Internet Engineering Task Force Interim Meetings, 31 Mar 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: LAKE WG Interim Meeting, 2020-03-31

Description

LAKE WG Interim Meeting, 2020-03-31

A

A

A

Okay, folks so I guess, the number of beeps seems to slow down I think we have 36 people which is kind of a good bit I.

A

Hope you can see the slides with, like virtual interim heading no.

B

Sorry ii know I cannot can't.

C

D

The slide okay.

A

D

Melissa, I guess once you grab the okay.

C

Let me change the order all to host.

C

Okay yeah, so you have the ho stroll now: okay,.

A

So let me just try and share again.

A

There we go okay, so folks can see the slides. Oh yes,.

E

A

So welcome to our lake replacement meeting for vancouver. You see, the chairs are gonna shine myself, we're here. You know the territory after mating this, the jammer room is there. We have 13 people in jabber and I've got 30 out on the WebEx, so please join. If you can, we have Anita Paris, Michael Richardson is taking notes and etherpad thanks Michael.

A

Yeah, we have to note where the PI's so I guess many of you will have seen this some of the course the last week, if you took part in either virtual meetings. If not, please read us and if you took part in the virtual meetings last week for the ITF people are using this queuing mechanism in the WebEx chest, I don't know if we will need it or not, we'll start without using that that people can just talk.

A

If that becomes too confusing, we'll use, then we swap over to using that plus Q minus Q thing gender.

A

So here's our agenda for today, gender bias, which is just now I, sent a mail earlier today to the list. There's kind of three issues I think might benefit from a little bit slightly higher level discussion than just the details of the text.

A

Then we go through the agenda as posted previously, which is the details of the working group last call and comments that are outstanding and that should take the bulk of this meeting and as the goal of the goal of the meeting is to progress that to the point where we can see the finishing line.

A

Hopefully, and if we get that done, then we there's some presentation on kind of state of play of two of the possible aches that have been that people are working on which is at heart and CTLs and then any other business as a rising I think we have two hours scheduled personally I hate to our meetings, but I hope are a bit quicker than that, but we'll see how we go.

A

So this is the moment for agenda bashing. Anybody have any agenda bashing.

F

Yes, so it would be great if we could reserve some time for next steps. So, even even if the working group last call comments dragged out I think we should have some some time for next step.

A

So Melissa, if you can remember.

A

Okay, are we good with this agenda.

D

I'm gonna assume so I.

C

G

C

Like to add that, while we have a double scribe, it's any substantial comments. Any substantial comments should be brought to the mic and not on drivers. So please refrain from having expensive discussions. Endeavor.

A

Or bring them to the mic and also, if you could add your name to the ether pad if you're attending, that would be helpful because there's currently four there and 36 people in WebEx, so please go to the ether pads and add your name as having attended stats there or a blue sheet all right. So we're that's the desire, that's their agenda. The three issues I sent a mail to earlier to the list, I'm going to assume that people have read that if you haven't then you'd, probably catch up as I go.

A

So basically the three issues I think that might come up in multiple comments that were made on that on the requirements text. The first is how this relates to cozy or in particular the second one is whether we we should I think we should. We might benefit if we recognize the reality that we have ed Hocken CTLs as candidates, things both which presumably likely to not go away. And the third point is it's kind of like how much precision is it useful to aim for with respect to lower layers in the communications environment?

A

So I'd like to just take a couple of minutes to take each of those in order and see if we can come to some agreement on where we stand with respect to those and then have that, hopefully shorten the discussion of some of the detailed texts.

F

With the co-ceo score part, there is a slide for in the requirements I.

A

Would like to not go there just yet so, essentially, I think that the number of comments that were made I made my own comments earlier as well, that the current text is very prescriptive about using cuz. They know his core as chair, and it seems to me that will make it difficult for us to get rough consensus because it kind of says you can't do. Ctrs I would like to see if we can figure in general. What's the right approach to.

F

Handling the current text is recommending cause. It's not mandating cuz. Is that too strong still.

A

Again, that's chair, I would worry. It is as chair, but I'd like to get comments from other people who make comments on this.

F

Okay, so yes, just one more thing before that, so loss core needs cozy algorithms to be negotiated in at home. So we can't go without mentioning cozy in in the requirements and then there are other which we also go into.

F

You would like to avoid duplicated information station of crypto rappers and their rather I mean the natural thing would be to use kasi. But that's beside the point. I think we can't go without the ache delivering Cosi algorithm still score, but that's basically so we need to mention Cosette someone.

H

C

H

I raised this point: I think the point was yes, you need to negotiate those algorithms for for us core as an output of this, but they don't need to be the same same as the algorithms that are used for the negotiation and.

F

That's what the latest text is saying. Thank you that.

I

You're on you a few, your fur denier email me to latest text. I was thinking. I, don't see like a lot of changes. So me, if I'm missing something is there, a branch I should be looking at is yeah.

F

It's the working group last call update okay.

I

Meet perhaps up explains why even see yeah a bunch of things I was expecting and.

F

Says the egg shall support negotiation, alcoci algorithms to be used inkosi, you know score the eggshell support negotiation of algorithm to be used in the egg. It doesn't say that you need in the egg, so.

A

I just posted into the Java, the diff between the wgl, see updates branch.

I

And sure I mean well I mean this text says it is strong. I can make that Josias reason by the egg. That's like prescriptive for no obvious reason. So.

A

Eric, what would you suggest it say that that would get your movies to be.

J

Struck entirely.

J

Maybe not what you should requirement, maybe maybe state to requirement about code complexity in code twice and then write is, can, for example, be achieved by using code. See then that aligns with a lot of other requirements. We have in the requirements document on security properties.

I

I come up with that.

F

Okay, great actually Steven, reading slide forward would simplify for everyone in this situation, because we have the text everyone on their opinion. Okay,.

A

But at a higher level we could we will get that. So the basic idea is that we don't want to be too prescriptive, but we do want to be able to mention codes and is that is that something that everybody is happy enough with I.

I

Can live with that.

A

So hearing no objection I think that's doctor we'll get to the text later, but that's our kind of go. So the second point, I wanted to I thought might be useful to touch I'm at a higher level than the text is the you know.

A

It seems to me that the output here of you know from the IETF, if not necessarily from the lake working group, is likely to be these set of requirements as a piece of text in an internet draft and CTLs developed in the TLS working group and likely, if this working group adopted at hoc that ad hoc produced by this working group. That seems like I like the outcome.

A

However, when the text we're talking about the ache as if there will only be everyone- and that seems to me- I- think two tiers up for a bit of argument that we don't necessarily have to if we just recognize reality that it's kind of likely that ad hoc and CTLs will both get progressed. Some levels at a different time line in different working groups and both try to meet the same requirements and I.

A

Think if we can recognize that and be happy enough leaders, not we're not saying it's the perfect I, don't but we're happy enough with it, and that might help us not get stuck. How do people feel about that kind of concept and recognizing that that's the case, I.

F

Think that's an excellent, excellent way forward. That's exactly what we want! America.

F

Yeah both suppose to have a compact version of TLS and an ultra compact.

I

I mean so not to put too fine a point in a Steven, but no, um like part of the reason why we printing effort in here is, we do not think, is healthy for the ITF standardized, a big pile of different aches, and so, if the outcome, ufo's basically pre, decides that question.

A

I'm not posing it as an outcome, I'm suggesting and and I'm saying it looks like that's the reality. That's what's gonna happen, so I'm not saying that, but what should happen. I'm saying that I I don't see how I think that's likely to happen. Put it there.

I

Okay, um I mean.

K

I

No going no I I was I was a little surprised to hear seconds as I'm.

H

Trying to process a well I'm confused here, because it seems like the chairs, are the ones who would be in the position of calling consensus on exactly this question.

H

So pre calling this seems kind of out of order.

A

So I mean Richard and Eric we have. We have a bunch of people have been working on this ad hoc thing for a couple of years. Now, hey I, don't seem to be going away. I mean what is your hope that that CTLs will just cause them to say.

H

Let's look at what the standards here are: Stephen leicht the standard for publishing and document is not that people are tenacious and they keep hanging around it's that there is ITF consensus, sure and so like. We need to clear that bar.

A

Okay, well, I mean if it's the people who are you know, if that's gonna, be a block, then we should I think we should recognize that block, because that's gonna basically mean this is a pointless working group.

A

If we have a bunch of people who are saying, I am arrogant for a talk and I'm, not gonna argue for anything else, and we have a bunch of people are saying. I'm arguing for CTLs and I'm, not gonna, for anything else seems to me that that's just taking this whole working group for failure. We can't resolve it, I think an atomic rate, but if the counters are, but that's basically just a nurse up for failure, not so here from Arizona I.

