►
Description
Internet Threat Model (Model-t) Program Meeting, 2021-12-07
A
So
welcome
all
this
is
the
model
t
iab
program
meeting
one
after
a
long
period
of
no
meetings
or
no
organization.
A
And
policies
for
the
hassle
in
sort
of
setting
up
the
timing
for
this
conflicting
other
meetings
for
some
people,
so
we
changed
it
at
the
last
minute,
but
a
good
number
of
you
are
here.
So
that's
great.
A
I
thought
the
agenda
would
be
four
items.
We
should
talk
about
the
status
of
the
program
and
discuss
that
and
discuss
the
way
forward.
A
Okay
moving
forward,
then,
so
why
don't
I
just
do
a
like
a
quick
rundown
of
you
know
a
couple
of
things
what's
been
going
on
with
the
program
or
not
be
going
on
with
the
program,
and
then
we
can
actually
discuss
so
try
to
bring
the
facts
to
the
table,
so
the
program
was
established
after
some
discussions
in
bitter
workshop
and
sag
in
2019
had
some
quite
active
discussions
in
2019
and
2020.,
there's
three
number
documents
and
quite
lengthy,
some
of
them,
including
many
that
have
been
updated
or
initiated
this
year.
A
Multiple
authors,
however,
less
discussions
in
late
2020
to
date
so
for
about
a
period
of
year
one
year,
largely,
I
think,
or
one
major
contributor,
that
has
been
a
a
literacy
problem
and
when
I
say
leadership
problem,
I'm
pointing
to
myself
not
being
able
to
organize
meetings
due
to
other
things
going
on,
and
people
have
criticized
that
and
that's
that's
spot
on
it
may
not
be
the
only
super.
That's
you
know
one
one
major
issue.
A
A
One
is
that
we
have
these
kind
of,
like
general
observations
about
trends
and
types
of
attacks
and
issues
that
we
see
by
you
know.
I
guess
almost
all
the
authors
involved
in
in
in
this
effort
have
a
published
something
on
this
mark.
Sorry,
for
for
the
typo
on
your
your
draft
names,
there.
A
One
issue
with
this
material
is
that
it
is
it's
very
interesting
and
very
relevant,
but
it's
sometimes
hard
to
know
when
we're
done
and
how
should
it
be
published.
So
so
the
question
about
being
done
is
it's
a
hard
one?
When
you
talk
about
you
know,
these
are
current
attacks
or
examples
of
specific
problems.
A
A
Also
I
mean
I
I
I
should
state
that
I'm
saying
all
of
this,
as
sort
of
my
my
personal
opinion
feel
free
to
disagree,
but
but
I
I
think
it's
also
a
little
bit
of
a
question
mark
how
what
would
be
the
best
way
to
publish
these
these
kinds
of
things?
I
don't
know,
for
instance,
if
there's
a
similar
academic
surveys
performed
or
written,
that
that
will
be
worse
or
equal
or
better
than
these
yeah.
So
I
had
some
question
marks
there.
A
Then
the
second
category
of
documents
is
what
I
would
call
principles.
These
are
kind
of
like
a
short
statements
about
some
some
arrangement
or
some
some
way.
Things
should
be
or
are
there's
some
history
of
the
iab
publishing
some
some
rfcs
on
this
type
of
format.
A
For
instance,
the
the
rfc
rc
8558
is
a
good
example.
You
know
like
it
doesn't
go
into
the
protocol
details
it.
It
states
an
issue
and
states
a
principle
that
that
one
should
follow
in
order
to
avoid
some
some
problems
and
they
usually
shorten.
They
don't
have
any
sort
of
official
ietf
status,
but
they
they
attack
a
particular
architecture
issue,
try
to
provide
guidance.
A
A
It's
not
the
only
one.
I
have
a
couple.
Maybe
the
most
recent
example
is
a
data
minimization
principle.
One
now
that's
worked
out
as
martin's
draft
is,
but
still
in
the
same
category.
A
And
the
third
category
is
kind
of
like
what
this
group
started
with
is
specific
efforts
to
make
suggestions
to
change
the
itf
guidances.
You
remember,
there's
the
you
know
way
to
write
itf,
rc
security
considerations,
3552
and
talks
about
the
internet
threat
model
in
one
of
the
park
sections,
and
the
question
is:
should
that
actually
change
kind
of
discourages
thinking
about
endpoint
security
aspects
too
much,
because
you
can't
do
much
and
35.50
is
not
the
only
one
there's
also
7258
yeah
there's
been
some
proposals
of
this.
I
I
would.
A
A
Certainly
speaking
as
a
as
an
example,
author
of
some
of
those
documents,
I
didn't
feel
super
motivated
to
push
more
because
it
felt
like
you
know:
it's
not
an
easy
way
to
reach
the
end
goal
and
actually
make
a
change
so
yeah
program
issues.
What
do
we
have?
