Internet Engineering Task Force Interim Meetings, 19 Nov 2020

Previous Meeting Next Meeting

⏯

youtube image

►

From YouTube: TEEP WG Interim Meeting, 2020-11-19

Description

TEEP WG Interim Meeting, 2020-11-19

A

Record actually.

B

We are now recording. Can people see my screen? Yes,.

C

B

Okay, so I'm gonna go back over this slide and between yesterday and today I added some diagrams to explain these, because I would like some opinions on this one here and there was a part two of this slide and so there's actually one two three four five, six slides the original two and then four diagrams that just expand on two three and four in case you didn't understand those and so I'll kind of walk through this one.

B

So this is issue 43 um that originally was filed by hanus and he's not here yet, but at least the rest of us can talk about the different options, because I think uh raised the question: had a couple of options and I'd like to discuss them, and so I'm gonna go back over these, but I'm gonna do so one slide at a time and uh explain we'll go through a particular example.

B

So let me go into full screen here. So you know this went.

B

All right all right, so here's the example: okay and then I'll walk through a slide on option, one, two: three and four. So um the example.

B

The example case we're gonna walk through is where you have an untrusted app that has a dependency on uh trusted, app, a okay that trusted app a comes from tam, a and say in the untrusted manifest that has the ta a's identifier and the tami's uri okay, now internally, that is expressed in a suit manifest and that suit manifest depends on a different trusted component, meaning a different suit, manifest that different suit manifest and this example is hosted by tam, b. Okay.

B

This might be, for example, because tam b is the ta developer and the trusted component b might have say a personalization data that contains a private key necessary to decrypt a that would be an example, okay, and so that's why, uh in the architecture document and previous discussions, we've said these two things could be from two different tams, and so here uh the suit manifest for a depends on the suit manifest for b. Okay.

B

So that's the example: we're gonna walk through four different potential approaches that we could take, although one and two are very similar, okay, so option one works as follows: right the agent sends out a query request and just as a reminder, the query request happens by the agent opening up an http connection to tam a that has uh empty content. It's the first message which comes in that http response. That's current request.

B

The agent says: hey, I need a okay, so in this example, either here or maybe a priori tem a would have to reach out to 10 b and go and fetch or download the content. That's the the bundle with the suit manifest for uh for bundle b, okay, and so what protocol is this? That's why it's a dashed line here?

B

It's not necessarily the t protocol, maybe it's https or something, but um the question is well what, if tam b only wants to release that to an authorized entity that attests and so that's a whole bunch of extra work that would be necessary there uh and so that one's very complicated it might be doable. But it's very complicated.

B

Okay, to try to figure out what this fetch b thing is, but if in theory you could get b, then what happens is a would send install with both suit manifests in there and and the agent installs them both and sends back a success in the success case.

B

So here the difficulty is: what does this fetch b thing, especially when b needs the uh courier to a test, and in this case part of the point is tam a is not trusted by either for for the content of b, and so how do we solve that um complicated but potentially doable? If you want to do eventual work? Okay, so that's option one option two is very similar.

B

The only difference in option two is that the install messages are on two different messages right, and so you install each dependency success and then, finally, you install the dependent a, but otherwise it's the same thing. Okay option number three works like this: okay here so remember here the dependency resolution, one and two is done by the tam a now. This has to fetch all the dependencies, so it can push all the installs down.

B

The agent is only talking to the the top level tam you, the one that actually that the ua actually depends on okay, unlike uh those option, three puts the dependency resolution inside the agent okay, so my understanding is the suit manifest actually allows this, and that's why this one is my uh preferred uh out of the four. This is one I like the best okay and this one works as follows: right career request, hey, I need a that part's, the same tame, a just says: okay, here's a here's, some dangling dependencies.

B

It depends on b and here's the uri for b, and so that's expressed in the suit manifest that has this dependency on this thing that has to be resolved. Okay, and so at this point um the agent can't complete that install right because it needs the dependencies before it can install a, but it has the tan b's uri, because it was in that suit, manifest okay, and so it has to reach out to tam b. That says: hey I need to resolve a dependency 10 b sends a query request. Saying please attest to me.

B

Qr response says: hey! I need b, here's my evidence b says great you're authorized. You can install b, okay, great successful, and at this point the suit manifest processor is done with that particular dependency and then can continue finish installing a and send back success. A okay yeah go ahead.

C

um So how does the agent know that it needs to go to tam b, so in your messaging here.

B

Yeah in the suit manifest for a the manifest for a identifies each dependency, just like the ua's manifest identified the dependency for a and it included the tam a's uri. The all the information necessary to resolve that dependency would be inside a suit manifest that comes back in this install.

C

Okay and a manifest is sent query, request response.

B

The manifest is sent inside the install message right: okay, okay, so this install a has the suit manifest for a which includes. You know the binary, if that's bundled with the with the manifest, includes the metadata for a which includes all the list of dependencies, if any, which in this case would include the information necessary to resolve b. Okay. So here the disadvantage of a is just that there can be a significant delay between the install and the success of to that's in response to that install okay.

B

So in some sense, if a if the tam is trying to keep steep, then he sends this install and potentially never hear us back for a while right. What if this was a took a long time to download or just took a long time to reach or whatever there could be a significant delay in between here. Okay again, this is still my favorite option out of these, but that is the disadvantage.

B

Is you have to deal with this fact that I send an install and don't get back to success until everything is all done, meaning until uh the agent is kind of done and knows whether it's succeeded or failed, and so there could be a significant way. So that's the disadvantage here.

D

Is that actually a disadvantage.

C

So so the disadvantage comes to the the timeout and and the amount of caching potential that the tam. So it gets to to the question of the scalability versus latency performance when.

B

I get to when I get to the part two slide. You'll see, there's another wrinkle that doesn't show up in this particular example. uh So put that put put that question in the back of your head because we'll come back to it, but my opinion is no: it's not a problem. So all right, so so dave.

C

I suck at note-taking, so I was trying to capture the options and I didn't quite match the differences between options. One and two.

B

Okay, the short version, the one sentence version is on this slide, which is a slide seven in the proceedings. Oh, so maybe I don't need.

C

To take notes on.

B

Them option, one was the only difference, was one install message and option two with separate, install messages, and I only split those because they came up in the notes on issue number three uh issue: 43.. If they weren't.

C

Separated in the.

B

Issue in comments, I would have combined those into one option.

C

Oh, can you show me those again okay, this is.

E

Awesome one one: two.

B

No significant difference as far as the the main issue goes.

C

E

A

When you have a three and a four, when you have three next page, where you have four yeah.

C

I haven't finished with four yet.

B

A

B

Yeah yeah four.

C

Gets to what was.

B

Hannah's proposal: okay, something closer to honestly proposal here with that delay. I want to say you can see this install kind of has a hanging, no response until the end, right so honest proposed what if you had something else that came back here, that indicated you know continue or in progress.

B

He described it for a different case and the one that I'm walking through, but in the example that I'm walking through, then you might say you know I'm working on it. So it's not a success. It's not an error. We have to define a brand new message for this. That says: okay working on it just to let you know uh and then at the end you have to send back a success to send back the success either unsolicited.

B

By unsolicited I mean when you first open the http connection. Instead of a zero byte post, that gets a query request. It could be a post that just has the success in it and in that case it's unsolicited, and this gets into that question with um the discussion we were having about token yesterday, because the install echoes back the token in in here the in progress and so what token to use here. Do you reuse the token or, what's that some of the complexity there, or do you generate a new message here?

B

Is this another query response? You generate a success to you and so that's the complexity. Reason that I don't like option number four, because I don't think the delay is a problem and trying to define this other message or what you do about those to me is unnecessary complexity.

B

Okay, I'm gonna flip back and forth. So people see the difference between three and four again: okay, any clarifying questions between those two options.

A

uh Let's do this option three right, let's say imagine example: uh application ad depends on non-personal. Data depends on 10 or 100 other types, ps yep. Then this process takes long right. Do we need to handle that case? It almost puts this and dependencies. You finish depending it takes uh 15 minutes finish right, then your install a to successor a will not work. That's the line well,.

B

The same thing can happen.

B

The same thing can happen if you have zero dependencies, if you just have a really complicated install that just takes 15 minutes because you're on a constrained device and you've got to do a bunch of operations that depend on maybe resources being available that might take a while to be available and so on. um You might need this. You might take 15 minutes even with no dependencies.

A

So now, let's just separate yourself: it's a do. We treat as let's use http as a practical example right here, so we do it. It's a even in store a and successfully that's a two http transactions. They're, not the same transaction. We'll talk about here, mobilization token expiration right, not the individual, http transaction right, because we said it's a queries, but in stock a is a it's a uh it's um interesting! It's a it's actually requested. It's always initiated from agents right agent, reach out time, a yeah, so.

F

B

A

B

For anybody else, that's new each message going to the right is an http post and each message going to the left is an http response to a post. So there's a invisible post. That's right before this query request.

