►
From YouTube: LAKE WG Interim Meeting, 2020-03-31
Description
LAKE WG Interim Meeting, 2020-03-31
A
A
C
A
E
A
So
welcome
to
our
lake
replacement
meeting
for
vancouver.
You
see,
the
chairs
are
gonna
shine
myself,
we're
here.
You
know
the
territory
after
mating
this,
the
jammer
room
is
there.
We
have
13
people
in
jabber
and
I've
got
30
out
on
the
WebEx,
so
please
join.
If
you
can,
we
have
Anita
Paris,
Michael
Richardson
is
taking
notes
and
etherpad
thanks
Michael.
A
Yeah,
we
have
to
note
where
the
PI's
so
I
guess
many
of
you
will
have
seen
this
some
of
the
course
the
last
week,
if
you
took
part
in
either
virtual
meetings.
If
not,
please
read
us
and
if
you
took
part
in
the
virtual
meetings
last
week
for
the
ITF
people
are
using
this
queuing
mechanism
in
the
WebEx
chest,
I
don't
know
if
we
will
need
it
or
not,
we'll
start
without
using
that
that
people
can
just
talk.
A
F
C
G
C
A
Or
bring
them
to
the
mic
and
also,
if
you
could
add
your
name
to
the
ether
pad
if
you're
attending,
that
would
be
helpful
because
there's
currently
four
there
and
36
people
in
WebEx,
so
please
go
to
the
ether
pads
and
add
your
name
as
having
attended
stats
there
or
a
blue
sheet
all
right.
So
we're
that's
the
desire,
that's
their
agenda.
The
three
issues
I
sent
a
mail
to
earlier
to
the
list,
I'm
going
to
assume
that
people
have
read
that
if
you
haven't
then
you'd,
probably
catch
up
as
I
go.
A
So
basically
the
three
issues
I
think
that
might
come
up
in
multiple
comments
that
were
made
on
that
on
the
requirements
text.
The
first
is
how
this
relates
to
cozy
or
in
particular
the
second
one
is
whether
we
we
should
I
think
we
should.
We
might
benefit
if
we
recognize
the
reality
that
we
have
ed
Hocken
CTLs
as
candidates,
things
both
which
presumably
likely
to
not
go
away.
And
the
third
point
is
it's
kind
of
like
how
much
precision
is
it
useful
to
aim
for
with
respect
to
lower
layers
in
the
communications
environment?
A
Would
like
to
not
go
there
just
yet
so,
essentially,
I
think
that
the
number
of
comments
that
were
made
I
made
my
own
comments
earlier
as
well,
that
the
current
text
is
very
prescriptive
about
using
cuz.
They
know
his
core
as
chair,
and
it
seems
to
me
that
will
make
it
difficult
for
us
to
get
rough
consensus
because
it
kind
of
says
you
can't
do.
Ctrs
I
would
like
to
see
if
we
can
figure
in
general.
What's
the
right
approach
to.
F
A
F
F
You
would
like
to
avoid
duplicated
information
station
of
crypto
rappers
and
their
rather
I
mean
the
natural
thing
would
be
to
use
kasi.
But
that's
beside
the
point.
I
think
we
can't
go
without
the
ache
delivering
Cosi
algorithm
still
score,
but
that's
basically
so
we
need
to
mention
Cosette
someone.
H
C
I
F
I
J
F
A
A
A
It
seems
to
me
that
the
output
here
of
you
know
from
the
IETF,
if
not
necessarily
from
the
lake
working
group,
is
likely
to
be
these
set
of
requirements
as
a
piece
of
text
in
an
internet
draft
and
CTLs
developed
in
the
TLS
working
group
and
likely,
if
this
working
group
adopted
at
hoc
that
ad
hoc
produced
by
this
working
group.
That
seems
like
I
like
the
outcome.
A
However,
when
the
text
we're
talking
about
the
ache
as
if
there
will
only
be
everyone-
and
that
seems
to
me-
I-
think
two
tiers
up
for
a
bit
of
argument
that
we
don't
necessarily
have
to
if
we
just
recognize
reality
that
it's
kind
of
likely
that
ad
hoc
and
CTLs
will
both
get
progressed.
Some
levels
at
a
different
time
line
in
different
working
groups
and
both
try
to
meet
the
same
requirements
and
I.
A
I
I
mean
so
not
to
put
too
fine
a
point
in
a
Steven,
but
no,
like
part
of
the
reason
why
we
printing
effort
in
here
is,
we
do
not
think,
is
healthy
for
the
ITF
standardized,
a
big
pile
of
different
aches,
and
so,
if
the
outcome,
ufo's
basically
pre,
decides
that
question.
A
I
Okay,
I
mean.
K
A
H
A
If
we
have
a
bunch
of
people
who
are
saying,
I
am
arrogant
for
a
talk
and
I'm,
not
gonna
argue
for
anything
else,
and
we
have
a
bunch
of
people
are
saying.
I'm
arguing
for
CTLs
and
I'm,
not
gonna,
for
anything
else
seems
to
me
that
that's
just
taking
this
whole
working
group
for
failure.
We
can't
resolve
it,
I
think
an
atomic
rate,
but
if
the
counters
are,
but
that's
basically
just
a
nurse
up
for
failure,
not
so
here
from
Arizona
I.
J
Think
one
of
the
waters
for
we
are
definitely
or
game
for
yes,
Eric
stone.
We
think
compressed
Els
would
be
very,
very
useful
and
I.
Think
Erickson
would
use
that
in
a
lot
of
cases.
I
think
I,
don't
think
the
compressed
Els
will
be
smaller,
tamales
small,
for
the
moves
constrained,
iut,
develop,
spend
but
and
I
don't
think
it
maybe
should
I
think
it
should
still
be
TLS.
H
Yeah
John
I'm
pleased
to
hear
you
say
that
I
think
the
operative
question
here
is,
you
know
if
we
acknowledge
there's
use
cases
for
CTLs,
regardless
I
think
the
operative
question
here
is
and
the
reason
we're
doing
this
requirement
document
is.
Is
there
a
need
for
another
protocol
in
addition
to
CTOs
or
can-can
TLS,
be
made
compact
enough
to
to
meet
the
requirements.
J
H
So
I
mean
it
may
well
be
that
that's
the
case,
but
I
think
the
reason
that
occur
and
I
have
been
asking
for
the
precision
in
this
document
is
to
come
to
come
to
the
decision
that
you
seem
to
already
come
to
the
I.
I.
Don't
have
this,
you
know,
maybe
it's
because
I've
been
in
the
space
for
a
while,
but
I
don't
feel
for
the
end
of
like
technologies.
H
But
it's
not
clear
to
me
that
that's
the
case,
given
that
even
the
early
prototypes
of
CTLs
have
been
getting
in
the
same,
you
know
within
a
small
fraction
of
where
ad
hoc
case.
So
this
is
why
we
need
the
precision
in
their
apartments
to
do
this
evaluation
that
you
know
on
this
question.
We're
agrees.
You
can
have
an
opinion
already
you
and
that's.
What's
fine,
but
I
think
we
need
to
get
consensus
around
the
answer
to
that
question
and
build
that
consensus.
If
we're
gonna
make
progress
here
so.
K
If
I
could
jump
in
this
is
benkei
duck
I
think
that
John,
the
question
that
Stephen
is
trying
to
ask
you
is
is
roughly,
would
there
be
a
case
where
CTLs
is
small
enough,
that
you
no
longer
see
a
need
for
ad
hoc
and
what
you're,
just
trying
to
say,
is
sort
of
you
are
acting
like
you
assume?