So
we
have
obviously
non-issues
also
so
so
clearly,
there's
interest,
there's
no
lack
of
contributions.
A
A
Given
that
we've
had
such
a
great
success
in
in
some
other
areas
like
communications,
we
do
have
some
issues
so,
like
leaders
was
mentioned,
I've
been
sort
of
in
with
you
know,
20
20
inside
wondering
about
whether
it
was
correct
to
frame
the
program
around
this
35
52
update
and
also
there's
quite
a
lot
in
in
the
discussion.
So
are
we
trying
to
tackle
too
much?
A
It
seems
to
be
difficult
to
agree
on
the
few
things
that
we
actually
want
to
push
out
and
there's
also
some
some
iab
constraints.
So
I
guess-
or
perhaps
media
could
speak
to
this,
but
in
general
the
iap
wants
to
have
programs
that
actually
produce
input
for
the
id
to
publish
documents
on
and
not
just
have
like
a
discussion
club
so
and
also
it's
important
that
the
iad
participants
or
ib
members
are
participating
very
actively.
A
Yeah,
I
I
may
be
jumping
the
kind
a
little
bit.
Maybe
we
should
discuss
the
the
situation,
but
there's
a
bunch
of
ways
forward.
We
could
declare
failure,
we
could
change
leadership,
we
could
rethink
the
goals.
We
could
sort
of
find
a
better
alignment
with
what
iap
can
actually
publish
or
some
combination
of
these
things,
or
maybe
some
other
things
that
you
guys
come
up
with.
A
B
B
From
my
perspective,
the
scope
of
this
program
was
troublesome,
has
been
troublesome
in
a
way
we're
on
a
we're
at
the
cusp
of
an
entire
new
model,
of
how
endpoints
manage
their
own
security
and
people
like
hank
and
dave
taylor
and
the
people
in
rats
and
suit
and
eat
have
been
working
on
finding
that
new
way
forward.
B
For
you
know,
in
the
ietf
and
elsewhere,
and
in
a
way
this,
the
real
interesting
stuff
to
me
at
least,
maybe
everybody
else
has
a
different
view
of
this.
Are
the
implications
of
that
model
right?
What
does
it
mean
to
have
trust
when
you
have
multiple
trust
anchors,
perhaps
in
various
componentry,
so
the
you
know
in
android,
you
can
have
multiple
personae,
for
instance,
what
does
that
mean
in
terms
of
end-to-end
security?
B
What
does
it
mean
when
you
have
endpoints
that
don't
necessarily
have
ip
addresses
that
are
in
the
device
in
terms
of
trust,
anchors
and
and
and
just
process?
Endpoints
right
is.
Where
is
the
bounds?
We
started
some
of
this
conversation
back
when
the
program
first
began,
but
it
it
was
this
that
was
immediately
ruled
out
of
scope,
and
so
you
know,
if
we're
going
to
do
a
35,
52
update,
I
just
say
you
know,
find
whatever
create
a
working
group
and
go:
do
it
right?
B
It's
not
it
it's
something
that
will
argue
over
as
to
what
goes
into
what
doesn't
go
in,
but
if
you
really
want,
but
the
internet
architecture
board
should
be
about
a
little
bit
more
than
that
and
should
be
looking
into
the
future,
and
if
not
the
internet
architecture
board,
then
who
right
should
it
be
the
irtf?
Where
should
that
work?
Go
because
right
now,
a
lot
of
it's
in
the
ietf
and
elsewhere?
It's
in
places
like
google
and
apple
right,
and
it's
going
to
be
elsewhere.
So
how
do
we?
B
A
Thanks
elliot,
can
you
jump
on
for
just
just
one
more
second,
and
do
you
have
like
a
concise
description
of
what
would
you
like
the
scope
to
be,
or
was
the
answer
broader.
B
Yes,
the
the
scope
I
would
like
to
see
would
be
new
security
models
for
the
effort,
end-to-end
communication
that
involve
the
the
evolving
trust
models
that
are
available
to
us
in
hardware
and
software,
both
through
virtualization
and
through
evolutions
in
in
chip
design.
C
Let's
see
here
if
I
can
make
this
work
yeah
it's
mark,
I
am
like
like
elliot
thanks
jari
for
getting
us
together.
What
I'm
really
hoping
for
out
of
today
is
some
sort
of
route
closure.
I
think
that
they're,
really,
you
had
three
broad
categories
of
activities
that
have
gone
on
so
far.
I
really
think
there's
there's
really
two
and
I'll
explain
that
in
a
second
I
I
think
your
middle
category
of
principles
is
something
that
the
iab
should
think
about.
Publishing
martin's
draft
is
is
really
interesting.
C
I
I
think
I
think
principal
drafts
principle
in
quotes
are
a
good
thing
for
the
iep
to
publish.
But
for
me
what
went
wrong
here
is
that
in
rfc
3552
we
have
a
document
that
is
from
2003
and
it
it
it's
not
even
worth
arguing
about
whether
or
not
the
threat
model
inside
of
that
document
is
current.
