From YouTube: LAKE WG Interim Meeting, 2020-01-16
A
A
C
A
Seconds or so. All right, great, okay, so I hope the slides are being presented from my laptop a minute. So we have the coordinates, which you've all managed to find. We have the Note Well, which I hope you've all read. If you haven't, please read it and behave accordingly, and we have the agenda. So if you can see the agenda on screen now, this is the agenda bashing session.
A
Our plan basically is to do this, then to let Garron talk about the requirements, issues to the ones that are in GitHub, and then chat a bit about planning for the next IETF meeting and maybe beyond. I'll just note that yeah, we have a couple of people who want to leave after about an hour ashore a little longer. So if we can try and run us into about an hour, I think that would be good, so people don't get tired as well.
A
A
Yes, we can. Okay, I want. Sorry. Sorry, I should have said that the eval of is Ivalo. Sorry for my pronunciation as a great County, great tech minutes and he's taking those in the Etherpad. We also have the Jabber room which, as of now, has just minutes. I guess we're not using that today, and people are using the chat in WebEx as well. Okay, so go run it over to you. Okay.
D
Thanks. So yes, LAKE is about specifying a lightweight authenticated key exchange for OSCORE. We're working on the requirements draft. Latest submitting version is also the adult 0-0 version. There has been reviewed by a croc and Karthik, and I try to address some of those in update on top and also listing some issues, and this is what we're going to talk about today or 10 issues. No particular order is high level or significant architecture issues interleaved with editorials. So so we should just get to the bottom, the bottle divisive.
D
Then we've covered the important things. First issue, and by the way, and I think this is, we should, I mean, interrupt me at any time, and also the objective here would be to have a way forward for all of these issues, with assigning people to produce some some something that perhaps helps us progress this work, or setting up new issues. That's, that would, it would be the idea of outcomes, so we are included on this hysteresis, and so the first issue is now a bit old, it's, it was discussed in the early autumn.
D
It's a question having ailment change. We can either use signature based public keys or static pH table keys, and static D is much more efficient from method to overhead point of view, which is something we are care a lot about here, but the question was: could we simply skip the signature based mode? And I think the answer, we have already gone some time since it, I think the answer is that we we should probably not do that. We should probably keep both these modes.
D
D
Units on the AKE level, which old messages, and we're discussing different rate in you in its frames and targets, and the objective is to minimize performance impact. We look at the smallest number of radio radio later units, and we also have the fragmentation unit of CoAP, which is blocks, and then we have sort of a more intricate discussion. But this is the basic issue of terminology: do you have any problem with this terminology, or can we live with that? So.
B
I don't think it's just a terminology issue on. Oh, I mean, like this terminology is fine, but but I think that the the things I think we need draw is for any types of point where we think, and I hesitate use this word, where fragmentation occurs. I.e. there's.
B
A there are conceptual units at a few transmitted, and then there are the actual things on the wire which your transmit power on the air. There's your transmitted and and who's responsible for, like, doing that disassembly and reassembly is actually not. It is actually I can rolls in point a number of ways.
B
So I'm, like, I'm fine with the, and so I think the thing, so so in particular the on, so you're calling a protocol units, right, isn't it, so I guess this is what trying to, it's like these yell s right on not as I want. You see us for sure analogy, right, which is a GG. Let's spikes and then it has mana has messages in those flights and you can send the messages separately. You can send like a mobile pin.
B
You can send on, you know, each flight as multiple messages, which then turns into some arbitrary number of things on the interface, so a wire interface and so on, I think on, and so not being able to talk about, sort of assuming that the that the AKE presents each flight as if it were a monolithic thing to the to thing below it is like, is, that's actually quite, that's actually quite a constraint on on, so I'm not sure we should be assuming that constraint. I.
E
B
That's certainly true on the, I think I need to see, part of what I'm getting at here, right, is on.
B
When I was in Henry, leisha had a conversation about best sort of where we started will to have the fragmentation and defragmentation, and in particular like when, like, QUIC and GCLs were design, there was an.
B
IP fragmentation with that and this an appropriate location for the for.
B
And for reassembly visit was at the higher level protocol error, and, and so it is that it's something we have, and similarly on is an assumption that, and and in particular on, and contrariwise, if we look at this protocol, and this is true of ECL F results. True in the assumption, where you use on or use code where we're on any given on radio or wire thing has to be self-contained cryptographically, is that you can burn an enormous amount of information on cryptographic overhead.