The
answer
is
that
CTS
will
not
be
able
to
get
that
small,
and
you
know
it's
perfectly
reasonable
to
expect
that
or
believe
that,
but
I
think
Stephen
is
trying
to
ask.
J
Also
I
think
the
messages
or
basically
exactly
just
as
small
as
they
need
to
be
to
get
off
my
performance
and
I
think
there
is
message
guys.
I
have
not
seen
any
code
ss4c
a
less
obvious
that
having
another,
including
that
of
C
board
and
another
to
document
implementations.
That
of
Jose,
which
already
is
daryun
or
score,
are
UT
device
would
add
whose
size
and
complexity
so
I'm
good.
Oh
god,
I.
I
Mean
sorry,
are
you
done?
Yeah
I
mean
I
was
like
I.
Should
I
shouldn
t
agree
with
John's
basic
principles?
Obviously
like,
like
you
know,
something
bespoke
will
obviously
always
be
able
together.
You
know
obviously
optimize
further
than
something
to
stop
this
book
and
that's
clearly
true
on
I.
I
Think
the
the
yeah
and
it
going
to
Richard
was
saying
I
mean
the
reason,
but
the
reason
we
are
pressing
on
the
acquirements
is
precisely
that
that
we
don't
think
the
we
didn't
think
the
objective
was
to
have
be
as
small
as
humanly
possible,
but
be
small
enough
like
not
to
be
within
the
performance
cliffs
that
these
environments-
you
know
you
know
a
present
and
so
to
understand
where
the
performance
cliffs
environments
are.
So
we
understand
performance
curve
against
which
we're
trying
to
design
for
us
and
and
as
you
know,
one
for
myself.
I
If
it
became
clear
to
me
that,
like
you,
couldn't
hit
those
performance
curves
without
doing
things
that
I'm
not
prepared
to
do
or
their
tails
working
group
that
we're
stupid,
then
I
would
be
like
okay
script
like
go
ahead,
I'm.
Not
so,
but
that's
not
yet
clear
me,
which
is
why
I'm,
hence
my
comments
on
loss
goal
document.
F
Although
it
may
not
have
been
clear
in
the
document,
but
hopefully
it
is
now,
there
are
strict
limits.
Specified
I
mean
there
are
how
much
each
message
large,
the
messages
can
be
and
I
I
hope
we
can
come
to
at
the
end
of
this
meeting
to
understand,
but
those
limits
are
there
and
they've
been
there
for
for
a
long
time,
even
if
it
doesn't
think
here,
we
have
been
discussing
this
for
almost
a
year
now.
G
You
can
summarize
what
what
are
the
size
limits.
I
think.
F
I
But
the
document
says
it
has
to
have
assessed
signatures,
and
so,
like
look,
my
point
is
like
that:
did
they
like
that?
No
I,
yes,
I,
understand
like
there's
like
a
lower
limit
for
the
very
smallest,
most
compact
protocol,
with
the
most
compact
type
of
crypto,
and
then
the
question
is
like
whatever:
where
are,
where
does
the
curve
of
cost
for
like
every
incremental
byte,
an
embryo
Cremona
message
hum,
and
that
goes
process
the
parts
I'm
trying
to
get
an
answer
to,
and
so
III
understand
this
51
point.
I
F
I
mean
so
there's
there's
one
thing
that
needs
to
be
clear
as
well.
There
are
many
spinning
scenarios
to
support,
including
certificate
based
scenarios,
which
are
not
necessarily
necessarily
would
fit
into
these
type
of
frame
size.
For
for
the
cases,
people
are
looking
at,
for
instance,
in
Laura
Lyons,
trying
to
design
a
real
public
key
based
escape
base.
I
Size,
okay,
I
guess,
I-
find
this
quite
surprising.
Given
the
original
designs
of
ad
hoc.
We're
seniors
for
Beijing,
therefore
could
not
fit
into
this
list
and
I
think
the
only
thing
was
only
brought
up
quite
recently,
I'm
finding
like
I'm
finding
this,
like
it's
very
little
puzzle
like.
F
F
F
F
G
G
F
F
A
A
Dpms
is
good
enough
and
you
know
you're
trying
to
make
a
case
to
say
that
there
is
a
situation
where
CTLs
can't
meet
the
requirement,
but
I
don't
think
we've
kind
of
if
we
could
reach
agreement
on
that
that
that
is
the
case
and
that
therefore
there
may
be
a
need
for
a
non
CTRs
based
ache
and
I
think
that
what
gives
away
forward.
But
if
we
don't
have
that
agreement
and
I
think
we're
just
gonna
talk,
let
some
requirements
X
and
then
get
back
to
exactly
at
this
disagreement.
Well,
I
guess.
I
But
is
probably
true,
perhaps
true,
but
I
guess,
like
the
discussion.
We're
having
right
now,
is
precisely
that
when
I'm
asking
for
which
is
that,
which
is
that
we
have
in
application
scenarios
and
and
we
and
we
have
some
re-encrypt
of
scenarios,
and
then
we
have
some
set
of
you-
know
PACA
sizes,
that
some
curve
of
like
cost
against
against
against
message
sizes
and
that
we
and
that
what
we
want
to
be
saying
is
for
each
of
these
scenarios.
I
I
You
know
about
eight
different
of
those
scenarios,
ranging
from
PSK
to
signature
based
on
to
full
signature
based
on
both
sides
with
certificates
and
that
well
I'm.
Trying
to
understand
precisely
is
the
turning
point
with
thee,
but
the
message,
size
and
message
number
target
is
for
each
of
us
and
cells
like
well.
I
here
is
John
is
serving.
J
K
Sorry
to
jump
in,
but
it
sounds
like
occurs.
Mentioning.
We've
got
this
list
of
call
it
eight
different
potential.
You
know
crypto
matching
ups
and
you're
John
you're
saying
that
maybe
you
know
some
of
them
may
not
be
relevant
to
the
application
and
that's
fine
but
I
think
occurs.
The
point
is
that
of
these
eight
and
I'm,
not
100%
certain
about.
I
K
Like
two
or
three
of
them
that
we
feel
like
we
have
these
concrete
limitations
in
place
of
that,
we
think
we
can
target
the
three
frames
and
51
bytes
per
frame,
but
then
there's
another
five
scenarios
in
terms
of
how
the
the
crypto
algorithm
primitives
might
match
up
that.
We
don't
have
the
same
level
of
clarity
about
what
we're
actually
targeting
and.
H
I
would
note
that,
even
if
we
were
just
gonna
do
an
ad
hoc
working
group,
we
would
need
those
scenarios
to
know
ad
hoc
was
done.
You
know
there's,
as
honnest
pointed
out,
there's
been
a
lot
of
change
in
ad
hoc
over
over
it's
the
time.
The
span
of
time
it's
been
around
as
people
have
talked
about
additional
scenarios
and
additional
mechanisms,
so
even
just
having
a
definition
of
done
for
whatever
the
protocol
is,
we'll
need
to
know
that
sort
of
scenarios
that
are
conventions
and
I
guess.
I
Yeah
I
think
that
also
goes
to
what
they're
worth
the
criticals
required.
