►
From YouTube: IETF99-TLS-20170717-1330
Description
TLS meeting session at IETF99
2017/07/17 1330
https://datatracker.ietf.org/meeting/99/proceedings/
A
A
A
Basically,
you
agree
to
disclose
IPR
if
you've
got
it
and
topics
that
are
relevant
that
are
gonna
come
up
today,
you're
gonna
follow
the
process,
any
contributions
that
you
say,
including
at
the
microphone
and
email
on
the
jabber
everywhere,
are
covered.
The
other
thing
is
that
the
session
is
going
to
be
recorded.
So
what
you
say
it
the
mic
is
gonna,
be
remembered
and
for
further
details
you
can
ask
us
for
the
specific
links,
but
this
is
basically.
A
A
All
right
thanks
Joe,
basically,
you
know
kind
of
get
the
topic
you're
not
to
do
word
for
word.
That's
just
not
doable
jabber
scribe
anybody
in
the
window
at
least
okay
thanks,
Matt
great
reminders.
Please
say
your
name
at
the
microphone
for
the
scribes
in
the
minutes
and
I'll.
Let's
keep
refreshing
with
the
mic
what's
next.
So
this
is
the
agenda,
so
we
got
a
little
fun
with
the
agenda
time.
A
Yeah
I
go
quicker,
so
you'll
note
there's
a
big
draft
thing
after
Wednesday,
because
we
haven't
actually
finalized
how
much
time
all
the
slots
are.
Gonna
get
but
basically
Monday.
We
also
added
at
exporters
with
indicators
to
the
beginning.
There
hopefully
mix
here,
because
it's
a
working
group
draft
I
mean
did
have
some
updates,
so
we're
gonna.
Do
the.
A
A
D
A
And
then
Wednesday
we're
gonna
have
we're
gonna
talk
about
the
main
dress,
the
TLS
1.3,
the
detail,
strap
and
then
we're
gonna
go
into
another
topic
about
the
data
center
use
of
static
diffie-hellman
and
essentially
some
rebuttals
and
Tim's.
Gonna.
Give
us
a
little
quick
talk
about
a
project
they're
working
on
and
if
we
want
to
batch
that
part
of
the
agenda,
let's
do
that
on
Wednesday,
because
I
think
there'll
be
plenty
of
time
in
there
to
discuss
about
that
stuff.
So
as
any
other
agenda
bash
for
today,.
A
Okay,
so
the
document
status-
okay,
we
got
the
ECC
Cypress
sweets
for
TLS,
we'll
put
you
in
earlier
is
in
the
RCA
ters
queue
we
got.
The
ECT
HP
SK
with
AES
stuff
is
through
the
IHG
awaiting
occurs
clear
on
discuss.
We
believe
that
the
last
version
actually
addresses
it,
but
he
needs
to
tick
the
button
for
us
and
you
look
now
and
the
52
89
to
propose
standard
I
think
is
done.
A
Since
the
last
meeting
we
adopted
three
drafts,
the
DTLS
1.2
1.3
draft
exported
authenticators,
which
nick
is
gonna
talk
about
its
2nd
and
the
TLS
certificate.
Compression
draft
there's
no
update
on
the
certificate
compression
draft,
but
we
believe
there
will
be
next
time
and
TLS
is
completing
its
second
working
group.
Last
call
and
ecers
going
to
talk
about
those
on
Wednesday
and
it's
gonna,
complete
I,
think
tomorrow.
So
if
you
have
anything
else
to
say
great,
please
don't
open
up
any
new
things
that
are
really
super
important.
A
It's
through
working
group
last
call
so
we're
to
try
to
address
the
last
call
comments
on
that,
so
that
we
can
move
it
out
into
the
wider
world
for
the
DNS
crazies
to
argue
about
later,
then
we
got
a
three
drafts
in
progress.
The
INR
registries,
update
example,
handshakes
which
I
think
literally
just
had
updated
on
Monday
thanks
Martin
and
I'm,
applying
grease
to
TLS,
extensibility
I
think
just
expired,
but
we
can
get.
We
can
keep
that
backup.
The
last
meeting
we
talked
about
that
I
delegated
credentials.
We
didn't
say
no,
never.
A
We
just
said
it
needed
some
more
work
so
stupid.
Oh,
we
can
figure
out.
I
can
stick
you
together
with
the
people
that
have
the
other
questions
and
we'll
see.
If
we
get
that
one
rollin
and
Peter
Gammons
TLS
1.2
update
for
a
long
term,
support
is
kind
of
patiently
waiting
and
that's
it
for
the
document
status.
Any
questions.
F
F
G
F
F
This
does
not
change
anything
on
the
wire
in
TLS.
This
is
an
out-of-band
exported
value
that
can
be
sent
through
the
tunnel
at
the
application
layer.