B

That's the response and the next http goes from here, and this is the http response um and then there's an invisible, empty post here with a message that comes back and then there's a post here with a response that comes back in the install a post in the success with a you, know: okay and then another post with a success with an empty response, and so that's how the http has http messages, work.

A

Right because these are two um independent or two separate active transactions and options, so.

B

A

Right, we need to ensure the token whatever that station, what have stations transaction id? Let's say that way. Install air well expect a token and then transaction id back say just that transaction done. As long as I have a longer uh expiration time window, this can work. It doesn't need to acknowledge it. It doesn't have heartbeat of acknowledgement. So I'm working on I'm working out right option for someone about heartbeat acknowledgement.

A

I'm live I'm working on, so I think that um I tend to not go there. I also favor option three or option four myself, but I don't change the protocol here dramatically to add that heartbeat acknowledgement.

B

Yeah right, um I'm gonna go back just to respond to you to the slide that we had that we covered yesterday, which is this one which is um uh pending the discussion that we will have in suit uh at the suit working group um that it is possible that we may not actually need a token for install and delete, and so there may be no need to keep state on the tam. With a token. So that depends on what the resolution is for suits. So.

A

So coco we need to identify- I guess, you're literally here, to try psychiatry or token.

A

We want to be stateless like that status means for user transaction right, but that data is in the payload itself when we say install ta1, hey right application, a this won't identify this one, that's transaction request, okay, say.

B

The identifier is the identifier of which suit manifest. You were installing that's right here and uh the response, and it this is basically copied out of the uh install or delete well. The install in this example, but.

A

It's uh it's not requested id. Is it right? It's a it's. What to install not to say we yeah, which transaction.

B

Right and so why do I care which transaction it was? I claim that I don't.

A

Well, I want you for that, to I have somewhere have a good time. It has two commands to install some out of order. Spam. Whatever say request is sent to install command, you need to identify which ones responded.

A

B

You're never going to have two installs for the same suit, manifest or if you do. The second one is a no op right, and so the suit digest identifies whether you're installing a or b.

B

You don't need the token to match.

D

B

Suit digest says.

D

B

Me in a stall with a suit digest. That's the token uh brendan preach, collect pre. Please uh correct me if I'm wrong, but this is my understanding so.

D

Correction needed.

A

D

I said no correction needed no, the.

C

D

Is that the uh the suit manifest has a digest? The digest is collision resistant. If you have a collision, reduc resistant digest, you have a unique identifier or a you know, statistically probably unique identifier, and that should be good enough for virtually any purpose.

A

There I thought it was a suit.

A

The manifesto file is a described dependency sparked with the application itself. It doesn't depend on which transaction right that is unique in that way, but it's a another unique based on like in the morning and send it send the install command where's the afternoon install command. Those two commands should be different. It.

C

A

Their own unique identifier to me those are different transactions all right, but I would object.

D

So said that, so there are different transactions, yes, but they have the same result and what you care about in suit is results.

D

So if you send the same command a second time and you have a dangling uh reference to the the first one that hasn't been closed and you get a record of a report back that says, I have installed this image or you know this manifest well. The result of installing this manifest is both of those previous dangling commands can now be cloaked.

D

It doesn't matter which one induced the the the completion, because both of them are satisfied.

B

My yeah, I am proposing I'm just going to summarize what brendan's saying by saying. I would like the uh t messages to be item. Potent.

A

The matter right so yeah, um like first command, do second one may become a uh evenly installed from client. It explained as a reinstall right first worked. Second install is maybe reinstalled or it in the water decline, so that actually has different interpretation. So I also feel that anytime, you do a device update web application. Installation should have unique transaction id.

A

B

A question to brendan um because the suit manifest defines the was it the the update procedure, if I'm using the right term capital? U update capital p. I think it's update procedure. Okay, if you already have a particular suit, manifest with a particular digest installed and you initiate the update procedure a second time.

B

What would you expect the suit reports to contain.

D

The suit report should contain exactly the same content as if it were installed, each of the checks will result. In the same result, each of the um you might get a different result code for a fetch like it might say. I've already got that rather than I got that. Okay, I'm I I'm not so far. We have left that as an application or an implementation dependent detail, um but it certainly wouldn't be a failure.

D

It might just give you a different result code, so the the result should be either identical or the parts that matter are identical.

B

And if it is, uh you know if the fetch had a different result. Wouldn't that be the same as if you pre-cached the binary and uh with the you know, in other words, the the binary was pointed to by the manifest, but the binary wasn't in bundled into the manifest, and if you already had the binary cache locally, isn't, wouldn't you get the same result in that case, the first time?

B

Yes, it's verifying, okay, so yeah that thank you for verifying my understanding. um So my belief, then, is that the token shouldn't matter, in other words, even if you were to reorder the two and respond um with uh you know, if you were to flip the successes in the reverse direction and match them with the opposite ones, you'd end up with exactly the same result.

B

G

Doesn't matter.

B

Okay, I'm going to flip back to their slide, but this is just where I was pointing to where it is in the student manifest.

H

So dave, do you still want comment on your questions from about 20 minutes ago, because I think I forgot most of my answers already now.

B

uh Any comments that you still have yes, you're next in queue, go ahead. Anything you still remember. Yes, I there's so.

H

Much I would like to comment on I I should have made notes, so uh the delay was a little bit vast. I have to uh highlight um so. First of all, there was this sequencing question. uh Could you go back to one of the interactions like option three, for example, this resolves a interaction between team. A and tempe leaves everything to agent.

H

uh I I still think there might, if you, if you're going with evidence and such there might still be a relationship between a and b, because I am not entire, because tem b now has to understand what is depending on it, when there is a request coming that when this is this uh thing initiated from agent. That is not highlighted here. I think, and then tempe has to request evidence now, and it doesn't know why um it doesn't know that tam a has some done something and provided probably also uh at the station requests.

H

It can be. Probably it could be another entity entirely, no idea what time a uh actually created uh evidence received for a and even if tempe would receive it. It could probably, I might not have had to discover a verifier to check that evidence, because it's again a separate entity somewhere else.

H

So uh it is surprised by this, maybe and uh and why, by the uh concatenated thing from option, one or two is- is somehow mitigating that problem, because tem a could now provide that information to me it is actually more fragile, because agent, I think, is a chaining and therefore, if tem a10b stuff fails. How does agent the agent know about this? uh That is like uh tab. A has to inform agent, like my dependency failed. That is more complicated, more complex. So, in this options three and four are better.

H

I think, but now the uh the burden of appraiser is somehow weird for tempe. It doesn't know. I think what to do here. Sometimes all right.

B

I done second respond, but I want to make sure you can finish before you forget what else you're going to say so.

H

No, no! That's! That's! That's the.

B

Most important thing: the.

H

Other three are gone. I think okay.

B

Gotcha, so let me respond to that, so let, before I get into b for a second, let's talk about tam, a okay when uh so the the way that this works is query. Request would include uh the challenge. So, if you're using nonces right, then this is where the nonce would appear and the e will appear in query and query.

D

B

Sorry I was getting background noise. What's that somebody interrupting.

C

I think somebody uh they muted, okay, okay,.

B

So I'm just I'm going to say what a is and then I'm going to say how it's the same for b. So in a the same message that carries the evidence also carries the fact that it need that it's asking for a but what it does not pass. The tam a in the current protocol is, it does not identify which untrusted app is expressing a dependency on a okay.

B

It's not something would normally be in the evidence unless we start specifying it in rats, and it's not something. That's the t message. So what that means is tam a is making a decision purely based on the fact that the agent says that it has a need for a and the team can decide whether to grant that request or not, regardless of who's depending on it. Okay.

B

So now, let's go to 10 b same answer: tan b.

B

It could have been that this uh that the untrusted app had a dependency on b right, if that was the case, tim b, wouldn't know which untrusted app at least today, and therefore it does not need to know at least that's the current claim, which he, the fact that it's a you know, taa. That depends on b, because it didn't know that an untrusted apple, that's not part of the requirements right now, and so here what happens? Is that the reaches out to tam b and 10 b doesn't know why?

B

Yet so it sends a query request. What's your state, and why are you asking me, okay and the response, the agent attests with his evidence and says, and I'm talking to you, because I need b, apparently, okay and then tam b can decide whether to grant that wish or not. So the point is that tam b is doing the same thing as tam a where the thing that you're worried about is not currently requiring the protocol. You don't care what the dependent, what the dependent uh piece.

H

Okay; okay, that is what's confusing to me, because the slide literally starts with dependencies and a dependency chain, and then the solution has nothing to do with dependencies at all, so that.

B

Is something that has to do with yeah? The title is showing what the suit manifests look like right and so in this. If we were having this.

C

B

The suit working group right, if we said if you have a reference from one suit, manifest to another suit, manifest right where a depends on b, there's nothing in the manifest for b that identifies a only the other way around.

H

Okay: okay, in this case, all the decisions- why something is not working in this option? Three or four even is better, because uh yeah the agent has total control of about completeness. um It might be interesting to have this uh aliveness feature. uh I have no strong opinions of what is unless it's, if it doesn't scale. Well, if you do that, a lot right.