I
mean
this
document
I'm
looking
right
now,
it
says,
like
you
know,
in
section
2.2,
it
says
neutral,
public
key
authentication
up
so
maybe
need
to
be
supported
for
our
pecans
to
pick
a
basic
dedication
in
the
cases
do
feel
Maquis
change,
hopefully,
usage
for
these
public
keys
and
chthonic.
I
These
public
keys
is
expected,
so
I
mean
like
if
that's
not
right,
this
need
to
be
fixed
and
if
the
Senate
and
the
Bend
be
clear,
if
the
scenarios
are
that
we
no
longer
care
certificates,
all
we
care
about
is
like
raw
public
keys
is
like
true
is
exactly
just
scenarios,
namely
PSK
and
raw
public
key
sorry,
pivot,
PSK
and
then
rock
public
keys.
There
are
statically,
fianlly,
proper
keys
and,
like
wool
and
like
we
should
write
that
down
and
then
I'm
like
and
then
look
at
where
we
are
there.
So.
K
J
I
would
not
say
that
certificate
is
those
sculptors
interested
in
that,
but
I
would
say
that
if
we
prioritize
something
it
should
be
P
escape
routes.
Elliptical
diffie-hellman
and/or
became
those
elliptical
of
the
famine
because
things
that
or
what
a
very
constrained
IOT
device
deployment
is
likely
to
to
use
because
it's
what
they
can
use.
It's
also
space
where
it
lacks
where
the
world
lacks
a
really
compact,
efficient.
I
I
But
I
guess
I'm
wondering
if
perhaps
the
the
answer
is
but
like
radically
Dscoop
this
hard
constants,
like
I,
mean
if
the
so
your
users
wasn't
earlier,
which
I
didn't
follow
up
on,
but
I
was
interesting,
which
is
effectively
that
we
have
these.
We
have
these
situations
or
people
are
doing.
You
know
on
your
raw
raw
PS
case
now
right
and
are
they're
doing
with
keys
now.
Yes,
how
are
they
what
you
were
teasing
for
the
ache?
Okay?
Yes,
no!
Sorry,
I'm,
sorry,
sorry,
the
the
application
scenarios!
I
I
I
F
Exchange
provision
the
Pierce
case
to
be
used,
but
that's
that's
one
of
the
they
they're
really
looking
for
something
constrained.
This
is
exactly
the
type
of
setting
that
we
are.
There
are
other
settings
as
well.
People
would
like
to
move
from.
It
is
a
based
provisioning
scheme
to
a
public
key
division
right.
A
K
A
And
I
think
leave
I'm,
not
sure
of
that
this
entirely,
but
I
believe
that
the
feeling
of
the
people
proposing
yet
walking
for
they've
already
done
this.
That's
what
they've
kind
of
been
saying
to
me
and
clearly
that's
if
they
have
already
done
it,
it
hasn't
kind
of
landed,
because
that's
it's
not
perceived
that
way.
Sure.
H
I,
like
Ryan
Parker,
the
reason
done
it.
You
know
the
there's
not
agreement
that
they've
done.
It
is
that
there
hasn't
been
agreement
on
what
it
is.
I
thought
that
was
the
part
of
the
point
of
this
document.
It's
to
establish
what
the
target
was,
so
that
one
could
evaluate
whether
or
not
in
fact,
Ed
Hawk
was
meeting
all
the
things
they
they
they
people
apparently
assume
they
do
me.
A
So,
rich
and
I
think
that's
kind
of
right,
but
I
mean
whether
the
idea
of
a
requirements
document
was
ever
a
good
idea
is
a
different
thing.
I
think
what
we're
getting
down
to
now
is
that
is,
if
there
is
an
existence,
proof
that
there's
a
scenario
that's
realistic
cannot
be
met
by
CTLs.
Then
that
might
give
this
working
group
away
forward.
Do
we
all
agree
with
that?
If
the.
I
Existence
proof
is
there
sure,
but
I'm,
not
I,
guess
I,
guess
I'm
trying
to
avoid
creating
serration
like
it
and
bound
them
I
work
for
people
on
which
I
think
you
know
just
even
I,
guess:
I
guess
like
like
I'm,
just
finding
I,
guess
I'm
trying
to
find
a
little
confusing
trying
to
figure
move
forward,
because
when
this
work
was
first
introduced,
you
know
there
was
a
lot
of
you
know
there
was
there
was
a
there
was
a
lot
of
sort
of
you
know,
measurement
of
scenarios
which
looked
to
me
like
they
were
isomorphic
to
TLS
scenarios,
but
were
designed
to
be
much
more
compact.
I
So
you
know
it
would
be
like
well,
it's
still
Sigma
and
they're
still
signatures,
but
there's
you
know
but
but
like
we're,
gonna
like
have
the
students
assumes
that
a
band
and
we're
going
to
compactify
the
messages
or
you
know
on
etc,
etc,
cetera
right
and
if
the,
if
the
notion
instead
is
that
and
yes
they
were
like,
we
were
more
BK,
but
there's
a
pile
of
things
right.
I
So
their
whole,
like,
like
list
of
like
I'm
like
I'm,
like
to
stuff,
which
is
the
very
good
kind
of
thing,
likes
to
kill
us
at
a
specifiers.
It
would
sound
like
a
framework
for
like
doing
on
one
things
right
and
if
the
truth,
that
matter
is
that
all
the
really
matters
is
is
like
well
public
keys
and
exactly
to
exactly
two
modes,
which
is
sure,
sir
tsks,
and
defending
a
development
and
raw
public
eats
with
static
static,
static,
static,
a
gentleman
and
like
no.
I
In
scope
then,
like
it
doesn't
start
to
seem
like
it
might
be
appropriate
this
line
a
new,
a
new
thing
that
was
designed
like
not
to
have
any
sensibility
only
do
those
two
things
and
nothing
else.
Given
that,
like
you
know,
you
know
given
given
that,
like
those
are
not
like
things
and
I,
think
you're
in
the
court
area
or
TLS
is
trying
to
work,
and
so
like
I'm
trying
to
for
real
I
got
like,
but
then
there
hey.
I
A
protocol
which
is
like
essentials,
invincible,
steel
s
and
like
covers
many,
the
same
application
areas,
and
so
I
try
understand
what
those
the
real
crime
is,
or
the
other
or
not,
and
particularly
like
it
like
says
certificates
it.
It
says
like
signatures,
it's
like.
Oh,
this
is
real
or
they're,
not.
I
G
That
doesn't
need
them.
The
size
limits.
The
problem.
My
problem
is
always
like
and
I've
seen
this
numerous
times
is
at
the
beginning,
everything
is
portrayed
as
lightweight,
and
then
you
have
all
these.
It
met
already
at
the
fairly
early
stage.
You
have
this
laundry
list
of
features
and
then
you
only
add
more
in
in
a
split
second,
it
won't
be
won't,
be
this
small
anymore
I.
F
J
Well,
TLS
implementation
typically
implement
basically
everything
TLS
103,
a
lot
on
to
suit
hundreds
of
sizes
suits
a
lot
of
extensions.
That's
not
the
case
for
very,
very,
very
constrain.
Our
UT
devices
expect
them
to
really
implement
PSK
authentication
and
they
will
use.
They
will
probably
not
support
anything
else,
then
exactly
what
they
may
not
that's.
J
A
Can
I
interrupt
this
chair
if
that's
okay,
I'd
like
to
get
back
to
if
there
is
an
existence,
proof
that
we
need
something
that
is
not
CTRs
I,
think
we
have
a
way
forward.