B
So, if first is your frame size is on this 50th cache, and then you say each frame has to in visit a single on CoAP. You know, a CoAP which is the SE OSCORE message, right. You like consumes. You know, like basically eight, eight to ten octet of overhead. You like to leave earlier just screwed up in maturity checks, and that's clearly extraordinary, desirable, so I think that's, I guess what I'm pushing on is like.
D
B
D
B
But isn't, but what I mean? Let me ask you questions. It seems quite a while to read CoAP in OSCORE on. I suppose that I have the situation where I have to transmit on what we hit. Oh, so I got a transmit, will say, 150, I, caps, right, and and then my radio. My radio unit has MTU of 50 a 50 Akash, like what. How do you do that ferret is miles.
G
E
E
That is within the CoAP layer, so it looks to be below OSCORE, and if you do CoAP over DTLS, for instance, then that appears to be above DTLS, which is a an interesting problem. But there is it. There is a tussle between, should I send a 256 byte.
E
Blocks above CoAP, which get transmitted translated into two or three radio units, or should I send thousand 24 byte or 2,000 byte block units, which gets translated into much many many more radio units, and there's a tussle between the two things, is because of what what of what? Where the retransmissions occur, and this is a, this is definitely a matter of tuning for different radios and different technologies and different network.
B
So I guess I'm just, I'm just trying to ensure that we don't, like, I just want, I'm sure that my comment here was. We don't presuppose the architecture that would then result in very suboptimal tuning for some particular environment home tried to do, and because I owners in the environments, maybe as well I'm trying to make sure that we don't alter Knology. That presupposes that, so.
E
The take home, and I and I know that you're on and I have discussed this before, is yes, we could do something in, you know, three round-trips, but each of those round trips would be big enough that we would require multiple radio fragment round trips anyway, so we haven't actually optimized the radio units. By making the round trip count lower and making bigger packets we we could have multiple steps, each one which is shorter, and that might actually be more efficient than having fewer message round trips. So I think your point is well-taken.
E
C
E
Don't think that the multiple fragmentation layers should be out of scope for the AKE. I think the AKE needs to an ad to be evaluated in terms of the different possibilities of those fragmentation models. The AKE may actually make it provide advice. You know, make this thing bigger and even though it acquires more lower-level units, or make this thing smaller and have multiple messages, because it optimizes radio units. I think that the AKE specifically should be aware of that and should be in scope.
C
F
B
F
F
G
B
B
You can't pipeline like an arbitrary number of of messages on the radio, and so basically, you know, you have five messages in queue, but as a practical matter, you have to send two and then you in the knowledge meant you could send two more kind of thing, and so then, until basically like the kind of the kind of flights you think about wheels like a teepee you'll get you like you've got much so much more effectively window. Your.
E
Your window is often one, and it's often one at a hop by hop layer. So in fact, your IP window from across six hops, it consists of of six transmit act, transmit acts with the possibility of retransmissions or drops in between, which kills your entire transmission. So if you, and there's people trying to solve this, make it better and do other things with it. But that's this! The the fifteen 460 environment today, and it's usually driven by the fact that the devices don't have much memory for buffering of forwarded packets.
E
D node, A and B will congest each other in node, C's a forwarding buffer, and so they sit there, essentially a single, whatever the opposite of windowing, a single task, single threaded across the whole network, because something Kaiser captures the the transmission buffers and that's desired, or because and because you prefer that everyone takes the turn rather than they fight each other.
B
Guess I'm, probably we've drilled on this too much, I guess I'm I I'm going to live with messages for, like, you know, for a little while but on. But let me let me let me, like, but like I'll take the action item to go read this document again and like see if I think that messages is presupposing too much, and if it is then all like I'll propose new terminology. If not I'll shut up we're supposed.
B
I think it would be helpful if we documented the thing that Michael said earlier on, which is that you can have that this dish, the dessert OSCORE, like conceptual unit, exists above CoAP, and so you can have effectively one OSCORE on. You can have one OSCORE on, whatever you want to call it, message with a single integrity check. This spans multiple radio frames, not a problem, because that's actually a very important case restriction or non restriction. Yeah.
