest in moving this forward?
D
Yes, okay! Well, as usual, the way to do, to do that is to update drafts, to submit new ones. On CT binaries, there's new interest in picking this up, and Frank has a draft that he'll be talking about later.
D
In addition, my understanding is that there's been some movement on this outside of the IETF, and EKG can probably speak to that, but we would like an update on it when we're talking about that topic. So, and a reminder, this is, this is a big deal in terms of moving the document along: 6962, this needs to be correct, but it does not need to be complete. We can, all right, we can always publish additional documents providing explanation, additional features and so on.
J
A
D
E
OK, so I'm going to give an update about 6962-bis. When preparing this I found the slides from IETF 91, with updates about 6962-bis, and I really, really hope that I won't be standing here again like in half a year and giving like another update, but I'm very confident, but I'm very confident that that I want me not tell you why.
E
So after working group last call, we get, we've got a significant feedback from New Zealand, who took, took like a very thorough look at the airport, like the system design overall, and try to use, like, basically provide different perspective on how CT can be built or implemented such that it can give like stronger guarantees to clients, and generally the bits in 6962-bis that may be unfriendly to clients or implement servers in general. The feedback falls roughly into one of these four categories, which, which art has hopefully filed like in the issue.
E
It doesn't sort but like to the issues right now currently include like the follow up, but they will, like, after that IETF meeting, and then what I'll do, I'll just go over them. I'm present. So for our say that for, I think, almost all the issues, we have an agreement on that the suggested, the recommended changes, which we will bring back again to the working group for approval to make sure we have consensus on them.
E
There are a few that we do, we, on which we'll also bring to the working group, like, for the discussion, but mostly what I'm going to describe now is things that is other issues: what, what was this of the original intention behind each of those, and how do we propose to resolve that. So on that editorial front, there was description of the log parameters, specifically the log metadata section.
E
That was added, I think, relatively late in the process, and the suggestion was to move that, the sort of close at the beginning of the document where we describe an actual log operation. We have the extension types defined for SCTs and the STHs. These are currently two separate extension types. The suggestion was to merge them to a single extension type, because right now no extensions are defined. It seemed sensible to me.
E
We use the digitally-signed notation to describe what the signatures in 6962-bis are over, and the suggestion was to use the description from the TLS 1.3 spec, but like retain the encoding of the structure, is it including the signature and hash algorithms, even though this is metadata that the client should know about the log, because the client already knows the log's public key, just to make it simply simpler to implement.
E
So the steps that are needed, what are, like, the data structure that needs to be reconstructed and how it could be, how it should be validated, which are again like sort of implied in the spec, but I think a better explanation with would actually make it simpler to implement, because we have seen people both for 6962 and 6962-bis somewhat struggling to, to do that correctly. I think so far, more editorial stuff.
E
So the, of the Merkle tree data formats, the data structures that are actually used, like stored in the tree, they're spread all over, should probably be consolidated and grouped into one section, or at least a few sections one after, yet one after the other. A great, I would say, like bikeshedding opportunity is the notation for the Merkle tree section. How do you denote, like, the tree of a given size or an entry at this index? I think when Rob and I tried finding like standard notations, we couldn't find any.
E
So if anybody has suggestion, do let us know. There was, there is a section about error codes, so some error codes are common, some error codes are specific to a, like, one API function call, and the suggestion there was to clarify exactly what are the common ones and say like there is no reuse of error codes beyond the common ones. So, each, if an error code repeats in some, but not all, of the API, of them HTTP calls.
E
J
Think that's Richard Barnes. I think that's a little different than what I thought we discussed yesterday. I was thinking that incorporate, an entry would be incorporated into a log when a signed tree head exists that covers that entry. Yes, OK, so that's, that's. Why agree? Yes, I think we should just like.
J
I mean, it's meaningful, right, because it's, that's how you interpret the MMD, right? Right, so it's important to have like an actual definition for this. What to, but you know, with the MMD, is a delta between two events, like what's the incorporation event, so it was like defining that as the timestamp of STH, I think, the issuance when STH, seemed like an appropriate thing to you.
E
I think that that's what, I guess, what triggered this, this issue in the first place. It's not entirely clear, but broadly speaking, I think a log entry can't really exist unless they're, like, what, it can exist without having like an STH covering it. But clients see that it exists once an STH covering it is published, so we'll do that. Data structures.
E
So the few data structures we've specified that I think we can like simplify. One was the suggestion to get rid of the SCT with proof data be to the structure I named the trolls of the time very easily. Obviously, that was more useful when we thought that will support redaction either by allowing logging of intermediate certificates and then having one data structure that contains like the SCT, the proof, STH for this intermediate embedded in there or medicine, where else would have made more sense, but that isn't like strictly necessary.
E
It just means that client, but clients will just have to figure out which initial inclusion proof and STH, whether they sort of belong to. Removal of the timestamp from the STHs. So this is actually, I think, it's a good ticket, because it's sort of exposed, like, some underlying assumption. So you do need the timestamp in the STH to basically show that the log has up, like has upheld, like, the maximum merge delay, to show that indeed the certificate, like, or submission was incorporated within a given time period.
E
But if you want to use the STH as a proof of liveliness from the log, then it becomes more tricky, because nothing, so like you can call get-sth on a log and get an STH that's eight hours old. What does that say about the log? I don't know. So, I think, and I think this is an actual issue that came up.
E
I think when we monitored one of the recent one, on one log which incorporates certificates and did so within the MMD, but we weren't able to observe the STH that shows they were incorporated until several hours later. So I think this is a discussion that should be like brought up on the list, because I'm, again, I gotta have it like an answer here.
E
Removal of these, these entry types. So this is, these are date, these are data structures for stuff returned by the get-entries call, and general, I think it's very sensible to make sure that whatever is returned by the get-entries call is the same format that was submitted in the add-chain method. Just.
J
E
E
And this is a good point. I think, as part of the editorial work, I'll go and clean it up and make sure that the data structure that has entry in the name is the thing that is in the log, like is the log entry, and not, and not something else. And the next one was about indication of certificate / certificate in the entry and in SCT. So right now we have the TransItem, which can embed all the other data structures in a document, and as part of the type in the TransItem.
E
There is an indication of whether this, the TransItem contains an SCT for a precertificate or an SCT for an X.509 certificate, and the suggestion here was to move that indication into the SCT and not have two separate TransItem types for these two SCTs, which I think is sensible. We'll just have to make sure that there are no implications beyond that, because, well, that I think logically means it. When that's implemented, the SCT struct gets passed around rather than the TransItem struct.