If
there
is
no
existence,
proof
that's
acceptance
and
we
don't
have.
If
we
don't
have
consensus
that
existence,
whether
existence
proof
is
there
and
I
really
don't
see
much
your
way
forward,
because
I'll
just
keep
repeating
this
discussion.
I
Well,
I
was:
what
are
you
talking,
I'm.
A
So
I
think
you
and
Eric
we're
asking
for
you
show
me
the
scenario
where
CTMS
cannot
do
what's
needed.
If
that,
if
a
realistic
scenario
exists
where
that's
true,
it
seems
there
is
a
need
for
another
protocol
and
ad
hoc
is
proposed,
and
after
that
we
can
discuss
whether
it
should
be
extensible
or
how
much
Croft
it
should
get
well.
I
So
that's
why
I'm
trying
to
propose
a
different,
a
different
way
of
thinking
about
this
cuz
either,
which
is
that
so
I
hear
you're
saying
but
I
guess
like
what
well
the
reason
as
I
sort
of
said.
The
reason
that
I
primarily
interested
is
in
Italy
was
I.
Think
it's
unhealthy
for
the
ietf,
just
a
large
number
of
like
big
on
it.
Protocols.
I
I
So
now
that,
like
to
my
philosophy,
everybody
else's
philosophy,
but
the
but
I
that
said,
if
we
have
a
and
I
think
I
think
why
think
it's
expensive
is
we
have
a
winter
general
purpose
protocols,
and
so,
if
there's,
if
there's
an
understanding
that
like
actually,
this
is
designed
for
like
a
really
special
set
of
use
cases,
there's
not
like
a
generic
system
that
just
happens
to
be
slimmer,
then
I
think
it
like
make
sense
to
try
to
carve
that
off
and
be
like
hey
works.
I
I
A
A
J
A
But
that's
the
same
criticism
that
people
are
making.
It
has
changed
so
I
think
you,
my
understanding
is
the
ad-hoc
proponents
believe
that
they
have
offered
an
existence,
proof
that
there's
things
that
you
can't
compress
TLS
to
do,
and
my
understanding
is
that
the
TLD
CTLs
proponents
do
not
believe
that
they
have
seen
that
existence.
Proof
am
I
correct
about
both
proponents
positions.
As
of
today.
A
A
I
Mean
I
mean
this
business
back
to
work.
This
point
I,
think
about
weight,
bet
that
choosing
between
two
things
person
and
when
you're
done,
you
know
I
mean
so
I'm
yes,
I
mean
it's
only
be
the
case.
What
so
they
certainly
be.
K
Can
I
jump
in
so
I
think
occur
if
I
can
sort
of
train
paraphrase?
Maybe
you
were
saying
if
the
only
use
case
that
we
cared
about
was
exactly
the
symmetric,
pre-shared
key
case,
and
we
did
not
have
an
ad
hoc
that
was
also
wanting
to
do
rob
public
key
and
certificates
and
all
this
other
stuff,
and
we
were
just
focusing
on
symmetric,
showed
PSK.
K
I
Let
me
try
to
LinkedIn,
you
want
it
a
little
bit,
I
think
I
think
we'd.
Have
it
I
think
that
what
I
would
say
is
that
okay,
I
think
your
actual
print
thing
you
gave
I
think
it's
probably
right,
which
is
to
say
like.
Why?
Would
you
pull
in
all
this
apparatus
of
all
you
wanted
to
do
with
that?
Alright
and.
K
I
A
M
A
Song,
what
I
like
what
I
think
I
was
hearing
from
Ben's
find
somebody
there
was
there
kind
of.
Is
an
existence,
proof
there
or
a
live
very
limited
scenario.
I,
don't
mean
to
say
we
kind
of
all
know
that
if
somebody
writes
a
program
defines
it
a
protocol
for
that
very
limited
scenario,
it
will
extend
to
do
all
the
things
we
kind
of
know
that
that's
kind
of
inevitable,
I,
think
right
and
that
causes
were
worried.
I
That
someone
not
really
no
I,
think
I
mean
the
thing.
The
thing
that
made
the
the
the
part
of
Ben's
thing
that
I
found
compelling
was
the
on
with
the
specificity,
what
I
mean
so
that
the
really
it
doesn't
make.
You
have
a
very
limited
scenario
and
you're
willing
to
commit
yourself
to
the
only
operating
furloughed
scenario,
then
taking
a
then
under
certain
circumstances,
taking
a
generalized
protocol
and
slimming
it
down
to
that
may
or
may
not
make
sense
and
well
I
was
saying:
was
it
really?
I
What
you
wanted
to
do
was
PSK,
and
you
know,
and
if
you
home
in
the
hoisting,
the
even
the
CTLs
apparatus
in
a
very
wanna
make
sense,
but
that's
not
that.
That's
not
that
when
you,
but
the
reason
that
the
reason
I've
found
it
that's
not
proof
of
this
is
you
were
talking
about.
Is
that
when
you
stack
on
the
other
application
scenarios
on
you
know
on
I
listed
in
this
requirements
document
the
the
limitation
which
motivated
that
conclusion
no
longer
holds.
E
G
Many
of
the
things
at
the
beginning
of
a
misunderstanding
also,
where
Els
sees
and
and
how
it
can
actually
be
used.
Remember
that
there
was
a
lot
of
effort
spent
in
embedded
at
Els,
implement
implementation.
Centers
I
have
been
used
for
many
of
the
IOT
platforms,
and
obviously
people
learnt
the
last
on
what
works
and
what
exactly.
E
E
I
E
E
In
this
situation,
okay,
where
it
might
be,
the
right
answer-
is
that
we
should
construct.
What
I
don't
know
is
is
do
I
need
to
create
a
compressed
version
of
TLS,
which
is
cryptographically
and
functionally
equivalent
to
TLS,
or
am
I
allowed
to
trans
transliterate,
that
into
something
that
looks
like
TLS,
but
but
isn't
actually
compatible
with
TLS
Mike.
G
J
Never
had
the
plan
to
replace
TLS.
This
is
meant
to
work
in
use
cases
where
Tina's
obviously
doesn't
work
very
well.
If
you
try
to
use
current
DTLS,
uber
becomes
very
constrained.
Radio,
you
will
it's
not
fun,
wait.
Well,
that's
crucial,
and
this
was
not
only
the
earlier
already
from
the
beginning.
A
clear
goal
of
this
was
to
reuse
Cosi.
We
felt
like
we
have
causing
these
devices.
You.
J
G
Here,
let's
also,
let's
see
what
we
can
do
with
it
cool.
So
that's
the
next
misconception,
because
just
because
Oscar
uses
cozy,
it
doesn't
mean
that
all
of
this
traffic
supports
all
of
cozy
and
you
don't
have
Cozine
in
in
the
devices
I
think
you
randomly
mix
stuff
together.
You
don't
even
have
co-op
in
all
devices.
F
This
is
this,
is
this
is
arbitrarily
put
things
together?
This
is
a
no
score
implementation,
we're
assuming
because
we
are
building
an
aka
for
Oscar.
It
seems
many
of
the
city
as
people
are
not
at
all
interested
in
that
part,
but
that's
for
your
information
and
and
what
we
have
is
exactly
a
cozy
encrypted.
We
have
algorithms
and
we
have
co-op
and
we
have
Seaborg
well
at
hoc.