I
don't
think
anyone
would
argue
that
it
is,
but
we
in
model
t
we
didn't,
have
a
way
to
transfer
the
work.
C
I
don't
know
if
that
makes
sense,
but
it's
we
didn't
have
a
mechanism
by
which
the
people
who
were
energized
by
the
model
t
program
could
actually
take
the
work.
It
was
probably
never
going
to
be
published
by
the
ieb
and
find
another
home
for
it
now
unlike
elliot.
I
think
what
should
happen
here
is
that
I
do
think
that
we
should
go
away
and
do
something
about
3552
and
the
related
rfcs.
C
I
think
we
should
divide
the
threat
model
from
the
guidance
that
we
give
to
protocol
designers
and
authors
on
how
to
write
security.
Consideration
sections,
I
think,
those
those
are
they're
not
orthogonal,
but
they're
separate
tracks
for
a
protocol
designer
to
think
about,
and
I
think,
finding
a
path
to
take
those
from
model
t,
because
we
have
some
work
already
there
take
those
from
from
model
t
and
transfer
them
somehow
somewhere
in
the
ietf,
should
be
part
of
the
closure
that
we
achieve
for
the
program
so
number
one.
C
The
the
first
track
that
I
would
suggest
to
us
is
a
track
that
takes
those
principled
drafts
and
makes
a
decision
about
whether
or
not
whether
or
not
we
can
recommend
to
the
iab
that
the
iab
consider
publishing.
I
think
that's
that's
one
track,
but
the
other
track
is
then,
how
do
we
transfer
the
other
work,
because
I
think,
there's
very
valuable
work.
That's
gone
on
as
part
of
model
t
you're
right
all
of
the
air
left
the
balloon
last
year
for
a
variety
of
reasons,
but
I
don't.
C
I
think
that
if
we
re-energize
that,
I
think
that
that
work
would
come
back,
especially
if
we
could
find
a
home
that
was
perhaps
not
the
ieb
to
do
that.
Work
right
and
whether
that's
you
know
the
general
security
area
or
we
went
to
suck
dispatch
with
the
proposal.
Whatever
it
was
right,
some
mechanism
by
which
could.
C
Some
mechanism,
by
which
we
could
achieve
closure
for
model
t
and
yet
get
some
deliverables
and
results
that
are
valuable
and
based
on
the
energy
that
that
we
had
in
the
beginning.
I
I
think
that's
that's
my
take
on
it
and
and
the
the
division
of
the
work
streams.
I
think
is
important
to
me
as
well.
I
think
that
documenting
the
threat
model
is
a
different
task
than
providing
guidance.
D
Great
ux,
so
I
I
think
I
like
the
way
that
mark's
thinking
here
in
terms
of
the
two
streams,
although
the
the
division
that
you
had
there
yari
was
pretty
helpful.
D
I
I
do
think
that
there's
a
set
of
things
in
this
in
this
bundle
that
you've
got
identified,
that
that
are
clearly
within
the
remit
of
the
iab
and
and
others
that
don't
necessarily
stay
there.
Now.
D
I
think
the
original
intent
with
model
t
was
to
to
incubate
some
of
that
work,
sort
of
warm
it
up
a
little
bit
and
try
to
get
a
little
bit
of
momentum
behind
some
of
the
the
concepts,
and
I
I
think
that
elliot's
touched
on
one
of
the
topics
that's
come
up
in
in
that
space,
which
is
how
how
endpoint
security
has
evolved
into
this
sort
of
multi-faceted
multi-multi-component
multi-multi-componentized
thing.
D
That
is
no
longer
very
easy
to
reason
about
in
the
very
simple
models
that
we
had
previously,
but
I
suspect
that
we're
going
to
need
to
be
a
little
further
along
with
the
work
that
it
referenced
in
suit
and
whatnot
before
we'll
be
confident
in
being
able
to
say
what
the
the
threat
models
are
there
and
I'm
not
involved
closely
enough
to
be
able
to
say
whether
that's
that's
where
it
is
the
principles
document
that
you
identified.
D
I
think
I'd
certainly
be
willing
to
to
do
some
more
work
on
the
one
that
I
put
together.
I
only
recently
saw
the
one
that
you
don't
put
out
on
minimization.
I
don't
know
how
I
missed
that
it's
it's
also
a
useful
thing
to
have,
but
I
don't
know
whether
this
is
the
right
forum
as
it
stands
to
have
that
discussion.
D
E
E
I
think
what
I
think
is
very
important
to
get
published
in
some
form
is
updated
threat
model
to
get
itf
people
to
understand
that
their
device
is
not
always
100
percent
trusted.
The
other
end
point
is
not
always
hundred
percent
trusted
and
intermediaries
is
not
100
trusted,
and
you
should.
You
should
consider
that
and
when
you
design
your
protocol
and
if
possible,
you
should
try
to
avoid
it.