B

Right right, my I have two goals that I'm attempting to optimize simultaneously and maybe at odds sometimes, but I'm hoping not one is that I would like the agent to be able to scale down to a constrained device and number two. I would like an ultra scalable tam that ideally has zero state or, as close to zero state, is at me zero state between http requests as possible.

B

Now that might not be possible, but how close to zero? Can you get, and then you can make your tambie ultra scalable.

D

Okay, so all right, I have some comments. I guess I should join the queue.

B

I can't see the queue so unless nancy's managing it, I just speak so no.

C

I mean remember, nobody's helping take notes and.

E

B

We have a small enough participant list that I'm fine, just jumping in unless nancy.

C

Wants to start, you guys should just jump in I'm I'm not. This is a side meeting yeah, so jump in brennan. Don't.

I

D

Yeah, okay, so uh option two is an interesting one. um I think we could make it work if, if you, if this is what you want, if this is desirable, then the only thing I see here- that's even remotely problematic- is that tam a might lie and provide an old version of b that it fetched at some previous time.

D

But that sounds like that: providing very easy to overcome.

B

Yeah, that's not the only problem that is one problem. I I I believe that this one would be solvable if we wanted to go here, it's just a bunch of work, so the bigger. I don't think it is the bigger.

C

Question to me is if please work.

B

If tambi's policy is that, I will only give out the b suit manifest to somebody who attests to me that I trust that they're running inside of the right tee.

D

Okay right, so so you can. You can deal with that by forwarding the evidence on from the agent.

D

If tam a forwards, the evidence from the agent on to.

B

Tambi, it's not that easy. No, the evidence itself. If you inside the rats architecture, you have to ensure that that evidence is fresh okay. So the notion of the challenge is to say, if you're using nonces, which is the way that eats were first defined, it might not be the only option. But nonsense is like the thing that we usually talk about.

B

Then the evidence has to sign the nots provided by the thing that wants to receive the evidence, and so that means you can't just forward on the evidence used for a because that would use a's nonce and you need the one signed with b's nots.

D

Okay, there's probably a way around that, in fact, I'm convinced there's a fairly clean way around that, but it starts invoking trusted time servers.

B

There are three options in the ras architecture.

D

B

Nonsense: okay, which requires an extra round trip to go and fetch the nonce, but hey you know the teat protocol. Has this query request step that kind of has that extra thing which I would like to get rid of in cases where you don't need it? The second option is synchronize clocks, and so that one requires time stamps, but it requires that you have a clock and that that's actually synchronized with a trusted time source.

B

So that's the hurdle there and the third one is something that is using handles um that requires both of them have the same epic number that they get the same epic uh thing from some trusted handle distribution server; okay, that one is actually doable and uh can potentially be used to solve this as long as all of them have the same, handle distributor.

B

I saw hank nod once, and so I don't know if he has any comments on that, but I agree with you brandon this one is solvable, it's just work to solve it. um I don't know if there's sufficient reason to do the work to solve it or if we should just say we're, gonna specify option three fair enough.

H

Yeah, I can add to this that this uh both solutions, synchronization of clocks or distribution of handles, requires extra effort. It's as easy as that, um and so uh there might be scenarios where this is unavoidable, but then architectural advice, it's also doable. The evidence conveyed can change uh appraisal. Evidence is not defined here. So so you can add that on, but without it you cannot. Do this fair uh relaying of evidence by still claiming it's fresh.

D

So you do have one more option that is.

H

The timestamp server.

D

Right the trusted timestamp server puts an additional uh piece of effort in that the agent has to get its uh its evidence. Time stamped rest of it falls away the rest of it's fine.

H

That is a handy distribution. Thingy like you, can you can do it's a hybrid of handle and clock. You can, of course, with every uh request for evidence. You can butterfly uh keep a uh fresh timestamp from a timestamp server that that's how tuda works effectively uh the time-based unidirectionalization, and then you can relay evidence as long as you will want for the feasibility of the timestamp token, and so that that's fine, of course. Also, but it's again it's it's.

H

It's introducing the idea that both temps have to have access to the same timestamp server provider, which is a handy provider in the architecture actually yep.

B

um Ning you were trying to.

A

Say something yeah? I would like to add the comments. I just said uh this model was option. Three in general are favor options for reason. uh Think about the chaining dependency right. If the a depends b b depends c. So if his option two will be collect c and count back to a because I don't want to scale. If I let it divide, the agent handle that right, 800 dependency is equal to a go. To b. Equal to c depends on that. If you have chain dependency, it can go further.

G

A

C

A

It will fail yeah.

C

I don't see why I think any of these options will allow for that chaining. It's just you're, just nesting differently.

D

Oh sorry, I I actually.

I

D

With that point, and in fact the thing that I would bring out is that when especially when we start invoking things like a uh constrained device, getting uh one of the tams to do all of the work for the constrained device and thus cutting down the number of round trips, it has to do cutting down the bandwidth that it consumes cutting down.

D

All of that even the number of secure sessions it needs to establish those all save resources, those all cut down what the device actually has to do and that gets you closer to being scalable not further.

B

Ming's point is that if you have a tree of stuff, you know a depends on b depends on c a depends on d. If they involve different tams, that means you have to go out and collect all of the nonces and stuff send them down to the agent. So you now have a whole bunch of nonsense. You need to include either in your evidence or evidence, sets somehow to be able to pass back. That's the complexity. Is it solvable?

B

Yes, if we want to do the work, but I don't know that it's important work to do so.

D

No indeed, and that's where the question of unidirectional attestation probably makes more sense.

A

Another comment so, if I may say devices, we may not have this control. I complexity that monetization to oppa, maybe right so constraint devices that application may not be that too heavy. I would say never station need to go out. Hopefully that's a it's, not a comma.

A

So that's exactly right, so you're good option.

B

Two is the one that had us originally put into the issue that he filed. So I think this is what he was thinking when he filed the issue before we had the discussion, and so since he's not on here. I'm just saying.

C

B

He's on your own.

D

Welcome very descriptively.

B

Named web authorization.

D

B

Since you opened this issue, do you need me to go back through these or do you have opinions on them now.

C

On this, you may be on mute.

H

H

It could be no microphone locally muted, but this webex is on.

C

A

Let's say I'll put it in the chat here, I'm doing it, he can kill us. Okay, yeah! Let me do it so, okay, good! Thank you.

A

Let's ask whip us like. Can you hear us.

C

Just like I'm, I'm the rats working.

B

The entire working group- yes.

A

B

Okay, so I do have one more slide. That's a different example, uh but I don't know if, but we can go back and forth between these. But uh if honest, you have any comments before I add in the the last piece of the question.

B

Did anybody else have something they did not get to say yet on options? One two three and four before I add in the other piece, meaning same question: different example um yeah. I do.

F

Yes, so um from from the what I learned from the hackathon option, one and two difference between one and two and three or four, is how much the cheap message format gets simpler or not and making the time as much as possible as a state list. For then the tip message format gets simpler and simpler. So.

B

Yeah! Wait for the last one too, because, honestly, that that your your point is actually a nice segue to the other problem during.

I

The hackathon I was trying to.

B

Implement: okay, yeah, uh okay,.

C

Akira um you're saying the messages get simpler as you go from one to option. Four.

F

um Between one and two.

C

F

And between three and four.

C

F

Three and four is the mo: it gets simpler. Yes,.

B

So I'd like to show the other example then, unless hanus can speak um because you'll see there's another dimension, that makes things complicated as well. So here's the other case. Okay, remember this case was: I have a ua that depends on ta that a that depends on b, okay different case starting from the ua. In this case I have an untrusted app, that's going to be updated, so it's already installed and previously dependency on ta1 right. Sorry, I'm!

B

I was using a and b now, I'm using one and two yeah sorry, uh so untrusted app depended on tb1 new version of ta, sorry of the untrusted app comes down.

B

This one now depends on ta2 instead, okay, so maybe I switched out a crypto library and I'm now using a a different uh ta implementation of that crypto library or something like that. Okay, so I want to remove the dependency on the old ta and add a dependency on the other one. Okay. So that's what happens on the untrusted, apps, updater, okay and now, furthermore, assume that space is scarce such that I only have space to install ta2 after ta1 is removed. Okay, that's the example.

B

I want to walk you through okay, that if I tried to install ta1 first before removing ta2 I'd get sorry out of space okay, so what happens here is if I walk through the flow right. The query response gets in this I'm going to use both of these making these simple to say: there's only one tam here I could split in two tams, but uh let's combine it into one tam just to keep this one a little bit simpler.

B

The query response says: hey, I need ta1 and my and I no longer need ta2 okay. So the query response has both of those in there and you say what does the tam do now? Okay, it says, because I wanted to try to implement this and I scratched my head for a while saying. How do I implement this? What do I do in the tam?