D
B
Mean because it cuz a bug needs, if you do block wise, if you do it so that the that each individual block each of your reading is one OSCORE message, and like I say you bet, you have a huge amount over it, so we obviously don't to do that and so on. Hi plague is worth, it's worth document that, because it does, it does actually point. It does actually tell it give us a curve, burger, Haut bandwidth. We have to work with.
D
B
B
B
G
B
B
A
Also, have a question number two. Correct me if I'm wrong, but I think I've here I only hear people who are working on TLS use the term flight. I just wanted to check. Does everybody? Is everybody happy without term, or do we need to kind of define it in this document? Just so everybody has the same understanding. The.
A
A
B
I I think I think. The reason why one might think you want to save flights is in just what I'm sort of trying to get earlier, is that if you think about your typical sort of Sigma protocol, right, on on where, you know, be weird with where the first message from the responder is a is a homing key, which is a clear, followed by a followed by like some a ad block hum of protected certificate, or something like that on, and eventually followed by some other ad block.
B
Well, you're waterboarding, ad blocks they're getting a certificate and they contain data on, like calling each calling that a message of odd, and that's sort of why we've got this flight terminology. It's a particularly truth: you're piggybacking on procedure, if you're kind of piggybacking multiple application messages on the stain on the same flight, so I mean like particularly think about like QUIC, right, or or or TLS 1.3, you've got to 0.5-RTT mode, right, and so the server can.
B
The server can like stream like as many as many application messages at want soon as they send Jesus intent. You know what do a lot, and so like it was like our third. If Radian, it's really easy, like totally different, it's like there's that there are times, and so calling those messages like their flights and so like.
G
B
Also Steven, my foot was I was going to go read through this again and see if I see what I thought was appropriate and an either shut up or make a poll question. If that were four people or two people watch I resolve it now, good.
A
B
B
You know, to be able to send multiple messages at the state it without intervening round trip. But if we assume that every single met every single by modulator we use or we have stop my environment and not very valuable feature, and I just don't know if I the ready environments know like is this like. Is this like stop the waiting like, like all them, Reginald.
A
B
So that case I think we probably sure that's terminology. It makes clear that it's possible to mobile messages within we didn't give in time a given record window, which is your flight to appropriate, and I'm happy to send them to Patrick.
B
B
A
D
OSCORE already provides a way to generate a new security context from an existing security context. That does not provide perfect forward secrecy and that's something which we think should be supported, and this could be by a special resumption procedure or it could be reusing the PSK authenticated mode of the AKE. Question is: what should we say anything about this, or what level should we specify this in the requirements document, and should we have a special resumption procedure or not if we specify.
C
G
B
It worth noting, I think, that the arm that the actual are the thing were defending here is both PFS and PCS, and.
E
B
Should probably note on because, as you as you, as you know, with with like the kind of resumption style that that, like this TTP krypter or what tails one for uses I'm, you actually can get PFS even without it, if a Helmand round. If you can't get PCS that one.
G
B
D
We definitely need to have your, I mean. The solution typically would would have key separation between the AKE messages and the OSCORE messages, between keys use for resumption and traffic keys. That's that's sort of the general question. What will conform, maybe in terms of a particular question, do we really need separate keys for what we call application data in the AKE, so the plant applications to use with so-called application data is currently it's limited to things related to transporting authorization and certification certificate related information, and the difficult use cases zero-touch.
D
Setting in this figure here below where we start, you haven't an AKE which is augmented with authorization information going to a trusted third party, an authorization service, to get authorization information with which you can do authorization already in the second message, and then you could optionally add as an enrollment protocol after that. So basically that's a question. Do we really need separate keys for this type of data?
D
B
I mean, so I would have called that part of the AKE, right, I mean like that particular information, I mean like. If you think about how you handle that, you know, in in one of the protocols you typically design, we call that a confirmational I get like.
B
For instance, you know what should you shut, that an extension, so I think like, I think having that in, like the, you know, having that in the same team generally. I think the really relevant question, though, is: do we want 0.5-RTT data, like do we want like that? We want the server to be able to send application traffic upon receiving the first message. That's the thing, I think the P separation.
B
D
B
D
B
Thanks, yeah, that would be some thoughts. Okay, sit right, so I think I think that in that case, like I think that I think like this is like I think this is part of the AKE. So I think explain it like I just misunderstood, like what you were or you had a mic here: yeah.