Next
slide,
please
so
this
was
initially
presented.
I
believe
that
an
IETF
97
it
was
adopted
as
a
working
group
in
IETF
98.
In
the
meantime,
we've
made
a
few
changes,
but
this
was
sort
of
inspired
by
building
a
working
implementation.
We
have
a
fork
of
going
script,
a
library
that
Watson
lad
worked
on
as
well
as
upcoming
nginx
boring-ass,
a
self
implementation
which
is
underway.
This
is
deployed.
F
F
There
been
several
updates
since
last
ITF
in
response
to
things
that
we
found
during
implementation,
as
well
as
comments
from
the
mailing
list,
one
of
which
is
that
the
signature
and
the
H
match
are
both
asymmetric.
So
you
can't
take
an
exported
Authenticator
from
the
client
and
set
and
pretend
it's
from
the
server
so
and
and
vice
versa.
The
certificate
verify
in
the
meantime
had
been
updated
in
TLS
1.3,
we
updated
our
draft
to
match
kind
of
exactly
with
what
TLS
1.3
is
doing.
F
We
also
limited
the
types
of
signatures
that
you
could
support
in
this
to
TLS
1.3.
Although
exported
authenticators
works
in
TLS,
1.2
and
3,
the
the
crypto
itself
is
only
TLS
1.3,
as
well
as
we
cleaned
up
the
text
in
response
to
several
questions,
when
people
were
confused
about
the
meaning,
this
is
now
also
on
github,
so
any
additional
issues
we've
got
there
and
that's
about
it.
So
that's
all
I
have
how.
E
I
F
I
F
I
E
A
H
F
Yeah
so
probably
be
worth
making
one
more
pass
at
this
I'll
sync
up
with
you
afterwards
to
see.
If
we
can
try
to
kick
to
do
a
little
bit
work
I
got
a
call,
people
might
think
I
think
I
think
we
didn't
wait
too
long.
I
think
you
know
like
if
we
certainly
don't
have
formal
analysis
by
you
know
Singapore
our
latest.
We
should
just
go
to
work
every
boss
call,
but
if
people
are
playing
all
the
time,
how
do
you
get
it
all.
A
I
That's
good
so
I'm
gonna
be
quick.
We've
had
a
bunch
of
discussion
about
max
fragment
length
which
was
fine
way
back
when
with
RC
6666.
That's
a
great
mouthful
next
slide,
so
more
complaining
about
max
fragment
length.
It
doesn't
actually
address
the
use
cases
that
we
have
today.
Only
the
client
can
choose
how
big
fragments
are.
I
They
go
down
to
4k
and
there's
no
way
of
except
it's
saying
as
client
that
you're
willing
to
limit
the
size
of
the
fragments
that
you
send
to
a
server
without
also
limiting
the
size
that
the
server
sends
to
you
in
all
cases.
So
as
soon
as
the
server
supports
this
extension,
you
end
up
stuck
with
small
records
and
that's
not
ideal.
Now.
The
other
thing
is
it's:
it's
completely
symmetric,
so
once
you
negotiate
max
fragment
length,
both
sides
are
expected
to
respect
the
same
value
so
long
list
of
problems.
I
I
It's
not
really
in
negotiation.
You
just
advertise
your
limits
and
the
other
side
advertises
their
limits
and
that's
happy
only
governs
the
encrypted
records
as
I
understand
it.
People
send
really
large
certificate
messages
occasionally
and
they'll
be
perfectly
welcome
to
do
that
in
a
single
record.
Once
it's
in
the
clear
there's,
not
a
lot
of
value
and
adding
extra
record
headers
to
everything,
so
I
didn't
change
that
I
haven't
yet
pushed
the
button
on
on
zero
one.
There
was
a
bunch
of
discussion
of
it
on
the
zero
zero
draft.
I
C
F
Would
have
or
King
in
the
working
group
which
I
guess
the
way
you
were
going
with
this
that's.
F
I
was
just
gonna,
send
your
PR,
but
then
you
said
something
that
surprised
me
so
now
I
think
we
need
to
discuss
it,
okay.
So
what
would
happen
if
there
was
some
version
of
TLS
which
approved
the
certificates.
I
Like
the
primary,
the
primary
limitation
here
is,
if
you're
running
an
AE
ad,
and
you
want
to
you-
want
to
allocate
a
certain
amount
of
space
to
hold
the
entire
psycho
text
and
then
transform
it
into
a
plain
text.
You
have
to
have
the
whole
thing
if
you
want
to
do
this
right
sure
and
as
a
receiver,
and
if
you
don't
want
to
allocate
too
much
memory
for
this
sort
of
thing,
sure.
F
I
F
So
right
so
specifically,
specifically
the
client,
hello,
of
course
client
is
no
indication
of
what
the
server
will
accept
right.