B

Okay, because what you need to be able to do in order for things to succeed, you need to first send a delete on ta1 and then, when that, once when that one finishes, then you can install ta2 right. If you do anything else, any other sequence, it won't succeed. Okay, this is the this is the golden path right. You do the delete when the success comes. You do the install. So how do you actually do that?

B

So you can say well. What I want, then, is: I want the delete success. Response could trigger the install message going to what is the trigger is the install because, normally so far, we've only talked about an install being triggered by a query response. Okay, and so how do I do that? Does that mean that? So these are different possibilities right says: what do I trigger the what it triggers this install message right, because the query response that I needed ta2, but I only sent a delete message.

B

I couldn't send the install then I had to wait for the delete to finish so what triggers the install is the question? Okay, now think about what happens if the uh okay, so what happens? If the success message is, uh is you know lost for some reason it times out, uh because there was some connectivity glitch or something so it couldn't contact the tam, and you know maybe something happens with another thread or whatever that there actually is another query response: was there a race condition or what? How do we resolve that?

B

What's the right way to specify the 10 behavior, so here's four options there. One thing we could do is to make the problem go away by combining install and delete into one message, and so, instead of having to serialize these, just going back here. Remember back here in option one we can pass multiple suit, manifests and install. So this is this: install a plus b is the same as two separate messages and for the delete and install they're two separate messages, so we could have a message that does install a delete.

B

You know install b, delete a in one message right. So that's what option one is and which would change the message structure to combine both of the fields in the install and delete into one message to be an install or delete message, and that would be option one okay, then you could do it in one round trip and not have to wait and keep state and remember: oh I'm waiting around to install this ta two, and so I have to remember that he's asked for ta2 and so on. So that would be option.

B

One option two is to say: well I never have to remember anything. I only triggered the install of the delete in response to a career response right and so then the query response comes in. I see a delete and an install request and sorry I ignore the install I sent a delete next time around. He has to j, he has to connect to me. I generate a brand new query request.

B

He sends a career response saying I need to install ta2 still, and you say great now I can install ta2 okay and so that when I the success doesn't trigger anything. I have to cause the agent to generate another query response in order to trigger the rest of the flow that would be option. Two okay option, three is to say the success and the query response get to combined into one message.

B

So my query response can say, and I now need ta2, and so we would combine the fields and success and query response into one message similar to option number one. So listen, there's still two round trips, so the analogy here is uh delete a sorry. uh Let's say here delete a success in career response. Sorry, it's and uh install the other one in success. Right that I didn't draw the picture here.

B

Option number four is to allow the the installment delete to be triggered either by reception of a success or a reception of a query response.

B

But this has a bunch of extra complexity, because the success is giving you the deltas on the state, like I just finished, installing one thing, but I'm not retelling you what I still need or what I don't need and the query response is the full state. And so now I have to deal with being able to parse both deltas and full stage and deal with that in my state machine, and so this one, in my opinion, is the most complex um out of these.

B

My preference would be option number one only because to uh brandon or whoever's point this one reduces the bandwidth and constrained devices by getting things down into fewer round trips. That's option number one: it's the only one that has the that has not an extra round trip. All two three and four all have the extra round trip and so option number one would be the most friendly for a constrained device in terms of bandwidth and latency.

G

uh Dave- this is honest. I don't know if you can hear me can go ahead, um like I missed uh the initial part of the discussion but uh leveling up into where we came from and and what we discussed on the github issue. um I think the difference between uh your view and my view was.

G

You basically argued that the dam should do all the conflict resolution and then it just pushes things down.

B

I'm arguing that only the agent does dependency resolution. That's option three right option. Three is the one that is my proposal that only the agent does resolution. The tam never does dependency resolution. In this example.

G

Oh okay, then I completely misunderstood your because you you said that these additional messages which I have introduced like in I think this continued up or something is not needed, but I think then we on the same page any way uh already on that and- and the question is um what you are looking at here- is: what's the best way to implement it then.

B

Yeah option number three before you get on, I was explaining. There's no continue here, there's only a continue in option number, four, the continue or in progress or something option. Number three has no new messages and all the dependency resolution is on the client, meaning the agent, and this is the one that is my preferred approach. The disadvantage on this one is that the 10 sends an install and it may be a long time before it gets the success message for a because the dependency resolution has to happen in the meantime.

B

But my belief is this: is the normal suit manifest processors dependency resolution thing is consistent with the suit spec.

G

But, for example, here in this exchange uh you, the client, in with the install the client, gets the da and then suddenly figures out that oh, it needs some personalization data uh from a different from bambi, let's say, uh and but it has no way to send that message to time b. It basically has to wait till it gets by magic. uh What is there or is that the message that is not it's kind of hidden here, yeah.

B

uh Sorry I walked through this before you get on so I'll briefly do the same thing, but this is showing us the teat messages, the http messages, if you remember, there's never.

C

B

Line going to the left without a line going to the right, that's a zero byte post and so the.

C

B

Request is a response, and so what happens here is in the suit manifest of a it identifies the dependency which in this case it depends on suit manifest b, which is reachable via tam b. And so what happens is he has to open the zero byte post off the tam b, saying I need to contact you ten b then responds to the tea queer request, saying.

B

Why are you talking to me and then he says, here's my here's, my evidence and I now need b and the flow continues, and so the invisible one is that zero byte post, okay, good yeah yeah, um that makes sense.

B

Okay, so this was uh saying uh my preference is for option number three, although the other ones could work with effort, okay, but option number three. My belief is that this is the simplest, but this is still a case which is only doing install and stall. So the other variation is when you have a delete and install whether they're two different tams or the same tam and in the case with the same tam.

B

This is why I argue that if you want the tam to be as stateless as possible, then either option one or option three. Where option one is the simplest.

B

One is the one that allows the tam to be the most scalable, as well as providing the fastest latency and bandwidth reduction in option number one: okay, but this one does require a message: format change, because we take two messages and combine them into one message and take the different fields and say: they're, just optional: you can have installs and or deletes in the same message, but probably not a big drama.

B

That's my belief, and so here, because I was trying to implement this during the hackathon. I was working on the delete, behavior right and I came into this case here in my implementation, saying I don't know what to do if I, if I get both of them, and so I didn't implement the case of what happens when I ask for both of them, because I kind of stopped here and said file issue and we'll discuss first before I go to implementation.

G

B

And so because, if they would have been commanded one message I could just do it all in one pass. I don't have to keep any state query response generate stuff. Send the install slash visit, delete flush, all state, I'm done wait for the next time that he connects and so option number one would be the simplest for the tam yeah. The reason.

G

I think why we had this installed delete as separate messages was um related to the earlier debate about the security domains where creating a security domain was more um had this separate um sort of additional payloads uh and now, if and the delete didn't um so I don't yeah.

B

But now we move that into the suit manifest, and so that means the cheap protocol is simpler. Now so right, I think you're right the original reason they were split. Those no longer applies yeah, so other implementers akira.

B

uh Do you have any uh thoughts on this? Would you be okay, combining insulin to lead into a common message? Other implementers.

F

um Yeah one of the three is yes, it's the same as uh tam is going to. Tam is going to be a stateless or the agent going to keep the tracking. So uh yes, one is the time.

B

So three keeps it stateless, but has the extra round trip one.

F

Gets rid of the extra.

B

Round trip, yes,.

F

And for the tip message format combining installing the link? Isn't that isn't that it doesn't look yeah.

B

F

B

To both of them is identical, that's the success or error message and so you're going to do the same kind of response to both messages anyway, and so one of them has a list of suit manifest and that one has a list of component ids to delete, and so we just put your installer delete message: has a list of zero or more suit manifests and a list of zero or more component ids to delete.

B

Can you say why you prefer three.

B

Yes, I agree with hannes, uh but I don't know this suit, I'm looking for, if there's a technical reason to prefer three I'd like to hear it, because I can't think of a technical reason. The three is better than one.

B

Okay, because otherwise, I'm going to generate a request that does option one on this screen and option three on uh on this one, uh because that's my preferences here, but if somebody can give me technical reasons why something else is better happy to listen.

H

um I might have a comment on combination of content or messages. Basically, basically, you are uh you're not actually combining the uh operations. You are concatenating them in a single message, so that could be a general structure because it could in theory, then facilitate one or three.

H

Both don't know, I'm just asking sorry.

C

I was gonna, ask the same thing. I I see them as being separate, and so you could do both.

D

um What is the reason.

B

D

A single post request, per command or per request.

B

I want to respond to nancy that I didn't understand your question. Brandon uh in option number one. This combines two messages that are going from the tam to the agent option. Number three combines two messages from the agent to the tam. There are actually two independent things right doing. One change.

C

B

Do the other one.

C

Correct and that's why I was saying I I I guess I wasn't seeing them as as one or three you could do both.

B

Yeah, I I don't know if a reason to do three is my question, but sorry.

E

B

E

On to your question,.

D

Yeah I'm just asking if.

B

D

A specific serialization reason, or something else that has uh induced the pattern of sending only a single t, message per request or response.