D
D
D
You will send general. This would be a huge framework with lots of extensions. So that's why we don't use that term, but maybe we need to find a better term. Okay, but for what do we agree, at least on the click on the content, and then we can try to find out the good term requirement documents, right.
D
D
E
D
E
E
D
The general, I mean again, we haven't talked about the general question we have. We started with a particular question, I think. Unless people disagree, we will try to find a different name for application data. We will explain what met what content is and we will argue that they don't need separate keys this in particularly I.
B
Think it may be like maybe like auxiliary data or additional data, or one of those terms like one that implies that it's somehow associated or associated. But if the applies it is part of the AKE. I think it's about used because, like I think application data is like the messages. I then kind of transmitted over OSCORE, yeah.
D
B
D
B
I think that the really critical part, like I think the thing that you want, I think the thing I think is like that. Not only is it okay to have them be on the same team mature they needed in the same key material, because, because what you're, what you want to do, is you want to make assertions about the security of the, you know? You want to milk assertions, you know you know. Crotchet can any style the constructions about the about what there was outputted 8 tells you and what they mean about.
B
B
As I understand it, as I understand it, the way this is we're supposed to conceptualize it. This is. This is supposed to be like a you see, style system, right, where we have. You know a on where we have a where this just pops out like a session ID and some keys, and then those get imported into OSCORE, right, that's like like do we say that somewhere, like that's it, that decimal gives you a key separation, yeah.
B
So I thing would you say: I think I mean I think seeing that that's the model I think it's a key thing and III apologize. I can't remember if it says that really clearly, but if it does of an Anglophile.
D
B
G
E
D
B
D
D
So this is a question about extensions and also what we need to write in requirements. About extension, the current version does not target PAKE or post-quantum. We want to allow that in the future extension, and the question is: how do we formulate that subject sense that tensions are already built in through COSE, so we get I mean you algorithms new certificate for most new schemes?
D
That's that's basically already covered, but we want to say something about extensibility, and this is what we say. So we say it's desirable up to eight supports some kind of dance ability. The ability to later include new AKE modes, such as PAKE new working, COSE, etc, and then there is a statement about complexity here or simple: okay, be taken to avoid feature creep and expansions working against this. So the question is: do I, don't think it's it, yeah, good.
B
B
B
I think that the the the the the principle here is like not like make something which cannot possibly be tended, but make something where, when you have extensions, and you don't want them not costing you, so if you don't want PQ I turn the page I'm not paying a constant price at happy Q, so other people could have PQ. That's basically things I think that's! The principle is bow to you, rather than the principle being sort of on like sort of like person, money, yeah. How do we formulate that I?
E
So I don't see that is I, you pay for what you're used, and I think that's a really good principle, and maybe that's the right words to use. To my mind that the cost of the extensibility is not and whether in the encoding or or that the user needs to pay. For it my mind, the the cost and extensibility is in the know that does not receive or support it.
E
That receives a message that includes the extension arm and discovers that it can't proceed because there's nothing that's compatible with it, and and then we get into the question of, well, is this the result of a bid down attack or something? And what does it do, right? It's the it's a! What does it really mean to have version 2.1 of a protocol? Why would we?
E
E
D
Great, then, going back to issue five, which is basically just the question about PQC. Maybe this is actually the same, well, this is this. Is the question? Do we need two different statements about post-quantum? So what we say is that we seem to agree that this is ample scope for this version, but I'm not sure if we agreed on the formulation on how we're going to support it in a later version, I think.
B
This text is good and I. Think I guess like it's like like what would what would it mean? I guess the quite. This is about something Michael's point actually is: what would it mean to say might be afforded a later version, namely does it mean we should be able to automatically discover that?
B
Like did you know if we have two people that do not do to do like one and like one does not have those qualms, and then we add to awake 1.1, whether it's like an extension or a new code point number or whatever, like, should they be able to automatically discover that fact, or should they just be like we're dead, like that? That seems like. Actually that will open the relevant point for any of these things. Yeah.
D
Good, then we go to number six. This is also editorial, or or or I hope so. We have a listing of specific attacks in external, neutral authentication. This was reported on on Karthik slate. This input, and and yeah, I just wanted to check. If people have any objections to this, we are basically releasing a set of attacks here, and this list could be longer or it could be shorter. Are we happy with this set.