J

Think one of the waters for we are definitely or game for yes, Eric stone. We think compressed Els would be very, very useful and I. Think Erickson would use that in a lot of cases. I think I, don't think the compressed Els will be smaller, tamales small, for the moves constrained, iut, develop, spend but and I don't think it maybe should I think it should still be TLS.

J

Very much like to see both are needed so.

H

Yeah John I'm pleased to hear you say that I think the operative question here is, you know if we acknowledge there's use cases for CTLs, regardless I think the operative question here is and the reason we're doing this requirement document is. Is there a need for another protocol in addition to CTOs or can-can TLS, be made compact enough to to meet the requirements.

J

Seems like it's possible: do a gay in messages 451 by Laura bomb and by whole thing's dish that has significant advantages from any protocol. That would cause fragmentation.

J

We should reach that kind of small messages that it would probably not be anymore.

H

So I mean it may well be that that's the case, but I think the reason that occur and I have been asking for the precision in this document is to come to come to the decision that you seem to already come to the I. I. Don't have this, you know, maybe it's because I've been in the space for a while, but I don't feel for the end of like technologies.

H

But it's not clear to me that that's the case, given that even the early prototypes of CTLs have been getting in the same, you know within a small fraction of where ad hoc case. So this is why we need the precision in their apartments to do this evaluation that you know on this question. We're agrees. You can have an opinion already you and that's. What's fine, but I think we need to get consensus around the answer to that question and build that consensus. If we're gonna make progress here so.

K

If I could jump in this is benkei duck I think that John, the question that Stephen is trying to ask you is is roughly, would there be a case where CTLs is small enough, that you no longer see a need for ad hoc and what you're, just trying to say, is sort of you are acting like you assume? The answer is that CTS will not be able to get that small, and you know it's perfectly reasonable to expect that or believe that, but I think Stephen is trying to ask.

K

Is: is it possible for you to change that opinion based on some data that we come up with the future work.

J

Also I think the messages or basically exactly just as small as they need to be to get off my performance and I think there is message guys. I have not seen any code ss4c a less obvious that having another, including that of C board and another to document implementations. That of Jose, which already is daryun or score, are UT device would add whose size and complexity so I'm good. Oh god, I.

I

Mean sorry, are you done? Yeah I mean I was like I. Should I shouldn t agree with John's basic principles? Obviously like, like you know, something bespoke will obviously always be able together. um You know obviously optimize further than something to stop this book and that's clearly true on I.

I

Think the the yeah and it going to Richard was saying I mean the reason, but the reason we are pressing on the acquirements is precisely that that we don't think the we didn't think the objective was to have be as small as humanly possible, but be small enough like not to be within the performance cliffs that these environments- you know um you know a present and so to understand where the performance cliffs environments are. So we understand performance curve against which we're trying to design for us and and as you know, one for myself.

I

If it became clear to me that, like you, couldn't hit those performance curves without doing things that I'm not prepared to do or their tails working group that we're stupid, then I would be like okay script like go ahead, I'm. Not so, but that's not yet clear me, which is why I'm, hence my comments on loss goal document.

F

Although it may not have been clear in the document, but hopefully it is now, there are strict limits. Specified I mean there are how much each message large, the messages can be and I I hope we can come to at the end of this meeting to understand, but those limits are there and they've been there for for a long time, even if it doesn't think here, we have been discussing this for almost a year now.

G

You can summarize what uh what are the size limits. I think.

F

John did already so we'd like to have. We are again stepping in ahead of the requirements. It's what you'd like to have an aka one-bite Laura wanna, link, layer and II I'm hot six dish.

I

560 sure, but we know that it's not possible for any public key base for any signature protocol and therefore it doesn't have to be seen if you're me: okay, that's correct, but but presume, but like the requirements document itself says we have to have one has integers, and so the I mean if, if what, if what you wish design is a protocol which only is based on pre-shared keys, then like that is a different design problem.

I

But the document says it has to have assessed signatures, and so, like look, my point is like that: did they like that? No I, yes, I, understand like there's like a lower limit for the very smallest, most compact protocol, with the most compact type of crypto, and then the question is like whatever: where are, where does the curve of cost for like every incremental byte, an embryo Cremona message hum, and that goes process the parts I'm trying to get an answer to, and so III understand this 51 point.

I

But on this responsive that question because I said no, we we know we're gonna think over that 51 limit in a number of cases. Unless we're gonna say we're only designing a protocol, those fish are caged, so.

F

This is when I was said: I think I was thinking of real public keys, but.

I

Sure well III again like, but the document says we have to have a senior's protocol. True, so.

F

I mean so there's there's one thing that needs to be clear as well. There are many spinning scenarios to support, including certificate based scenarios, which are not necessarily necessarily would fit into these type of frame size. For for the cases, people are looking at, for instance, in Laura Lyons, trying to design a real public key based escape base.

F

That is important case to get the rule public kids within the frame.

I

Size, okay, I guess, I- find this quite surprising. Given the original designs of ad hoc. We're seniors for Beijing, therefore could not fit into this list and I think the only thing was only brought up quite recently, um I'm finding like I'm finding this, like it's very little puzzle like.

F

That's I mean that's since version one there's been mentioning of static if you have my dancing that you're a mixed basis and for the benchmarks. Well, what you need to address those with the raw public key doesn't say it has to be signature based.

F

So that's I mean basically what what we see here is that requirements are clear on this point. What is the optimal.

F

And we we have an existence proof for it actually complies with that. If there are multiple candidates well, we have had plenty of time to develop these protocols. You've been discussing this for many years now, how long time, or should we wait for core or and another candidate to appear.

G

Well, in all fairness, you have been changing your proposal over those years actually.

F

Those requirements has not come from us. Requirements has come from other when you say you have then you're talking to the entire.

G

You mean, as document also.

F

Of course, we have written down the requirements from the from the working group. Yes, I mean.

G

F

Talking broadly talk.

G

K

Document the protocol.

F

Is the solution we are talking about requirements now, I suppose.

F

H

Solution is gonna be considered by this working groups than their requirements are kind of secondary I.

F

Have a proposal and that we move to the requirements slide. Some of these are actually so you don't have to ask questions before.

A

I'm not sure, if you're on, because I I see that we still haven't of the basic underlying disagreement here, which is I, think that's the people who are arguing for CTLs are essentially saying we don't want to do anything. That's not CPRS.

A

Dpms is good enough and you know you're trying to make a case to say that there is a situation where CTLs can't meet the requirement, but I don't think we've kind of if we could reach agreement on that that that is the case and that therefore there may be a need for a non CTRs based ache and I think that what gives away forward. But if we don't have that agreement and I think we're just gonna talk, let some requirements X and then get back to exactly at this disagreement. Well, I guess.

I

But is probably true, perhaps true, but I guess, like the discussion. We're having right now, is precisely that when I'm asking for which is that, um which is that we have in application scenarios and um and we and we have some re-encrypt of scenarios, and then we have some set of um you- know PACA sizes, that some curve of like cost against against against message sizes and that we and that what we want to be saying is for each of these scenarios.

I

This is the target we are attempting to hit for for those scenarios, and so far we have as far as I can tell so so my understanding is, we have basically um you know, we have.

I

You know about eight different of those scenarios, ranging from PSK to signature based on to full signature based on both sides with certificates and that well I'm. Trying to understand precisely is the turning point with thee, but the message, size and message number target is for each of us and cells like well. I here is John is serving.

I

It started as your honor serving that the message target for two of those, namely EPS, KS and steadily Helmand, is three: if three messages each 51 right, no one that you owned by each or the rest of them think.

J

That the Helmand might not be on yet it's maybe PSK and or decay that is thinking, I, think the users of a que doesn't really matter if they use the signature orders that they have Monday care about the performance and and security properties. So.

K

Sorry to jump in, but it sounds like occurs. Mentioning. We've got this list of call it eight different potential. You know crypto matching ups and you're John you're saying that maybe you know some of them may not be relevant to the application and that's fine but I think occurs. The point is that of these eight and I'm, not 100% certain about.

I

K

Like two or three of them that we feel like we have these concrete limitations in place of that, we think we can target the three frames and 51 bytes per frame, but then there's another five scenarios in terms of how the the crypto algorithm primitives might match up that. We don't have the same level of clarity about what we're actually targeting and.