If
the
server
hello,
the
client,
doesn't
know
what
the
server
will
accept.
The
client,
the
client
was
that
and
so
I
mean
I
guess
I
think
mean
it
doesn't
matter,
but
on
we
could
assess
later,
but
there
isn't
the
reason
I
got
up
about
this
was
because
it
was
like.
I
A
Can
we
ask
how
many
people
actually
read
this
draft
so
about
10
as
well?
So
there
was
there's
been
pretty
I
mean
this
was
discussed
on
the
list.
I
was
not
super
extensively
in
context
of
the
TLT.
Tell
us
one
book
three.
A
A
Gonna,
take
a
long,
that's
great,
and
now
we
have
a
good
hour
and
15
minutes
to
talk
about
encrypted
s
anonyme,
so
Christian
Europe.
You
only
have
like
six
slides.
So
it's
not
that
many,
but
still
this
topic
is
consumed
vast
quantities
of
time,
because
it's
an
important
topic.
L
G
G
G
What
has
changed
was
the
reason
and
they
have
been
a
but
service
of
reason
beforehand
to
not
try
to
after
complexity
of
sni
encryption
in
tiaras,
and
the
main
reason
is
that
hey,
the
other
side
of
the
boat
is
leaking.
Why
should
we
plug
all
these
I
turns
out
that
the
other
side
of
the
world
yee-haa
dragon
Daleks
I
mean
we.
We
are
first
a
deployment
of
HTTPS
in
a
big
proportion
of
the
communication
I
encrypted,
as
goodness
leaks,
are
fewer
and
fewer.
We
have
the
next
week.
G
He
said
the
classic
thing
which
is
did
the
symmetric
of
the
SNI?
Is
the
DNS
request,
typical
transactions
of
a
will
resolve
an
M
and
then
use
that
as
the
s
ni
for
the
next
year
estimation,
and
so
it
makes
little
sense
to
go
to
great
lengths
to
encrypt
yes
and
I.
If
the
DNS
request
is
in
clear-text
hour,
does
change?
Is
that
we
start
adding
deployment
of
DNS
or
Tierra's
Sanada
is
underdog
deployments
week.
We
are
to
the
point
where
we
can
find
encrypted
the
s
transaction
and
then
yes,
ni
is
the
only
leak.
G
So
you
want
at
that
point
to
fix
that
and
that's
it.
The
pressure
increases
we
get
a
solution
and,
and
then
at
the
visit
right
now,
I
said
I
is
become
their
the
prefer
to
remain.
If
you
want
to
do
censorship,
as
in
do
not
go
to
Swiss
bank
account
dot-com,
you
have
two
ways
to
do
that.
You
have
one
way
which
is
to
block
it
in
the
DNS,
but
that's
easily
circumvented,
and
yet
the
other
way,
which
is
to
do
packet
inspection,
find
the
s
ni,
encrypt,
X
and
block
it
so
hey.
J
G
The
high
level
summary
is
I,
don't
know:
I'm
just
described,
yeah,
okay,
everything
that
is
India
s,
ni
ocean
draft,
his
text
that
was
on
the
night
in
list
which
I,
basically
organized
and
I,
walked
with
awake
on
that
and
to
make
sure
that
was
not
saying
something
completely
crazy
and
and
to
organize.
So
basically
the
first
thing
I
got
from
the
meaning
list.
G
Was
the
list
of
North
attacks
against
the
s
ni
encryption
that
the
biggest
mayor
I'm
not
going
to
wreak
applicate
all
the
attacks
on
the
marina
that
appeared
a
dissident
draft
and
if
you
read
the
draft
and
you
find
a
taxi
type,
did
not
correct
phylum
I'll
be
happy
to
scrub
them
down
there.
The
big
one
are
typically
the
kind
of
replay
attacks
when
it
is
a
class
of
attacks
in
which
you
hide
the
s
ni.
G
But
then
someone
replies
your
connection
or
user
in
a
side
channel
on
the
other
side
and
say:
okay,
we
play
encryption
connection,
use
a
side
channel
by
not
what
you
did
and
if
we
don't
fix
that
somehow,
then
again,
it's
not
worth
it
so
I
went
to
that
and
and
basically,
if
we
go
to
that
data,
there's
still
a
couple
of
solution
that
are
plausible
and
I
listed.
These
possible
solutions
in
the
draft
so
next
slide
is.
G
The
first
solution,
which
is
not
a
terrace
level
solution
which
which
is
actually
deployed
to
some
degree
today,
is
basic
HTTP,
fronting
solution.
Okay,
you,
basically,
you
have
a
website
called
say
something
that
example.com
that
accepts
to
mask
the
HDD
connection,
to
hidden
that
example.com
and
in
the
simplest
implementation
returns
to
a
clearance
connection
to
this
slot
inside
and
then
Avila
TS
connection.