E
I
don't
think,
as
a
first
step,
just
describing
these
threats
in
a
good
way,
and
maybe
it
might
be
harder
to
to
give
agree
on
guidance
exactly
what
to
do,
but
I
think
publishing
something
doesn't
need
to
update
three
the
old
internet
threat
model
that
might
be
hard
to
do
so.
Yes,
another
document
that
describes
these
new
types
of
threats
that
we
we
see.
I
think
that
would
be
a
good
first
step.
A
F
Yeah
mallory
here
I
wanted
to
come
off
mute
to
say
that
I
think
that
the
current
work
maybe
falls
into
two
categories.
One
is
sort
of
more
immediate
things
that
I
agree
with
martin
that
iab
should
be
focusing
on
prioritizing,
but
then
there's
some
of
it.
F
That
makes
me
agree
with
elliott
on
the
long-term
view,
there's
a
lot
of
other
places
where
this
is
being
discussed,
the
issue's
not
going
away
without
actually
having
run
this
idea
by
colin
who's,
also
on
the
call
it
might
make
sense
for
it
to
be
an
irtf
research
group,
given
the
persistence
of
the
issue
and
places
where
you
know,
research
that
can
also
attract
folks
from
outside
the
existing
community
to
think
about
with
the
hope
that
it
influences
or
at
least
inspires
the
working
groups
that
have
to
grapple
with
these
issues
in
the
long
term.
F
I
think
when
I
look
at
the
slate
of
work
in
front
of
us,
I
feel
like
that
distinction
might
be
helpful
in
moving
some
of
the
short-term
work
forward,
while
thinking
there
might
be
a
place
to
put
more
of
a
long-term
stuff
thanks.
G
Yeah,
I
guess
I
could
jump
in
since
mallory
summoned
me.
I
mean
some
of
these.
A
G
G
One
of
the
reasons
the
work
indeed
ended
up
in
the
iab.
I
tend
to
agree
with
the
people.
Who've
said
that
there
are,
you
know
that
there
are
updates
to
35
52
and
if,
if
we
want
to
do
that,
that
has
to
happen
in
the
ietf
and
it's
clearly
a
lot
of
work
which
can
come
out
of
this
and
fit
into
an
ietf
group,
and
I
agree
that
there
are
some
principles
drafts
that
that
makes
sense
for
the
iab
to
publish
it's
not
clear
to
me
what's
left
and
how?
G
So
I'm
not
sure
I
understand
what
the
remaining
pieces
are
well
enough
to
know
whether
they
would
possibly
make
sense
for
the
irtf
whether
they
fit
within
some
of
the
work
that's
going
on
in
the
itf.
G
A
Where
does
it
fit
yeah
clearly
for
for
many
problems?
There
is
this
like
short-term
actions
to
be
taken,
and
then
there's
like
this
messy
future
thing
and
and
if
you're
saying
missy
feature
thing:
it's
not
for
the
irtf
at
least.
A
G
A
Yeah
further
opinions
and
thoughts,
lots
of
people
on
the
call
speak
up.
H
I
I
just
wanted
to
point
out
that
some
of
the
questions
that
we're
asking
here
are
things
that
are
already
being
asked
in
the
context
of
ppm,
the
the
new
privacy
preserving
measurement
working
group
that
had
a
buff
at
112
things
like
how
do
you
design
protocols
and
under
the
assumption
that
certain
clients
may
be
malicious
or
acting
against
you?
How
do
you
design
protocols
when
servers
are
also
potentially
malicious?
H
These
are
sort
of
natural
things
to
ask
in
the
context
of
like
distributed
systems
and
multi-party
computation
in
general,
and
I
would
expect
this
evolving
threat
model.
Whatever
happens
to
be
to
be
sort
of
sharpened
in
the
context
of
that
working
group,
as
we
try
to
reason
about
the
design
of
ppm
and
its
relevant
security
property.
So
that
is
not
to
say
that,
like
ppm
is
the
home
for
this
particular
discussion.
H
But
I
think
it's
it's
a
forcing
function
for
us
to
acknowledge
that
the
internet
or
the
threat
model
of
like
client
server
with
trusted
endpoints
is
perhaps
no
longer
applicable
to
you
know
new
work.
So
I
I
would
point
folks
there
for
a
discussion
or
for
perhaps
you
know,
more
exploration
of
this
topic.
A
D
Oh
okay,
well
maybe
I'll
say
like
these.
It
was
very
brief
what
chris
said
about
ppm
and
what
elliott
said
about
the
the
cluster
of
of
endpoint
related
work.
Sort
of
makes
me
think
that
perhaps
we're
at
one
of
those
points
where
the
evolution
of
the
threat
model
happens.
Piecewise
and
we
have
this
work
that
goes
on.
No,
I'm
sorry,
florence,
your
mic
is
not
working.
Maybe
you
can
try
again.