You
need
much
much
more
Sun
cozy,
which
you
don't
have
on
the
device.
F
The
fact
is
that
this
is
very
tiny
extension
to
if
you
have
cozy,
Seaborg
and
co-op
and
that's
one
of
the
points
but
I
don't
think
we
should
discuss
the
cozy
part,
because
that
was
already
item
one.
Then
we
are
on
item
two
in
in
sub-bullet
Cibola
in
item
in
the
agenda
item.
One
I
think
we
should
leave
that
and
get
back
to
quantification
of
the
existence
proof,
because
that
is
what
might
lead
us
forward.
I'd,
like
also
to
add
the
time
aspect
here
we
have
a
stressed
timeline.
F
A
Okay,
so
the
last
I
heard
that
I
think
I
could
summarize.
There
was
a
kind
of
an
acceptance
that
they
there
is
a
niche
there
that
this
existence
proof
could
exist
in
or
could
fill
that
existed.
Sorry,
let
me
start
again
there.
There
is
an
existence,
proof
of
a
thing
that
you
couldn't
really
compress
TLS
for
there.
A
The
last
statement
I
think
echo
made
was
that
if
you
try
and
define
an
ache
for
to
fill
that
niche,
you
inevitably
will
extend
this
to
the
point
where
it
has
to
have
enough
mechanism
that
really
you
haven't
filled
a
niche
because
you've
done.
Is
you
end
up
doing
as
much
as
CTRs
tones?
No,
you
said
that
I'm
trying
to
suppress
what
you
said
on.
I
This
document,
this
requirements
document
and
this
in
this
process,
hasn't
predicated
on
the
idea
that
there
was
gonna
be
a
we're
gonna
sign
it
like
a
generalized
ache
with
like
a
whole
bunch
of
knobs
that
basically
did
a
whole
bunch
application
scenarios,
and
that
is
a
source
of
my
concern
and
if,
if,
if
what
ones
that
is
being
proposed,
which
I
thought
I
heard,
John
Nelson
saying
earlier,
was
a
much
more
simpler
set
of
protocols
which
only
does
about
two
things,
which
is
say
RPK
and
PSK,
and
is
not
intended
to
be
generalizable.
I
This
is
for
category
of
things.
Then
then
it
might
possibly
be
the
case
that
it
was
attractive,
design,
saying
new,
rather
than
trying
to
like
sometimes
languish
as
much
potentially
much
more
done
and.
E
I
I
mean
this
is
the
spread,
this
I'm
reading
the
readings
requirement
document
and
it
like
it,
has
like
three
different
ways
to
curious:
difficut
s--
it
has,
you
know
it
has
signatures
and
and
and
and
let
me
start
it
be
home
in
you
know.
I
Are
by
reference
in
line
in
a
in
line
in
a
in
order
to
listing
in
line
an
ordered
list.
F
These
cases,
where
you
identify
public
key
by
a
hash
or
URL,
those
cases
are
clearly
iot
use
cases
that
that's
it's
no
construct.
It's
dripping
down
the
protocol
or
removing
those
components
from
the
protocol,
because
that
that
will
not
be
fit
for
purpose.
Whether
we
need
to
have
some
what
kind
of
deployments
we
are
looking
at.
There
is
a
wide
variety
of
iot
settings
and,
as
I
mentioned
in
in
or
I
think,
it's
actually
one
part
of
the
the
credential
section.
F
Speaking
about
a
we've
heard
companies
mentioning
this
deployment
path,
where
you
start
off
with
the
pre
shared
key,
and
then
you,
because
it's
perceived
as
simple
to
do
starting
point
and
then
you
remove
like
Laura
Lyons,
is
now
doing
moving
to
a
row.
Public
key
based
provisioning
would
like
to
take
perhaps
the
next
step
and
add
certificates
that
might
not
be
in
that
application,
but
other
applications.
They
want
to
go
that
path
so
saying
that
this
this
protocol
must
not
support
signature,
or
this
must
not
support
certificate.
I.
F
F
You
have
a
a
simple
application,
simple
setting
with
with
the
pre-shared
keys
with
like
no
an
implementation
of
all
score
and
you'd
like
to
the
natural
first
step
would
be
to
add
a
PS
k
base
8,
but
that
not
might
be
optimal
from
a
security
point
of
view
or
deployment
point
of
view.
There
are
migration
paths
to
consider
as
well
sure.
I
I
agree:
I,
agree
that
but
I
guess
right
on,
but
I
think
I
guess
what
I
was
trying
to
say
but
I
mean,
but
the
point
where
what
you're
proposing
to
eventually
built
is
it
protocol
of
enormous
enormous
amount
of
flexibility
sensibility
for
a
pile
of
application
scenarios
then,
like
yes,
absolutely
gonna,
create
those
things
one
by
one
or
you
could
start
with
a
protocol
which
are
somewhat
more
general
and
slim
it
down.
F
I
And
I
think
I
think
the
point
return
I
are
trying
to
make
is
it
is
that
we
believe
CT
else
can
support
those
use
cases
and
when
they're
colloquy
can
been
in
my
earlier
was
me
saying
that
it
seemed
that
that
was
a
lot
of
complexity
of
inches
a
lot
of
capacity
to
his
work.
If
the
only
thing
you
care
about
was
accused
cases,
but
if
it
you
actually
care
about,
it's
like
a
much
more
safe
use
cases
consequent
in
this
document,
then
suddenly
that
meant
that
comply.
Sorry,
miss
Othmar,
subtracted,
I,
think.
J
The
protestation
is
clearly
Orbach
a.m.
and
PS
Cadiz
all
day.
He
saw
the
reason
for
the
hooks
existence
and
I
think
the
further
you
go
in
the
other
direction.
If
you
have
certificates
with
signatures,
then
I
think
then
you
will
not
have
much
method,
not
the
difference
between
head
hook
and
CTRs
when
it
comes
to
latency
a
message
size.
F
K
It's
not
entirely
clear
how
concerned
we
need
to
be
about
that
evolution,
given
that
it
has
its
origins
and
its
focus
in
the
more
narrow
case,
and
it
just
sort
of
if
somebody
ends
up
using
that
in
the
the
broader
signature
certificate
case,
because
it's
easier
for
their
deployment
because
they're
already
using
it.
For
other
reasons,
I,
don't
know
how
concerned
I
should
be
about
that.
K
But
if
we
have
a
core
focused
point
of
work
that
we
want
to
start
with,
and
we
could
say
this
is
what
we're
gonna
focus
on
for
now
and
it
might
be
extensible
in
the
future
to
do
some
other
things,
but
we're
you
know
it
might
not,
and
if
it
doesn't
end
up
that
extensible,
we
still
think
that
there's
value
from
doing
what
we're
focusing
on
now,
like
that
sort
of
view,
point
is
something
that
feels
reasonable
to
me.
But
I,
don't
know
if
it's
the
case
for
everybody.
A
K
Mean
so
because
I
should
apologize
for
coming
up
with
something
off
the
cuff
that
is
vague
and
hard
to
follow,
but
I
think
it
sort
of
touches
back
on
a
point
that
I
had
started
to
bring
up
earlier,
which
is
to
sort
of
consider
what
are
the
current
and
future
expected
use
cases
and
are
not
youth
kid?
What
are
the
current
and
future
expected
deployment
scenarios?