H

I would note that, even if we were just gonna do an ad hoc working group, we would need those scenarios to know ad hoc was done. um You know there's, as honnest pointed out, there's been a lot of change in ad hoc over over it's the time. The span of time it's been around as people have talked about additional scenarios and additional mechanisms, um so even just having a definition of done for whatever the protocol is, we'll need to know that sort of scenarios that are conventions and I guess.

I

Yeah I think that also goes to what they're worth the criticals required. I mean this document I'm looking right now, it says, like um you know, in section 2.2, it says neutral, public key authentication up so maybe need to be supported for our pecans to pick a basic dedication in the cases do feel Maquis change, hopefully, usage for these public keys and chthonic.

I

These public keys is expected, so I mean like if that's not right, this need to be fixed and if the Senate and the Bend be clear, if the scenarios are that we no longer care certificates, all we care about is like raw public keys is like true is exactly just scenarios, namely PSK and raw public key sorry, pivot, PSK and then rock public keys. There are statically, fianlly, proper keys and, like wool and like we should write that down and then I'm like and then look at where we are there. So.

K

I guess echo sorry to jump it again once more, but I could for this list of scenarios. Do you think that I was currently in the requirements document is intending to be that list or as close to that list, I thought.

I

It was but now but but now I'm think I'm hearing. Maybe it's not.

J

I would not say that certificate is those sculptors interested in that, but I would say that if we prioritize something it should be P escape routes. Elliptical diffie-hellman and/or became those elliptical of the famine because things that or what a very constrained IOT device deployment is likely to to use because it's what they can use. It's also space where it lacks where the world lacks a really compact, efficient.

J

Aka overhead starts to make meaning.

L

The law to your certificates or sure I, I, guess I'm actually trying to like um I.

I

Mean I mean so so III don't know how I don't know how we got like I mean I. Think you know this is like. We've got here, sort of a security sprout, but on.

I

But I guess I'm wondering if perhaps the the answer is but like radically Dscoop this hard constants, like I, mean if the so your users wasn't earlier, which I didn't follow up on, but I was interesting, which is effectively that we have these. We have these situations or people are doing. um You know on your raw raw PS case now right and uh are they're doing with keys now. Yes, how are they what you were teasing for the ache? Okay? Yes, no! Sorry, I'm, sorry, sorry, the the application scenarios!

I

This is intended this place or ones which people are using. Just like nothing or like just shared keys right.

I

F

Mean currently or what well, this yeah.

I

What what is what are thee, what do they do? The application environments in which this new technology is intended to be introduced.

F

So I mean what I know of this is.

F

Because Ericsson is not a member of Laura Lyons, it's a rumored that there is going on work on replacing the PSK, which is currently used with public key based, authenticated.

F

Exchange provision the Pierce case to be used, but that's that's one of the they they're really looking for something constrained. This is exactly the type of setting that we are. There are other settings as well. People would like to move from. It is a based provisioning scheme to a public key division right.

K

Really do we need to like go through this list of eight things and say like what are people doing for this now, and what do people want to do with this in the future?.

A

I'm not sure we we do I mean it sounds to me like what's require is an existence, proof of a realistic scenario. Ctls come up nice.

K

For the question that you have been attempting to get us to stay on topic for yes, I agree, that's the case, and if we're going to try to answer that question, then we probably only do need to care about there's one or two most minimal of the eight scenarios. Yeah.

A

And I think leave I'm, not sure of that this entirely, but I believe that the feeling of the people proposing yet walking for they've already done this. That's what they've kind of been saying to me and clearly that's if they have already done it, it hasn't kind of landed, because that's it's not perceived that way. Sure.

H

I, like Ryan Parker, the reason done it. You know the there's not agreement that they've done. It is that there hasn't been agreement on what it is. I thought that was the part of the point of this document. It's to establish what the target was, so that one could evaluate whether or not in fact, Ed Hawk was meeting all the things they they they people apparently assume they do me.

A

So, rich and I think that's kind of right, but I mean whether the idea of a requirements document was ever a good idea is a different thing. I think what we're getting down to now is that is, if there is an existence, proof that there's a scenario that's realistic cannot be met by CTLs. Then that might give this working group away forward. Do we all agree with that? If the.

I

Existence proof is there sure, but I'm, not I, guess I, guess I'm trying to avoid creating serration like it and bound them I work for people on which I think you know just even um I, guess: I guess like like I'm, just finding I, guess I'm trying to find a little confusing trying to figure move forward, because um when this work was first introduced, um you know there was a lot of um you know there was there was a there was a lot of sort of you know, measurement of scenarios which looked to me like they were isomorphic to TLS scenarios, but were designed to be much more compact.

I

So you know it would be like well, it's still Sigma and they're still signatures, but there's you know but but like we're, gonna like have the students assumes that a band and we're going to compactify the messages or you know on etc, etc, cetera right and if the, if the notion instead is that um and yes they were like, we were more BK, but there's a pile of things right.

I

So their whole, like, like list of like I'm like I'm, like to stuff, which is the very good kind of thing, likes to kill us at a specifiers. It would sound like a framework for like doing on one things right and if the truth, that matter is that all the really matters is um is like well public keys and exactly to exactly two modes, which is sure, sir tsks, and defending a development and raw public eats with static static, static, static, a gentleman um and like no.

K

Those are tapas.

I

In scope then, like it doesn't start to seem like it might be appropriate this line a new, a new thing that was designed like not to have any sensibility only do those two things and nothing else. Given that, like you know, you know given given that, like those are not like things and I, think you're in the court area or TLS is trying to work, and so like I'm trying to for real I got like, but then there hey.

I

This document, like is the document like, has like a specification practically like a protocol, which is what has.

K

It requirements Edwards.

I

A protocol which is like essentials, invincible, steel s and like covers many, the same application areas, and so I try understand what those the real crime is, or the other or not, and particularly like it like says certificates it. It says like signatures, it's like. Oh, this is real or they're, not.

F

So there are requirements for for or the setting where you use mixed potentials as well. Mister.

I

Angels being raw public, he on one side in PSK any other or seen the certificates on one side or what any were mixed. Mixed public keys.

F

Would probably keep someone scientific transmitted.

G

That doesn't need them. The size limits. The problem. My problem is always like and I've seen this numerous times is at the beginning, everything is portrayed as lightweight, and then you have all these. It met already at the fairly early stage. You have this laundry list of features and then you only add more in in a split second, it won't be won't, be this small anymore I.

F

Think adding more features doesn't make it less efficient for the case when you use that ecstatic, but.

H

F

H

She had to give on those features right.

J

Well, TLS implementation typically implement basically everything TLS 103, a lot on to suit hundreds of sizes suits a lot of extensions. That's not the case for very, very, very constrain. Our UT devices expect them to really implement PSK authentication and they will use. They will probably not support anything else, then exactly what they may not that's.

G

True for web browser-based implementation, if you, if you look at an embedded in implementation, it's of course different, because you can sort of compile out some some of the code that you don't want.

G

The flexibility there is some cost associated with it and and I don't see how you meet those requirements standing in the sort of cases that you have outlined.

J

I think there's a difference between complexity and this in the specification and complexity in what you can use to actually implement implement. You can choose to implement just a small subset right.

A

Can I interrupt this chair if that's okay, I'd like to get back to if there is an existence, proof that we need something that is not CTRs I, think we have a way forward. If there is no existence, proof that's acceptance and we don't have. If we don't have consensus that existence, whether existence proof is there and I really don't see much your way forward, because I'll just keep repeating this discussion.

I

Well, I was: um what are you talking, I'm.

H

Just gonna ask what existence proof to you means you just so I understand.

A

So I think you and Eric we're asking for you show me the scenario where CTMS cannot do what's needed. If that, if a realistic scenario exists where that's true, it seems there is a need for another protocol and ad hoc is proposed, and after that we can discuss whether it should be extensible or how much Croft it should get well.

A

Unless we get to the point where we know if CTMS and something else or CTRs is all it's gonna be done, I think this we're just gonna, keep repeating this discussion, as has happened for a year or more sure.

I

So that's why I'm trying to propose a different, a different way of thinking about this cuz either, which is that um so I hear you're saying um but I guess like what well the reason as I sort of said. The reason that I primarily interested is in Italy was I. Think it's unhealthy for the ietf, just a large number of like big on it. Protocols.

E

Is that be maintained, enlarged.

I

For us on or ten, we already have two. We already have two mate frankly, like.

E

So more than more than more than one well.

I

More than two or three, which we already have more of right, I'm just looking up, we have we have Ike hip.

E

And TLS and SSH.