E
J
E
I agree. Okay, so, common thread is the HTTP, or like the API in general. We had a few calls where we've added the STH as an output parameter in case the, the log doesn't know about the tree size that the client is querying about. So, for example, if the client asks for a consistency proof between two tree sizes, but that particular front end of the log knows about, only knows about the smaller tree size, because they didn't, like, that front end didn't get to see the latest one.
E
Then that front end could return a consistency proof between the STH the client requested and STH, the latest STH it knows about, and the latest STH it knows about. So the client can sort of have a smaller delta to check consistency for, but it actually complicates the client implementation, and the benefits, I think, isn't entirely clear. So because that's something that the client can do themselves, right, like that, they don't get, they can just like retry. So these were these suggestions to remove the STH from, from these missed calls and I.
E
Consolidation of the two separate endpoints, which, like, this just like two separate, like, HTTP calls right now, or methods, and there is already like a different parameter that says if it's a precertificate or certificate being submitted, so I think that's very sensible. The last one about the best current practice 190, which I think, as far as I understand, says you should advertise the URIs in the directory. So there is like one endpoint.
E
The client for is to get directory design is which each service, what the the was right here, all right, and I think that it is not applicable for 6962-bis, because the client already has a decent amount of metadata about the log, like the client has to know like the log's URL, the key and a bunch of other parameters, so service discovery, I think, is, is of limited utility in that case.
M
Thompson. I think I raised this originally. Now, I think you're interpreting BCP 190 in a very pessimistic way, so a potential way to interpret 190 is to say that you have configuration for each one of these endpoints that you've described. That would work perfectly well. You could say, simply say that the configuration is required to identify all of the different URIs that are used. There's like five of them or something like that.
M
Yeah, get away with that, and then you don't have to worry about BCP 190. The way the document is currently structured, it says /trans/v1, or v2, is a particular thing, and that says to people operating these servers that they have to put these resources in those locations, and that's massively inconvenient for, that could be massively inconvenient for some people.
L
M
E
M
Much a problem. Okay, and so, and they've, the resistance of doing a directory, which is what a number of other protocols do, is that that extra level of interaction means that you have the extra latency involved with using that log. You know, I don't actually subscribe to that notion particularly well, because caching and various other things, and you've got a lot of extra latency anyway. But if that is a concern, then you can simply take the other part that I suggested. Okay.
G
D
It's sort taking my half. I'm not a fan of BCP 190 in general. I mean, this, you know, I, this is not a web application. I'm not concerned about namespace collisions. I am concerned about latency, but on the other hand, I don't feel that strongly about it. I mean, it's about it. You know, it's, you said it's massively inconvenient, I think it's a lot.
D
M
D
N
Andrew Ayer, speaking as a client implementing life, the clap, doing what Martin suggests would impose a lot of burden on us, and one of the reasons that would have long said changes the URLs I uses. How does, how does the log, you know, notify monitors, auditors, people participate, participating in gossip that they need to use a different URLs?
M
Yeah, so, so my response to that would be, if it hurts do that, and I can't imagine someone who's deployed a public log that has numerous people depending on them is going to change where things can be accessed, but I just ridiculous. You.
B
F
O
B
J
Was going to also suggest that this is maybe something you should be shipped and iterate on, speaking? If it hurts, don't do it. Like, we don't, we have some operational experience with CT now, nobody has said it hurts. Maybe we continue to believe it doesn't hurt, and then, you know, fix our BCP compliance later. If they're, can extend the protocol to add some discovery mechanism if it turns out to be necessary for a server Kate.
E
Was so intent on, I'll definitely follow up on that later. Okay, the architecture, architecture changes. I think these were like the, like, the meatiest suggestions. Some of the meatiest suggestions are the, one of them was a long separation for SCT and STH keys, so I mean, now like general, like in theory the, as far as I understand, like the protocol doesn't really require like using the same key, and you can definitely use different keys for verifying OCT one lender.
E
SCTs get moved around between data, same, centers, so it's not like they are tied to a specific, a HSM, and, and there's like the signer sequencer jobs, the ones that actually generate and grow the tree, also move around between data centers, again, because we don't want like a single point of failure, so they are not tied to an HSM as well. So, like the, it, there is no like a benefit to isolating one key but not the other. So it's something we should.
J
This feels a little bit like saying, you know, you're worried about sharing keys around is a big deal, because everyone sharing keys around already. Yeah. I still feel like a little sketchy about making that assumption into the, into the protocol, but I'm okay like letting this be for now, because it seems like, again, if we want to address this concern later.
J
E
I'm looking at this. Yeah, yeah, I mean, I think I, like, maybe like a better way to put it would be to say, like, the keys for SCTs and STHs share the same properties. I mean, I agree that you don't want them, like, these keys like distributed, like, too widely, and you want to like keep careful, keep track of how they're, on how they're being used, but separating them is like, maybe not beneficial, because they sort of ultimately dissolution the same properties. OK, and then removing unnecessary restrictions on logs.
E
So there are two restrictions that were mentioned in this ticket. One of them is about not imposing any conditions on retrieving or sharing data from logs, which was, is actually like a policy measure to make sure that data from logs can always be obtained, not necessarily necessary from a standard perspective. So the suggestion was to change that MUST to a SHOULD, such that implementations that, under some circumstances, want to prevent data from acknowledged can do that. But then the policy for the user agents for including these logs could say no.
E
The signature on the SCT covers the TBS certificate portion of the submission and the issuer key hash, so that client sort of that. The implication is that the log verified the submission, makes sense, and then, and then like sign only the bits that, that are interesting. In that perspective, it may still be okay to change it to SHOULD, but, but at the very least, we should, I, to explain like why it's there and why it's, like, what are the, what are the reasons for keeping in there, and yeah, maybe change it to SHOULD.
E
Incorporating new protocol mechanisms in the TLS client section. So this was about, so the, right now 6962-bis is very heavy on SCTs, right, it says like when you should validate SCTs, but actually we can ship embedded inclusion proofs, and the protocol should say that if you have like an embedded inclusion proof and an STH, then you might as well verify the whole thing. So I think this perspective should also be provided, like threaded throughout the document.
E
Now two more issues around architecture. One of them is having the entire STH history of the log accessible to clients, so similar to get-entries, or you can just get all the entries from the log, have get-sths, and it guided allows you to get all the STHs from the log. And then, if you had a signal sequence number to STHs, you can, you can always like know which, like which STHs sort of you need, right, which STHs.
E
You can request, so that, I think, would simplify al such, like such a method, and would still allow so. The importance of this is that, if monitors in particular can download all of the entries using the get-entries, and keep in mind that each entry contains the timestamp of when it was incorporated, and then can download all the STHs using get-sths, then each monitor can verify that each entry was incorporated within the MMD, so having a record of both is, is very useful for investigating.
