►
From YouTube: CORE WG Interim Meeting, 2021-01-21
Description
CORE WG Interim Meeting, 2021-01-21
A
Important
thing
this
is
an
official
itf
meeting
first
quarter
meeting
for
this
series.
We
are
going
to
have
three
interims
until
atf
110,
then
the
note
12
applies.
Please,
please
get
familiar
with
that,
if
you're
not
already
and
before,
switching
to
the
main
item
on
the
agenda
today,
which
is
the
cachable
oscar
document,
I
just
wanted
to
check
quick
with
kirsten
about
the
status
of
the
core
conf
documents.
A
So
that's
young
c
bar
and
yeah.
I
also
just
seen
your
mail.
I
think
your
library
is
probably
just
fine,
because
I
also
saw
your
exchanges
with
if
I
give
about
that
too
yeah,
but
I
saw
recently
all
the
four
documents
resubmitted.
So
I
suppose
that
seed
and
comey,
though,
are
still
requiring
some
some
work
to
do
on
the
needs.
B
A
B
C
This
has
been
in
parts
driven
by
research.
I've
been
doing
with
harvey
hamburg
on
evaluating
this.
So
as
a
result,
there
is
there
are
no
implementations,
but
let's
get
started
from
the
beginning
and
next
slide
please.
So
the
the
the
kind
of
big
picture
is
in
general.
We
can't
do
caching
of
oscar
requests
and
as
a
mitigation,
the
proposal
is
to
allow
clients
to
opt
in
to
a
mode
of
oscore
where
they
produce
requests
in
a
deterministic
fashion
and
can
then
all
arrive
at
the
at
the
same
request.
C
This
consensus
request
that
can
even
be
cached
by
proxies
that
are
not
part
of
the
group
and
still
deal
out
responses
to
the
group
members
in
the
version
that
we
would
like
to
publish
as
a
dasher
one
in
the
next
probably
a
few
days.
We've
all
we've
processed
the
input
from
the
last
meeting.
We
are
now
building
requests
in
pure
in
something
more
like
pairwise
mode
and
much
of
the
distracting
content
about
what
other
forms
of
consensus
requests.
C
D
Oh
christian
yeah,
while
I
remember,
could
you
please
please
go
back
to
the
previous
slide,
so
this
is
a
group
ghost
oscar
consensus
request?
Yes,
yes,
you
see,
I
actually
managed
to
read
something
before
this
meeting,
which
I'm
I'm
extremely
proud
of.
So
I'd
like
to
take
the
opportunity
to
to
ask
questions
so
the
consensus
request.
You
have
two
different
types
of
consensus
requests.
One
is
the
deterministic
request
and
that
is
a
pairwise
request.
C
D
C
But
hazard
has
an
id
like
all
the
others
and
everyone
who
wants
to
interact
with
that
peer
will
notice
that
either
it
is
a
deterministic
peer
or
it
has
some
data
in
the
key
material
that
the
participant
doesn't
recognize.
So
it
can't
kind
of
try
communicating
regularly
with
it,
along
with
the
key
id
there's,
also
a
hash.
Also,
there
are
other
rules
about
the
hash
algorithm
transported.
C
E
C
D
D
E
D
C
D
D
C
A
F
D
C
C
B
C
C
There
are
different
signed
responses
floating
around,
and
this
is
not
about
having
the
same
signed
response
all
the
time,
I'll
come
late.
So
the
what
probably
matters
here
is
that
the
response
is
not
sent
with
the
same
key,
but
this
response
is
sent
in
group
mode
using
a
sequence
using
a
proper
sequence
number
and
and
a
signature,
and
not
with
that
key.
That
can
only
be
used
for
this.
One
request.
D
So
yeah,
okay,
no,
no!
No!
No!
No!
Okay!
So
just
to
I
don't
know
if
it
helps
in
any
way,
but
in
grupo
score
we
define
the
mode
where
you
you
send
in
group
mode
and
you
get
the
response
in
pairwise
mode.