C
D
D
We already have two statement in section two for that we should be able to support different AEAD/MAC algorithms for AKE and OSCORE, and one question is what other highlights children highlight. Other related security problems, for example, on the HKDF, but, and also here comes the relationship of the master secret and it's its dependence on on AKE secrets and connection IDs.
B
Now go ahead, please, I'm sorry, I didn't realize you weren't gonna. Let go em they're, both Goods Lambos out. He wants to say something. I know I, think you work late, but I didn't really, I thought you were pausing. So what now I realize you're laying out both issues, wanting to lay them out together, cuz I think they're getting great they're good together.
D
It is sort of the basic question of what integrity do we require for the AKE, and there is there obviously a trade-off with overhead here. If we want to have a full context to check, that's certainly adding preventing certain certain frame sizes to put that transport, a piece of transport in one frame size. So that's that's basically the two issues, and yeah, go ahead.
D
B
I I I think I think there are perhaps, you know, there are two related issues but I think not not not the same. I know Karthik as well, just a so like I'm like the FIR.
B
But on there's, like, the question of, should you be able to support on different algorithms as a general matter, and the question of trivial support like different strength algorithms, on and given the basically I? Think that, like, given the way we've constructed these, by and large I don't think it's necessary to like, there's a general matter of support. Like, you know, HKDF were like shouts physics on, you know, on on on the eight and then support you achieved the shot.
B
Three four I'm like I, like OSCORE, seems like max, cooperate helpful and like really look at like quick than building. Do that for essence, but I think what is important is given that we want to cut some corners on the strength of the cryptographic of like the gravity algorithms, in the sort of opportunity to transport. It does not does not compromise security of, like the, you know, of a Cassell that you want to be able on.
B
The guarantee you want is a like, essentially no matter how compromise like, like at the end of the day, you're gonna grow. She ate like no one Christian on for, like the application data and like the a quick, an equal like guaranteed that happen and not not give you these edit acts. Now that the requirements that I think hashed it has to work on, and I think given as a practical matter, UN up on I think like that is a multiple sort of ways to do that.
B
I
Think, yes, so as as far as possible, if you can separate out the and provide service guarantees for the handshake, which are completely independent of transport. Here, concerns that simplifies, modularity modularity improves for the AKE, much much more so so. The integrity current. So I don't know what the integrity guarantees, but certainly we, it would be nice not to rely on when even, well, yes, so to be able to state the guarantees for the handshake, independent.
D
G
B
B
I'm Athena D like, so so things like the relevant point, I think, is like if you go at, like, you know, directly beginning your time and you look like SSL version two, right, I guess: low version to do not have like independent on a can shake integrity check, and the consequence was that, like, if you had, if you negotiate like a super resizer, then like basically at horrible bachata tax, and so I think the property we're trying to get at is like that.
B
I
Speaking concretely, here I mean for the application data we might be okay with like an 8 byte tag for the integrity of subscription data, but for the handshake messages the main fact want say a full HMAC or something. It's very possible that the requirement that you put on the handshake integrity is strictly stronger than then the integrity checks that we get from OSCORE and things like that. So.
E
I
E
A so this is Michael, so I, I'm, I guess I'm a little bit surprised by this desire to change things. It sounds very like IPsec-ish and, and that was driven primarily by the belief that the book, the cost of doing some of the, you know, in the olden days of doing Triple DES on on on in hardware for the book.
E
Both data was high enough that it was worth having different algorithms negotiated for the data than the than the AKE arm, but I don't, I can't imagine that to be the case from the devices that I think we're targeting, that they either can do certain things or they can't, and that they there's not really a lot of differences, but the business about how many bytes of integrity is almost a network optimization rather than a compute optimization, and is not not sort of the difference between the different SHA-256 truncation modes. That's not my!
B
So I think the issue in this case, right, is that the is the extent to which on look at a typical Sigma protocol, the identity misbinding defense on to a great greatest independent security than integrity check and so on. If you have very, very short integrity check when you're attending the spying defense, much weaker and fine.
B
And so like that in got this, I think that's the kind of concern I'm glad that happened. Unkar thing I think can also mimic babblers ever lost, but.
E
But but but is there, is there a strong requirement that people would like to have further truncated OSCORE integrity check? That's what I think I'm hearing, is that I don't think we would ever want to truncate the AKE, its integrity check.