D
Yeah,
there's
a
there's,
a
piecewise
evolution
that
that
needs
to
happen
as
we
get
further
through
the
the
work
say
in
in
suit
or
ppm
or
whatnot,
and
trying
to
generate
a
grand,
unified
theory
for
the
threat
model
is
a
little
premature.
Perhaps
that's
that
maybe
that
may
be
something
for
people
to
think
about.
A
Thank
you
I'll
observe
that
yeah
I
mean
at
least
from
my
perspective.
Some
of
these
issues
are
sort
of
pressing
problems
in
the
internet
today,
so
I
think
it's
important.
We
do
think
about
the
problem,
because
it's
already
present
it's
not
a
future
thing.
D
Yeah,
the
question
is:
what
aspect
of
those
things
you
you
you
think
is
is
necessary
and
do
you
need
to
fold
it
into
a
ground
unified
thing
or
can?
Can
you
just
say?
Does
this
particular
thing
need
a
targeted
set
of
solutions
and
I
think
that's
where
we've
sort
of
hit
with
the
the
principles
drafts
is
trying
to
just
have
that
that
one
punchy
little
little
tweak
rather
than
than
trying
to
get
everything.
A
Yeah-
and
I
certainly
agree
with
that-
I'm
not
in
favor
of
grand
unified
theories
for
anything.
Of
course,
the
principal
droughts
are
also
sort
of
grand
unified,
but
looking
at
the
very
small
angle
of
it,
but
they're
not
tied
to
a
particular
use
case
necessarily
so
yeah.
I.
C
A
It
feels
like
there's
multiple
topics
that
are
of
interest,
both
the
trust
model,
evolution
and,
and
then
some
of
the
principal
things
and
other
other
documentation
and-
and
some
of
that
is,
is
perhaps
doable
as
short-term
thing
that
the
iab
can
take
care
of,
or
at
least
some
parts
of
the
trust
model
that
model
evolution
can
could
happen
at
the
itf.
But
then
there's
these
more
fussy.
A
Topics
are
like
the
everything
that
has
to
do
with
endpoints
and
and
the
sort
of
the
full
theory
of
what
is
an
end
point
and
how
it's?
A
But
maybe
that's
because
we
haven't
really
fully
understood.
We
need
to
work
on
that,
make
sure
that
we
actually
have
a
crisper
definition
of
that.
So
I'm
not
ruling
out
that
that
that's
a
thing
that
we
could
do,
but
but
some
of
these
other
things
seem
easier
to
do.
B
Yeah,
I'm
sorry
arty
slightly.
I
I
would
what
I
would
suggest
look
I
I
wouldn't
want
to
split
the
you
know.
I
wouldn't
want
to
say:
hey
hold
up
all
this
work
for
things
that
aren't
there
as
I,
as
I
said
in
the
chat
right,
but
I
do
think
the
board
would
be
well
advised
to
think
about
these
things
that
are
coming
along
right.
The
idea
that
we
already
have
code
in
the
field
that
handles
these
multiple
truss
models,
it
sort
of
doesn't
do
it
well,
in
my
opinion,
but
that's
just
my
opinion.
B
We
have
tested
code
that
demonstrates
rats
coming
along
right.
We
have
this
whole
notion
of
you
know
the
the
some
of
this
is
intertwined
right,
we're
aiming
towards
a
world
where
cryptography
is
the
norm,
but
we
have
components
in
that
in
in
in
our
architecture
that
aren't
yet
there
but
need
to
get
there,
and
so
some
of
that
is
intertwined
between
you
know
with
trust,
anchor
work
and
other
things
and
see.
I
know
that's
a
pretty
broad
area
right
it.
It
needs
to
be
well
scoped.
B
My
suggestion
is
simply
that
we
for
or
the
board
or
whoever.
However,
you
want
to
structure
it
takes
some
time
to
do
that
scoping
to
do
that,
scoping
work.
If,
if
drafts
are
needed,
maybe
you
know
ask
people
to
write
drafts
right,
say:
hey,
do
you
have
opinions
here?
Call
them.
Can
you
say
we're
interested
in
this
topic
if
you're
not
interested
in
the
topic,
yeah
we'll
go
elsewhere.
A
I
guess
I
mean
I,
I
think
those
kinds
of
things
that
they
actually
referenced
are,
at
least
in
my
mind,
more
like
solutions,
confidential
computing
trusted,
computing
rats
and
so
on
and,
and
that
is
all
well
and
proceeding
and
reasonably
well
understood.
I
would
claim
and
to
some
extent,
also
fairly
widely
deployed,
not
universally,
but
still.
A
A
I
Yes,
so
I
I
just
wanted
actually
jim
has
his
hands
up,
so
I'm
not
sure
if
he
also
wanted
to
say
something,
but
I'm
going
to
say
what
I
want
to
say.
No,
so
I
agree,
I
think,
with
everybody
that
there's
definitely
work
like
we're
not
done
here
there
is.