You
do
an
HTTP
request
to
the
hidden
site,
and
people
have
to
do
that
today.
There
is
some
deployment.
G
The
big
advantage
of
that
solution.
Is
that
what
you
can
do
it
mean
if,
if
you
are
at
the
only
see
it
takes,
is
some
level
of
cooperation
so
that
the
funding
side
can
serve
the
content
of
the
hidden
side,
but
you
can
do
it
and
and
that's
what
is
done,
the
big
issue
is
a
first
issue.
Is
that
well
first,
you
have
a
generic
trust
issue
in
all
this
mounting
solution
that
if
you
go
people
via
an
intermediary,
the
intermediary
we'll
know
we'll
know
who
goes
there.
G
G
What
happens
is
at
the
front
inside
as
we
serve
the
content
of
the
hidden
side
and
that's
a
really
big
trust
issue,
because
I
think
that
if
the
front
inside
is
somehow
averted,
not
only
do
you
find
out
who's
accessing,
but
you
can
also
serve
them
content
of
your
choice
and
that's
kind
of
risky
there's.
Another
issue,
which
is
the
discovery
issue
which
is
coming
again
to
every
of
those
solutions,
wishes.
G
G
We
add
discussions,
I
mean
at
several
of
us
our
discussion
about
what
would
be
the
plausible
solution
there
and
the
possible
solution
there
to
make
that
HTV
solution
better
is
to
have
some
kind
of
a
proof.
I
mean
basically
adding
a
certificate
that
says
that
a
high,
the
hidden
side
assures
you
that
you
can
use
something
on
my
behalf.
If
he'll
be
fine
and.
G
Of
course,
you
have
to
make
sure
that
you
do
that
in
the
right,
where
you
have
to
make
sure
that
the
the
certificate
is
done
correctly,
that
it
cannot
be
moved
because
clearly,
there
is
an
obvious
attack
in
which
the
bad
guys
would
say,
hey,
you
know,
try
to
access.
Your
bank
account
go
to
my
own
site,
you'll,
be
fine
and
well
not
be
ok,
so
you
you
need
to
be
very
clear
that
when
you
sign
a
certificate,
you
have
a
way
to
audit
the
certificate
or
what
to
make
sure
you.
G
You
really
want
to
have
something
that
certificate
transparency.
You
may
want
to
use
multiple
certificates
on
several
quality.
You
may
want
to
use
a
TLS
every
code
of
some
kind
as
an
addition
in
a
circle.
That's
a
that's
an
issue.
Okay,
you
want
to
have
a
good
exploration
that,
because
I
mean
these
things
have
a
tendency
to
become
obsolete
over
time
and
again
you
you
want
to
make
sure
that
it's
gear
and-
and
you
clearly
don't
see
how
your
thing
to
manager,
Earl,
Weaver
kitchen,
leads
or
something
like
that.
G
So
so,
basically,
it's
shot
expression
that
you
want
to
make
sure
that
people
don't
do
random
stuff,
like
that
saying,
hey
in
order
to
access
example.com,
go
to
Dan's
website
and
then
as
a
small
server,
and
suddenly
you
receive
millions
of
connection
against
toast,
so
it
that
that's.
That
means
that
probably
no
certificate
that
the
proof
shall
be
bilateral
says
not
only
does
hidden
said
that
yeah,
it's
okay
to
go
to
fronting
that.
G
Are
you
doing
an
HTTP
connect
which
is
weird
but
tunnel
inside
HTTP?
Are
you
doing
one
of
the
tiers
one?
One
three
solution
will
be
looking
at
letter.
You
could
put
that
in
the
in
the
certificate
as
well,
and
that
could
be
factored
the
one
point
shopping
for
saying
how
I
can
organize
is
a
s
ni
encryption
as
she
be
fronting
stuff.
G
G
The
issue
with
the
earth
HD
solution
is
that
if
you
want
to
not
compete,
it
was
the
content.
You
have
to
fall
back
to
age
to
be
connect
the
city
using
the
H
besides
the
oxy,
and
that
means
double
encryption.
That
means
some
very
we
have
data
passenger
in
the
data
center
is
at
me
say
something
want
to
do
at
a
large
scale.
G
The
other
solution
that
we
have
a
Maps
sort
of
have
looked
at
two
solutions
were
mention
in
the
TS
working
group.
One
is
the
so
called
quasi
eternal
solution.
So
it's
an
extension.
It's
a
way
to
use
TLS
1.3
that
was
first
described
in
the
Tokyo
meeting
available
and
which
basically
assume
that
you're
going
to
send
to
client
hellos.
So
the
first
plant,
hello,
is
going
to
the
funding
side
and
the
second
client
hello
is
going
as
data
data
to
the
14
side,
but
it's
really
meant
for
the
hidden
side.