So
it's
basically
you
send
a
multicast
and
you
get
back
a
unicast,
and
this
is
this
is
apparently
the
reverse.
Then
you
send
them
pairwise
and
get
back.
You
send
them
pairwise
and
get
back
something.
C
C
Then
there's
a
bit
of
a
quirks
that
we
will
have
to
do
that
is
in
group,
boss
code.
We
have
this
request
key
id
and
in
order
to
get
proper
request
response
binding,
we
use
the
request,
hash
or
possibly
something
derived
from
it.
Currently,
it
says
request
hash
as
the
request
kid,
because
that's
that's
what
ensures
that
the
responses
will
will
match
here
and
then
the
request
is
encrypted.
It
gets
put
into
a
fetch
request.
C
C
C
C
You
could
probably
extend
it
for
an
important
request,
but
I
don't
think
there's
too
much
value
in
it
and
if
it's
not,
if,
if
that's
not
okay
or
if
there
are
any
other
permission,
issues
like
the
deterministic
client
is
not
even
allowed
to
access
that
resource.
That
gives
you
a
401
protected
response
next
slide.
Please.
C
Then
other
than
in
in
kind
of
regular
oscore
messages,
the
server
can
actually
set
a
meaningful
outer
maximum
age
which
allows
the
cache
to
make
an
informed
decision
of
about
how
long
to
keep
it
and
sends
it
back.
And
here
we
have
that
part
in
group
mode.
So
it
does
a
signa
it
signs.
It
protects
the
message
with
its
own
group:
sander
key.
C
Next
slide,
please
so
that
was
the
the
mechanics
of
it
as
kind
of
things
that
we
explore
on
the
document
as
well,
but
are
probably
not
crucial
to
the
whole
operation,
is
that
you
can
send
those
requests
to
a
group
as
well.
So
you
can
have
this
many
to
many
group
situation,
although
bit
care
must
be
taken
to
send
the
responding
server's
key
id
then,
and
if,
given
that
this,
this
whole
setup
allows
an
adversary
to
see
that
different
requests
are
all
hitting
the
same
resource.
C
C
Now,
I
still
can't
know
the
very
resource,
but
it
can
at
least
observe
that
all
those
requests
are
going
for
the
same
resource
and
the
responses
that
come
back,
I'm
obviously
different
in
some
way,
so
there's
something
going
on
and
that's
a
way
of
how
to
how
to
hide
that
next
slide.
Please-
and
this
is
one
I'm
I
I
want-
we
probably
should
spend
a
bit
of
time
on
comparing
the
security
properties
to
what
we
usually
have
in
our
score,
so
usually
in
aust
core.
We
have
a
strong
threshold
statement
that
says
the
response.
C
The
server
of
this
response
was
created
after
the
client
created
the
request.
Now
this
property
is
lost,
because
if
we
did
not
make
this
property
lost,
then
an
older,
an
older
cash
response
could
never
be
used,
so
this
is
crucial
for
for
caching,
what
we
still
do
get
is
relative
freshness,
in
the
sense
that
we
can
do
something
like.
C
If
we
want
to
compare
them,
then
request
confidentiality
that
is
is
reduced
by
a
tiny
bit,
which
is
just
enough
to
ensure
that
the
cache
can
pick
the
right
response
to
serve.
It
might
be
worth
pointing
out
here
that,
of
course,
if
the
clients
do
have
some
variation
in
how
they
form
the
request
say,
one
sends
an
accept
header
and
the
other.
Doesn't
those
requests
still
do
not
look
the
same
and
don't
paint
the
same
cache
key
but
kind
of
it's
a
start
and
any
application
that
uses.
C
This
probably
has
rules
for
for
doing
normalization
on
the
request,
at
least
at
a
best
effort
base
and
the
kind
of
hardest
property
is
that
we
lose
source
authentication
for
clients,
because
we
want.
We
want
a
response
to
be
usable
for
every
client
that
might
request
it,
even
if
it
doesn't
go
through
the
server.