B

When you say I I'm trying to parse your words here and translate them into t protocol terms, do you mean only sending one response? Query one type response in response to a cheap request or you're asking about something at the http layer. That's what I'm not understanding which.

D

Question I'm asking about the intersection of teep and http. Is there a reason to send only a single tp message, be it request or response in any given http message? ah Thank you.

B

I understand your question now: um no, the uh other than what the transport specs says right now, but there's no inherent principle behind that. That says that that's a requirement and if you haven't.

C

Either right now it is zero.

B

Or one, and if you want it to be zero, one or more, that would be possible if there's a good reason for it. Yeah.

D

If you made that change, then you.

B

I'm thinking about that. That's an interesting observation.

A

um And I got a comment here I mean so um I see this as a slow slope here where we combine. I understand all the nominations I'll give it. I want to see this one. Let's give an extended example here I depend on application, one, but now repeat by tier two and tf3.

A

Right again, I go to uh plural, suffer ts. So now we optimize that up by option one you have, you should delete one message. So it's a delete here, one but installed here to not tier three, so where's the ps3 will hang out right so which one pick uh so that's right.

J

A

Sense for the patch yeah.

B

Today, that install is a batch and a delete, zip hatch today.

A

Right so now they say right. I talk about case here is right. You install uh ddta one button, install tier two and tier three. The.

C

A

One approach we were getting one message: what does that mean? That means away delete tier one install both tier two and tier three in one message.

E

A

As a batch as a batch message.

B

Correct today you can install ta2 and three in the same message and you can delete ta1 in a single message or you can even delete five tas in one message and you can install five tas in one message. But what you can't do is you can't uh delete one or more and install one or more in the same message.

A

Doing mixed operations, which I said today so one operation type by message,.

B

So here, if we were to combine them and I'm going to compare it with brendan's suggestion- which I hadn't thought about before, um if you combine them into one message, then the behavior is you: do all the deletes before the installs? Okay, you just process all the deletes you process, all the installs, then you're done with the message, and you send back your your uh your error or success with the suit reports.

B

If you split them into multiple messages, you could have done that, like. Let me go back to say this message here with install a comma b. If you took brennan's approach, you wouldn't need to have done this. You could have done another variation that would be semantically. The same would be install a and install b as two different t messages in the same http response right. That would be equivalent in brendan's example.

B

So I think the only difference is better separate compression, but semantically it's identical, but I think, like I said, I think the only difference is, um is just seaport compression, um I think the other possible difference. I don't maybe there's an interesting thing there.

B

I can't think of a case is, um if you install a and b, if you're, using tokens which again I'd like to get rid of, um then you'd have to have a all the answers being the same success message as opposed to, if I said success for a and success for b, I could split those into two different messages sent at different times.

B

If we get rid of the token and just use the suit digest, then that difference goes away and the only difference is this: is the zebra compression what you could.

H

Do for the success? Is you uh open up a sibo sequence of all the success responses and stream them until they're done, and then you end the rest for a connection.

B

Yeah but my example is what happens if successive a and successive b there's a delay of, say uh you know three minutes while you're doing work in between those two right right.

H

And on the rest, close stage.

B

I don't want to have to have a hanging hdp uh connection, that uh the tam scalability.

H

Oh you're thinking in http, I was I'm thinking, http, 2 and co-app, and there that is not an issue. But if you're going with old-school hdp, that will become an issue. Yes, yep.

I

C

I think for constrained devices we we have to presume conventional http for now well,.

B

That argument goes both.

C

E

B

People would argue that.

E

B

Constrained devices you want to go co-op, but uh that's a different argument. It's outside of our workshop right now.

G

Actually funny enough, because we also discussed this uh sim cards use an http s based protocol straight into the sim card. So and sim cards are not necessarily known for being high performance devices.

E

B

Okay, any other thoughts on this, because otherwise I'm going to take some direction and and do pull requests for people to review, uh to see if you like my write-up of option, one on this slide and option three back here, uh because I think that gives the most efficient answers in terms of both separate compression etc. So I thought brendan you made me think to see. Is there actually an advantage to do that? Because that's that's not a your point is correct.

B

um I don't know if it buys us anything given that you lose some support compression, but it's would you like a further spanner for your works.

B

I will accept one will I like it, I don't know, but.

D

B

What's this better.

D

If you go down the road of sending multiple seaboard messages within a uh a single http request- and you just so happen to pack those in a single seabor structure- and you look down the road to when packed seabor is available, your packed sea or argument goes out. The window.

B

Okay, I understand, I think in the past we said uh we would have to do another version of the protocol if we ever wanted a switch to use pepsi boar, and that might be never um we don't know so that was the iutf 108 discussion.

H

Yeah, having seen this progress, it looks likely that this is a useful thing and will happen right now. um I'd also say that, for the options here, why brenton's suggestion is a very interesting compromise for meeting in the middle here.

H

I would also like to hear an argument why the mixing of installation, operations and deletion operation operation general is not allowed, so you could have a single cheap message, not that http congratulations of off of messages right.

H

That would allow for all of these, and there might be a reason why you don't do that, and one of the reasons might be the the the latency of the accumulated uh batch operation here, uh which I understand now, but but uh but there is a reason why you haven't done this and you're considering merging, install and delete only on the message level and not on the transfer level, and that is, I think, an option that has to be at least spelled out at some point. I think.

B

So right now my preference brennan, so just thinking about the discussion we had at 108 that I just summarized you can look in the minutes, but there was a discussion about. I think it was 108 right where we talked about paxibor, 107 or 108.

B

I think it was one way, but um some recent iatf uh team meeting, my preference, would be to say great idea what, if we just punt that to say at such point in time, if ever as we take your dependency on taxi board, then we do it at that same time and just go with option one of this slot as being the simplest one. For now um that would be my preference, but I am not. I don't feel strongly about it. So.

D

The argument I was making to be clear was that you put take a dependency on packed seaborg, but you simply recognize if, if pax seaboard became available, then it would be a relatively low cost upgrade to cut the bandwidth costs yeah. I understand.

B

um I guess partly my preference has to do with the transport spec as currently is currently specified. It has multiple uh interoperable implementations right now um and number one does not require any changes to that and your idea would require changes to the transport spec and implementations and get roughly the same behavior and maybe some additional advantages that you're pointing out. But I don't know if it's if the advantages are worth having to change the spec and the implementations. If the spec has already completed working group last call so, but it's a good question.

D

Fair enough I mean. Maybe this is something that sits out and and sits there in the back as background is an option for the uh the the next variant of the spec. If one ever happens that.

B

Was exactly what I was trying to say when I said at such point in time as we depend on taxi or whatever else so you know hold for document, update type of uh response, yeah.

B

But it's a you're making I'll think about it. Some more! I see if I can think of any other things after this, but uh thank you for raising the question. That's a great point.

F

um In the future discussion of the tip protocol, um we really need to this uh defi um um concrete to make a decision who's going to. Who is the person going to take uh responsible of a dependency resolution, so the agent side or ten side, and I think everything today's discussion is going on. The agent's side is going to take care of the dependency and then after yes,.

B

Brandon, do you want to summarize the suit discussion uh and the suit manifest around uh dependency resolution, just like.

D

Give us a little bit.

D

Manifest the way the suit manifests work, the only uh entity, that's actually trusted to do dependency resolution is the manifest processor uh and that's just because anything else can uh play nasty games if you have multiple trust domains involved. So if you, uh if you have to evaluate who is allowed to install um a a component in slot in positions a b and c, then you need to make that determination actually on device there's nowhere else.

D

That can trust it to do that, and- and so the result of that is that dependency resolution can only be done on device, because only the device can be trusted to determine whether um the the various signers of the various components actually had the right permissions to be able to do that. um So that's that's the effective result that, when it comes to dependency resolution, the um the manifest processor looks at what dependencies are required and fetches them, as required.

D

Nothing specified as to whether this needs to be depth first or breadth first, but it's probably a depth-first search.

B

Thank you, so that's so, in other words, the suit working group. The manifest processor is on the agent side, just to put the two terms together.

F

And we only have it uh option for the option three and four and.

B

Well, uh option one and two would be possible only with a bunch of extra spec work.

I

And it would be.

B

Harder to do with the suit, with the normal suit model right. So yes,.

D

F

The kind of that's.

D

Where bundling comes in in the suit manifest, um there would be nothing to stop you from producing an additional manifest which bundles a bunch of things together overrides a couple of locations and as long as all the permissions work out, it's fine, but it can go in one.

B

Message: okay, um I see uh uh so my son mentioned so I'd ask why uh you prefer option number three on this slide instead of option number one uh and the answer was each remove and install results are contained into a single report which is better and I'm asking if you can elaborate on in what sense it's better right. I mentioned why I think number one is better in the metric of uh round trips, for example, um but in what metric do you think option?

B

Number three is better if you can put that in chat or.