G
So
he
do
his
one-two
punch
and
then
the
can't
hello
is
delivered
to
the
hidden
side,
and
thus
our
hero
comes
back
on
the
hidden
side
that
works
in
the
TRS
1.3,
because
in
case
one
country,
the
certificate
itself
are
encrypted,
so
the
the
actual,
sound
hello
doesn't
say
from
where
it
comes
from,
and
it
has.
The
big
advantage,
though,
is
that
you
achieved
very
good
characteristics
plus
its
end
to
end.
G
It
is
basically
your
encryption
key.
Is
we
negotiate
with
the
hidden
side,
not
with
the
front
inside,
so
you
remove
for
that
reality
in
which
the
front
inside
could
deliver
the
wrong
content,
and
also
it
has
only
one
encryption
and,
after
all,
the
first
phase
of
just
one
encryption.
So
it's
it's
a
pretty
good
solution
for
that
the
it
does
not
require
the
star
extension
does
say:
I
mean
the
bits
of
the
way
off,
don't
change.
G
G
G
G
G
G
So,
for
the
first
session
you
have
to
use
something
else:
use
the
HTTP
fronting
solution,
maybe
with
an
HTTP
connect
inside
or
use
the
quasi
eternal
solution
to
get
your
first
connection
there
and
establish
it,
and
all
that
is
of
course,
is
hard
in
the
draft
next
slide,
please
so
an
example:
the
combined
ticket,
as
we
can.
How
do
that?
If
you
look
at
the
syntax
of
the
ticket
in
TS
one
country,
there
is
actually
an
extension
field.
G
G
It
will
be
tempting
to
try
to
add
align
that
implementation.
Who
is
the
definition
of
delegation
token
for
the
HTTP
solution
was
again.
The
delegations
token
explains
why
this
is
a
good
idea.
There
obvious
attack
with
that
is
that
if
I
am
a
malicious
site,
I
can
send
you
a
resumption
token
and
it
becomes
a
dos
against
some
server
attack,
but
they
also
so
maybe
I
need
to
put
more
than
just
in
them
and
need
to
put
an
authorization
at
something.
G
G
At
that
stage,
I'm
not
saying
that
hey,
we
should
do
a
or
b
I'm,
just
trying
to
say
hey.
Should
we
walk
in
the
direction?
Is
that
something
the
ATF
should
do?
Is
that
something
the
working
with
and
I
think
that
between
the
delegation
talkin
between
the
combined
ticket
having
them
sanitized
properly
I
think
a
communicated
cure
I?
Think?
Yes,
that's
something
we
should
do
and
and
I
think
that
if
we
do
it,
we
might
have
a
very
good
solution,
but.
A
Up
to
the
floor
and
I'm
sure
the
mic
will
line
will
get
very
long,
but
I
want
to
thank
you
for
putting
together
the
summary,
because
those
are
all
the
three
things
that
I
remember
the
way
that
we
talked
about.
It
was
very
concise
way
and
we'll
take
a
cue
we'll
do
some
Q
moderation.
So
we
got
the
microphone
at
the
front
so
far
away.
E
I'm
implementing
a
new
is
number
form
of
encrypted
SNI
and
I
think
that
all
the
missiles
being
discussing
the
draft
seem
fine.
On
the
other
hand,
I
am
a
bit
sad
that
the
fact
that
the
number
of
round
trips
required
for
establishing
connection
increases
in
some
cases
you
desire
any
I
and
for
the
map.
M
Bret
Jordan
I
have
a
question
or
more
or
less
a
concern
about
sni
encryption.
This
may
or
may
not
be
popular
amongst
the
group,
but
I
attended
a
talk
at
RSA
by
Google
on
their
beyond
Corp
strategy,
basically
controlling
their
network
without
firewalls
and
their
extensive
use
of
middle
box
technology
to
protect
their
own
network.
It
seems
like
a
really
cool
idea.
Google's
done
it,
it
seems
like
a
really
great
way
for
enterprise
going
forward
my
concern
with
encrypted
sni.
A
Do
you
ever
do
you
want
to
respond
cuz?
My
thinking
is
that
we're
not
the
protocol
police
and
we
can't
enforce
people
to
implement
everywhere,
and
these
are
optional
standards.
So
I
see
your
point,
but.
G
N
Kathleen
worried
already
ad
I
do
want
to
make
sure
that
this
conversation
has
had
enough
on
the
ops
area
working
group,
although
list
or
OPSEC,
because
although
we
might
not
be
the
protocol
police,
this
does
have
a
large
impact
and
we've
already
seen
the
fallout
of
not
having
the
conversation
initially
right.
So
I,
one
of
my
questions,
I,
was
going
to
get
up
the
end
and
ask
you
know
it's
good
that
you
have
the
the
attacks
enumerated.
