►
From YouTube: IETF-RATS-20221212-1500
Description
RATS meeting session at IETF
2022/12/12 1500
https://datatracker.ietf.org/meeting//proceedings/
A
A
C
A
I
can
start
with
some
boilerplate
chair
stuff,
so
the
the
this
is
the
nope.
That's
the
wrong
one,
I'm,
sorry
that
is
okay.
This
isn't
the
hf115
reusing
those
slides,
but
this
is
the
the
virtual
interim
in
December
of
2022.,
just
a
refresher
on
the
note.
Well
so
everybody
I
think
everybody's
familiar
with
the
IP
policies
for
the
ITF,
so
just
take
note
of
what
that
is
and
anything
that
you
say
or
contribute
will
be
will
fit
under
that
IP
policy.
A
A
A
A
D
D
C
A
E
E
The
the
term
attestations
is
no
longer
used
in
the
intentity
claim,
I
think
it
says
now
evidence
and
were
attestation
results,
and
then
there
was
some
clarification
in
the
privacy
consideration
section
about
freshness
and
replay
protection,
and
then
there
was
also
a
number
of
typographic
and
other
really
minor
changes.
Oh,
oh
so
yeah.
So
those
were
the
three
changes
in
draft
18
and
then
you
know
honest
the
review
and
he
found
a
bunch
of
little
minor
things,
wording,
changes
and
missing
words
and
wrong
capitalization.
D
D
A
E
E
D
D
E
D
E
E
C
Yeah,
so
this
is
saying
just
quickly,
so
it's
about
the
semantics
here
ISU,
because
you
can
of
course
encode
Yang
in
C
boy
Jason,
but
that's
not
the
point.
I
assume
that
we
are
not
trying
to
map
named
words
and
yang
those
statements,
basically
and
and
try
and
make
them
make
them
values
here.
Is
that
correct.
C
C
You
know
the
responses
overreach
for
the
eat
document,
which
focuses
on
zebra
and
Jason,
which
basically
says.
Yes,
we
are
doing
gang
and
I
I.
Don't
if
there's
anything
you
wanted
to
say
that
I
think
you
want
to
exclude
young
here,
but
but
the
response
opens
it
for
yeah
yeah.
So
that
is
my
confusion.
E
B
A
Yeah
and
I
think
that
was
the
that
was
Lawrence's
request.
If
somebody
had
an
objection,
I
think
hey
Hank
was
just
clarifying
that
that
he
was
reading
the
response
correctly,
which
I
think
is
that
he
said
my
interpretation
was
that
that
his
response
was
in
line
with
the
direction
which
is
to
not
include
Yang
in
the
in
the
internet.
Draft.
C
C
E
A
E
D
E
E
G
G
All
right,
Lawrence's
was
choppy
so
I'll.
Just
repeat
what
I
said.
My
comments
before
was
adding
a
comment
in
the
GitHub
and
then
closing
it,
but
not
changing
the
text
and
my
suggestion
for
adding
a
comment
in
the
GitHub
which
I
could
do
is.
Did
you
say
that
the
the
UE
ID
and
the
suid
may
or
may
not
be
the
same?
The
document,
the
the
spec
does
not
constrain
it.
G
If
there's
any
constraints
necessary,
then
a
profile
constraint
whether
they
must
be
the
same
or
they
must
be
different
or
whatever
else
any
other
constraints
in
the
relationships.
There
is
up
to
a
profile,
but
right
now
there's
no
constraints,
and
we
can
just
say
that
in
the
GitHub
issue
and
close
it
because
I
think
the
text
is.
B
G
B
E
E
E
A
D
G
Or
when
there's
complete
silence,
if
I
just
jump
in
yeah
I,
think
that
the
text
is
fine.
I
think
the
one
thing
that
the
working
group
may
want
to
discuss
and
I
noticed
that
Eric
Voyage
is
not
on
the
call,
but
I
think
it
might
be
appropriate
for
the
ar-4si
document
and
talk
about
the
relationship
between
this
claim
and
the
trustworthiness
vectors
I.
G
F
So
this
is
Gary
here
can
I
add
a
label
of
won't
fix.
Keep
it
open
indicate
that
on
the
issue
that
we
think
this
issue
would
be
better
taking
handling
the
Air
Force
eye
document,
if
I
close
it,
then
you'll
lose
track
of
some
of
the
right
up.
The
warrants
is
provided
in
there
and
also
the
decision
we
made
today.
E
F
G
E
E
E
Detailed
investigations
of
methods,
so
the
response
here
is
appendix
F
today
provides
good
examples
of
different
ways
to
specify
the
key,
so
you
could
can
do
it
with
UE
ID.
You
can
do
it
with
x-time,
uncertificates
and
or
the
cause
a
kid,
so
it
appendix
F
describes
those
examples.
They're.
Just
examples,
though,.
E
E
A
G
F
A
C
Yeah
sorry
I
mean
two
meetings.
At
the
same
time,
that's
a
little
bit
difficult,
so
I
heard
so
I
was
confused
by
the
issue
of
the
first
place.