There
are
open
questions
and
there's
things
that
we
could
write
down
and
there's
things
that
we
need
to
discuss
and
things
that
need
to
evolve.
I
The
idea
also
things
that
are
in
scope
for
the
iab
and
like
these
principal
documents,
and
I
believe
there
is
interest
in
the
iap
to
work
on
these
documents,
but
we
don't
necessarily
need
a
program
for
that
right.
You
can
also
any
ib
member
can
bring
in
this
work
in
the
iab
and
we
have
some
discussion
there.
Programs
are
really
valuable
if
we
have
a
group
of
people
who
could
jointly
contribute
to
these
kind
of
documents
and
improve
them
and
have
some
discussion
about
it.
I
So
for
me
the
question
is
really
is:
is
model
t
as
program
still
useful
in
any
way,
and
it
wasn't
clear
to
me-
or
it
isn't
clear
to
me
if
the
answer
is
yes
so
again
like.
Even
if,
if
we
end
up
closing
this
program,
it
doesn't
mean
the
work
is
done.
I
mean
I
know
that
closing
a
program
gives
maybe
a
kind
of
a
wrong
sign,
but
this
is
definitely
not
the
message,
but
it
might
not
be
the
case
that
the
ib,
by
providing
such
a
program
can
actually.
F
J
If
I
could
jump
in
jump
in
here
now,
I
agree
with
what
miriam
just
said
that
if
we
close
down
this
model,
t
exercise
that
sends
a
wrong
signal
which
I
think
will
be
very
very
damaging
in
both
the
short
term
and
the
long
term,
and
I
think
at
the
moment
we
seem
to
be
talking
around
about
issues
about
where's
going
to
be
the
right
form
in
an
its
setting
to
do
with
particular
pieces
of
work.
She
saw
to
be
done
by
the
ib
should
be
done
on
the
research
group.
J
To
take
a
very
simple
of
a
view
about
this,
I
would
take
a
more
private
experience
and
say:
well
just
continue
the
discussions
on
this
mailing
list.
For
now,
and
once
we
have
reached
for
some
definition,
we
we
have
reached
some
kind
of
agreement
about
what
our
particular
solution
might
look
like
or
what
a
particular
document
might
be,
and
we
then
figure
out.
Where
is
the
best
place
to
steal
that
document
through
the
idf
machinery?
Maybe
it
goes
to
the
ieb
for
them
to
consider
and
then
publishes
an
ib
document.
A
I
Can
I
reply
to
that
point,
so
my
understanding
was
that
model
t
is
exactly
that
right.
It
was
this
venue
to
provide
a
mailing
list
and
eventually
so
meetings
to
figure
out
what
are
the
concrete
things
that
we
can
then
pursue
in
the
ietf,
and
it
just
didn't
happen
over
the
last
years,
and
that
comes
makes
me
to
the
confusion
that
maybe
you
know
having
an
ib
program,
might
not
be
the
right
venue,
because
we
don't
have
the
right
people,
that's
what
we
tried
already.
I
I
I
agree-
and
I
said
this
myself-
that
just
closing
the
program
sends
a
wrong
signal,
so
I
would
be
happy
to
have
another
plan
for
it,
but
just
doing
the
same
thing
that
we
tried
for
the
last
three
years
doesn't
seem
like
a
good
plan.
J
Yeah
I
mean
perhaps
some
of
the
program
material
is
just
too
ambitious.
I
mean
some
of
the
talks
we
had
before
about
overarching
overarching
solutions
that
gives
me
the
ebg
reason
makes
me
want
to
run
away
screaming
as
quickly
as
possible.
J
J
So
maybe
another
way
forward
might
be
to
find
somebody
else
who
could
share
or
assist
the
ad
in
the
job
of
seeing
this
group
and
actually
helping
it
to
have
maybe
more
regular
meetings
like
the
one
we're
having
just
now
or
try
to
do
a
bit
where
I'm
twisting
behind
these
to
get
documents
produced.
I
think
that
might
be
another
way
forward,
rallying
hoping
that
yani
can
somehow
cars
carve
something
out
of
his
infinite
amounts
of
spare
time
to
try
and
drive
this.
C
I
want
to
follow
up
on
something
that
miriam
said
and
I
was
happy
to
hear
say
that
that
we
wouldn't
close
down
model
t
without
an
alternative
way
to
get
the
work
moving
forward.
C
Those
expected
outcomes
either
didn't
happen
or
didn't
happen
in
the
way
that
people
expected-
and
I
I
really
stress
that
is
one
of
the
things
that
might
be
really
useful
to
do-
is
to
not
sort.
I
don't
want
to
say
recharter,
but
to
rethink
what
is
possible
here
and
when
I
say
what
is
possible,
it's
the
two
strands
of
work
that
I
talked
about.
Originally,
what
is
possible
for
the
iab
to
do
and
what
is
possible
for
this
iab
program
to
transfer
somewhere
else
so
that
that
work
gets
done.