But
do
you
have
the
uses
of
this
enumerated
just
so?
N
O
O
There
is
another
way
that
you
can
view
it
too,
however,
and
that
is
to
view
TLS
as
being
two
separate
protocols,
one
a
key
agreement
protocol
that
results
in
a
ticket
and
the
second
a
session
protocol
that
involves
using
that
ticket
to
talk
to
a
host
and
in
traditional
TLS.
Those
two
are
with
the
same
host
in
future.
Tls
is
in
things
like
deprive,
etc,
maybe
they're
different.
O
O
G
The
first
point
you
have
is
about
these
separating
the
key
agreement
and
the
actual
connection
and
I
think
that
in
fact,
the
combined
token
solution
is
very
close
to
the
design
you
mentioned
them.
Yeah
the
EM
and
by
all
means
I
mean
if
you
want
to
contribute
the
the
also
one
is
about
his
delegation.
Tucker,
yeah
and
I
must
apologize.
I
am
kind
of
an
amateur
there
and
I
use
the
wrong,
who
also
should
not
have
been
certificate
because
we
are
gonna
read
that
into
the
in
PKI,
which
is
not
what
I
meant
it's
effective.
G
G
G
C
Daniel
can
go
more
from
the
ACLU
Christian
thanks
for
doing
this
work
for
documenting
it
and
for
bringing
me
here.
I
hope
that
we
can,
as
a
working
group,
adopted
I
think
this
is
important.
Work.
I
am
not
particularly
convinced
by
arguments
that
that
this
is
going
to
cause
the
the
Internet
as
we
know
it
so
I'm
happy
to
see
it
going
forward.
C
One
caveat
that
I
wanted
to
note
with
the
solutions
we're
that
are
basically
fronting
solutions.
You
had
mentioned
the
risk
that
the
fronting
site
can
basically
attack
the
confidentiality
and
integrity
of
the
messages
coming
from
the
hidden
site.
The
risk
there's
also
actually
a
risk
that
goes
in
both
directions
and
that,
if
there's
any
legal
liability
about
the
hidden
site,
if
the
fronting
site
is
passing
the
traffic
and
they
clear,
the
hidden
side
can
actually
cause
the
fronting
site
to
have
additional
legal
liability.
F
Ben
Schwartz
Google
so
again
to
repeat
dkg.
Thank
you
very
much
for
for
doing
this,
write
up
and
thinking
carefully
about
these
issues.
I
really
appreciate.
It
definitely
support
mr.
out
on
the
topic
of
beyond
Corp
and
corporate
network
architectures
I'm,
confident
that
there's
no
impact
here,
because
because
anybody
who
controls
a
domain
name
that
they
don't
want
to
be
subject
to
this,
that
they
don't
want
to
participate
in
encrypted,
that's
and
I
simply
would
would
not
authorize
or
promote
the
use
of
encrypted
s
in
either
and
wouldn't
support
it
on
those
servers.
F
F
And/Or,
a
positive
operational
improvement
to
the
system.
I
think
I'm
I'm
really
much
less
interested
in
in
solutions
that
are
cryptographically
correct,
but
they
don't
provide
an
obvious
benefit
to
the
server
operator,
especially
the
the
frontal
side.
Otherwise,
I
think
we
creating
something
that
that
really
gets
very
low
usage,
as
opposed
to,
for
example,
that
the
current
fronting
systems,
which
are
very
widely
used,
not
because
they
offered
some
sort
of
s
and
I
hiding
capability,
but
because
they
offer
operational
advantages
to
CDN
operators.
P
A
D
Hi,
its
ability
endure
I
just
have
three
comments
to
make
so
I
think
one
comment
I
had
was
that
this
kind
of
feels,
like
it's
merging,
to
do
different
things
together,
like
protecting
the
IP
privacy
with
the
fronting
server
solution.
It's
like,
then,
the
IP
privacy
and
also
encrypting
s
Anaya
is
hiding
the
SMI
information,
so
some
I'd
like
a
solution
which
kind
of
like
separates
those
two
in
some
way
like
clearly,
we
would
not
be
using
a
fronting
solution
if
we
weren't
going
with
fronting
server
solution
for
going
the
best
night.
D
Another
comment
is
that
I'm
concerned
about
the
ability
to
supply
fronting
server
hostname
with
the
combined
ticket,
similar
to
some
concerns
that
we've
had
with
the
origin
server
frame
and
in
HTTP
working
group.
So
I
would
take
a
look
at
that
and
see
what
the
arguments
against
that
were
and
like
the
third
one
is
that
I
would
I'm
surprised.
D
You
initially
mentioned
some
application
based
solutions
and
like
in
the
HTTP
layer,
and
then
you
don't
mention
it
in
the
potential
working
group
solutions
that
is,
for
example,
one
potential
solution
could
be
using
alt
SBC
with
exported
authenticators.