C
So
if
we,
even
even
if
we,
if
we
kind
of
manage
through
through
other
means
to
preserve
client
source
authentication
for
clients
by
say
putting
a
signature
somewhere
in
a
in
a
non-cache
key
option
in
practice,
that
would
still
mean
that
the
responses
that
are
out
there
might
not
reach
that
very
client,
but
a
different
one.
So
this
is
kind
of
by
design
that
this
is
lost.
C
B
C
Whoever
is
taking
notes,
please
kind
of
put
an
exclamation
mark
with
my
name
there,
so
that
I
add
this
to
my
to
my
points
there,
but
my
expectation
on
the
result
is
that
it
would
be
a
lot
more
complex
and
it's
probably
out
of
scope
for
an
initial
version
here
and
kind
of
whoever
has
a
use
case,
for
it
could
could
look
into
it
more
deeply,
but
I'll
take
at
least
a
few
first
steps
and
and
see
where
how
far
one
can
get
here.
Thank
you
easily.
D
Yeah,
I
don't
have
much
to
comment
here.
I
think
that's.
I
just
wanted
to
say
that
some
of
the
properties
that
you
want
is
sort
of
reducing
security
compared
to
oscor,
but
that
might
be
okay
in
this
situation
and
it's,
I
think
the
emphasis
here
is
on
the
limited
and
on
the
simple
setup
that
you
have
and
that
I
think
that's
fair.
So
I
don't
have
any
objections
to
the
setting.
Although
I
haven't
actually
the
details
needs
to
be
covered.
D
B
D
C
Please
kind
of
one
one
point
that
we
know
that
is
that
that
might
raise
questions
is
that
we
have
now
two
ways
that
the
server
can
say
this.
This
request
is
bogus
and
they
don't
come
from.
They
don't
all
come
from
through
the
path
that
the
crypto
primitives
usually
guarantee
constant
time
for
so,
if
the,
if
the
hash
on
the,
if
the
hash,
if
the
hashtag
fails
the
client
an
attacker,
might
get
information
about
whether
it
gets
the
the
a
aeid
tag
right
now.
C
I
think
this
is
okay,
because
the
basic
basically
in
a
regular
case-
that's
that's
already
a
client's
fault
and
in
any
other
case
the
attacker
will
have
a
much
harder
time
guessing
guessing
guessing
a
good,
aeid
plus
hash
pair
anyway
than
with
regular
aead,
but
still
it's
kind
of
one
of
the
things
that
we
will
need
to
go
through
while
going
through
all
the
other
documentation
of.
Why
is
this?
Actually
all?
Okay
next
slide,
please.
C
C
D
C
The
the
overall
energy
consumption
should
not
be
impacted
too
much,
even
by
the
even
by
the
asymmetric
operations
that
we
suddenly
start
to
introduce
because
they,
at
least
if
proper
hardware
is
used.
The
the
energy
consumption
of
the
signature
operation
is
in
the
order
of
magnitude,
of
a
request
of
a
radio
transmission
and
sending
send
sending
kind
of
sending
the
same
package
to
everyone
instead
of
sending
it
to
the
next
top
or
the
next
two
hubs
once
and
then
letting
them
distribute
the
information
pretty
much
makes
up
for
that.
D
C
Was
this
yes,
so
this
is.
This
is
definitely
something
that
can
be
that
can
be
used
with
firmware
updates,
because
if
a
client,
if,
if
clients,
if,
if
clients,
use
a
pull
model
for
firmware,
where
they've
obtained
a
manifest
and
then
basically
get
the
resource,
get
the
firmware
from
the
from
a
large
central
server,
then
they
send
their
block-wise
requests
to
the
server
and
as
they
know,
that
kind
of
they're
already
giving
away
that
they
are
fetching
firmware
because
they
are
obtaining
a
megabyte
of
data.
And
what
else
could
it
be?
E
C
E
E
C
C
That
would
give
you
anything
that
you
can
put
the
results
in
relation
to
then
you
could
always
be
a
year
behind
and
watching
watching
recorded
television
as
soon
as
you
have
something
to
hold
on,
you
can
pro.