E
Actually that was one thing that we were missing when invade, investigating an incident with one of the CT logs. That was, I think, it issued like STHs for entries with slightly different order, which means basically different trees, and you couldn't get like the historic STHs to know exactly sort of when that and it started. The last one, about binding the set of artifacts the log is expected to produce, we didn't get around to triaging yet, which I don't quickly like to briefly describe the motivation.
N
J
Idea here is that, right now we, you know, a log is expected to produce and an inclusion proof, but consistency proofs between any two tree heads and inclusion proofs from any entry to any tree head, and the observation here is just that that latter part introduces an unnecessary degree of freedom which greatly expands the set of artifacts a log is expected to produce, which greatly reduces the cacheability of the system.
J
They, like, cacheability is important both for scalability reasons, but also for privacy reasons, because if you look at things like the CT / DNS proposals that have been made, those are relying on cache hits for the privacy properties they're giving. So, so the degree that we can reduce the variation in what a log effective produce and what clients are expected to query for, you get a better cache hit rate in a better privacy currency. So I think the, the upshot on the document for this is probably going to be, is I expected.
J
What we would get to is to say that a log, instead of producing, being required to produce a, an inclusion proof from any entry to it, to any tree head, would be required to produce an inclusion proof from an entry to a tree head of its choice and then a consistency proof from the tree head of its choice to the tree head the client likes.
M
P
President, the client has some, has some tree head that it knows about, and it wants to meet inclusion proof to that, and so your and surprisingly require you to produce, the log to produce inclusion proof that tree head, and what you're saying instead is to produce a, to produce a two-piece proof. 12 sthu, this choice in a second and a sec. This is you proof to another sset of the client requested, correct. That's me reasonably mate, I.
J
Think they're, basically two relying party models on the table, one in which you maintain one SCT and what you cache a bunch of SCTs, er, sorry, STHs, basically try and cache the entire STH history of the log. In that light, in the latter model, all you care about is the inclusion proof and verifying that's in your, in your history. In the latter, mutton, in the former model, where you cache one STH, you care about getting consistency, and so I think the, yep, in.
P
B
People try and talk more into the mic, resurface to remote participation. 02 I, don't mind me, I'm just trying to confirm my and sunny as well. This is a compatible superset right now, because right now, but the server could say here's an inclusion proof up. Yes, but your sisters and the client doesn't ask about any particular. No, it does. So the server can say: here's an inclusion proof up to the STH that you said, and therefore the STH consistency proof is not. Yes, yes, okay, rizal worth.
Q
P
P
I guess I'm not sure if this is in the air out of this. I'm not sure if this is in the agenda at some point, but at one point we talked about the, the people who are producing this skip list would like to know which one the log with, like, is there some description? Is there some, because that happens? Work well on requires that the people produce, the people disseminating the STH is to trust the clients knowing which one's the log would prefer to produce to. So is that somehow cover here? Yeah.
J
L
J
It just, it, that at least limits the space to say these are the tree heads you need to care about. If you want to address the history of the log, so yeah, if you want to address the, make it predicts what we just th the log them like for a given certificate, that would need something else. That's not covered in this change that I'm.
P
Just trying to fact that the model I think people are their heads, which is some people have, which is that the, the, there's some mechanism for getting a set of blessed STHs, which you out of bamboo, lemur, cool, and, and then you're going to go with your, the datas mechanism and say please feed me a proof after one of those, right, and I'm just trying to make sure like it. That has to be how that happen efficiently. Be nice.
P
J
E
Yes, I think, I think it's useful to describe these, this, the system, but it's, which I don't mind, like one of the things I mean for is to make sure that 6962-bis can, can be used to implement like CT logs with the same like mindset or same approach that 6962 currently allows you, and enable that as well, so I think.
E
Ideally, the protocol will allow you, will have like the knobs to 20 you to do both, and then describe that particular approach, like how to, how to select or how to bless STHs, right, and then the requirement for, for inclusion proof, sort of, up to one of these blessed STHs and other considerations about caching in, I think it's like documented wheels. On top of this.
B
Ad online, Google, so eka, I think I, don't think we need in the protocol to come up with like a way to distinguish some subset of tree heads. If the clients just ask for inclusion proofs to the, like, the closest tree head afterwards, then the server, just like with caching and so forth, can figure this out, and so it just should naturally work well. I'm.
P
I'm not sure, so I guess say that, let it, let's assume the STHs are numbered by integers, and so what happens? If so, I guess what happens if on Firefox decides to do the New York to see all 1000 and Chrome besides that he'll see what 1,000 before, then we will disagree about those and you won't get one, right. I.
B
P
Might be okay on our now, I guess this, maybe, I think that the real problem is that what's motivating this from our perspective is a desire to eventually all the servers to feed a complete inclusion to clients, and for that every quiet, houston-base ever accept the same house. It has to check whether the same place.
P
B
P
No, no, I think it has to be coupled with the fetch mechanism, arm, but there I ain't it. The, there are reasons to believe that the knees mechanism may not provide exactly what you want in and out friday. Zakat. Is that the properties you want in various ways, and, and certainly the performance impacts on, if you don't do that, of course about it for the DNS mechanism.
D
Yeah, I mean, I think one of the reasons is, this is a, this is a hairball discussion, because this represents a substantial change in the goals of what we're trying to do here, and so it needs substantial discussion. That, I am a little concerned about the time, and I want to make sure that we've laid sufficient groundwork to be able to take a smart discussion to the mailing list. I think.
J
J
E
Okay, so that, I think that's almost at the end. There are two issues which were, on which we didn't have a consensus. I stopped short of putting like photo of bike in a shed here: use of like log IDs should use OIDs or in 32 we, and separately the IDs specified that refer, the identified extensions, which, which should have come from an animated registry, or are they once the current evar? Okay, I'll just leave it at that, and.
E
E
So yes, under the assumption, will probably like write up clarification suggestions for the things we think is a good idea and bring it up, like each of them, to the list to make sure that there is consensus, and then hash out, like, the few remaining disagreements. And I said, like, my suggest needs to have like, am, a separate document describes like the different of CT that provides extra. No guarantees, describes exactly how you choose STHs, what the comments from the servers are, and this sort of thing, but I guess we'll see about that.
D
Okay, thank you very much. I mean, I know that's been a tremendous amount of work over the past few weeks and it's much appreciated, but there's more work, tremendous amount of work yet to be done. Okay, is Saba here? Yeah, okay, great, you're up. I weren't, oh right, right, we're moving on to the privacy and redaction section on saavn scott, another close one. There.