I

E

Mean I'm just telling you I'm.

I

Just telling you when we wanted to add it was a multi-year effort. Nearly add new crypto got new cut, lived, a curse to hum to to to protocols right uh-huh yeah hold work, there's always were a dope to Kirstin protocols is bananas, and so, like the hum.

I

So now that, like to my philosophy, everybody else's philosophy, but um the but I that said, if we have a and I think I think why think it's expensive is we have a winter general purpose protocols, and so, if there's, if there's an understanding that like actually, this is designed for like a really special set of use cases, there's not like a generic system that just happens to be slimmer, then I think it like make sense to try to carve that off and be like hey works.

I

Gonna do that, but when I read this document stock in this is it is April. Crime is document for lycra generics and abuse cases. That's what giving me heartburn and so, if, like it and so I think I think I, don't know if khakha Bell wanted to be on the on one of his.

K

Thing really de microphone, but.

I

um You know I, my suggestion was attempt to let them narrow the scope here um and um and if the school board, much more than it be I, went easier to see how, like it made sense to have like a custom protocol that, like only did that wall, wonder who thinks so.

A

Here speaking, prayers in the record I mean I actually have some sympathy for that argument, but I don't think we could claim that it has ITF consensus that they're. You know this I didn't say.

A

That does make another say, not duplicate, sometimes I.

A

Can connect mapper it's my understanding that the the ad-hoc proponents believed that they have provided that existence. Proof. Is that much too much you guys believe pretty much: yeah, okay and and Eric and and Richard, particularly and others I'm in a course. Obviously you guys, don't you see.

J

A

But that's the same criticism that people are making. It has changed so I think you, my understanding is the ad-hoc proponents believe that they have offered an existence, proof that there's things that you can't compress TLS to do, and my understanding is that the TLD CTLs proponents do not believe that they have seen that existence. Proof am I correct about both proponents positions. As of today.

A

You don't think you've seen this existence, proof that there's a thing you can't compress TLS down to or do you think that there is such a thing? I mean.

H

For such a thing to exist, you would need to have a clear statement of what the thing is, which is exactly what Eric and I were asking for in our last call code is well.

A

Actually you're asking for a little bit more I, think you're asking for you know a range of a panoply of options or the full kind of description of the environments. But if it's an existence, proof I think that's bit more tractable well, I.

I

Mean I mean this business back to work. This point I, think about weight, bet that choosing between two things person and when you're done, um you know um I mean haha so I'm yes, I mean it's only be the case. What so they certainly be.

I

Certainly the case that, if like there was a demonstration there's something that, like one couldn't do on by something down TLS without doing appalling things that we were going to do, then then yeah then, like we said today after you have to say like that, is not a viable path, but I wouldn't tell you if you're done, if, like you, have eight different applications, nurse or five or whatever the number is and like you've, no idea what meeting those operations means right.

K

Can I jump in so I think occur if I can sort of train paraphrase? Maybe you were saying if the only use case that we cared about was exactly the symmetric, pre-shared key case, and we did not have an ad hoc that was also wanting to do rob public key and certificates and all this other stuff, and we were just focusing on symmetric, showed PSK.

K

Then it kind of seems like we do. Have this existence proof that CTLs is not a good fit for that. Would you agree.

I

Let me try to LinkedIn, you want it a little bit, I think I think we'd. Have it I think that um what I would say is that okay, I think your actual print thing you gave I think it's probably right, which is to say like. Why? Would you pull in all this apparatus of all you wanted to do with that? Alright and.

K

I

Just want to clarify that I. Don't that's not a concession that CT also to have it does not have messaging there. That compact, which is not true.

K

Okay and so then I was gonna, try and fall on to say, but no once you start on adding other thing, other use cases into scope, and it requires a lot more flexibility and options to be able to do or not do different types of things.

K

Then that gets you worried, because it's no longer this very limited scope and it starts to look more general-purpose and once you have this flexibility in the apparatus that you need for a general purpose mechanism, then it's no longer this very narrow scope and it looks a lot more similar to EOS.

I

Yeah, so the use case is that a general purpose- egg, like TLS or I, get designed for yes.

A

M

A

Song, what I like what I think I was hearing from Ben's find somebody there was there kind of. Is an existence, proof there or a live very limited scenario. I, don't mean to say we kind of all know that if somebody writes a program defines it a protocol for that very limited scenario, it will extend to do all the things we kind of know that that's kind of inevitable, I, think right and that causes were worried.

I

That someone um not really no I, think I mean the thing. The thing that made the the the part of Ben's thing that I found compelling was the on with the specificity, what I mean so that the really it doesn't make. You have a very limited scenario and you're willing to commit yourself to the only operating furloughed scenario, then taking a then under certain circumstances, taking a generalized protocol and slimming it down to that may or may not make sense and well I was saying: was it really?

I

What you wanted to do was PSK, and um you know, and if you home in the hoisting, the even the CTLs apparatus in a very wanna make sense, but that's not that. That's not that when you, but the reason that the reason I've found it that's not proof of this is you were talking about. Is that when you stack on the other application scenarios on you know on I listed in this requirements document the the limitation which motivated that conclusion no longer holds.

E

Three or four years ago, I think we need that exact determination. We looked at TLS and said: I, don't think we can compress this at all the way that we would like, and and so we created ed, Hawk and and then we got this multiple year long well, we can make TLS work for you.

G

Many of the things at the beginning of a misunderstanding also, where Els sees and and how it can actually be used. Remember that there was a lot of effort spent in embedded at Els, implement implementation. Centers I have been used for many of the IOT platforms, and obviously people learnt the last on what works and what exactly.

E

I and I have and I have deployment experience with with your code and problems getting it across networks. Okay, so I mean yeah, we tried and we failed.

K

E

Like DTLS, we need something like CT I can help you the problems with the cook.

H

This attempt earlier attempt documents it somewhere because.

H

E

Make it work? No, he didn't.

K

Attempt to make.

E

Dtls work on on coach fret on constrained networks. We failed and said gosh looks like we need to do. Edie hawk as I. Don't think we can push through something like CTLs through the working group. Well,.

I

I guess I, don't remember: I, don't recall anybody coming to me either for today anyway, CTOs, which I wouldnt, when the first people ever come to you. What I saw was a proposal to do the entirely different. So.

E

Because because we actually did the work beforehand right, we actually did the work beforehand because you're, not the only person that can figure out how to do. You know bit of crypto right, so I, don't.

I

Member calling fine yeah Michael we're.

E

In this situation, okay, where it might be, the right answer- is that we should construct. What I don't know is is do I need to create a compressed version of TLS, which is cryptographically and functionally equivalent to TLS, or am I allowed to trans transliterate, that into something that looks like TLS, but but isn't actually compatible with TLS Mike.

G

Let's be unlike this is sort of a history lesson a little bit, but at the beginning it was actually the story was portrayed as this is the application layer, security solution and we are using it on top of TLS that actually has prevented a lot of the tls community to even look at this, because they thought that this is something unrelated.

G

Only much much later years later, we finally found out that this is actually supposed to replace TLS and become sort of like the DLS, with four different coding. That's why we are here.

J

Never had the plan to replace TLS. This is meant to work in use cases where Tina's obviously doesn't work very well. If you try to use current DTLS, uber becomes very constrained. Radio, you will it's not fun, wait. Well, that's crucial, and this was not only the earlier already from the beginning. A clear goal of this was to reuse Cosi. We felt like we have causing these devices. You.

G

J

G

Here, let's also, let's see what we can do with it cool. So that's the next misconception, because just because Oscar uses cozy, it doesn't mean that all of this traffic supports all of cozy and you don't have Cozine in in the devices I think you randomly mix stuff together. You don't even have co-op in all devices.

G

F

This is this, is this is arbitrarily put things together? This is a no score implementation, we're assuming because we are building an aka for Oscar. It seems many of the city as people are not at all interested in that part, but that's for your information and and what we have is exactly a cozy encrypted. We have algorithms and we have co-op and we have Seaborg well at hoc. You need much much more Sun cozy, which you don't have on the device.

F

The fact is that this is very tiny extension to if you have cozy, Seaborg and co-op and that's one of the points but I don't think we should discuss the cozy part, because that was already item one. Then we are on item two in in sub-bullet Cibola in item in the agenda item. One I think we should leave that and get back to quantification of the existence proof, because that is what might lead us forward. I'd, like also to add the time aspect here we have a stressed timeline.

F

People have implemented all score in constrained environment which takes a long time and they they want to have an a key exchange protocol securely application. So I think we actually should should take care of all the time we have in this progress.