So
if
you
don't
have
anything
to
hold
on,
I
would
be
careful
to
use
this
for
firmware
updates,
because
then
you
could
be
kind
of
someone
could
be
slowly
skewing
your
time
to
the
80s
there's
a
movie
for
that,
but
other
than
that.
Yes,.
E
C
C
So
one
one
thing:
one
thing
that
will
so
one
one
thing
that
will
make
this:
how
do
I
put
that
best?
One
thing
that
will
need
a
bit
of
exploration
is
how
this
is
bad
best
tradeoff
between
inner
and
outer
block
wise,
because
one
thing,
because
the
the
experiments
have
shown
pretty
clearly
that
fragmentation
is
pretty
bad
and
once
you're
over
that
threshold
of
the
link
layer
and
you
you're
in
big
trouble
and
I'm
kind
of
feeling
reaffirmed
for
having
won
that
message.
C
Yes,
so
if,
if,
if
we
transport,
if
if
this
is
used
for
anything
larger
than
kind
of
some
very
small
data,
then
it's
probably
advisable
to
use
out
to
use
out
of
fragmentation,
to
get
down
to
the
link
layer
mtu
and
to
then
use
inner
block
wise
for
a
same
size
of
the
same
size
of
blocks
say
possibly
4k.
Or
so
I
mean
if
it's
from
where
you
have
to
put
those
that
data
somewhere
anywhere,
maybe
1k,
maybe
4k,
something
that
you
can
reasonably
manage
in
a
block-wise
fashion.
C
E
3.1
carson
asked
a
question
earlier
about
doing
requests
against
the
sensor,
and
I
I
I
I
can
imagine
in
this
case
the
sensor
is
quote
behind
the
proxy
and
there's
some
number
or
a
large
number
of
requesters
in
front
of
it,
who
you
know
it's
sufficient.
The
temperature
doesn't
change
more
than
every
couple
minutes
and
you
have
a
thousand.
You
know
devices
that
want
to
know
the
temperature
yeah,
maybe
that
that
would
make
sense
to
me.
E
E
C
The
the
thing
is
this:
this
has
with
with
observation.
This
is
multicast
responses
and
multicast
responses.
What
we've
been
doing
originally
and
we'll
probably
still
be
doing,
because
this
documentary
is
behind
the
other
one-
is
to
create
the
create
to
create
a
consensus
request
in
a
different
way
and
have
the
server
serve
that
consensus,
request
and
kind
of
do
some
extra
work
to
get
to
get
where
we
get
here
for
free,
and
then
we
have
an
ongoing
observation
over
which
we
can
send
out
the
notifications.
G
E
Which
ones
to
use
I,
I
think
that
some
more
real
world
examples
would
be
useful.
A
concern
that
I
I
have
about
in
the
should
we
do
this
at
all
is
how
is
this
configured
such
that
it
is
enabled,
and
given
that
we
have
made
some
compromises
in
the
os
core
properties
which
we're
not
sure
are
safe
or
we
may
may
be
safe
for
certain
circumstances
and
unsafe
for
other
circumstances?
C
A
C
D
Yeah
great
great
work
good
to
see
it's
progressing.
Thank
you
and
also
the
implementations.
That's
I
mean
that's
the
driving
force
here
and
that's
as
as
michael
mentioned
on
on
that.
There
is
a
reasonable,
interesting
application
for
this,
and
I
I
think
I
mean
I
like
this
technology,
of
course,
but
I
think
that
it
definitely
makes
sense
to
have.
C
Think
yeah
performance
of
group
oscar
hit
me
pretty
hard
when
I,
when
I
first
set
up
everything
for
the
test
bed,
because
that
was
the
first
time
I
realized
how
expensive
asymmetric
cryptography
still
is
I
mean
I
don't.
I
don't
even
want
to
want
to
guess
how
much
an
rs
a
signature
would
take
on
on
on
an
embedded
device,
but
even
the
software,
even
the
software
signature
takes
like
a
second
or
so,
and
this
is
all
I
mean
this
and
group
of
co
in
general.