A
R
So I should book it, all right. So hi guys, I'm Saba. I want to talk to you guys about some.
R
Some work I did with the, the applied crypto group at Stanford recently, and so what I'm going to talk about you can read about in our paper. It's on the arXiv, I think I sent a link to it to the mailing list, but so the things that the paper includes, on the next slide, and we have some ideas for redaction, how we can get private subdomains in CT, and then some ideas about privacy-preserving proofs that a log has excluded an SCT.
R
And then we have some other discussions about privacy compromises and ideas about how CT and portlet certificates can be made to work together, but I'm only going to focus on the, the first couple things, a light, on the next slide, yeah. So if you want to read more about this or about the other things, you can look at the paper. So I'll jump right into the, the redaction idea, so yeah. So the problem of redaction I think we're all familiar with.
R
We don't want to have private domain names on the log, so ideally any, any secret.facebook.com type domain wouldn't appear on the log. So on the next slide we have an example of what you want. We want this to be hidden, or I think we would content ourselves if, on the next slide, we just redact the, the secret portion.
R
R
So when you have like some number or some information that you commit to, and then you send it off to some other party, the other party's not able to see what it is that you've committed to, but later on, when you reveal the commitment, you have no option but to reveal what you originally committed to. So in this sense the commitment has a hiding property, that what's in a commitment is, is hidden from whoever looks at the commitment, but it also has a binding property, that once you commit to something you can't equivocate later and change your mind and say no, I commit to something else. You're kind of forced to, to commit to what you, to reveal what you committed to. I said that quickly. Are there any questions about what a commitment is? No? Great.
R
So the way that we build these, yeah, you can just skip through all of those. Okay, maybe want that. The way that we build these is, is straightforward. It's just, like, you can do this with hashes, so the idea is, to build the commitment is, if you have a message you want to commit, then you take some randomness, that's like the commitment, the key equivalent, and then you hash the, the message concatenated with the randomness, and then the output is the commitment.
R
This gets around the problem of like a dictionary attack on just hashing, because now to do a dictionary attack, you not only need to guess the input, but you need to guess all the randomness as well. So the way that we're going to use this to do redaction is, when a domain owner issues a request for certificate to the CA.
R
It's going to send the, all the information needed to make the certificate, but it's also going to send a version of the domain name with the secret components redacted by using a commitment, as well as the randomness that you need for the commitment, and then when the CA sends a message to the log, on the next slide, all it sends is the precertificate with the domain name that's the redacted version, so we get on the log.
R
Eventually, if you go to the next slide, is just the, the redacted version with the secret subdomain hidden and then the, the domain owner's name listed publicly, and the SCT would get the, that, that same information, so just have the redacted domain in it. So, finally, when you get to the certificate, on the next slide, the certificate is going to include the actual domain name as well as the redacted SCT and the opening of the SCT.
R
R
Slide
the
they
just
need
to
verify
that
the
commitment
component
of
the
SCT
actually
corresponds
to
the
the
the
thing
that
the
certificate
is
purportedly
for.
So
if
you
have
some
commitment
to
secret
facebook
com,
you
need
to
make
sure
that
the
sut
included
is
actually
for
secret
facebook
com
and
not
for
some
other
some
other
site.
That's
somewhat
trying
to
pass
off
as
being
for
secret.facebook.com.
So
on
the
next
slide.
We
briefly
discussed
security
of
this.
R
So
the
those
two
questions
that
come
to
mind
for
security,
one
is:
how
is
a
monitor,
still
going
to
do
its
job
if
we
have
redaction
I
think
this
is
a
kind
of
a
general
redaction
question,
but
the
idea
here
would
be
that
if
you
know
how
many
entries
there
are
from
like
Facebook,
you
can
look
and
see
hey
there's.
You
know
we
thought
there
would
be
16
entries
for
facebook.
There
are
17
entries
from
facebook.
Something
is
clearly
wrong
here
or
I
mean
if
you
have
knowledge
of
the
individual
SCTs
you
could.
R
If
you
know
the
randomness,
you
can
kind
of
check
them
one
by
one
as
well.
Also,
the
another
natural
question
is:
why
can't
a
malicious
site
or
CA,
using
that
we
use
an
SCT,
that's
already
on
the
log,
and
this
is
prevented
by
the
hiding
for
the
binding
property
of
the
commitment
yeah.
So.
P
P
We
discovered
so
the
set
operator.
You
know:
I
have
five
fifty
thousand
certificates
to
my
site,
which
is
not
like
crazy,
pants
right
and
now
I
discover
that
their
50001
certificates
and
now
what
I
did
because
my
problem
is
that
I
don't
know
whether
there's
some
suction,
my
organization,
which,
like
is
issuing
certificates
on
boats
to
me,
which
is
actually
quite
likely
or
whether
it's
or
whether
like
this,
is
this
an
attack.
So
how
do
I
resolve
that
problem?
I
see
so.
R
I
guess
one
way
to
do
it
is
if
you,
if
you're
concerned
about
segments
of
the
organization,
we
could
have
more
granularity
in
terms
of
like
what
what
levels
of
sub
domain
is
a
secret
and
what
level
is
not.
But
that's
not
a
that's,
not
a
complete
solution
either
right.
P
I
have
basically
its
food
up,
Missoula
or
barred
on
the
solar
or
gossip
is
all
that
org
and
you
know
so
the
region
I
have
right
as
I've
got
like.
Basically,
you
know
you
know
like
most.
The
organization
is
like
like
doing
with
both
of
you
and
I
got
some
support
organization
which
getting
stiff
Achatz
for
those
of
the
mains
and
I'm
somewhere.
That
fact
right.
R
S
Don't
think
it's
about
parity
or
even
about
count
right
if
you're
actually
doing
a
proper
monitoring,
Eugene
need
to
know
the
certificates.
Your
organization
has
actually
issued
all
of
them
and
your
Union
look
at
the
stuff.
That's
in
the
logs
and
compare
what's
in
the
logs
with
all
of
us
or
search
the
Domino
I
think.
P
I
know
all
and
then,
when
I
see
a
new
one
right,
disco
I
see
a
new
one
and
it's
surprising
and
then
what
I
do
is
I
go
on
and
try
to
investigate
it
and
I
say
oh
this
is
you
know
this?
This
is
damn
dummies,
Oh,
Lord,
right
92.
Why
Carl
and
I
say
you
really
issue
this
resist
attack,
but
this
is
I
say
this
is.
A
R
P
P
R
The
if
we
go
back
a
couple
of
slides
the
the
key
for
the
the
commitment
is
going
to
be
held
by
the
site
as
well
as
by
the
CA,
so
they
can
be
put
in
the
certificate.