B

Whatever because rtt, I don't follow because option number one has a one: fewer round trip option number three has two round trips and so option. Number three still has I'm gonna give the analogy here um I don't know. Maybe I'll use this one gotta say: um delete success, query, response, uh install okay and so there's two round trips. Where option number one combines these like this one, and so it's installer delete and success. So the equivalent is this one looks more like option one. This one looks more like option number three.

B

If I change the labels and so round trip time would argue for option number one I claim so unless I'm missing something so.

B

Okay, I just wonder if we want to okay here we go single report, shows the proof of transactional updating processes, success um a.

B

Error message or success message can include more than one suit report each you know zero, zero or more suit reports right. Each suit report, reports on the success or failure of a particular suit uh manifest by digest, and so your response can report on any number of successes and any number of failures in the same uh success or error response.

B

Okay, oh I see okay, maybe that answers your question. So single report does not mean single t message: it can be zero or more shoot reports per teat message.

B

Okay, unless you comment again, I'm going to assume that that answers your question, but if I'm missing something, please feel free to continue.

B

All right, um what do people think should we go to a different issue for a change.

C

You should um okay, I I only set up the webex for two hours.

C

B

I said we can either stop now or we can use 45 minutes productively if people are because if you would have stayed for the whole rat session, then.

C

Yeah, no, I I'm I'm just being cynical because we've spent an hour and 15 minutes on on one issue.

B

I'll tell you what the ones that I picked for the slides with the bigger hairier issues right at the end of the slides. That means comparatively everything else is uh far more straightforward, because I didn't call them out for slides right. That was very intentional.

C

F

uh And also most.

D

F

Most of the other issues is related to 40 and 43.

F

B

F

Clear we did it, but for the message format relation yes,.

B

um So between yesterday and today I tried to uh open some pull requests based on things we talked about yesterday. Would people rather spend time seeing the proposed resolutions that we kind of agreed on or would people want to spend time picking one of the issues that we haven't discussed yet and start getting into.

B

That I don't know uh akira do you have a preference.

B

Or what? What which thing to talk about next um for everybody else I'll mention the nomenclature that we're using here, ready to close means, it's already in the published internet draft um have proposed text, means that sitting in a pull request. That's not yet merged and fixed an editor's copy means it's merged and get in the github copy, the editor's copy, but not in the submitted drafts, and so those the three labels.

B

So anything that says fixed an editor's copy means we've already merged it. It was on that list of stuff that akira showed in the group yesterday that says, some things have been merged have proposed text means that we probably already talked about it, but there's a poor request with text that you may not have seen, um and blank ones are ones that haven't been discussed in meetings so other than it was on, probably on a curious slide of hackathon issues, which is why I'm asking akira. Is there something you think you'd like to talk about?

B

You want to pick one.

B

Other than that, because I can pick one I'm just I I picked the previous ones, and so if somebody else has a preference, you know go ahead and pick one. Otherwise, I'm happy to just to just arbitrarily pick one. But uh I uh look at the other implementers to see. Is there something else that you consider blocking.

F

Not not really.

B

All right, so, um how about we s start at the top and kind of triage things and at least agree on. Maybe what the next step is? Who has the action item.

B

Some of these might be easy. Some of these might be, uh let's take it to the list or uh whatever. So I guess I'll just start at the top, if that's okay with people yeah, okay, all right.

B

um So who is uh this one? Is that somebody on the call, I I don't know github handle to uh real name mapping.

F

uh He's not in the call but um yeah okay he's working with us. Yes, okay,.

B

So I understand the issue the the question he's raising is today. What the draft says is that the suit manifest is embedded see where's the example um is embedded.

B

There's a two examples: okay uh is embedded directly with cbor versus embedding it as a beaster that you didn't have to call another seaboard processor on okay and so whoever filed this says. You know he would prefer it if it was embedded as a beaster, but you don't actually see the manifest. You just see this uh blob here, as opposed to today, where you paste it into say a seaport decoder and it actually decodes inside the manifest.

B

At least inside the suit envelope, I should say not the manifest the suit envelope so since suit envelope is something that brendan you defined.

B

Do you have any preference or recommendation for how you expect people to use suit envelope.

D

So the first thing is that suit envelope is probably uh pending the suit meeting going to be used as a suit envelope tag.

D

As in we're going to define a a keyboard tag for suit envelopes, I important step here. um So if you care that that's there, then maybe that's something. That's other than that. The the next thing you should probably know is that everything inside of the suit envelope is already b string wrapped, so that may or may not affect your opinion of this.

D

My take on it is that it's easier to set the end point of your suit parser to determine whether or not you've got an overflow of an individual object. If you know where that object ends,.

B

So is that an argument for here it's making a point that says the fields inside the envelope are already b stern coded here right, you see, this is just a b beaster. Instead of the actual full, you know cddl and stuff. I use things that argues for doing bister and coding.

D

What it's saying is that it's not a deep structure to parse the manifest, and so you don't lose a lot by parsing it. However, that being said, if you want to find endpoints safely, then you probably want to have the uh the the end pointer, something that you can actually set. um What that will also point out is that you get a little bit more reusability and modularity of code, if you, uh if you do, structure things in that way.

D

One of the arguments that I was given for wrapping cozy structures in b strings within the list of cozy structures. That we've got was that this was what the cozy libraries actually expected. They wanted a start pointer and an end pointer, and if you didn't have an end pointer that was difficult to do, but.

G

Brenton, uh like I didn't quite understood whether you suggested us to use the b string b string based wrapper or rather than a structure directly. That's what I didn't cluster.

B

Bistro comes with the length, and so you know right where the end pointer is in the in the example that the filer uh wants us to change to what we have now looks like this, and when you start the uh object here, you don't have the pointer, you don't know what the actual size is, and so you start you can you say well the size of this one is such and such and the size of this one and such and such, but you can't just jump to the end so.

D

And that that's relevant for some uh library implementations so like this is why I made the point about the cozy objects within um within suit the one uh it was when kuhn was looking at this. He said that it was really hard to um to hand a cozy object to a cozy library. If you didn't know what the end pointer for that cozy object was okay,.

B

All right so you're saying your recommendation is to go ahead and accept the request and change it as uh directed here. So it looks like this.

D

Yeah, it costs you a few bites, but it makes your software more modular. Okay, I am convinced.

B

By your argument,.

F

And it's more easier to make the examples. Yes in the deep message. Yes, yeah.

B

Okay, so uh deep side, meeting discussion. Yes, let's do this. Okay,.

H

B

Increases visibility.

H

Of structure, so that is the this is the cost. The cost is the decreased visibility, but if you do it in a modular way, as brandon says, it actually might provide you with a canonical way how to go through the layers here and then it's not a problem at all. Okay,.

B

So I'm going to go on 83 we've already talked about the meaning that was part of the slides. um 81 was part of the slides. We've talked about um this one came up on the hackathon and was already accepted, and so I'm going to skip over it. It mean accepted by the implementers, and so it's not as interesting to talk about, given that all the implementers already agreed at least the implementer is worth a hackathon agreed. I should say basically what this one says is.

B

The text was ambiguous in terms of when you need to include the tc list, and the answer is you include it whenever the query request asks for it: duh, okay, okay, um so going on to this one, so accurate, you want to summarize what this one is going to scan through it here for a second.

B

F

So, uh for me, it wasn't very difficult to understand, but for me uh for the re just reading the draft, the text and the the person who never attending the idf discussion- maybe maybe it gets confused, there's a two places for signing and who's going to take who's going to be responsible for the signing, um keep message itself and the suit manifest, and my my take my understanding is the suit cheap message itself is, should be signed by tam and suit. Many faces should be signed by tc, just ta sign or t developer tc site.

F

B

F

B

Editorial there's no technical thing to discuss. It could be that we point back to you know pick your section, the architecture document or that we have a one sentence version of each or something make it more readable. There's no technical question here: okay,.

F

Yes, because just reading the message protocol draft, it doesn't say why you need to uh signers actually, whereas.

B

The architecture document does.

F

B

B

um 78 we, you started mentioning at the end of the meeting yesterday akira, and that was the one that I asked you, which uh issue number covers it and you said 78 right before the meeting ended, and so let's just show people what was in here.

B

um This is the one that uh you can see. The token is in here and at the end of the hackathon we had this meeting about this little field in here there's a this one was filed because there was a bug in the spec you can see here.

B

Other integers, like data item, requested, come after options, and then you notice right in here, there's an integer. That's not up there, that's before options, that's the contradiction, the spec, that the teep error does not actually conform to this right here that akira uh discovered during the hackathon. So uh so we said well, how do we fix that? And so one thing we could do is say this is correct, in which case all we do is we move the error code down um and notice. This is a uint versus this.

B

One is an int, and so uh you can see at the end here. I think here you have a comment: okay, this is kind of what we agreed during the hackathon uh here, as the proposals to say, uh star uint instead of star int and the error code moves to the end.

B

Yes, yes, so this is the proposal from akira and isobusan and myself- and I forget, who else was there so.