K
K
A
K
If
that's
actually
possible,
I
I
agree,
it
doesn't
seem
clear
that
it's
it's
possible
to
to
write
a
protocol
on
that
way,
but
you
also
don't
have
to
write
the
protocol
and
spend
a
lot
of
time
on
the
full
generality
of
things.
You
can
say:
I
want
to
write
a
protocol
and
make
sure
I
get
the
narrow
bits
right
and
sure
it's
gonna
be
possible
to
do
the
other
stuff
with
it
as
well.
I
So
I'm
certainly
not
like
trying
to
argue
with
design
a
protocol
which,
like
no
one,
has
any
idea
how
to
extend
ever.
That
would
be
unwise,
I'm
talking
out
what
the
I
was
liking,
what
the
requirements
documented
and
hence
the
implied
charter
for
this
work,
is
right.
K
A
A
To
try
and
characterize
the
way
I
think
Pam
was
trying
to
describe
it.
There
is
maybe
there's
a
missing
requirement
to
say.
The
focus
here
has
to
be
either
on
there
really
kind
of
tightly
constrained.
Very
you
know:
PS
k,
+,
RPK
kind
of
modes
or
on
a
generic
thing
and
those
no
those
may
not
be
the
same
solution.
F
I
Guess
I
this
may
be
a
way
for
that.
This
is
a
natural
candidate
text,
but
I
mean
I
I
guess
this
is
something
that
we
referred.
I
I
If
this
is
like
an
open-ended
charter
which
is
like
well
we're
gonna
fight
for
his
line,
PSK,
then,
where
does
that
hurt,
began
organizer
difficut,
then
we're
gonna
design
a
short
end,
glob
like
no.
That's
like
not
I'm,
not
cool
with
that.
If
it
is
we're
a
designed
this
thing
and
then
maybe
something
later
will
retarted
accents
and
stuff,
then
like
then,
maybe
right
but
like.
I
But
my
point
is
that
my
point
scope
with
this
of
the
this
specification
is
like
a
fully
germ,
awake
right
and
and
and
so
like
they
go
back
to
the
with
Mike
Michael
we've
been
quite
a
bit
earlier,
like
that
seems
to
me
precisely
this
in
area
for
TLS
resigned
them
so
and
so,
like
I'm,
not
really
going
to
concede.
There's
not
an
appropriate
use
for
that
use
case.
I.
F
Still
don't
understand,
we
have.
We
have
problems,
a
setting
where
we
think
there
is
no
good
solution
today
and
we
don't
see
any
other
solution.
So
what
why
but
prioritize
use
cases
and
you
need
to
comply
with
those?
What
I
mean
that
that
would
at
least
be
the
so
the
disco
where,
where
you
can
sure.
I
I
guess
I
guess
what
I'm
looking
for
yo,
I'm,
sorry
well,
I'm,
looking
but
sorry
so
I
thought
would,
if
I
understood
what
Ben
and
Steven
were
attempting
to
accomplish.
It
was
to
create
a
target
scope.
That
would
be
a
target
scope,
not
for
this
working
group
specifically,
but
for
ED
hoc
to
work
on
that.
I
Then
the
people
who,
let's
say
the
people
who
were
interested
in
CTLs,
would
think
was
a
sufficiently
small
scope
that
they
would
not
be
interested
in
pushing
CT
loss
for
it
is
that
your
try
to
accomplish,
even
if
we
can
accomplish
that
I
would
be
happy
yes
right
and
so
so
just
taking
just
taking
a
list
of
things
in
this
document
of
prioritizing
them
doesn't
solve
my
problem
and
so
now
contract.
I
F
A
Anybody
I'm,
just
noting,
however
I
think
was
just
before
that
we
almost
got
to
do
a
possible
point
that
might
bring
progress
so
so
I
think
it's
not
too.
It's
not
kind
of
prioritizing
I
think
what
we
want
to
say
is
that
there's
there
are
some.
There
are
some
niches.
There
are
some
kind
of
deployment
scenarios
where
we
don't
believe
we
can
compress
a
generic
protocol
in
a
satisfactory
manner.
I
I'm
sorry
I'm
going
to
concede
that
point
Stephen,
it's
the
sizing,
much
more
much
more
much
more
nuanced,
which
is
that
it's
not
worth
if
all
you
care
about
is
one
very
small
set
of
use
cases.
It's
not
working
only
the
effort
of
like
hoisting
in
a
generic
completed
compression
era
protocol.
That's
a
different
statement
understand
if
we're
going
to
be
designing
for
eight
different
use
cases,
and
even
if
any
individual
one
only
uses
one
like
then
I
think
I
think
compressing.
Jari
protocol
makes
a
lot
of
sense.
I
L
I
B
I
I
I
A
I
I
I
really
I'm
sure
people
do
hate
being
a
specific
read
something
on
the
fly,
so
I
I
was
just
that
we
like
like
this
is
this
is
text
like
which,
like
I,
can
think
about
for
a
little
bit.
I
It's
look
at
her
eyes
and
think
about
a
little
bit
too
and
Richard
Roth,
so
I
think
like
I
was
just
with
her
circle
by
email
and
then
and
then
perhaps
he
can
schedule
an
or
call
I
if
needed,
to
try
to
hammer
something
out
and
it
feels
like
it,
everybody
if
every
like
this
is
garbage,
then
we
don't
need
to
do
right.
I'm.
A
A
Okay,
great
and
I
think
I
think
we
covered
all
three
of
the
points
I
wanted
to
cover
in
all
that
discussion,
think
and
yeah
so
I
I.
Do
we
want
to
proceed
with
the
agenda
as
previously
planned
then,
and
thanks
for
for
all
the
discussion,
I
think
it's
the
key
kind
of
disagreements
that
we're
trying
to
get
over
here.
Do
we
want
to
potatoes
planets
with
the
requirements
slides?
A
N
F
F
I
Sound
like
we
asked
Josh
for
that.
The
rest
of
this
looks
fine.
I
Well,
sorry,
the
next
and
this
last
bullet
point
I,
guess,
like
I,
think
there
were
two
points
here
right.
One
is
like
whether
or
not
this
should
be
roughing
Jose
and
the
second
is
like
what
actually
should
should
carry
but
I
propose.
We
punt
this
because
this
seems
to
be
the
core
of
any
suggestion,
and
so
just
what
kind
of
role.
F
M
Do
want
to
agree
on
a
unique
identifier
for
this
agreed-upon
session,
that
sort
of
notion
of
freshness.
You
cannot
just
use
the
same
strategies
and
generate
a
session
key
that
session.
To
me,
the
first
session
identified
the
point
of
this
particular
session.
You
need
that
good,
formal
proof,
but
also
more
practically.
There
should
be
something,
and
typically
this
is
a
transcript.
The
transcript
can
be
thought
of
as
a
session.
Identifier
in
this
particular
sense.
F
I
He
said
so
we
had
this.
No,
we
we
actually
had
this
because,
like
we
talked
about
with
both
what
the
informal
angles
were,
I
just
find
the
damn
thing
hang
in
a
second.
Let
me
just
I'll,
take
a
look
and
try
to
find
some
text
like
I.
Just
I
find
this
very
confusing
to
people
very
confusing,
because
I
wasn't
sure
what
I
meant,
but,
like
all
for
some
texture,
that's
not
a
problem.
I
I
agree
objective.