If
you
want,
so
you
could
I
guess
you
could
call
this
day
and
you
commit,
but
also
like
Facebook
would
have
the
should
have
the
decommitment
yeah,
the
zinger.
P
Of
misunderstandings,
I,
usually
uncooperative
or
in
some
organizations
issued
certificates
of
my
name.
It's
actually
totally
happens
so,
like
you
know
so,
I
don't
know
my
problem
is
I.
Have
you
know
ten
divisions
and
I,
don't
know
which
division
miss
issued
or
actually
properly
issued?
And
so
how
do
I
go
ask
them.
This
is
a
real
certificate
or
not
so.
P
S
P
Or
it's
not
and
eventually
I
say
like
well,
then
muscling
this
issue
right.
So
really
it's
like
really
kind
of
very
painful,
not
have
any
idea
who
it
is
so
I
mean
I'm,
not
saying
this
is
a
non-starter,
but
I'm
saying
it's
like
not
awesome
is,
though
I.
S
Mean
couldn't,
if
that's
your
organizational
policy
and
you
don't
plan
on
doing
redactions,
then
you
could
just
say
if
it's
redacted,
but
you
could.
This
is
an
Orion,
no
choice
right.
Are
we
willing
to
open
ourselves
up
internally
to
this
thing
or
are
we
going
to
say
no
one
should
be
issuing
redacted
certs
or
than
our
condition,
because
we
do
because
we
don't
have
the
capacity
to
track
people
that.
S
No,
but
what
I'm
saying
is
as
an
organization,
you
have
an
opportunity,
you
can
say
no
one
in
our
organization
should
issue
protected
certs
and
if
you
do
issue
redacted
and
she
certs
with
redacted
SCTs
then
something's
wrong,
you're
out
of
company
policy
anyway
and
ever
like
yeah,
then
you,
then
you
revoke
those
certs
right.
I
mean
they
never
found
out
of
this
issue
an.
P
Offensive
position,
which
means
our
pub,
which
means
have
a
CA
recourse
problem
and
so
I
mean
I,
guess,
look
I'm,
not
I'm.
Sorry
I'd
like
this
is
like
like
like
I,
was
asking
a
simple
question:
I
have
gotten
out
of
hand
like
you
know,
I
think
I
understand
poverty.
Is
the
system
I'm
not
saying.
Please
continue,
yeah.
H
H
E
O
M
R
T
Ben
Schwartz,
Jigsaw,
so
is
there
a
what
happens
if
the
unredacted
certificate
leaks,
and,
in
particular,
does
that
create
a
problem
for
a
CA
who's
committed
to
who's
publicly
stated
that
they
will
put
all
of
their
certificates
into
certificate
transparency
or
is
there
how
do
we?
How
do
we
combine
this
idea
that
all
certificates
generated
go
into
the
CT
logs
with
this
idea
that
that
now,
actually
only
in
this
case,
half
of
them
go
into
the
CT
logs?
T
R
I'm
not
sure
if
I
fully
understood
your
question
but
I
guess
the
idea
is
how,
if
so,
if
is
certificate
that
has
an
SCT,
that's
committed
is
leaked
publicly.
Then.
Clearly,
everybody
in
the
world
knows
that
this
redacted
SCT
is
connected
with
this
certificate,
because
they've
shown
up
together,
yeah
and
I
think
this
is
a
problem
with
redaction,
also
in
general,
like
it
when
you
get.
If
you
know,
if
you
get
this
SCT
from
the
site
and
it's
it's
redacted,
then
you
can
always
go
go
public
with
it
sure.
R
T
I'm,
a
customer
of
a
CA
and
that
CA
has
publicly
committed
to
log
all
the
certificates
that
it
generates
into
the
CT
logs.
How
do
I
tell
it?
Please
generate
this
certificate
for
me,
but
don't
put
it
into
the
logs
and
in
violation
of
your
public
commitment,
I
promise
that
I'm
also
going
to
register
a
commitment
to
this
name,
and
you
will
be
able
to
log
that
and
does
not
violate
your
commitment.
T
So
the
order
that
you
had
them
in
here,
I'm
not
sure,
but
if
I'm
a
customer
of
a
CA
yeah,
it
seems
to
me
there's
a
point
at
which
I
have
to
ask
the
CA
to
sign
a
certificate
and
not
put
that
certificate
into
a
Certificate
Transparency
log.
If
they've
issued
a
press
release
that
says
I'm
going
to
put
every
certificate
into
the
log.
L
R
U
Okay,
so
we
obviously
already
have
a
lot
of
discussion
topics,
I'm
going
to
go
through
this
as
quickly
as
possible,
so
we
can
get
to
the
good
stuff.
This
is
basically
just
supposed
to
provide
a
background
to
make
sure
that
we're
kind
of
all
on
the
same
page
as
far
as
where
redaction's
at
where
it's
come
from.
So
we
have
kind
of
two
general
reasons
for
redaction
that
have
been
discussed
in
the
past.
Going
back
to
my
2014:
one
is
for
privacy,
one
is
for
secrecy.
The
topics
we've
just
discussed
today.
U
It
been
focused
around
secrecy,
so
privacy
is
something
that
has
to
do
with
kind
of
removing
data
from
a
log.
So
it's
already
been
entered
into
the
log
all
of
a
sudden
Nick.
It
contains.
You
know
PII
and
you
get
a
court
order
to
remove
it.
Do
we
need
to
solve
that
technologically?
Do
we
need
to
have
a
something
that
can
actually
remove
an
entry
from
the
log
or
replace
an
entry
in
a
log
while
still
allowing
that
log
to
continue
to
be
used,
I
and
I?
U
U
The
only
concern
I
think
that
you
know
we
might
want
to
address
or
discuss
is
that
if
a
you
know
what
the
privacy
concern
was
raised
about
a
specific
entry
or
that
certificate
was
had
an
entry
and
all
of
the
logs
than
an
ecosystem
used,
then
that
could
be
potentially
catastrophic
to
the
specific
ecosystem.
But
again,
that's
really
a.
I
think,
a
problem
for
the
policy
over
the
inner
to
solve.
So
that's
that's
kind
of
privacy.
The
second
one
is
secrecy.
U
U
So
the
-bis
16
was,
in
the
current
version,
even
include
this
Rob
Stradling's
draft.
He
has
out
the
proposal
that
Peter
put
out
on
a
list
and
then
solids
as
well
all
kind
of
center
around
this
idea
of
just
preventing
some
data
figuring
out
a
way
to
have
some
data
not
included
in
the
cert
know
the
next
slide,
so
Peter
Bowen
put
on
the
list,
I
think
a
set
of
a
base
assumptions
we
kind
of
want
to
have
what
are
the
goals
of
redaction
again.