To
be
honest,
so
I
have
no
problems
with
it
being
closed
and
not
acted
on
as
I
I
think
it's
about
a
key
identification
standards
and
I.
Don't
think
we
want
to
go
there.
So
I
would
be
fine
with
just
abandoning
the
issue.
C
E
E
E
E
Mostly
it
will
be.
You
know,
since
we
haven't
had
any
anything
here
so
far,
that's
required
to
change.
It
will
mostly
be
just
fixing
the
the
spelling
and
the
typographic
errors
and
I
think
there
will
be
one
cddl
adjustment
but
relatively
more,
and
it
doesn't
change
the
semantics.
It's
just
a
question
of
how
to
use
CDL
most
actively.
D
E
H
A
C
C
C
C
H
A
A
It
looks
like
it's
about
evenly
split.
Eight
people
participating
five
red
through
it
three,
if
not
of
those
that
are
participating.
So
anybody
else.
Okay,
it
looks
like
it's
settled
down,
so
it
sounds
like
it
seems
like
us.
Folks
are
familiar
with
it,
so
the
next
question
I
have
is
if
there
are
only
sort
of
minor
wording,
changes
in
version
19.
F
A
A
A
A
So
I'll
conclude
from
the
voting
that
where
it
seems
as
though
version
19
would
be
a
reasonable
candidate
for
isg
review,
but
we
will
want
to
wait
until
that
that
is
out
and
we've
had
a
chance
to
look
at
it
before
we
actually
recommend
it
for
ASU
review,
but
I
think
that
can
be
done.
You
know
offline
on
the
list.
I
don't
know
that
we
need
to
meet
again.
C
C
Why
I
think
it
should
be
a
fix,
is
what
Thomas
commented
on
four
days
ago
that
when
you
do
this
should
normative
statement
you
that
it
should
be
coming
with
a
rationale?
What
the
exception
is
when
so,
when
is
it
okay
to
format
it
and
or
how
would
it
be
obvious
to
the
relying
party
that
it's
not
confronted
with
evidence
and
and
I
think
that
is
a
valid
concern?
To
be
honest,
I
I
wouldn't
know
how
to
use
that
at
the
moment.
I
think.
F
C
C
That's
not
that's
not
good!
Then
you
clearly
can
state
that
yeah
go
ahead.
Send
evidence
to
the
underlying
party,
and-
and
some
of
that
feels
weird
to
me
when
is
this
okay?
How
can
an
implementer
tell
that
this
is
okay?
How
do
you
mark
evidence
as
such
when
you
send
it
to
a
relying
party,
because
it
has
to
go
to
the
verify
in
the
first
place?
So
so
that
is,
that
is
things
that
I
would
like
to.
F
F
So
so,
first
off
I've,
already
I've,
already
stated
my
view
on
this.
There's
a
they're
a
perfectly
valid
attestation
architectures,
where
the
verifier
is
integrated
into
the
relying
party.
So
when
you
talk
about
sending
something
from
the
verifier
to
the
relying
party
you're,
assuming
the
specific
architecture.
F
C
C
F
F
F
A
B
Yeah
we're
just
gonna
come
back
today.
I
was
just
gonna
say:
we've
we've
talked
about
four
possible
ways
to
to
settle
this.
One
Gary
mentioned
removing
the
the
2119
language
one.
The
must
not
that
that's
in
the
issue
that
was
the
the
initial
submission
one
was
to
to
add
a
brief
rationale
to
the
should,
not
that
that
says,
except
where
a
profile
identifies,
why
you're
you're
you're
not
adhering
to
this,
should
not,
and
then
the
other
option
was
just
no
change
at
all.
B
F
That's
not
necessarily
going
to
apply.
You
know
you,
you
know
usages
of
that,
but,
for
instance,
a
web
often
registry,
which
is
an
ietf
RFC
industry-wide
security
A.D,
if
it's
not
possible
for
an
attestation
format
to
actually
to
actually
Define
distinguish
claims
between
evidence
and
that
and
results
that
is
I'm.
F
An
expert
reviewer
on
that
for
that
particular
registry
I'd
have
to
reject
it,
because
the
architecture
has
no
contemplation
of
such
a
such
a
distinction
so
and
one
of
the
first
one
of
the
first
things
me
and
Lawrence
were
asked
by
the
security
IDs
at
the
time
when
we
submitted
eat
for
consideration
by
the
ITF
was,
can
this?
Can
this
be
applied
to
Fido?
I?
Have
to
look
it
up?
It
was
an
email
from
about
four
or
five
years
ago,
but
but
so
I,
don't
really
I.
A
A
What
we
want
to
get
to
is
an
explanation
for
how
the
rat's
architecture
is
interpreted
such
that
it
that
a
phyto
implementation
of
it
makes
sense.
In
other
words,
the
just
the
description
of
the
application
of
rats.
Is
you
know,
aligned
with
or
in
harmony
with
the
rat's
architecture?
Okay,
I,
don't
think.
That's
an
architectural
thing.