I
Right
so
the
issue
is
Karthik
I'm
trickin
I
get
this
more
light
than
I
can,
but
that,
if
you
treat
people's
public
keys
as
their
identities,
then
you
get
any
miss
finding
problems
because
it's
pop,
unless
it,
unless
it's
impossible
to
register
what
key
for
don't
have
possession-
and
this
is
the
heart
of
like
what
Sigma
uncovers
right,
and
so
the
classic
way
to
do
this
is
do
is
to
include
the
identities
at
the
endpoints
inside
the
transcript
itself.
I
But
if
it
is
the
endpoints
or
merely
the,
are
merely
public
keys,
and
you
don't
get
that,
then
you
don't
get
that
property
and
so
on.
That's
what
that!
That's
the
reason
I'm
pushing
on
this
now,
maybe
we
can
just
like
him
with
the
Sun,
but
that's
the
reason.
That's
what
I'm
pushing
on
I
think
about
my
represent
equipment.
M
More
generally,
whenever
we
talk
about
authentication,
they
have
to
talk
about
identity
and
what
identity
of
the
two
parties
are
and
open,
because
you
have
so
many
different
ways:
identities,
including
the
top
of
the
key
I.
Don't
think
this
is
going
to
change,
but
if
there
was
some
notion
kind
of
a
global
identity
that
you
could
use,
I
think
that
the
devices
knew
about
each
other,
and
that
would
make
this
much
more
explicit.
M
I
agree
that
there
is
a
concern
that,
if
what
we
are
agreeing
upon
is
the
key,
but
what
you
really
want
to
agree
upon
both
the
identities
and
there
is
a
myth
there
is
a
gap
between
what
they
are,
what
indicating
and
what
you
wanted,
or
did
it
I
mean
if
you
had
only
one
mode,
it's
very
easy
to
make
this
very
precise.
If
you
have
three
or
four
words,
and
you
have
to
be
careful
about
what
is
this
notion
that
generalizes
across
PS
case
and
RPGs
and
certificates?
M
F
I
Guess
I
guess
I'm
only
know
I'm
going
to
let
this
go,
but
I
think
when
we
actually
try
this
protocol
design,
we're
ski
important
understand
and
actually
I
mean
like
so
to
be
clear
on
what
7250
and
TLS
has
this
problem
right,
which
is
a
you,
could
just
name
well
10
to
50
name
are
P
K's
has
the
exact
same
problem
or,
basically,
you
know
guarantee
miss
binding.
So
we
actually
do
the
protocol
design.
I
J
A
I
Was
good
to
me,
I
could
I
wasn't
able
to
find
that
good
I
didn't
understand
the
branch
but
Alice
fine.
I
M
M
Both
parties
should
agree
on
the
identities
of
both
parties,
since,
if
somebody
authenticates
to
me,
if
Alice
authenticated
to
me
as
far
as
the
protocol
I
also
need
to
know
that
Alice
intended
to
authenticate
it
to
me
and
not
to
somebody
else
and
that
sort
of
related
identity
was
finding
well,
it's
kind
of
called
recipient
authentication,
not
just
send
that
authentication.
So
I
need
to
know
that
both
parties
agree
on
the
identities
of
both
parties.
I'm,
not
sure,
that's
exactly
what
is
being
said.
I
F
I
F
G
F
I
Actually
I'm
sure
I
heard
yes
right
yeah.
So
this
the
proposal
looks
fine
and-
and
it's
often
read-
looks
fine.
The
the
the
is
the
reason
that
I'm,
like
the
well
I
mean
read
my
comments
very
quickly,
but
I
think
I
was
trying
to
get
out
here.
Is
that
there
are.
There
are
non
protocol
designs
on
that.
I
The
way
you
actually
build,
your
plantation,
that
that
learn
that
leads
of
like
compromising
PFS
as
an
example
getting
any
kind
of
ticket
based
reduction
scheme,
and
so,
as
I
understand,
we
are
specifying
resumption
here,
which
means
that
you
might
then
IQ
possible
ability
can
pick
up
age
reduction
scheme
which
case
you'll,
be
violating
this
rule,
and
so
I
understand
like
what
like?
I
How
do
you
actually
write
this
rule
in
a
way
that
seemed
sensible
like
even
if
you
do,
even
if
you
do
like
I
guess
so,
I
guess
I
guess
if
you're
always
doing
to
me
Helmand
then
you're
gonna
say
you
know
this
problem
because
you
don't
deserve
TT,
so
maybe
I'm,
just
like
a
man
to
protecting,
tell
us
behavior
on
this.
So
if
we're
I
guess
going
back
the
previous
thing,
you
said
there
was
your
RTD
and
you
said
it's
always
doing
defeat
Helmand,
so
we
rockin
her.
I
So
what
so
in
the
I
guess
are
we
thinking?
We
were
design
resumption
mode,
the
didn't
the
feel
Minh
or
that
would
you
be
hoisted
not
under
on
the
OS
Lauren.
So
we
wouldn't
anyone.
M
I
F
F
F
Yeah,
okay,
so
so
this
this
was
the
statement
about
what
is
the
result
of
a
successful
negotiation
and
we
proposed-
or
someone
actually
can't
remember,
who
proposed
that
we
should
have
the
least
the
most
preferred
algorithms,
because
I
mean
you
could
be
less
specific.
You
could
speak
about
wrong
integrity
and
negotiation
integrity
and
so
on.
Yeah
we're
happy
with
that.
I
Yeah
so
IIIi
think
it'd
be
fine.
If
you
told
I,
think
he
fine.
If
you
told
the
the
end
points
that
they
had
a
new
good
that
if
the
final
protocol
required
you
negotiate
a
certain
way,
it's
like
I
mean,
let's
take
it.
Let's
take
it
a
protocol,
like
you
know
any
protocol
that
has
gonna
offer
answer
structure
right
wherever
the
offer
or
gives
like
you
know
his
order
to
list.
I
The
answer
has
to
do
something
right
on
like
it'd,
be
fine
if
he
told
the
answer
he
had
to
do
like
I,
don't
know
one
of
those
one
of
the
two
things
I
do
these
people
that
we
do
our
kick
the
one
in
they're
listed
as
my
favorite,
but
the
one
on
my
listed
at
their
favorite
any
fine.
If
you
told
them
that
they
do
one
of
those
two
things
I
just
don't
get
the
protocol,
but
no,
but
no
protocol
I'm,
aware
of
guarantees
that,
without
like
without
like
a
bunch
of
extra.
F
F
F
Then
we
also
have
the
I
mean
we
don't
need
to
go
into
curve
in
two
to
nine,
whether
it's
approximately
two
to
eight
bits,
but
we
definitely
want
to
support
max
shorter
than
twenty
eight.
So
so
we
might
want
to
add
something.
They
think
that
as
he
proposed,
we
should
have
hundred
twenty
eight
bits
integrity,
but
that
we
allow
remarks
something
like
that.
Would
that
be
acceptable.
M
F
I
F
G
F
Comment
about
privacy
yeah
and
that
we
added
the
privacy
consideration:
okay,
yeah,
so
that's
basically,
the
privacy
consideration
currently
employed-
and
this
was
about
Siri
data,
harness
problems,
but
the
access
token
being
mentioned
here.
So
we
route
that
it's
also
I
had
the
concern
about
CSR
and
the
use
of
CSR.
They
would
like
to
see
that
more
like
early
application
data,
in
fact,
if
you
use
like
it's
proposed
here
in
this
example,
is
are
in
the
third
message.
That's
very
close
to
me.