This
is
for
pre
certificate.
U
Redaction
I
think
it's
a
good
set
of
goals,
I
updated
it
based
on
the
discussion
and
the
email
list,
but
if
we
kind
of
all
agree
that
this
is
what
we
want
redaction
to
do-
and
this
is
these-
are
like
the
things
it
needs
to
be
able
to
do
to
be
successful.
Then
I
think
we
can
have
a
good
discussion
if
there
are
things
that
we,
you
know
disagree
with
here,
then
I
don't
know.
Hopefully
there's
consensus,
since
this
discussion
already
took
place
on
the
list
I'm
working
out
of
that
assumption
as
well.
U
So
we
can
go
to
the
next
slide,
so
redaction
was
added
in
April
2014.
It
was
to
two
forms
of
redaction
domain
name
redaction,
so
like
like
wasabi
presented,
we're
not
including
secret.example.com.
At
the
time.
It
was
basically
just
replace
any
secret
with
private,
with
the
word
private
it
yeah
so
and
then
the
other
one
was
name-constrained
intermediate
CA.
U
So
if
the
intermediate
CA
is,
is
constrained
to
specific
domains
then
anything
issued
by
that
CA
on
on
those
domains
doesn't
need
to
be
included
in
the
log
itself
and
we've
had
you
know,
various
updates
occurred
over
the
next
two
years
and
-bis
16
was
kind
of
the
next
stage
where
this
really
came
up
again
as
a
topic
last
year
and
there's
a
bunch
of
discussion
at
that
time.
It
still
contained
the
same
two
basic
versions
or
mechanisms
for
redaction
domain
labels
and
name-constrained
intermediate
CAs
this
added
the
idea
of
an
extension.
U
You
know
like
like
what
we
discussed
with
Sabo.
We
need
to
have
some
kind
of
mechanism
identifying
that
you
need
to
do
a
verification
of
the
SCT
versus
certificate,
so
added
a
redacted
labels
extension,
but
it
was
pretty
complex
for
a
TLS
client
to
actually
go
through
that
verification
process.
Required
decoding
and
re-encoding
a
fair
bit
and
it
wasn't
I.
It
wasn't
unique,
so
you
couldn't.
If
you
had
a
pre
certificate,
it
could
theoretically
match
to
multiple
fall
certificates.
U
This
this
version
as
far
as
I
understand,
is
what's
currently
implemented
by
Symantec
in
some
cases,
so
they're
they're
logging,
redacted
certs
right
now
that
use
the
mechanism
described
in
-bis
16.
So
you
know
the
next
slide.
So
this
is,
as
I
understand
the
current
three
proposals
or
mechanisms
that
are
that
we
want
to
discuss
today.
U
One
is
-bis
17
and
Stradling's
draft.
It
updates
the
the
redaction
mechanisms,
a
fair
bit.
It
uses
a
you
know.
It
still
includes
the
name-constrained
CA
and
the
domain
labels.
It
uses
a
redacted
subject
alt
name
extension.
So
all
these
kinda
have
some
common
common
threads
with
different
names
for
them.
It's
it's!
It's
quite
a
bit
better
for
TLS
client
to
implement
a
lot
a
lot
less
complex,
I,
don't
know
of
any
log
operators
that
are
actually
implementing
this.
U
The
next
one
is
solace.
I
won't
go
into
that
one,
but
savas
is
another
version.
There's
obviously
some
some
similarities
between
that
one
and
Stradling's
draft,
and
then
the
next
one
is
the
one
that
Peter
Bowen
and
Tara
Wheeler
posted
to
the
list
just
the
other
day.
This
adds
a
pre
certificate
transformation
extension.
U
D
Yeah,
we
will
short
on
time
actually
so
I'm
not
sure
about
additional
presentations
on
this
on
this
topic
on
I
think
that
if
there
are
some
immediate
questions,
this
would
be
a
good
time
to
do
it,
but
I
do
want
to
get
to
the
next
presentation
within
what
time?
What
time.
L
U
D
S
Is
dkg
I
just
wanted
to
clarify
the
terminology?
Your
frame,
this
discussion
in
or
you
have
privacy
versus
secrecy.
The
privacy
really
seems
to
be
more
about
toxic
data
and
might
be
something
that
is
relevant
after
something
has
already
been
entered
into
the
log
in
a
non-redacted
form
and
I.
Don't
think
any
of
these
address
the
toxic
data
questions
that
right
so.
U
Yeah,
the
question
is
whether
we
need
to
solve
that
technologically,
for
instance,
if
I'm
an
implementer
I
can
just
say:
okay,
you
run
a
log,
and
toxic
data
was
submitted.
We're
going
to
no
longer
trust
that
log
now
you
can
do
whatever
you
want
with
it
blow
it
away.
You
know,
get
rid
of
it.
So
do
we
need
to
have
a
technological
solution
to
removing
toxic
data.
G
D
K
That's
her
Wes
article
USC,
so
you
know
the
problem
I
see
with
this
is
you're,
taking
a
fairly
simple
solution
that
was
designed
to
make
sure
that
everything
is
always
published
and
then
you're
trying
to
figure
out
ways
how
to
not
publish
stuff
in
it
or
two
published
up
with
a
secret
and
and
you're
going
to
take
this
simple
system
and
make
it
you
know
like
incredibly
come
is
trying
to
deal
with
redaction
and
trying
to
deal
with.
You
know
privacy
and
you're
going
to
get
into
issues
of
well.
K
How
do
we
solve
offline
dictionary
attacks
to
these
types
of
things,
you're
going
to
get
into
issues
of
well?
Okay,
but
I
you're
right
I
did
not.
You
know,
produce
this
entry
in
my
log
or
I
produce
this
private
entry.
My
log
because
example.com
told
me
to
even
though
they
really
didn't
so
then
you
get
into.
He
said
he
should
kind
of
comments,
and
the
reality
is
that
you
know
the
notion
of
Certificate
Transparency
was
to
be
open
and
honest
and
we're
now
inserting
ways.
That's
going
to
break
those
conversations
in
the
future.
I.
U
D
L
L
The
key
point
is
how
to
extend
the
current
CT
protocol
to
do
this
work.
Okay.
So
so
we
want
to
use
this
extension
protocol
to
log
in
the
software
binary
codes.
Oh
it's
a
type
OS
digest
so
because
some
sometime,
the
software
provided
to
not
want
to
want
to
you
know-
and
there
are
some
license
restriction
or
they
want
to
make
sure
to
in
the
air
lock
in
they
are
the
lock
content
on
the
lock
tree.