C
I
think
that's
a
very
different
conversation
than
the
short-term
long-term
conversation
which
I
think
is
also
a
valuable
conversation
to
have,
but
a
completely
different
one.
If,
if
if
there
was
a
gift
that
we
could
give
to
the
iab,
it
would
be
a
road
map
for
closure
right.
It
would
be
we're
going
to
do
these
things
for
the
next
six
months
achieve
these
goals,
and
then
then
we
will
be
done,
at
least
with
this
effort,
and
that's
kind
of
what
I
I
would
hope
would
happen.
C
Next
is
sort
of
a
rethinking
of
based
on
what
we
know
from
the
last
year
and
a
half
or
two
years
here
are.
The
things
we
can
do
here
are
the
things
that
are
achievable:
let's
document
them
and
move
on
them
and
for
the
other
things
that
we
need
other
people
to
do,
let's
find
a
way
to
transfer
that
work
out
of
an
iab
program
into
somewhere
else.
I
Yeah,
I
would
like
to
make
one
more
remark
about
iab
programs,
so
you
know
iab
programs
for
some
to
some
extent
always
kind
of
serve
and
support
the
iab.
Of
course,
these
iab
programs
are
very
useful
for
us
to
get
in
touch
with
the
rest
of
the
community
to
have
a
discussion
with
your
community
get
input
from
the
community
exchange
thoughts,
but
at
the
end
this
is
the
this
is
the
characteristic
of
an
ib
program.
I
It's
a
program
that
supports
the
iab
and
and
because
there
was
probably
little
progress
in
the
program
and-
and
the
discussion
wasn't
very
focused.
I
think
there
has
been
also
less
not
in
this
topic,
but
in
the
program
itself
there
has
been
less
interest
by
the
iav.
So
so
I'm
happy
to
to
take
up
this
program
and
and
having
some
and
it
doesn't
have
to
be
an
iav
person
who
has
to
lead
the
program-
that's
not
necessary,
but
there
still
has
to
be
some
iv
involvement.
I
A
Thanks
yeah
wondering
how
to
go
forward
and
we
have
preserved
one
hour.
I
I
think
we
have
some
sense
of
what
the
what
the
constraints
are,
there's
interest
for
this
piece
and
that
piece
and
a
little
bit
of
a
more
futuristic
and
less
clear
things
also
are
interesting.
A
Media
has
laid
out
well,
the
sort
of
the
I
guess,
constraints
or
red
lines
from
from
iab
perspective,
how
this
needs
to
work,
or
perhaps
we
could
indeed
write
this
closure
plan
that
we
propose
that
these
things,
these
three
things
are
interesting
and
this
thing
should
go
to
the
ietf
this
way
and
and
then
it's
like
itf's
problem,
and
this
thing
is
taken
over
by
the
iab,
or
I
mean
this
is
deliverable
to
the
iabi.
I
will
publish
it
and
and
here's
the
way
that
we
can
actually
do
that.
A
Maybe
that
involves
retartering
model
t
or
creating
a
more
focused
group
to
provide
feedback
on
the
principal
drafts,
for
instance
specific
principle
drafts
and
and
any
other
actions
that
that
might
be
needed,
and
and
maybe
that
would
be
a
way
out-
and
it
would
be
clear
it
wouldn't
would
not
feel
like
this
is
termination.
But
this
is
like
we're
we're
doing
this.
Taking
these
things
forward
and
putting
those
other
things
over,
there.
A
Of
course,
the
the
faucet
topics
are
always
difficult
to
deal
with
how
to
be.
How
do
we
keep
a
discussion
going
on
with
them
and
and
where
I
don't
have
an
answer
for
that,
but
maybe
that's
no
yeah,
I
I
guess
martin
was
saying
earlier
that
we
don't
have
to
solve
everything,
focus
on
the
urgent
things
and
specific,
concrete
stuff
that
you
can
do
and
do
incremental
instead
of
granite
plan.
A
But
I
I
think
this
call
has
at
least
for
me
sort
of
highlighted
a
little
bit
better
like
what
what
what
are
people's
interests.
So
I
wasn't
clear,
for
instance,
how
much
interest
there
is
in
in
these
different
pieces.
I
was
maybe
a
little
bit
surprised
that
there's
a
fair,
fair
bit
of
interest
in
actually
documenting
the
the
actual
model
changes
and
I'm
taking
that
to
the
itf.
So
so
that's
good.
A
I
wonder
what
to
do
with
the
rest
of
the
call.
We
could
perhaps
briefly
dive
into
the
technical
stuff,
and
I
dislike
it
when
when
we
only
discuss
process
and
before
forums-
and
I
of
course
should
also
discuss
at
least
a
few
drafts.
G
Yeah,
so
so,
without
wishing
to
bog
it
down
with
too
much
process,
if,
if
we
are
suggesting
that
some
work
goes
to
the
itf,
we
should
maybe
figure
out
a
slightly
more
concrete
plan
for
how
to
do
that.