C
Yeah
yeah,
and
that
stated
such
in
the
in
the
eat
document
right.
It
says
the
eat
format
follows
the
operational
model
described
in
figure,
one.
That
is
where
evidence
only
evidence
only
goes
to
the
verifier
threats
architecture.
It
literally
says
that
so
now,
you're
telling
me
it
is
not
doing
that.
F
Yeah,
but
it
can,
but
it
doesn't
happen,
it
doesn't
have
to
right.
I
mean
it's:
it's
there
we've
the
document
is,
is
written
as
such,
but
let
me
rephrase
this.
The
document
is
conformant
with
the
architecture
document
I.
Think
in
this
case,
though,
the
language
was
kept,
vague
and
I.
Think
it's
the
right
thing
to
do
to
allow
for
the
different
exceptions.
Let's
leave
aside
Fido
for
a
second
evidence
can
be
evidence.
Cannot
it
can
be
complete
conveyed,
not
in
a
token
format.
F
Oh
sorry,
results
can
be
conveyed,
not
in
a
token
format,
but
in
a
UCCS
format.
The
working
group
made
a
very
made
a
decision
to
remove
all
mention
of
UCCS
in
this
document.
Therefore,
it's
up
to
the
UCCS
saw
editors
to
decide
when,
for
instance,
an
IAT
claim
or
any
other
claim,
that's
the
Providence
of
the
token
issue
gets
conveyed
as
evidence.
All
right,
sorry
results.
F
E
Okay
to
me,
the
rats
architecture
does
inform
eat
and
really
now
you
know,
we've
worked
with
this
architecture:
the
rats
architecture
for
a
long
time
years,
I,
don't
I,
think
it
is
flexible
enough
to
accommodate
Fido
I.
Don't
think
we
have
to
rearrange
anything
I'm
here
and
I'm
kind
of
puzzled.
By
this
discussion,
I
mean
the
the
whole
document.
Is
you
know
it
does
use
the
rats
architecture
terms.
I
really
would
not
I
don't
want
to
revisit
the
whole
rats
architecture.
E
A
I
think
I
think
what
we
need
is
to
capture
the
there
were
like
four
Carl
mentioned.
There
were
four
different
options
that
hadn't
been
discussed.
We
should
capture
those
four
options
in
the
issue
and
then
have
whatever
appropriate
discussion
is
needed.
I
I
think
that
you
know
the
conversation
around
hey.
We
don't
have
to
be
compliant
with
rat's
architecture
is
just
I
I,
don't
it's.
F
The
document
is,
the
document
is
conformant.
Even
the
last
time,
I
had
a
little
discussion
with
David
Hank
on
the
GitHub
repo.
It
was
already
resolved
in
favor
of
the
rats
architecture.
So
it's
so
don't
don't
worry
about
that.
Carl's
already
said
he's
going
to
put
the
four
options
in
there
into
the
repo.
F
H
F
F
E
I'm,
basically,
okay,
with
almost
any
option
here
just
to
get
the
document
through.
You
know,
with
the
understanding
that
you
know
there,
there
will
be
further
drafts
here.
So
I
I
really
don't
want
this
issue.
To
hang
up.
Hang
us
up
for
iesg
review.
That's
the
that's
my
top
priority,
so
whatever
we
can
do
to
get
through
into
into
IHS
iesg
reviews
sooner
rather
than
later
is
what
I
want
to
do.
A
G
Last
one
I'm
in
the
same
spot
as
Lawrence
as
long
as
it
doesn't
regress.
Anything
then
I
don't
care
so
the
issue
that
I
want
to
talk
about,
given,
though
I
think
we
have
all
the
relevant
parties
on
the
call
right
now
is
I,
didn't
see
in
the
slides
unless
I
missed
it
issue
343,
which
is
the
IAT
definition
that
Thomas
mentioned,
and
so
there's
a
discussion
between
Thomas
and
Carl
and
Lawrence,
and
if
I
understood
right.
G
G
But
the
text
in
the
document
says:
don't
use,
float,
use,
integer
I
approved
it
this
morning
and
it
looks
like
Thomas
just
did
as
well,
but
wanted
to
give
visibility
to
the
rest
of
the
group,
but
I
didn't
quite
follow
why
we
could
not
do
it
in
the
cddl,
which
were
a
lot
better
too
in
things,
but
I
have
no
objection
either
way.
So
I
just
want
to
give
a
minute
for
people
to
discuss
this
issue.
E
B
Well,
I
I'm,
the
only
voice,
that's
been
against
doing
it
in
cddl,
so
I
I'll
speak
and
the
reason
I'm
saying
this
is
this
claim
isn't
defined
in
this
document,
it's
being
reused
from
somewhere
else
and
I.
Think
if
you,
if
you
claim
to
reuse
something,
then
change
the
definition
and
change
the
pros.
You're,
no
longer
reusing,
and
if
we
get
to
the
point
where
cddl
Imports
are
used
now,
you've
got
kind
of
this
weird
animal
where
eats
using
it
one
way
and
other
stuff
is
using
it
some
other
way.