So
that's
why?
Maybe
sometimes
we
use
this
digest
so
no
logging,
these
informations,
can
bring
some
benefits.
L
I
think
this
benefits
are
very
similar
to
the
teaching
benefits,
so
it
can
associate
k
enable
anyone
to
monitor
and
audit
deter
the
software
provider
activity.
So,
if,
if
they
do
the
mystic
miss
distribution,
if
it's
something
legal
software
provider
to
distributor
the
the
some
software
okay
and
we
can
also
find
a
back
door
of
the
distributed
software
and
also
we
can-
because
there
are
a
lot
of
logs
there
and
we
can
compare
the
lock
the
lock
forced
for
the
same
software
in
different
logs.
So
maybe
it
can
also
help
us
to
find
some
progress.
L
Okay,
it's
very
similar
to
the
CT
for
the
certificate,
the
monitoring,
okay
next
page,
and
so
how
to
do
these
things.
So
the
just
like
what
I
said
we
just
simply
extended
just
simply
extend
current
CT
logging
mechanism,
so
so
what
we
would
do
we
extend.
Firstly,
we
need
to
log
the
software
binary
codes
or
is
digested
into
this
more
Croce,
moco,
tricky
mussoorie,
more
country,
okay,
and
instead
of
the
TLS
server
certificate
and
also
when
we
log
it
and
the
the
Sangha.
L
The
same
time
step
is
about
the
binary
code,
okay
and
and
so
based
on
this.
Based
on
this
idea,
we
also
need
to
do
some
extension
to
the
current
Samsung.
Some
data
structure
of
the
Merkle
tree
of
the
log
system,
such
as
we
need
to
devise
a
new
type
trans
I
turn
a
new
market
released
and
a
new
SPT
definition,
and
also
we
need
to
extend
the
Sun
current
or
certificate
transparency
message
process
of
the
input
output
output
permits
a
budget.
L
The
other
things
are
a
totally
the
same
with
a
CT
protocol,
another
page,
okay,
an
actual
real
informing
pages,
I
listed
all
the
changes
or
other
extensions
to
current
the
CT
protocol,
and
so
today
is
about
the
new
binary
transparency
log
entry.
Actually,
the
the
main
point
is
that
here
we
have
the
scientist
software
attributes
in
this
entry,
it's
a
binary
code
or
its
is
going
to
digest
and
under
it
and
is
capable
either
in
the
CMS
format.
L
L
Can
that
means
that
my
my
craft,
where
r
follow
the
the
base
drafts
of
update,
such
as
maybe
the
the
new
type
of
being
estimating
with
proof
computing
mood
right,
yeah
and
buttered,
because
my
currently
drafting
is
based
on
the
on
the
older
version
of
just
yeah.
So
that's
a
song
new
enumeration
type
of
order
for
the
structure
of
the
of
the
law.
Okay
and
a
next
page-
and
also
this
is
about
the
new
Merkle
tree
leaves.
The
main
difference
is
that
here
we,
this
is
not
a
certificate
information.
L
L
And
this
thing
these
are
the
two
new
updated
our
messages.
Why
is
how
we
add
a
new
binary
code
entry
into
the
certificate
log?
So
there
are
some
new
inputs,
and
outputs
and
I
do
not
want
to
go
into
too
much
details
and
about
another
wise.
How
to
get
the
log
entries
from
the
from
the
tree
and
also
there
are
some
extension
to
them.
So
if
you
are
interested
please
to
agreed
the
document,
thank
you
and
I
think
that's
all
and
yeah
I
think
I
can
follow.
E
Your
emissary
Google,
so
one
question
is
about
preventing
log
spam
right,
so
insignificant
furnace.
It's
very
easy
to
only
accept
submissions
that
makes
sense
because
just
check
signature
chain
here
you
also
allow
a
condition
correctly
logging
of
just
the
hashes
of
of
the
software
rather
than
like
the
full
binary.
So
how
do
you?
How
do
you
make
sure
that
you
only
get
valuable
submission
and
not
just
like
random
hashes.
L
Think
I
see
I
think
this
year
problem.
We
can't
agree
with
just
a
very
straight
folder
to
extend
at
the
CT
protocol
and
we
have
the
software
hash.
We
have
the
issue
and
the
and
the
under
the
software
providers.
Public
key
use
this
information
to
find
the
software
provider
and
the
log,
but
maybe
you're,
not
yeah
yo.
Your
provides
on
your
problem
yeah
in
this
yeah.
L
J
I'm
really
glad
to
see
this
is
work
in
the
space
of
binary
transparency.
Oh
I'm
Richard
Barnes,
recently
of
Mozilla,
so
I,
that's
us
going
and
one
of
the
things
I
worked
on
when
I
was
one
of
the
last
things.
I
worked
on
was
all
a
few
weeks
ago
was
getting
a
basic
binary
transparency
scheme
set
up
there,
so
you
might
take
a
look
at
that
as
an
antecedent,
because,
okay,
that
scheme
is
just
hacked
on
top
of
certificate
transparency.
J
D
J
J
There's
running
code:
okay,
we
could
just
do
it,
so
I
think
it
is
worth
thinking
through
how
you
could
do
it
more
directly,
but
without
these
extra
layers,
but
yeah
so
just
want
to
point
out
this
from
yessum
some.
J
D
S
So
this
is
dkg,
so
I'm
happy
that
this
work
is
going
on.
There's
also
work
going
on
outside
of
the
IETF
on
binary
transparency.
There's
been
some
discussions
that
are
not
moving
very
fast,
but
between
different
free
software
distributions,
in
particular,
so
Debian
and
FreeBSD
and
PyPI
and
the
npm
repositories
have
talked
about
this
and
the
in
those
discussions
the
we
breach.
I
think
a
different
set
of
conclusions
than
the
direction
that
you're
heading
with
this
draft.
S
So
I
want
to
know
want
to
follow
up
with
you
more
on
that
this
off
list,
but
in
particular,
there's
a
question
about
the
logs.
The
logs
banish
you
and
ensuring
the
identity
and
version
of
the
software
is
a
critical
component
of
the
logs,
because
that's
what
unique
in
order
to
be
able
to
do
the
review-
and
it's
not
clear
to
me
that
we
have
that
clearly
enough
in
that
in
the
patterns
length.
Yes,.
M
Yeah
Martin
Thomson,
Mozilla,
but
I
don't
actually
have
an
answer.
The
question:
yes,
we
would
look
on
it.
Favorably
and
echo
will
happen
answer
the
question.
I
got
up
to
ask,
was
you've
got
the
equivalent
of
an
SCT
here?