A

Okay, so the last I heard that I think I could summarize. There was a kind of an acceptance that they there is a niche there that this existence proof could exist in or could fill that existed. Sorry, let me start again there. There is an existence, proof of a thing that you couldn't really compress TLS for there.

A

The last statement I think echo made was that if you try and define an ache for to fill that niche, you inevitably will extend this to the point where it has to have enough mechanism that really you haven't filled a niche because you've done. Is you end up doing as much as CTRs tones? No, you said that I'm trying to suppress what you said on.

I

Tracy explained quite different, actually, which is that on dad my concern about this.

I

This document, this requirements document and this in this process, hasn't predicated on the idea that there was gonna be a we're gonna sign it like a generalized ache with like a whole bunch of knobs that basically did a whole bunch application scenarios, and that is a source of my concern and if, um if, if what ones that is being proposed, which I thought I heard, John Nelson saying earlier, was a much more simpler set of protocols which only does about two things, which is say RPK and PSK, and is not intended to be generalizable.

I

This is for category of things. Then um then it might possibly be the case that it was attractive, design, saying new, rather than trying to like sometimes languish as much potentially much more done and.

E

So I we thought we were doing what we're doing what you're just the second part, Acker I always thought. That's well.

I

I mean this is the spread, this I'm reading the readings requirement document and it like it, has like three different ways to curious: difficut s-- um it has, you know it has signatures and and and and let me start it be home in you know.

E

How can I have.

H

H

Different scenarios, this requirements document visions the.

I

H

Feel it's my doing are.

I

Are by reference um in line in a in line in a in order to listing in line an ordered list.

F

So are certain important cases which are by reference certificate by reference.

F

These cases, where you identify public key by a hash or URL, those cases are clearly iot use cases that that's it's no construct. It's dripping down the protocol or removing those components from the protocol, because that that will not be fit for purpose. Whether we need to have some what kind of deployments we are looking at. There is a wide variety of iot settings and, as I mentioned in in or I think, it's actually one part of the the credential section.

F

Speaking about a we've heard companies mentioning this deployment path, where you start off with the pre shared key, and then you, because it's perceived as simple to do starting point and then you remove like Laura Lyons, is now doing moving to a row. Public key based provisioning would like to take perhaps the next step and add certificates that might not be in that application, but other applications. They want to go that path so saying that this this protocol must not support signature, or this must not support certificate. I.

F

Think that's a that's, not the right starting point, but we could. We could, of course, try to prioritize the the scenarios which are most relevant for IOT use case. Okay,.

I

Steven will now run the scenario like bit. You in Aikido yeah.

A

It's inevitable, I mean it's that's gonna happen and and yeah.

F

I think it could make sense that I mean starting from the starting from the point where you actually have.

F

You have a a simple application, simple setting with with the pre-shared keys with like no an implementation of all score and you'd like to the natural first step would be to add a PS k base 8, but that not might be optimal from a security point of view or deployment point of view. There are migration paths to consider as well sure.

I

I agree: I, agree that but I guess um right on, but I think I guess what I was trying to say but I mean, but the point where what you're proposing to eventually built is it protocol of enormous enormous amount of flexibility sensibility for a pile of application scenarios then, like yes, absolutely gonna, create those things one by one or you could start with a protocol which are somewhat more general and slim it down.

I

And it's not clear to me why one would think that, like a queen, then one by one starting from heat frame from nothing, is the right way bill.

F

There's very clear is that we need to support and that's that these scenarios, where you are just using real public keys and visually those muscles supported. So that's sure you can go any way you like, as long as you support those sure.

I

And I think I think the point return I are trying to make is it is that we believe CT else can support those use cases and when they're colloquy can been in my earlier was me saying that it seemed that that was a lot of complexity of inches a lot of capacity to his work. If the only thing you care about was accused cases, but if it you actually care about, it's like a much more safe use cases consequent in this document, then suddenly that meant that comply. Sorry, miss Othmar, subtracted, I, think.

J

The protestation is clearly Orbach a.m. and PS Cadiz all day. He saw the reason for the hooks existence and I think the further you go in the other direction. If you have certificates with signatures, then I think then you will not have much method, not the difference between head hook and CTRs when it comes to latency a message size.

F

K

Mean it sort of seems like we have two different loci loci of functionality where you know, there's a core area that it really is is the primary goal, the primary thing it targets and then it sort of creeps out or extends a little bit from there with that Hawk being this sort of, maybe we focused on its origins as the pure PSK or Rockwell, the key thing and GL s, of course, starting out from the very full-featured web scenarios, and yes, it's sort of possible for these, who have Oliver get morphed or crunched into some other scenarios.

K

But there's I can overlap with the distribution between the two of them and I.

K

Think that's the the space with this heavy overlap is, what's being so problematic for us to think about, but I'm sort of coming to the conclusion, which could still be changed, of course, but if we do have a solid core of work that we want to focus on that, you know has the very constrained nature in terms of being the pure PSK drop of the keys, it feels fairly natural to define a protocol that works for that and, if it happens, to evolve into something a little bit more extensible as Steven is saying, is inevitable.

K

It's not entirely clear how concerned we need to be about that evolution, given that it has its origins and its focus in the more narrow case, and it just sort of if somebody ends up using that in the the broader signature certificate case, because it's easier for their deployment because they're already using it. For other reasons, I, don't know how concerned I should be about that.

K

Similarly to you, if someone is already using TLS and they start having the smaller devices and they want to pack it down a little bit and get into a new use case scenario, but also it's not seem very concerning to me.

K

And yes, I agree with with echo and Richards that we should not go into things and say our primary focus is to produce a general-purpose ache.

K

K

But if we have a core focused point of work that we want to start with, and we could say this is what we're gonna focus on for now and it might be extensible in the future to do some other things, but we're you know it might not, and if it doesn't end up that extensible, we still think that there's value from doing what we're focusing on now, like that sort of view, point is something that feels reasonable to me. But I, don't know if it's the case for everybody.

A

So does everybody? Does anybody want to question Ben's description there or is that his band's description other way forward something we could live? Why.

I

Don't quite understand what it means so I mean: does it mean stripping out basically the signature, signature and certificate modes of this protocol departments I.

K

Mean so because I should apologize for coming up with something off the cuff that is vague and hard to follow, but I think it sort of touches back on a point that I had started to bring up earlier, which is to sort of consider what are the current and future expected use cases and are not youth kid? What are the current and future expected deployment scenarios?

K

A deployment scale for these eight or 17 or, however, many different combinations of crypto primitives, and if it turns out that the only ones we know actually have current deployment or near future deployment? Are you know two of them? Then?

K

Maybe we don't need to spend a lot of time on the other 15 in the requirements document right now,.

A

I mean then I would love that it's out provided right forward. However, I I don't know it, it's possible to write a protocol that can't be extended into the areas that would cause concern to the people who, like CTRs I, don't know.

K

If that's actually possible, I I agree, it doesn't seem clear that it's it's possible to to write a protocol on that way, but you also don't have to write the protocol and spend a lot of time on the full generality of things. You can say: I want to write a protocol and make sure I get the narrow bits right and sure it's gonna be possible to do the other stuff with it as well.

K

But I can worry about how did you that properly later and if it ends up being kind of janky, because I painted myself into a corner well I have some other options for the more generic scenario.

I

So I'm certainly not like trying to argue with design a protocol which, like no one, has any idea how to extend ever. That would be unwise, um um um I'm talking out what the I was liking, what the requirements documented and hence the implied charter for this work, is um right.

K

And I think your point is that the current requirements document is very generic and it doesn't give a sense of what is the focus versus? What is you.

A

Know we're throwing.

K

It in there, because we can.

A

But that's the nature of the IETF process right when you have a bunch of smart people who are saying well what about this? What about this? The people keep adding to the requirements document. That's just how it happens.

I

Okay, well I mean but then but then then then I think the question is: if it needs to be cut out, there are not I just look with this work or.

A

To try and characterize the way I think Pam was trying to describe it. There is maybe there's a missing requirement to say. The focus here has to be either on there really kind of tightly constrained. Very you know: PS k, +, RPK kind of modes or on a generic thing and those no those may not be the same solution.

F

I

Guess I this may be a way for that. This is a natural candidate text, um but um I mean I I guess this is something that we referred.

I

Sorry Eric, can you repeat that last I said I said this sounds like a key way forward. I have to see some like some. It's some clean, concrete.

A

Okay, so let's be optimistic for a second, so people, please start typing in the jabber room in the WebEx chat on the back of your hand whatever and see if you can cope with some text that tries to express that.