So
that
you
can
do
it
completely
in
the
application,
and
so
you
could
say
that
hey
my
the
first
time.
Yes,
you
don't
get
privacy,
but
then
the
second
that
you
point
to
like
whatever
fronting
server
that
you
want
and
then
you
can
authenticate
it
authenticate
that
you
own
the
front.
G
F
Eric
rajala,
as
sort
of
a
co
scribe,
is
something
we
should
be
working
on.
I
also
AM
concerned
that
we
have
too
many
mechanisms
and
we
probably
shouldn't
I'm
trying
to
bash
them
into
one
well.
I
wanted
to
show
up
on
us
at
the
point
Brett
was
making
is
I.
Think
people
may
be
not
quite
understanding
it
and
maybe
in
making
crap
if
I'm.
If
I'm
misunderstanding
it
dad.
There
are
some
spectrum
endpoints
which
and
we're
in
a
business
on
Wednesday
to
I,
think
which
examine
the
s
and
I.
F
And
if
it's
a
you
know,
if
it's
I
don't
know
if
a
specific
it
it
does,
and
so
the
the
the
the
concern
here
right
is
that
anybody
who
is
willing,
if
you
are
what,
if
you're
in
the
non
in
dispatch
bucket
and
you
agree
and
it
becomes
known
or
suspected
that
you
that
you
were
fronting
for
anybody
else,
then
you
have
to
end.
You
have
to
end
up
in
the
inspector
pocket
and
to
limit
everybody
and
something
inspector
I.
Think
I.
Think
I've
understood
that
correctly.
F
F
The
the
point
I
think
that
serve
owed
made
is
that
there
are
a
bunch
of
natural
extensions
to
this
sort
of
domain,
fronting
that
are
we're
basically
a
bunch
of
content
into
servers
that
are
all
basically
up,
but
all
of
it
show
the
same
credentials
effectively
and
all
you're
trying
to
do
is
hide
us
and
I
between
like
food,
github
and
barbecue.
How
calm
and
those
are
things
which,
which
we
a
bunch
of
HTTP
mechanisms
to
enhance,
and
so
we
can
public
a
them
better.
F
The
fronting
server
not
have
access,
as
you
were
saying
to
the
plain
text
so
I
think
that's
that's
the
company
to
be
making
is,
but
in
solutions
which
which,
which
are
just
about
streamlining
ordinary
domain
fronting
and
once
it's
are
about
hiding
the
plain
text
from
the
fronting
server,
so
I
think
yeah,
I
guess
the
last
thing
was
gonna
say
is
yes,
it
would
be
really
great
if
we
could
figure
out
some
way
to
streamline
the
discovery
of
who
the
fronting
servers
were
I.
F
Think
that,
yes,
as
Ben's
it
I'm
Ben's
making
the
face.
That's
also
a
separate,
a
separate,
an
idea
we
should
be
trying
to
fix,
but
I
think
we
probably
would
be
maybe
to
to.
F
One
and
then
the
other-
and
it's
worth
noting
that,
probably
if
you,
if
you
did
think
you
had
an
out-of-band
mechanism
for
distributing
like
a
public
key
for
the
fronting
server,
that
would
make
Martin's
sort
of
tunnel
and
tell
one's
fake
tell
them
that
can
doesn't
look
more
attractive
than
the
than
the
cookie
mechanism.
Though
we'd
probably
find
somebody
with
the
ticket
thing
work,
actually
I
guess
I,
probably
work
tubes,
you
could
simply
wrap,
usually
wrap
the
identity
in
the
ticket,
so
photos
in.
O
G
G
N
Kathleen
Moriarty
I
fully
understood
all
of
the
examples
and
the
implications
and
that
you
wouldn't
have
to
encrypt
us
and
I.
There
was
just
lots
of
discussion
at
the
iesg
retreat
that
when
things
like
this
come
up
at
the
ops
area
is
notified,
it
has
a
chance
to
speak
up
right,
so
I'm
honoring
that
and
making
sure
we
have
that
discussion
first
and
it's
documented
they
have
a
heads
up
instead
of
being
shocked.
Later,
it's
just
easier
yeah.
That's
so
thank
you.
F
G
L
Brian
Ford
EPFL
just
want
to
echo
well
both
that
first
express
my
support
for
this
in
general.
This
is
something
very
important
to
work
on,
but
also
echo
a
couple
other
comments,
one
looking
at
it
at
it
as
a
more
potentially
more
general
thing,
I
think
rich
said
it
brought
up
the
point
we
should
think
of
you
know
kind
of.
Does
this
nest?
Can
you
you
know,
negotiate
a
tunnel
with
in
a
tunnel
efficiently.
You
know
they're
good
it
does
it
work.