Is
that
really
necessary?
There's
a
lot
of
machinery
associated
with
that
and
it's
possible
and
I
don't
know
how
to
deliver
one
of
those
with
the
binary
necessarily
in
a
way
that
would
be
consumed
by
someone
actually
executed.
M
B
Adam
Langley,
Google,
similar
to
dkg
I,
wanted
to
emphasize
the
point
of
binary
transparency
as
I
understand.
It
is
to
make
sure
that
you
aren't
given
some
magical
backdoored
single
special-purpose
binary,
but
if
all
the
log
contains
is
like
the
SHA
hash
of
some
lump
of
machine
code,
that's
not
really
useful.
It
needs
to
be
tied
into
things
like
verifiable
builds
and
like
source
trees,
or
it
needs
to
be
like
the
whole
binary,
and
you
need
to
have
not
too
many
versions.
Richard
is
shaking
his
head
at
me.
Maybe
I
misunderstandings.
P
So
so
I
think
it's
absolutely.
It's
absolutely
case
that
sorry
Eric
Rescorla,
so
first
of
all,
I
think
is
the
case
in
an
ideal
world.
This
is
time
to
verifiable.
Builds
on
verifiable
is
ensure
that
that,
generally
this
thing
you're
distributing
matches
the
source
code.
People
can
examine
on
the
purpose.
From
the
reason
we
did.
This
episode
on
preparing
his
parents
at
all
is
we
is,
if
we're
willing
to
commit
that
we're
going
to
ship
this
many
releases.
Then
we
tied
it
and
we
tie
the
binaries
of
the
police's.
P
Every
scroll
up,
first,
all
clock
with
my
Mozilla
hat
on
and
then
take
my
his
all
head.
Often
my
80
head
on,
but
I
only
have
one
hat
so
so
from
Mozilla
perspective,
on
the
reason
why
we
did
the
hack
that
were
describing
is
because
it
works
today,
and
so
we're
able
to
take
advantage
of
existing
log
infrastructure
and
therefore
we
were
able
to
have
that
value
today.
So
thank
you
to
Google
and
company
providing
that.
P
So
we
would
be
interested
in
if
there
were
a
someone,
someone
willing
to
run
or
something
set
of
people
willing
to
run
a
log
binary
transparency
log
that
we
could
then
what
they
use.
We
would
Peterson
using
that
I,
don't
think
we
wouldn't
be
interested
in
using
what
influence
a
new
protocol
that
was
not
tied
to
anybody
operating
a
loss
in
size
of
the
value
right.
So
so
that
respect
so
my
question
would
be
is,
is
in
fact
they're
going
to
be
enough.
P
People
willing
to
run
a
binary
spesial
want
to
make
that
work
did
something
I'll
actually
occur
on
now
with
the
head
off
on
on.
This
seems
to
be
a
long
ride
representing
it.
This
used
to
be
out
of
charter
scope
for
this
working
group
on
and
so
I
and
soon
as
we
my
working
group,
do
it
is
it
now
and
you
can
they
surely
k
the
rechargeable
first,
even
quits.
P
Right
and
I
guess
I
wonder:
Stan
the
scope
of
the
work
before
you
determine
where
their
new
working
groupers
mediator
or
where
there
was
in
scope
for
this
working
group
for
some
future
generations.
Working
great.
H
Rich
Salz,
yeah
I
think
this
kind
of
thing
is
useful.
I
look
at
attribute
certificates
which
don't
have
a
key,
but
they
have
a
place
to
put
other
attributes
like
they
like.
A
digest
of
the
thing
is,
and
then
the
person
who
signed
the
attribute
is
the
software
publisher,
yeah,
so
I'm
address
the
spare
miss.
You
would
also
get
identity
issue
yeah.
W
Phillip
Hallam-Baker,
Comodo,
one
of
the
things
that
comes
to
mind
is
that
if
you
want
somebody
to
run
log,
we
do
actually
have
some
code
signing
infrastructure
and
his
problematic
in
that
every
plant.
It's
not
just
every
CA
does
different
things.
Every
platform
that
we
support
for
code-signing
has
a
different
way
of
doing
things
and
signs
different
things
and
that
sometimes
you're
assigned
executable.
W
Sometimes
it's
the
package
that
installs,
sometimes
it's
installer
and
I-
think
that
probably,
if
we're
going
to
do
something
rather
than
just
do
the
CT
transparency
thing,
I'd
rather
see
a
working
group,
look
at
how
to
decode
sign
properly
across
the
board.
This
and
the
other
reason
I'd
like
to
do
it
slightly.
It
separately,
is
when
people
are
mentioning
attribute
certificates
which
I'm
afraid
they
gave
me
the
screaming
heebie-jeebies
I
I
would
like
to
get
away
from
ASN.1,
as
we
saw
in
that.
Q
Dinner
Frank
Akamai
just
two
seconds,
a
few
comments
that
have
been
made
here
that
one
I
think
this
is
really
valuable
work
too.
It
is
dubiously
in
scope
for
this
working
group
and
that
three
there
is
going.
There
is
probably
enough
work
to
be
done
on
support
infrastructure
connect,
this
practical
practical
to
to
merit
for
knopf
another
working
group.
Q
D
I'd
actually
argue
that
the
question
of
the
mechanics
of
code
signing
is
totally
orthogonal
to
this.
We're
talking
about
arbitrary
binary
blobs
here
and
we
aren't.
You
know
we
aren't
assuming
anything
about
the
internal
structure
of
these
blobs.
So
you
know
the
question
is:
if
we've
got
a
blob
of
data,
how
do
we?
How
do
we
log
it
so.
S
L
S
D
But
those
are
not
those
do
not
assume
anything
about
the
signing
mechanism-
a
date,
that's
right,
yeah,
so
anyway,
I.
You
know
the
main
things
that
we
wanted
to
ask
a
couple
of
questions
about
this
number.
One
is
their
interest
in
seeing
this
work
go
forward
in
the
IETF,
even
if
it
doesn't
happen
here,
if
yes
hum,
if
no
okay,
so
this
interest
in
this
work.
Second
question
is
about
the
applicability
of
this
draft
or
the
appropriateness
of
this
draft
for
adoption
by
somebody
so
hum.
D
If,
yes,
this
is
a
suitable
draft
for
using
as
a
basis
for
this
work,
okay
hum,
if
it's
not
a
suitable
basis
for
the
work,
okay,
yeah.
Okay,
thank
you
that
that
helps
clarify
some
stuff.
Okay!
Is
there
anything
else
afraid
we
don't
have
time
to
go
back
to
savas
additional
discussion,
but.