F

In real time, or should we give some an action to produce that text, I was.

I

I was actually hoping we could do it you're on your suggestion, because I also hit one conference calls.

F

So you want text for what are the prioritize use cases? I guess.

I

I guess I was I, guess I'm not very difficult, but like prioritize it in the world of looking for what I'm looking for is is is heavy, is having this work scope down to the point where it's not a fully generalized ache for like let the end uses cases for currently specification, not in order of operation there, what they won't be designed and if the, if the idea is that we're gonna first like design.

I

If this is like an open-ended charter which is like well we're gonna fight for his line, PSK, then, where does that hurt, began organizer difficut, then we're gonna design a short end, glob like no. That's like not I'm, not cool with that. If it is we're a designed this thing and then maybe something later will retarted accents and stuff, then like then, maybe right but like.

I

But my point is that my point scope with this of the this specification is like a fully germ, awake right and and and so like they go back to the with Mike Michael we've been quite a bit earlier, like that seems to me precisely this in area for TLS resigned them so and so, like I'm, not really going to concede. There's not an appropriate use for that use case. I.

F

Still don't understand, we have. We have problems, a setting where we think there is no good solution today and we don't see any other solution. So what why but prioritize use cases and you need to comply with those? What I mean that that would at least be the so the disco where, where you can sure.

I

I guess I guess what I'm looking for yo, I'm, sorry well, I'm, looking but sorry so I thought would, if I understood what Ben and Steven were attempting to accomplish. It was to create a target scope. That would be a target scope, not for this working group specifically, but for ED hoc to work on that.

I

Then the people who, let's say the people who were interested in CTLs, would think was a sufficiently small scope that they would not be interested in pushing CT loss for it is that your try to accomplish, even if we can accomplish that I would be happy yes right and so um um so just taking just taking a list of things in this document of prioritizing them doesn't solve my problem um and so now contract.

I

Now, in my last comments, what I was asking for was a you know was for each of these cases a set of like numbers that we were supposed to have targets um which I something me valuable but like. If we're only gonna do two of them. Then, like the number of targets, we need much smaller.

F

So what was exactly wrong with Ben's statement that we target certain use cases where, where these eighty, this okay needs to perform? Well, if it happens to apply to two other other cases? Well, what's the problem with that.

G

In order to get there you have to essentially, if you want to support all the use cases, you are designing a generic.

F

And exactly what is the problem with IIIi.

I

Thought I should be myself, I think having the ITF, a big pile of jr. gates is bad. Okay,.

A

So I think we have looped around to the top of the error. This artwork all again sure.

I

A

Anybody I'm, just noting, however I think was just before that we almost got to do a possible point that might bring progress so so I think it's not too. It's not kind of prioritizing I think what we want to say is that there's there are some. There are some niches. There are some kind of deployment scenarios where we don't believe we can compress a generic protocol in a satisfactory manner.

I

I'm sorry I'm going to concede that point Stephen, um um it's the sizing, much more much more much more nuanced, which is that it's not worth if all you care about is one very small set of use cases. It's not working only the effort of like hoisting in a generic completed compression era protocol. That's a different statement understand if we're going to be designing for eight different use cases, um and even if any individual one only uses one like then I think I think compressing. Jari protocol makes a lot of sense.

I

I can try to try to write that out in more detail like I, just like it's really important to be present. What I'm trying to say here, because I'm not saying we use, you said.

A

Okay, I agree with what you said and I agreed what I said.

L

I

I'm just trying to figure out whether or not we're not we can plaus went way forward on this call right now, um so.

K

I did write some text at the bottom of the etherpad. Oh.

I

B

I

K

It's the type of text people are asking for it. Oh.

I

I'm glad we had that I was like actually waiting for pageants stop stalking like I've like lost it.

E

I'm gonna pull it up above into.

I

The float oh wow, we're like we're like cleverly, adding our names that the ghost ate the crowd, I.

I

Mean I would have to study this, but this is this is in this is the zone of what I was thinking.

A

So Mike I guess so again it's perhaps this is text that we just need to take to the list and I consider.

A

Does anybody have a immediate comment at this text seems absolutely crazy or absolutely wonderful.

A

In the background of us, he doesn't like it. Yes,.

I

My five-year-old think my five-year-old is concerned about accident. Like acts I mean I mean like this. This approximate I was expecting based on what Ben said and I, don't think that's a little more product. This is like in his own of things. I was thinking were more sensible.

A

Your honor John, have you had a look at her.

J

What Ben said before it was very good day.

I

I really I'm sure people do hate being a specific read something on the fly, um so I I was just that we like like this is this is text like which, like I, can think about for a little bit.

I

It's look at her eyes and think about a little bit too and uh Richard Roth, so I think like I was just with her circle by email and then and then perhaps he can schedule an or call um I if needed, to try to hammer something out and it feels like it, everybody if every like this is garbage, then we don't need to do right. I'm.

A

Fine with that, it's okay, so the the action and, if Michael get in these bad yeah, the action is, you know we need to send this text the list as people does. It seem to make sense as part of the whole thing and possibly.

I

Circle back and have another call if needed, I'll commit I will commit to to to reading this carefully and chatting originally and coming back button like the next few days, with some more thoughts.

A

Okay, great and I think I think we covered all three of the points I wanted to cover in all that discussion, think and yeah so I I. Do we want to proceed with the agenda as previously planned then, and thanks for for all the discussion, I think it's the key kind of disagreements that we're trying to get over here. Do we want to potatoes planets with the requirements slides?

A

I

Yeah it'd be helpful, saying there were some points that we're staying in to.

A

Just try and find one second.

A

Look like you expect it to yes, okay, so say next slide as you need it next line. Where is it now.

I

Didn't work you're on the same slide.

F

N

F

We are in submit version, zero to reduce Christopher, would Richard Barnes, there's Cora and mr. Feeny, this posted March 24th, and there is the github branch working on. There were some update to comers from a career last night.

F

Right I, don't think.

I

It's just like like like when we, when we get through like it, let's, let's just be sensitive to as we go through this things that were just recapping the discussion we just had and not do them right.

F

And I think also in. We should think for each comment whether this actually has to be solved in the requirements document or whether this actually more belongs to design phase sure.

F

So here is a new formulation in case you haven't seen it so it's they shall, it says, shall specify how to provide cozy algorithms to all score, and then there is a recommendation because.

F

Duplicated implementation, but we can go, we can sort of it.

I

Sound like we asked Josh for that. um The rest of this looks fine.

I

um Well, sorry, the next and this last bullet point I, guess, like I, think there were two points here right. um One is like whether or not this should be roughing Jose and the second is like what actually should uh should carry but I propose. We punt this because this seems to be the core of any suggestion, and so just what kind of role.

F

Makes like please I.

F

Think this is just that's an.

F

Identifier, this was put in by Karthik I think this is the purpose of this session. Identifier is for formal verification to note that connection identifier is now removed from the draft, so.

I

Karthik's online poker is usually a crotchet kennedy style session identifier, that will you man, when you.

M

Do want to agree on a unique identifier for this agreed-upon session, that sort of notion of freshness. You cannot just use the same strategies and generate a session key that session. To me, the first session identified the point of this particular session. You need that good, formal proof, but also more practically. There should be something, and typically this is a transcript. The transcript can be thought of as a session. Identifier in this particular sense.

I

Let me just you see, we did we try to solve this problem in TLS meter see we did it there, because I think I.

F

Mean yes, Kartik said this is when you think about. Maybe that's not what you think about it's like a transcript, rather than yeah,.

I

He said so we had this. um No, we we actually had this because, like we talked about with both what the informal angles were, I just find the damn thing hang in a second. Let me just I'll, take a look and try to find some text like I. Just I find this very confusing to people very confusing, because I wasn't sure what I meant, but, like all for some texture, that's not a problem. I I agree objective.

F

Right so then we have the discussion about mist bindings, and the note here is just saying that we do want support the case so, for example, I should public key or the public itself, though both of those things are.

I

Right so the issue is Karthik I'm trickin I get this more light than I can, but that, if you treat people's public keys as their identities, then you get any miss finding problems um because it's pop, unless it, unless it's impossible to register what key for don't have possession- and this is the heart of like what Sigma uncovers right, and so the classic way to do this is do is to include the identities at the endpoints inside the transcript itself.

I

But if it is the endpoints or merely the, are merely public keys, and you don't get that, then you don't get that property and so on. That's what that! That's the reason I'm pushing on this now, maybe we can just like him with the Sun, but that's the reason. That's what I'm pushing on I think about my represent equipment.