L
You
know
if
and
when
we
need
it
for
two
steps
and
not
just
one.
We
should
at
least
think
about
that
carefully.
I
think
you
know
kind
of
backing
up
at
you
know.
In
the
general
sense,
the
discovery
problem
is
very
close
to
a
routing
problem
at
a
higher
level
and
over
overlay,
Network
kind
of
thing.
You
know
discovering
these
these
relationships
now
I'm
not
I'm,
not
proposing
to
jump
into
any
kind
of
routing.
You
know
problem
activity
and
and
of
course,
the
discovery
problem
should
be
kept
separate.
H
Okay,
okay,
I'd
like
to
get
an
idea
of
how
many
people
have
read
the
draft.
That's
okay,
a
lot
very
good,
very
good.
What
and
I
think
right
now.
What
I'd
like
to
do
is
get
an
idea
from
the
room
of
you
know
who
thinks
this
is
something
this
area
something
the
working
group
should
be
looking
at
and
working
in
so
I
would
take,
and
that's
kind
of
you
know
not
picking
a
particular
solution
yeah,
but
just
this
kind
of
area
and
and
we'd
have
to
do.
H
I
A
A
A
L
L
Traffic
analysis
vulnerabilities-
you,
you
know
you
alluded
to
as
to
some
of
these
issue.
You
know
some
of
the
attacks
like
for
especially
the
replay
attack.
That
makes
it
really
easy.
You
know
to
break
the
hiding
in
some
cases,
but
also
also
you
know.
There
are
a
lot
of
ways
to
to
look
at
TLS
traffic.
L
You
know
TLS
is
a
very
leaky
protocol
in
other
in
other
ways
for
traffic
analysis
purposes,
and
you
know,
kind
of
the
rest
of
that
problem
might
be
a
big
enough
fall
of
wax
that
we
should
deal
with
it
separately,
but
I
just
wanted
to
bring
that
up.
You
know
as
an
important
closely
related
problem
is.
A
B
You
have
never
for
a
moment
taking
where
the
vendor
hatches
the
vendor.
They
take
no
long
walk
for
then,
if
I
will
started
with
filtering
based
on
this
tonight,
because
wasn't
the
clear
and
but
then-
and
he
figured
that
sometimes
you-
the
client
sent
the
wrong
guess
amide,
because
there
was
just
one
certificate
to
the
other,
and
so
it
didn't
matter
so
they
started
filtering
by
the
names
in
the
certificate
that
was
returned
from
the
server
know.
At
some
point,
we
figured
out
that
we're
not
going
to
get
that
certificate
in
tears.
B
Q
Akamai
I
would
like
a
pony,
but
I
do
not
think
we
should
be
adopting
this
graft
yet
I
think
we
should
have
a
more
clearly
defined
recipe
before
we
have
about
two
hundred
cooks
on
the
task
and
that
this
would
be
better
addressed
by
a
much
smaller
design
group
coming
coming
to
us
for
the
better
define
proposal
before
adoption.
So
I
guess.
My
argument
is
I.
Think
that.
A
This
draft
actually
just
lays
out
the
options.
It
didn't
actually
pick
one.
So
even
if
we
were
to
adopt
it,
we
haven't
asked
that
question,
but
if
we
were
to
adopt
it,
as
is
it's
not
saying
pick
this
one,
so
you
could
argue
that
this
is
the
design
document
that
you
could
work
on
and
at
the
end
say
here
are
the
five
options
we
considered.
We
pick
say
we
pick
number
three
so
there's
ways
we
could
do
that.
F
I
think,
but
I
think
I
think
that
what
I
was
somebody
good
out
of
this
conversation
was
that
we
want
to
work
on
this,
and
then
I
think
you
know
we're
somewhere
at
the
moment
between
a
coalition
of
willing
and
a
design
team,
and
you
know
I
guess
I
mean
hope
that
by
singapore
people
be
ready
enough
us
men
to
get
together
and
say
we
think
we
should
do
x
that
either
were
you
know
that
work
they
were
ready
to
have
a
discussion
which
things
we
should
do
or
lease
already
did
give
me
a
design
team
to
try
to
pick
one
to
flesh
out
the
flesh
of
the
options
but
I
think
I
agree:
we're
not
ready
to
pick
a
solution
and
I
think
in
terms
of
documents
that
people
think
is
important
to
have
a
document
them
get
it
out.
F
F
A
Agreed
that
we
wanted
to
work
on
this
and
then,
however,
that
ends
up
happening
is
how
it
happens
and
I
actually
don't
plan
Kathleen,
and
we
needed
a
charter
extension
for
this.
We
don't
need
to
recharge
for
this,
because
it's
so
great
that
is
it
for
today.
Folks,
you
get
an
hour
back.
Thank
you
very
much.