F
I
I
guess
IIIi
I
think
this
is
a
Michaels
like
Michael's
past
year.
I,
basically
think
is
like
not
unreasonable.
You
know
this
is
a
ghost
battle.
Adam
Langley
have
one
joining
keep
it
all
boiled
on.
So
you
know,
like
I,
wouldn't
put
this
text
in
here's
I,
don't
think
it's
actually
a
wolf
I'm,
not
gonna
fight
about
it.
If
you
will
think
it's
morning,
cuz
like
I
I,
agree
with
a
philosophy
being
established
here
by
and
large,
but.
G
I
F
And
there
are
good
to
nine
there
now
service
Richard
commented
that
the
first
paragraph
was
overlapping
very
much
on
the
mouth.
This
stated
underlying
transport
to
remove
that
and
then
realize
that
this
section
should
probably
change
to
availability.
Now
you
understand
it,
you
should
have
I
should
have
copied
in
the
actual
text,
but
it's
basically
saying
that
text
is
saying
saying.
J
F
I
So
in
this
yeah,
so
I'd
like
I'd,
like
that
I'd
like
that
take
a
step
back
on
this
I
think
this
is
like
this
is
the
part
that
we
had.
There
were
six
super,
can
choose
the
beginning
and
I.
Think
like
I
put,
we
I
mean
I'm,
happy
to
read
your
gifts,
but
I.
Think
I,
don't
want
I,
don't
argue
about
these
right
now.
Okay,.
F
F
So
we
actually
did
some
of
these
in
preparation
for
the
sec
dispatch
interim
March
2019,
the
benchmarks
are
exactly,
or
at
least
that
I
can
tell
type
of
properties.
That's
requested.
There
is
North.
I
am
Laura
one
time
of
air
there's
the
back
of
time
and
those
spreadsheets
are
actually
intended
to
use.
It's
not
yet
calculations
for,
for
this
aren't
in
calculations
for
specific
protocols,
but
spreadsheets.
Also
there
is
a
how-to.
Basically
how
you
feel
in
your
message
size
is
how
you
get
out
the
time
of
air,
so
it
essentially
provides
type
of
data.
F
C
E
A
B
I
K
A
D
J
So
this
is
the
changes
since
the
zero
one
version.
Basically,
we
have
tried
to
implement
all
the
suggestion
from
the
working
group
to
fulfill
the
requirements
to
optimize
the
protocol,
even
more,
which
is
also
aiming
at
the
requirements,
and
we
have
made
some
clarifications
based
on
people
trying
to
implement
and
do
formal
verification
of
in-home,
so
algorithm,
okay,
no
score
now
independent
of
each
other.
J
We
have
a
requirement
mix
them
mixed
mode
and
we'll
go
into
that
later.
He
derivation
static,
diffie-hellman
mode,
no
cereal,
instead
of
parallel
as
based
on
a
second
one
Celtic
on
the
list
about
static
TV
Raman,
this
design
has
changed
to
make
them
sign
instead
of
signed
an
act.
It's
now
similar
to
I
recent
is
that
it
made
more
sense
with
its
mixed
mode
and
that
it
saves
bytes.
J
The
identifier
encoding
has
been
optimized
so
that
there
is
a
lot
more
values
that
take
a
single
byte.
We
have
made
encryption
of
message
to
in
CPA
no
greater
protection
as
discussed
in
the
Sigma
paper.
This
can
be
done
see.
We
have
added
an
optional
integrity,
protected,
subject.
Name
for
the
case
you
protect
against
is
finding
attacks
in
cases
where
you
can
ident
can
assign
a
nickname
to
the
key
then
several
occasions
and
a
lot
more
test
vectors.
You
have
implemented
almost
everything
in
the
specification
now
next
slide.
J
So
this
slides
illustrate
new
method
types,
so
0
3,
&
4
was
what
was
there
before
1
&
2
or
the
new
mixed,
where
you
have
one
party
authenticates
with
the
signature
he
and
the
other
with
a
static
if
he'll
monkey-
and
this
is
to
optimize
the
demo-
the
requirement
that
one
party
should
authenticate
with
a
certificate
and
the
other
widow
or
PK,
then
you
get
the
best
at
least
overhead.
If
you
do
signature
and
starting
to
the
helmet.
J
Here's
Michael
illustrating,
when
you
mixed
a
symmetric
mode,
so
the
method
parameter
which
is
the
first
in
sent,
can
be
0
1,
2,
3
4
is
a
symmetric
node
and
that
integral
determine
if
the
responder
in
case
with
the
signature
or
a
static
development
key
and
similar.
If
the
initiator
authenticates
with
a
signal
or
a
static,
DVR
monkey.
Now
you
get
four
different
possibilities
and
this
has
been
implemented
with
sing
a
field
called
signature,
knack
of
the
suggestion
by
actor
last
meeting.
J
Basically,
the
static
live
Hellman
you
get.
If
you
mix
in
these
ethanol,
static
keys,
we
think
you
get
a
little
bit.
We
can
authentication
properties,
but
on
the
other
hand,
you
get
stronger
security
properties
in
case
of
a
key
compromise.
I
think
that
something
for
the
working
group
to
discuss
in
the
future
and
then
the
blue
dot
here
a
chance.
These
two
in
cpa,
encryption
without
the
integrity.
J
J
Here
is
a
summary
of
the
message
sizes,
so
sizes
has
been
a
message.
Eyes
is
for
the
PS
k,
plus,
if
burned,
if
M
has
been
slim
the
bit
because
of
the
new
optimized
coding
of
identifiers,
the
or
decay
case
is
now
a
lot
smaller.
As
that,
if
difficulties
is
used
instead
of
signature
keys
and
with
these
numbers
we
can,
you
can
see
that
we
will
be
able
to
fit
into
three
unfragmented
frames
in
P
prime
hope.
J
I
J
J
J
A
I
Don't
bother
my
slides
because,
like
my
slides
were
much
more
like,
like
you
know,
overview
CTLs
and
I
think
you
know
you
know:
I
don't
have
like
a
diff
nice
DF.
The
way
that
John
does
here,
I
guess
the
most
relevant
things
are.
We
know
we're
continued
updated.
We
have
several
implementations
in
progress.
One
and
Rustom
warning
go
and
it's
been
adopted
by
TLS
serve
in
it
and
it
is.
There
was
a
home
to
adopted
and
the
Charter
is
it
now
I
mean
we
chartered
so
I,
don't
know
the
status.
I
The
Charter
has
been
a
blessing,
we're
getting
pretty
close
and
then
once
it
as
soon
as
the
charterer.
The
sticks
them
will
be
will
be
actually
something
that
working
conversion
and
we're
working
with
Karthik
and
others
to
to
to
adapt
the
TLS
one.
Three
proofs,
the
security
to
he,
tell
us
the.
B
A
Price,
so
we
have
like
six
minutes
left
I,
think
I
think
we
have
a.
We
have
a
set
of
minutes
about
the
requirements.
People
have
a
bunch
of
actions
of
tips,
but
they
will
try
and
fulfill
in
the
next
week
or
two
will
will
hope
that
pain,
it's
being
a
great
ID
and
saving
the
day,
with
the
suggestion
for
how
to
characterize
things
and
work,
I
guess
on
ad
hoc
and
CTLs
continues
with
that.
I
think:
that's
our
agenda
are
there?
Is
there
any
other
business
or
something
that
I
forgot?
Are
we
skipped
over.