M

More generally, whenever we talk about authentication, they have to talk about identity and what identity of the two parties are and open, because you have so many different ways: identities, including the top of the key I. Don't think this is going to change, but if there was some notion kind of a global identity that you could use, I think that the devices knew about each other, and that would make this much more explicit.

M

I agree that there is a concern that, if what we are agreeing upon is the key, but what you really want to agree upon both the identities and there is a myth there is a gap between what they are, what indicating and what you wanted, or did it I mean if you had only one mode, it's very easy to make this very precise. If you have three or four words, and you have to be careful about what is this notion that generalizes across PS case and RPGs and certificates?

M

F

So that we need to change the requirement, I understand assisted an issue in verification, but do we need to change anything in the requirement here or in the text? um I.

I

Guess I guess I'm only know I'm going to let this go, but I think when we actually try this protocol design, we're ski important understand and actually I mean like so to be clear on what 7250 and TLS has this problem right, which is a you, could just name well 10 to 50 name are P K's um has the exact same problem or, basically, you know guarantee miss binding. So we actually do the protocol design.

I

um If we with any kind of our PK, it would be important to stipulate what um what were the guarantees I mean to provide all um but I think we just put a pin in that I think that I.

J

Agree with everything said everything that you solution need to match, what the actual deployments or and what what kind of identities can they provide? What is reasonable to them? A Kay.

A

Yeah, just you just wanna check John and your honor. Are you okay, with kind of taking your own notes or going back to recording for this? We're just Michael has to move I go off to another meeting, so I think we're you may be losing your note-taker take notes from here. Okay, great thanks. Thank.

F

You next please.

F

This is the new replay protection formulated by yeah, something similar like that. ah That.

I

Was good to me, I could I wasn't able to find that um good I didn't understand the branch but Alice fine.

F

Right so yes, this is, this is certain.

F

Property that you don't really verify I.

F

Mean you basically just verify the public key I mean this is related to her identity.

F

It's only verify that the public key, the signature matches the public key, but you don't verify that the public he actually is the identity.

I

Then Karthik yeah I think you were this. What did you mean.

F

No, this is not party, oh.

I

F

Can't blame him. Oh I was in the pointing.

M

So I guess there's two questions here. One is about authorizations that you want to make sure that this is the identity who actually want to want to talk indicate, but the other one seems to be trying to read this text carefully.

M

Both parties should agree on the identities of both parties, since, if somebody authenticates to me, if Alice authenticated to me as far as the protocol I also need to know that Alice intended to authenticate it to me and not to somebody else and that sort of related identity was finding well, it's kind of called recipient authentication, not just send that authentication. So I need to know that both parties agree on the identities of both parties. I'm, not sure, that's exactly what is being said.

M

Yet, oh, but no, it would be a natural thing to say you.

F

Propose so rephrasing here, maybe we actually.

I

F

I

It a shot, then we have some crappy text for this in a 446 I think it's like we did but I think sounds like you. Don't know what to do. I agree. That's good! That's a good! Technically to get it.

F

G

F

This is actually your comment is about the third paragraph: if s maybe in different ways right so.

I

Actually I'm sure I heard yes right yeah. So this the proposal looks fine and- and it's often read- looks fine. The UM the the is the reason that I'm, like the well I mean read my comments very quickly, but I think I was trying to get out here. Is that there are. There are non protocol designs on that.

I

The way you actually build, your plantation, that um that learn that leads of like compromising PFS as an example getting any kind of ticket based reduction scheme, and so, as I understand, we are specifying resumption here, which means that you might then IQ possible ability can pick up age reduction scheme which case you'll, be violating this rule, and so I understand like what like?

I

How do you actually write this rule in a way that seemed sensible um like even if you do, even if you do like um I guess so, I guess I guess if you're always doing to me Helmand then you're gonna say you know this problem um because you don't deserve TT, so maybe I'm, just like a man to protecting, tell us behavior on this. So if we're I guess going back the previous thing, you said there was your RTD and you said it's always doing defeat Helmand, so we rockin her.

I

um So what so in the I guess are we thinking? We were design resumption mode, the didn't the feel Minh or that would you be hoisted not under on the OS Lauren. So we wouldn't anyone.

M

F

We haven't talked about. Do we need to determine that now or can that be left the design thing I.

I

Think I think what guys like this is it. This is like a war. This isn't like an actual Worcester like if we include this Texas wrong, we'll just deal with it. It's a fine, yes,.

F

So we leave it, as is then.

I

Yeah sounds good.

F

This was one comment by Christopher. Would he wanted to ask the question about hybrid sort of simultaneously more than one key exchange and I assume that it's awful here.

I

I think it should be. Why did we green that previously, some again good.

F

And then there was a clarification about elliptic curves that they are also in part of them negotiation.

F

Previously, it was missing if the statement that shall allow negotiation. It just stated that the call shall allow multiple.

F

Yeah, okay, so so this this was the statement about what is the result of a successful negotiation and we proposed- or someone actually can't remember, who proposed that we should have the least the most preferred algorithms, because I mean you could be less specific. You could speak about wrong integrity and negotiation integrity and so on. Yeah we're happy with that.

F

That might lead to the lease and.

I

Yeah so IIIi think it'd be fine. If you told I, think he fine. If you told the the end points that they had a new good that if the final protocol required you negotiate a certain way, um it's like I mean, let's take it. Let's take it a protocol, like um you know any protocol that has gonna offer answer structure right um wherever the offer or gives like you know his order to list.

I

The answer has to do something right on like it'd, be fine if he told the answer he had to do like I, don't know one of those one of the two things I do these people that we do our kick the one in they're listed as my favorite, but the one on my listed at their favorite any fine. If you told them that they do one of those two things um I just don't get the protocol, but no, but no protocol I'm, aware of guarantees that, without like without like a bunch of extra.

F

So what I found is that this section actually contains the text below which states, integrity and downgrade attacks. So we can simply just remove this.

F

Sounds good next.

F

Right so coming back to that actual that paragraph, so the question is: should we quantify strong I? Think after the buff off there was a mail exchange or someone proposed exactly this and the list decided that was not necessary?

F

Then we also have the I mean we don't need to go into curve in two to nine, whether it's approximately two to eight bits, but we definitely want to support max shorter than twenty eight. So so we might want to add something. They think that as he proposed, we should have hundred twenty eight bits integrity, but that we allow remarks something like that. Would that be acceptable.

I

I think maybe I think ours are gonna, have a long conversation with this, so I'm not sure do some tracks in mine, Karthik.

M

The bits of security, I think is pretty controversial anyway in general people to understand it. Well, so it she had some informal target, saying 128 bits of security that people will understand what you can instantiate with. So you might be able to get away with shorter, max Fischer I'll say, but.

F

M

Still achieving still achieving the same level of security, so.

I

What have a live food sounds like sounds like you're open to saying this in principle, so one I float syntaxin and we can. We can decide after since text. If, like this is a good idea or a bad idea, sounds good. I think you're.

J

Soon, here is play I.

I

Also send a PR them and then I mean like understand a people might like the PR man is here.

F

Thank you next.

F

Yes, this, this was partly by.

F

Basically, spelling out what this is, Sigma and Sigma are in this respect.

F

First, paragraph hope that it's here now second paragraph is on just noting that some information may be may need to be transporting plaintext identifiers to lock relation between yeah.

B

M

A notably the PHP, SK identifier, yes,.

F

hmm Yes, why is that? That's that's. Presumably mention is another paragraph other other than that connection. Identifier is removed.

F

Data also comes from duck, one.

G

Question gone on this identity protection ever saw so there. The issue of this unlink ability was that related in the identity, protection of a started in a separate section. So it was you had one.

F

Comment about privacy yeah and that we added the privacy consideration: okay, yeah, so that's basically, the privacy consideration currently employed- and this was about Siri data, harness problems, but the access token being mentioned here. So we route that it's also I had the concern about CSR and the use of CSR. They would like to see that more like early application data, in fact, if you use like it's proposed here in this example, is are in the third message. That's very close to me.

F

I think that this is sort of an alternative way of doing passing the e-ticket signing request and then finally, we should proposed a formulation for protection of auxiliary data, which we thought was really good, so copy that.

F

Once here, no thanks, please.

F

Yes, now might go that did he that's a shame, so this was comments, some text that Michael put in and they could commented on and Michael responded to what what we as working group could discuss is whether we think this is actionable or not. Whether this is a requirement I mean.