F

Okay, then, for the parsing, the tip message on only expecting the mandatory is the first type in type entry and the option option is always there option could be empty, but it's it's still ox a0 or ox a something will be expected and anything else is option and.

B

You can see the idea was to change it to, and so, if token is optional, which we kind of talked about yesterday in the meeting, then if token is there, then it would be inside the options portion not in the stuff at the end, because it's optional so there's already a per request that I have. That actually does that, although some of the token question is still open based on the suit meeting, all right.

H

Just one minor knit as you provided labels that will not be encoded in any case because of the array, I would also create a label for the last member here that is now uh asterix you and let's go.

B

Back to uh yeah you're right error code does have a label here so yeah.

H

And also for consistency, uh I mean the other two.

B

Yeah, I think, you're right. I think that was a bug in the because you can see here. So let me just show where this came from, because I was not the author of this. I think um I helped edit it and so some areas may be due to me. Some may be due to hana some, maybe due to somebody else, but uh it was.

B

We all know that there was some bugs in there before, but you can see the star in the label right here and then, if we look in, I think it is the you know. Maybe it's not copied into here, I'm just looking to see if the query request is actually copied into this issue, because it's in the query request I'm looking for here. It is here you can see. There's no uh label on the data item requested here.

H

Now but data item requested is a group name, I assume and therefore uh it would uh maybe uh be labeled in the group. uh I don't.

B

Know what you mean by a group name, you have to educate me on that.

B

It's just no! This.

H

Is just oh, this is just then it's okay. I don't. I can't see this because it's not labeled so.

C

H

Because if those three items have labels, I would just be consistent and have this fault. Oh threesome,.

B

Yeah, I don't have it up here. It's that yeah, the the that is um the production I've lost. The issue that I was in the production for data item request was something like data item requested equals. um You know uh uint within size, four or something like that or size. Eight, something like that. It's defined as a uint with a maximum size.

H

Yeah again, but just prefix it with some some human readable label uh and then it would be consistent. Yeah.

B

So then it uh it does uh insert another, you know byte or something into the encoding, but it makes the stuff be more consistent and something no.

H

No, it is not biting into the encoding, because labels are not conveyed over the wire. Therefore, human readers of the cdda here type will not be encoded, token will not be encoded and the to be labeled. Of course, label will not be encoded. Of course,.

B

Okay, I thought it was encoded, but so uh if it's not, then.

H

Then you want to have a if you're, not if you want it to be encoded, make it a map.

G

H

It's quite unique.

G

We don't want it.

B

Sorry, you're right, it's encoded! If it's curly braces it's not encoded.

H

If it's square braces exactly but it's for humans, and then you know what it is you can uh where, if you have a good label, you can remove.

G

The comment and.

H

It's a description: okay,.

G

Humans is called standards, people yeah.

B

G

B

That that tells me so thank you for pointing that out. I think um there's probably some cases in the currently submitted internet draft um that define numeric values for some things that are on the left side inside of square brace things that can probably be deleted because they're never conveyed so the actual numeric value, wouldn't matter so there's probably a couple of unused productions in there. We can delete.

H

Also uh you're using uh the color notation, which already types these as strings, so you can't uh retype them by defining type. That would also be an error.

B

So that that there's there are errors in the cdl you're pointing out so.

H

It's only cdi frosting, it's just some consistency stuff and this would not validate. If you define type again.

B

So I'm going to see if I can open the actual uh spec here, because I almost certain there's bugs in the cdl then.

H

Yeah I mean I haven't, have to uh look at it at the whole and make a review in any case at some point, so.

G

But it's it's not. I think it doesn't speak in favor of cddl. If uh so far, all the specifications need either you or carson to fix them, uh uh because cdl is so complicated. Yeah.

H

So this, uh if your question, if your perception would be correct uh honest, I would agree with that.

B

So this right here is the thing: is the list of things that I'm saying probably a significant number of these can be deleted here?

B

Some, I don't know what you're saying, because some of these are inside like this. One right here can't be deleted right. That's a.

C

B

The ones with the colons like this see component of these here and so down here somewhere. This component, like this line right here, can be deleted as an example yeah, so the one unknown.

H

That can't be deleted. I don't, I didn't see what.

B

Sorry, I'm going to scroll back up to show where it was.

H

B

The example even.

J

B

B

uh I'm looking for it here.

H

B

H

B

H

B

H

No, no he's not right. Let me explain this to you. If you're using the colon notation, that's a specialization of the arrow notation, an arrow is prefixed by a type. A colon is prefixed by string, it's a convenient functions for people that come from json because they expect the label to be a string and they use a colon there. So, if you're using a colon for a label, it's always a string.

H

If, if you use the arrow annotation like with x list above then, this is a type and you have to define the type somewhere with the colon it's already typed. This is a strain.

D

That really doesn't tricked me up as well. I expected it just to be a any arbitrary type that I put in there. It took me a while to get used to it.

B

Right because I was the one that inserted this type here, and so this is uh my misunderstanding. I had the same problem that brennan you just mentioned here um uh and you're, telling me that my intent was uh that I should have my intent may be wrong right, but my intent was that this should be. You know an integer followed by the bister and I should have used an arrow if I actually wanted that.

B

Oh I don't know if this means that it's an integer or if you said it was a type I was assuming integer and then a beaster as back-to-back uh fields in the in the map.

H

If you use the arrow, it becomes a type name now. Component id is a type name and you have to say type name, rule as or the equal sign integer, and then you would uh define the type.

B

Gotcha, so the typo is that that colon should be an arrow in this case and then this production is used.

F

Yeah yeah, let's use arrow as much as possible.

D

Yep, I agree just forget that colon exists and everything will be fine.

H

F

Is exactly what's the cdda.

H

It says, use the arrow instead you're, if you're coming from jason use the string short one. That's basically.

B

This right here, you're saying this: I can treat as being a human comet right. Yes, this is a human.

C

B

This is a human comment, and so that item requested here is just missing the human comment in front of it.

H

Exactly that is what I was saying and for human comments. I personally, as a style, always use a colon notation, because it's it's uh it's a shorter and you don't have to define the type for never being used. It's just useless. So in arrays I typically use the colon notation and for maps. I use the arrow notation gotcha. Thank.

B

You for the explanation yeah it's explaining yeah, um so you were saying down here in this there's now, I'm back in the issue in the document right you're, saying add the human comment on the left side here you know a label or something like that because it doesn't affect anything anyway. I know where there's nothing that affects the bytes. It's just saying it's just a documentation, um clarity, exactly exactly all right! Gosh! I learned something about seaboard. This has been useful. Okay,.

F

It is very useful.

G

Okay, it is, I agree, because you need to have hank in addition to rfc, to actually get it right. Yep. I'm still insisting that uh it's not a coincidence that you know all the groups I've been to everyone always gets it wrong. That can't be a uh yeah. This is not random.

B

Seabor is like kirsten's initials, and so the point is he is the spec right. You have to go to him.

D

This is a cda thing, not a seaboard thing. Unfortunately, yeah.

I

D

Clearly, you did cddl wrong because cddl is not your initials. That's the right.

I

Thing yeah yeah.

H

That is an inherited problem. Cdl meant something entirely different back in the day, but we, it was the seaboard definition language for first, and it was something else. We didn't start this. uh We just put it over when it was abandoned. It's supposed to be hbdl there you go hbdl, yeah, hey, I'm fine with cuddle.

B

All right, let's pick another one, um a couple of these that are just saying yeah. We should add examples into the spec. So this this is one of the two. That's just saying. We should use examples into the spec um this one. We talked about in slides this one. We talked about in slides uh this one we talked about during the meeting.

B

uh It didn't have a slide other than a curious slide, but it was covered kind of, in my token slides um that one was covered in slides.

B

That's the other one. That says, let's add an example. Once we have an example of a suit manifest and an example of an eat, we should add those into this document. It says here's an example eat that would be usable in the deep context. Here's an example soup manifest would be usable in a antique context. Just so we have examples.

B

uh That's on the back burner until the soup manifest well until the the rat's claims for eat. Are there cause. You won't see the example until there's something to actually put in there the soup manifest we could start doing. If we constructed a soup manifest for say you know, maybe a trust zone or something that has a place to install stuff into. We could do that now. It just hasn't. It hasn't blocked implementers. Yet yep um those are already in the latest spec, um not a big.

B

Now we're getting down to things that might not be a big deal. uh I could go into 51 49. I had so I'm putting 51 on the stack that will be the one I go into. I don't find something better 49. We had a slide about, and uh lawrence referred to it in the rats meeting.

B

um 44 honest: do you remember what you want to cover 44.

G

Yeah so so, when I was working on implementation, I um I was wondering how to best- uh and this is on using um utilize, x1 509 certificates uh in this whole thing, but uh now, since we pushed a lot of um content over to suit, I think this is more um a topic for suit, because that the reference rfc is is uh kind of, at least at that time. I need to reread it's like kind of complicated, but um I think this is now more a suit topic, rather than deep.

B

Okay, so do you think we should close this thing and just bring it up in suit, or do you think that once.