E
The reason you just gave, we would want to use the full strength of the algorithm that we bothered to spend the compute cycles to do, but I guess it makes sense that you might want to truncate it for the for the the both data for network, simply because of network byte account, hey.
G
E
G
G
E
H
E
Said that the the bulk is out of out of scope, but I see point issue 9 asking the question exactly that question. Maybe I don't understand the issue, but that's what I see the a issue, so then you're asking, you're saying in addition to that being too big, you also think that the full size is too big for the the AKE as well, which is point it, which is issue 8.
I
Yeah, one way I would phrase this is that, of course, we want to trade off over here versus security here and find the right balance point. That's for sure. The only, I think at this for this at this stage for the requirements, the only thing to kind of recall is that the handshake integrity is its own thing and it may have a slightly different security requirement than whatever it is gets read providing for the application data on the side of the AKE or as on the side of even on the side of OSCORE.
I
So just because some particular tagging mechanism is sufficient for protecting application, we shouldn't assume that that will also be sufficient behind check integrity because it does establish one, and I think that's kind of in a way we don't, I mean, of course it may end up being the case if it's the same plank of tags for everything and so on, but that this this this appears in a different place in the proof and has a different requirement. That's that's the only point. I think that is so there's a.
C
I
I
So it will basically be that how many connections, I mean after a certain number of connections, you're gonna start getting collisions on on the handshake tags, and you're going to have to make a decision whether that number of connections is acceptable and it's compatible with the similar kind of bounds that you are accepting in other parts of the protocol, of the the kind of things that you do for Ald among the 80 tax is kind of different from the thing that you do for the MAC in the Sigma protocol. Earlier.
D
So this this is an input and try to get a spot define protocol design, but you need to have it right now.
B
I think we may actually have why me, I think we're going to have to at some point try to provide some sort of rubric for how one makes a decision really wise, like otherwise there's like a real temptation to like just shrink this number down to zero, which will obviously with the protocol smaller, and so like I think are some programs, so I'm not quite sure what the answer is, but I think we can like. We hope you leave it like completely out of scope, but I think we probably like we wait.
B
I don't know, I think I think what, well, why don't we start by having Karthik write down like how one reasons about this, and then we can figure out from there like how we actually write down it, like like once you know how to reason about it. Then we can pair up what we have like putting in a real requirement. Yes.
D
D
D
D
C
A
A
The idea with this graph is not to turn it into an RFC, but that it should just, we would probably run a working group as a call and then parkus and then, and so my question for now is: do people have suggestions or did I just want to start thinking about? How do we proceed after we think worth? This draft is stable, which is not today, but assuming that we can get to where this draft is stable enough and the working group are happy enough with us. How do people suggest we want to proceed thereafter?
A
A
D
Have an idea here: what would it be reasonable? You said three weeks or so for for doing the completing the assignments, and if we then could have another round over mail, and if there are no more issues, but we then be finished, is that is that a reasonable, I mean we with go for working group last call, yeah.
A
D
I mean this is just reminding people that this is a long overdue process. We've wanted to have a solution to this problem for for a long time, and we basically discussed this for a year. I'd like to progress as soon as possible to discussing solution candidates, and and according to the schedule of the milestones, I think that that would be the next step, present of alternatives discussed in solution, candidates in advance, and then move on from there.
A
A
Okay, well, general think that so we have, I mean I guess, you know, ekor have to do and the people working on cts wouldn't need to think about it. The people who are working on previous things are already two atoms. You know, planning to get started, and we don't have any third suggestions that I can hear today, and so we put that in the minutes and we'll see what people under this nycos I.
D
A
D
A
I
A
Sure, I think virtual interim. We, I don't think we need next week unless somebody wants to contradict me, so we won't until next week. If, if we want another one before Vancouver, we can organize that on the list. Does I Nancy you Sean, it does. Thank you, and Michel. Did you have a concrete proposal for hackathon type things to do in Vancouver, or do you want to, you know, think about it and propose something on the list? I.
E
Don't have anything concrete to propose because we're not at that point, but I wanted to ask, sure.
A
You somewhere, yeah, that might be maybe more for the summer IDs that might be, I think think of it. I guess that works for me, okey-dokey, and with that thanks to our minute takers, and if there's no any other business, which appears to be the case, I think we're done, so thanks, everybody, for turning up, and we'll take a bunch of actions and take it on the list.