I

I guess IIIi I think this is a Michaels like Michael's past year. I, basically think is like not unreasonable. um You know this is a ghost battle. Adam Langley have one joining keep it all boiled on. So um you know, like I, wouldn't put this text in here's I, don't think it's actually a wolf I'm, not gonna fight about it. If you will think it's morning, cuz like I I, agree with a philosophy being established here by and large, huh but.

G

Nobody would disagree with that right. You. Nobody wants to create protocol and put stuff in there that nobody understands.

F

But is there a harm having this text in the require in this requirement?

F

I'm not gonna, fight about it.

F

Okay, let's, let's keep it next I.

I

Misunderstood this misunderstood this tax diagram, okay,.

F

I

Yeah, it's here: yeah I, I, just I just misread the extra point out to me in your in your response.

F

And there are good to nine there now service Richard commented that the first paragraph was overlapping very much on the mouth. This stated underlying transport to remove that and then realize that this section should probably change to availability. Now you understand it, you should have I should have copied in the actual text, but it's basically saying that text is saying saying.

J

Something that you should not be able to like send singing message and gifts of new to lockdown for a long time something along these guidelines. But.

F

So we could, we could look at that or you could send comments if you have problems with a new title or section. Otherwise, we moved to the last section, which is the lightweight part, and so here's the new we were clarifying some benchmarks here is the new ya information which.

I

So in this yeah, so I'd like I'd, like that I'd like that take a step back on this I think this is like this is the part that we had. There were six super, can choose the beginning and I. Think like I put, we I mean I'm, happy to read your gifts, but I. Think I, don't want I, don't argue about these right now. Okay,.

F

So what I did is basically note that what you requested in your email put that here that text intended here is to show what's expected to be achievable and or PK would statically if we have monkeys or feasible for that. That was one remark from my side and that next slide please.

F

So we actually did some of these in preparation for the sec dispatch interim March 2019, the benchmarks are exactly, or at least that I can tell type of properties. That's requested. There is North. I am Laura one time of air there's the back of time and those spreadsheets are actually intended to use. It's not yet calculations for, for this aren't in calculations for specific protocols, but spreadsheets. Also there is a how-to. Basically how you feel in your message size is how you get out the time of air, so it essentially provides type of data.

F

It's not what it as a graph or something like that, but it provides the type of data I. Think you requested. Okay,.

I

Why can we take another, look at that and.

F

The final slide on this topic is this: is this is what produced those type of diagrams look.

I

At that, why don't you think.

F

Yeah, so we have some issues to resolve if I remember right before actions to and to Karthik someone else get a.

C

Look at them in the minute, so there was an action point for a current practic to propose. So what is this? An identity, protection, no I'm, sorry 120.

E

C

Yes, exactly on security strength and about it.

C

So it's captured in the minute.

A

Question on scheduling: is it feasible to try and resolve these actions? In let's say the next two weeks sounds good I mean I, realize there's a whole bunch of other working group sessions going on in the next week or two, so they are busy. But let's try for us. Okay,.

B

F

What about the text.

F

What do we do with that? I was.

I

Hoping the a few days looking at it and talking to people and then I, send in comments, some might send my thoughts and then I was hoping. You got to do this a.

K

F

A

Make sure it gets highlighted to the list out of the minutes, and we ask people to to read better think where that see what to do about it, including possible people in the requirements document.

A

Okay, so that was your last night, that's good, so we had a couple of quick kind of status updates on ad hoc and CTMS.

A

Currently, this is that hoc. First, you want to stick with that and maybe just take like seven minutes. Each yeah I mean I will need a minute, a half so whatever.

D

J

You shall destroy it, sir yep great. This is version, sir one slide.

J

So this is the changes since the zero one version. Basically, we have tried to implement all the suggestion from the working group to fulfill the requirements to optimize the protocol, even more, which is also aiming at the requirements, and we have made some clarifications based on people trying to implement and do formal verification of in-home, so algorithm, okay, no score now independent of each other.

J

We have a requirement mix them mixed mode and we'll go into that later. He derivation static, diffie-hellman mode, no cereal, instead of parallel as based on a second one Celtic on the list about static TV Raman, this design has changed to make them sign instead of signed an act. It's now similar to I recent is that it made more sense with its mixed mode and that it saves bytes.

J

The identifier encoding has been optimized so that there is a lot more values that take a single byte. We have made encryption of message to in CPA no greater protection as discussed in the Sigma paper. This can be done see. We have added an optional integrity, protected, subject. Name for the case you protect against is finding attacks in cases where you can ident can assign a nickname to the key then several occasions and a lot more test vectors. You have implemented almost everything in the specification now next slide.

J

So this slides illustrate new method types, so 0 3, & 4 was what was there before 1 & 2 or the new mixed, where you have one party authenticates with the signature he and the other with a static if he'll monkey- and this is to optimize the demo- the requirement that one party should authenticate with a certificate and the other widow or PK, then you get the best at least overhead. If you do signature and starting to the helmet.

J

Yeah can take next slide.

J

Here's Michael illustrating, when you mixed a symmetric mode, so the method parameter which is the first in sent, can be 0 1, 2, 3 4 is a symmetric node and that integral determine if the responder in case with the signature or a static development key and similar. If the initiator authenticates with a signal or a static, DVR monkey. Now you get four different possibilities and this has been implemented with sing a field called signature, knack of the suggestion by actor last meeting.

J

There's still some trade-offs, as we can see between unity, properties and performance.

J

Basically, the static live Hellman you get. If you mix in these ethanol, static keys, we think you get a little bit. We can authentication properties, but on the other hand, you get stronger security properties in case of a key compromise. I think that something for the working group to discuss in the future and then the blue dot here a chance. These two in cpa, encryption without the integrity.

J

The reason you can do this is that the encryption here, the second message is only still always only protect against, has the attacker an active attacker in the Sigma protocol can ask the responder the initiator is not authenticated before message three or.

I

So so so John what happens if the if the initiator takes some action based on the auxiliary data.

J

Data is signed: okay, okay, act, we think killed in the inner match, okay and the signature. If there is okay.

I

I misunderstood the section you were covering.

J

Here is a summary of the message sizes, so sizes has been a message. Eyes is for the PS k, plus, if burned, if M has been slim the bit because of the new optimized coding of identifiers, the or decay case is now a lot smaller. As that, if difficulties is used instead of signature keys and with these numbers we can, you can see that we will be able to fit into three unfragmented frames in P prime hope.

J

Sixty the limitation is 45 bytes of payload same for 51 by Laura bomb and the limitation there is 51 byte frames this. Oh man.

I

It's really a bummer you're, one byte short on the hunt, our pique passe ici da chief for the big six. huh What so you said, the limit yeah. So you said the limit is 45, so in 6000 we're one boy over.

J

The first bullet here says that we can identify that we can save a few more okay, okay, yeah I, see right. Let me super irritating.

J

There are several length fields that are new, neither language which the teams are known or some fields that are actually included several times right. We, we can't say I, think at least two bytes here for these 46, which we can implement later, because this is important.

J

A

We just changed slides to the city, that's ones any question. Another I think it's mostly to be taken to the list really.

I

Don't bother my slides because, like my slides were much more like, like you know, overview CTLs um and I think you know you know: I don't have like a diff nice DF. The way that John does here, um I guess the most relevant things are. We know we're continued updated. um We have several implementations in progress. One and Rustom warning go and it's been adopted by TLS serve in it and it is. There was a home to adopted and the Charter is it now I mean we chartered so I, don't know the status.

I

The Charter has been a blessing, we're getting pretty close and then once it as soon as the charterer. The sticks them will be um will be actually something that working conversion and we're working with Karthik and others to to to adapt the TLS one. Three proofs, the security to he, tell us the.

K

Charters on next week's tell a chat, didn't see any to rush it. No next one I've.

B

Been working on a Oh C based implementation based on our empathy, Ellis, sorry, honest, I! Didn't get you online beforehand item what I don't want to like when I had slides, I didn't I, don't want.

I

To I, don't want to promise something for you: okay,.

A

Price, so we have like six minutes left I, think I think we have a. We have a set of minutes about the requirements. People have a bunch of actions of tips, but they will try and fulfill in the next week or two will will hope that pain, it's being a great ID and saving the day, with the suggestion for how to characterize things and work, I guess on ad hoc and CTLs continues with that. I think: that's our agenda are there? Is there any other business or something that I forgot? Are we skipped over.

A

Thank you, nothing! Thank you all and we'll just go some lists as necessary organizers of the meeting. So thanks very much for all the discussion. Thank you.