J

B

Okay, making sure there's nothing we need to do in the spec. That's a reference to anything so but you're, okay,.

G

B

G

B

Okay, looking for any other low hanging fruit here, 43 is what we just spent all that time discussing another one: examples that one overlaps with the other one.

B

uh There are two that are just optimizations but are worth discussing at some point, so we could also cover one of those because optimization should we punt it to later, or should we go ahead and cover stuff now, 40 is interesting because this one um before hanus got on.

B

I alluded to it in one of the slides that I just showed in the the long discussion we had for 45 minutes, um and this has to do with uh the token discussion as well, and so um it's it's there's no new discussion, this one, but it might be worth just me pointing out what what 40 is tracking. Okay, uh maybe I'll do that just by referring to the slide here where I covered it.

B

um It was here remember when I talked about this line here that says: is it possible to send something unsolicited if you don't have a token and so up here? The question is remember: if you have a zero by post career request comes down and you send a query response. Okay, so the question in option in 40 is: is it possible to send a query response without having to have the extra round trip to get the query request? Okay, because this was possible in otrp?

B

Now let me tie this back to the discussion of the challenge needed in the evidence. If you're going to send evidence, you need to make sure that evidence is fresh.

B

There are three ways in the rats architecture to make sure that it's fresh nonces which need a challenge time stamps which do not need a challenge and handles which do not need a challenge. So if you need a knots, you have to do the extra round trip right. That's the actual chat, get get the nonce.

B

The only case that uh that the issue number 40 is interesting is in the case we're using timestamps or handles okay, and so that's the scope of what issue 5 40 is is, if you're using uh time stamps or handles.

B

Then there's nothing that then the question is: can you just jump and send the query response without having the extra round trip? That's what issue 40 is tracking.

B

In other words, if you were to delete the token in here, because the only thing that you have to that you need it for right now is to get the token out of the request. If you do eat the token, then you don't need it um in the case where you're using handles or timestamps.

B

Any comments on that now that you understand, hopefully what issue 40 is.

G

Tracking looks good to me.

B

uh So then we have any time left. Are we at the end here? I'm just checking the time. Oh, we still.

C

Got 15 cuts, that's left, okay,.

B

Let's go back to 51 since um uh since we've never talked about this one before and only I think, comments there's from hanus and me in here. So currently, if we look in the teat protocol, spec there's the error code space right, and so, if you hit a failure, processing, something whether it's a team manifest or just parsing the teat message: okay, there's an error code space. Now in recent per request, we've made the change that says anything that would belong in a suit report.

B

No longer has a teep error code right, there's, just a t bar code that says suit manifest processor, failed cc report see the suit report for details, but those things that are t failures that have error codes, and so that's what's defined, and it defines this uh I currently it has an iana consideration section that says we propose an inter registry for the type error codes um and the, uh and it says that the inner registry for those error codes is listed as expert review right. That's the spec says right now.

B

It doesn't actually say why this you want expert review or why you have things so I'm raising. This is a question.

B

Okay, do we actually want to have vendors that extend error codes and put custom error codes into there, um or do we just say, here's the set of error codes right by a perhaps poor analogy right just to take an arbitrary other numbering space right, http has error code spaces and those ones are extensible, but that one says ietf review, okay and uh it's an interesting analogy just because both of them, the error code, is not the only thing that you can pass right.

B

If you, even if you use a standard error code, I can pass a custom thing in the text string along with it. You can do that in http. You can do that in the teat protocol too, so you can already already extend stuff by putting stuff in the text string. So the question is: what policy should we have on adding new error codes? Is it like rfc required, in which case, maybe you don't need an iona registry, just rev the rfc?

B

Is it expert review? Is it ietf review or something else? Okay- and so uh the question here is, it would be simpler if we didn't have to have ayanna involved um or if we did then maybe iatf review instead of expert review, because you don't need a designated expert, but since we've never actually talked about this, that's why this issue is here in case people have views on what direction we should take. As far as error code, extensibility.

G

I think we should sort of make it as simple as possible for people to add new stuff, and so I I'm more in favor of expert review like in general, not just for this one, because writing new rfc, just to add an error code to me, is overly complicated and most people like it's not that we need to prevent the random people on the street to register error codes for deep.

B

Yeah, I don't feel strongly about this one, so I'm fine going along. If that's what everybody thinks, I I'm not going to argue against it, but it seemed like extra complexity without the rationale. So I just wanted us to talk through what the rationale is. Do you think that people will actually extend the error code, space.

B

Among the implementers right now go ahead, yes,.

G

Yeah, I think they would uh but uh but it's uh a rare occurrence right.

B

Nancy, are you saying something.

C

My audio is cutting out, so I I can barely hear you guys.

B

Did you have an opinion on this nancy.

C

C

um There is a notion of having some extensibility from from the error codes perspective right. I don't know.

C

Diana registry.

B

C

Question is: can we leave it expensive but not have to.

B

Go well so the question I would ask, given that you have the text field is numeric. Error codes are interesting in addition to the text codes if and only if I claim feel free to argue otherwise, I claim.

B

If you have code, you would pay attention to specific error codes and do something different right if it's just for human logging you're going to use the text string for that, okay, and so, if somebody, if a vendor or an implementation- or you know a future standard- wants to add a new error code, the question is: what would the behavioral change be if it saw that error code? If the tam saw that error code coming back? What would the tam do differently? If you can answer that question, then you need a new error code.

B

If you, if you say I would just log it differently for human statistic gathering, then I would claim that the text message is already.

B

B

So my question to hanas and other implementers is: do you think you would extend? They have a need to extend the error code space and a way the tam would need to treat it differently to have different behavior, based on seeing that error code in an error message.

B

When I filed this, I couldn't think of anything that the team would do differently if it's an error, it's an error, but I I I mean there might be a couple of categories of errors that are already in the spec, but I couldn't think of new categories. So that's why I found the issue is to ask this in an actual meeting.

F

For me, but just the vendor adding any message they would like, and the t string should be fine.

B

Meaning all you would use it for is uh logging in human diagnostics and stuff, not for you know, case statements in the tab.

F

No yeah, yes, yeah. Yes, that's right!.

B

Yeah, I I'm all I I'm happy to have at iana registry an expert review if we think that your tam is going to have a case statement. You know a switch statement with new cases that are going to be added for specific values and it's going to do something different behaviorally. um But I've not heard that argument. Yet that's why I'm asking so I don't know if honest you have any examples or at least hypotheticals. You can come up with.

G

I would have to I have to try it's a good question. um It's a good question, yeah good! Thank you. Yeah.

B

Feel free to think about it. You don't have to answer right now, but I won't consider this one closed until we can either agree on what the answer is and if the answer is yeah, we came up with an answer and then it's fine as the as the document has it. But if we can't come up with an answer, then asking iona that doesn't have a designated expert and having anna review the stuff. It's just more overhead that I don't know if it's actually necessary. So all right!

B

That's what 51 is.

G

Yeah, it's a fair question: yeah, um okay,.

B

I'm gonna look for anything else, uh because otherwise I think that the other one's just examples requests for examples. Anything else here, nope those are both ready to close. So I think we're at the bottom. So everything else is just open. Pull requests ready to be reviewed. I guess by uh the without going through these just to get a repeat question to I think nancy. Do you have eggman on this repo.

B

I don't know if nancy can hear me um right now whenever I file one of these issues whenever I follow open a pull request here. I add all of this uh t protocol spec authors other than myself, except for I can't add accurate, because I have to keep doing um you know akira, please review and comment because the it's he's not showing up as a contributor, so I need one of the admins to fix that so all right. Well, I propose that we end here.

B

Hey dave, I'll fix that. Okay! Thank you cheer! Oh yeah. Sorry, I missed the fact that you were on yeah thanks jira.

B

uh And then I guess my last question to tiru, which I could follow up over email, but since you're on now um for the architecture document, we were following a process since there was lots of uh vigorous working group discussion as the architecture that only the chairs were closing issues.

B

Do we need anything that drastic here or can we just say the authors are welcome to close issues up until we start working your blast call. You have a preference here.

J

I think it works for me anyway. I've been following with the updates to the architecture document and I've been closing the issues that have been addressed, so I just thought two or three new issues that needs to be addressed. Not many are left. Okay, so.

B

So if you don't mind closing the issues, then we'll just mark them ready to close. If you want to keep doing that for the protocol spec, that's fine, I'm happy to do whichever process that you want so sure. Okay, all right great! That's everything that I think is useful to go through on this call here. So um unless nancy has anything else, I'm gonna stop sharing.

J

J

B

It sounds like we can end here, thanks all for sticking around.

B

B

All right goodbye good night, whatever time zone you're in good morning, whatever.

F

Yeah I like that it's.

B

B

You look pretty fresh at 3am.

B

Oh it's a good thing. I have a low res camera. You see, I don't look fresh at all.

B

F

8 pm here, yeah.

F

E

F

E

Good afternoon.

C

Good evening.