A
Yeah,
could
we
perhaps
divide
this?
This
work
a
little
bit
so
I'd
be
very
interested
in
this
principle,
stuff
and
and
could
perhaps
write
the
plan
for
for
that,
together
with
yeah
obvious
co-conspirators
marketing.
Perhaps
if
you
can
help
and
then
the
threat
model
stuff,
how
would
we
hope
we
do
that?
We
need
to
write
something:
any
volunteers
who
want
to
do
that.
C
I
ari,
I
would
volunteer
to
take
that
part
of
it
or
at
least
lead
a
group
that
was
interested
and
then
you
and
I
could
coordinate
on
making
sure
that
you
know
not
just
for
I,
the
iab,
but
for
the
participants
in
the
community
that
the
two
pieces
of
text
looked
similar
so
that
you
could
understand
them
and
how
we
were
addressing
the
problem
that
we've
sort
of
identified
today
so
yeah.
C
I
would
be
happy
to
volunteer
to
to
lead
a
group
of
people
who
are
interested
in
talking
about
the
threat
model
and
what
to
do
about
it.
For
instance,
I
thought
you
know
as
an
example,
I
think
martin's
comment
about
an
incremental
approach
to
the
threat
model
is
a
really
interesting
one
and
one
that
I
really
hadn't
thought
very
seriously
about,
but
I
think
deserves
some
attention
so
yeah.
I
would
be
happy
to
step
up
and
and
lead
one
one
half
of
her
one
part
of
it.
I
I
just
I
just
have
a
clarifying
question
because
I
had
two
things,
so
I
also
heard
that
there's
a
lot
of
interest
in
working
on
the
threat
model,
but
it
seems
like
some
people
still
really
want
to
mainly
update
3552.
I
You
know,
which
would
be
like
a
short
document
and
maybe
just
like
a
few
paragraphs,
and
there
seem
to
be
other
people
who
are
rather
want
to
work
on
like
more
comprehensive,
full
separate
threat
mode.
So
I
would
just
like
to
understand
where
people
are.
C
Maybe
that's
a
great
question,
but
could
I
suggest
that
it
needs
a
group
of
people
to
go
away
and
and
think
about
it
to
come
up
with
an
answer?
C
I
think
that's
a
very
reasonable
question,
and
actually
one
of
the
benefits
of
having
this
hour
together
is
that
some
people
said
some
very
sensible
things
about
reconsidering
3552's
threat
model
right
there.
There
is
one
of
the
themes
that
we
heard
was
we
can't
build
this
all-encompassing
model
anymore
right
and
then
there
was
martin's
really
interesting
comment
about
using
a
more
incremental
approach
to
identifying
certain
characteristics
of
the
threat
model
right
and
and
I'll
be
honest
in
full
disclosure.
C
My
my
interest
always
was
updating
35.52,
but
one
of
the
values
of
getting
together
today
is,
I
think,
now
there's
a
group
of
people
who
should
get
together
and
and
talk
about
what
the
right
thing
is
to
do
and
and
I'm
I'm
I'm
also
influenced
by
elliot's
early
comments
in
the
call
that
there
are
short-term
things
to
think
about,
and
there
are
long-term
things
to
think
about
and
getting
the
right
people
together
is
going
to
be
extremely
important
for
the
success
of
that.
A
A
A
Yeah
and
now
we
are
nearing
the
end
of
the
hour,
so
it's
maybe
the
right
thing
actually
to
end
here
and
and
then
go
to
the
list
for
for
the
discussion
on
the
detailed
discussion
of
the
drafts,
it
would
be
useful
to
get
more
reviews.
I
think
martin's
traffic
is
really
good.
A
And
one
team
will
pursue
this
threat
model
proposal,
not
not
the
content,
but
the
process
plan
for
it
and
one
team
will
pursue
the
the
principal
stuff
and
and
then
we'll
reconvene
after
a
couple
of
weeks,
hopefully
get
some
results
before
the
holidays.
I
K
I
I
turned
on
my
media
because
I
wanted
to
channel
mallory
saying
that
maybe
we
just
have
another
interview
focusing
on
these
kind
of
topics,
but
I
think
actually,
the
kind
of
design
team
approach
you're
proposing,
makes
totally
sense.
Just
because
like
if
you
have
a
small
group
of
like
three
to
five
people,
then
it's
a
different
kind
of
discussion
and
then
I
think,
having
having
another
interview
in
january
whatever
to
like
present.
The
results
from
this
discussion
would
be
really
helpful.
A
A
Good
then
I
thank
you.
The
hour
is
full
and
we
have
plenty
of
discussion
and
interested
participation.
So
so
thank
you
for
that
and
I
think
we
learned
something.
So
that's
that's
really
good
thanks
a
lot
and
have
a
nice
day
or
evening
or
night
or
whatever
it
is
perhaps.