►
From YouTube: OAUTH WG Interim Meeting, 2020-10-26
Description
OAUTH WG Interim Meeting, 2020-10-26
A
This
is
starting:
oh
yeah,
okay,
perfect
yeah!
Thank
you.
Okay,
welcome
everyone.
So
this
is
the
first
day
internet
meeting
the
working
group
enter
meeting
just
as
a
reminder,
and
not
well
applies
here.
So
if
you're
not
familiar
with
this,
please
make
sure
you
understand
what
that
means.
A
A
So
this
is
our
schedule
for
the
coming
a
few
weeks
before
we
switch
it
to
a
give
it
to
daniel.
I
just
want
to
talk
about
one
topic.
A
There
was
some
flair
of
activities
around
there
or
literally
of
discussions
about
just
want
to
make
sure
that
it
is
clear
that
currently,
the
authby
group
is
not
working
on
any
new
version
of
oauth
protocol
and
we
are
working
with
them
with
roman,
to
kind
of
put
the
official
statement
to
clarify
the
proper
way
of
bringing
any
work
to
the
author
group
and
working
on
a
new
version
of
this
protocol,
and
so
this
is
just
a
statement
and
just
to
make
it
clear
what
what
the
status
of
of
any
welcome
name
was
that
the
3.0
here
is
we,
don't
we
don't
while
working
on
any
anything
like
this,
and
we
will
talk
about
a
proper
way
of
doing
this?
A
Okay,
so
that's
a
that's
a
lot.
All
we
have
from
a
kind
of
a
church
perspective.
I
will
hand
it
now
to
to
daniel
to
talk
talk
us
through
stop
sharing
here
to
talk
about
security
bcp.
Thank
you.
B
C
Okay,
you
should
now
see
something:
yes,
excellent,
okay,
welcome
everybody
here
today
we
want
to
talk
about
the
auth
to
security,
best
current
practice
document,
which
is
a
graph
by
torsten,
john
andre,
and
me.
C
We
try
to
incorporate
experience
from
practice,
as
well
as
from
research
and
cover
new
threats
that
are
relevant
to
earth
too,
in
particular
also
those
that
arise
in
high-risk
environments,
for
example,
in
open
banking
environments
or
when
auth
is
used
to
yeah
in
eid
schemes
or
for
electronic
signatures
or
applications
like
that.
C
C
We
got
a
lot
of
feedback
on
that
very
good
feedback,
but
it
also
meant
we
had
to
do
a
lot
of
work
still
now
we
are
at
version
16,
and
I
think
that
things
are
looking
much
better
than
they
did
last
time.
So
yeah.
D
C
Let's,
let's
go
through
the
changes
that
we
made
since
version
13.,
so
what's
new
one
thing
is
that
we
notice
that
you
can
do
something
which
we
called
pixie
downgrade
attacks
relatively
simple:
an
attacker
uses
a
stone,
non-pixie
bound
code
and
injects
it
into
a
flow
where
pixi
is
actually
used.
C
Our
new
recommendation
regarding
this
attack
is
that
authorization
servers
must
ensure
that
if
there
was
no
code
challenge
in
the
authorization
request,
a
request
to
the
token
endpoint
that
contains
a
code
verifier
must
be
rejected.
So
this
is,
as
we
heard,
also
something
that
implementations
actually
or
some
implementations
already
do.
So
I
suspect
this
is
a
relatively
small
range.
C
Then
we
have
some
smaller
changes
regarding
pixie
and
nons,
and
the
recommendations
around
that
a
new
recommendation
is
that
I
think
it's
a
very
natural
thing.
Pixie
is
now
a
must
for
public
clients.
We
kind
of
missed
to
to
state
this
very
clearly
in
the
old
versions.
C
C
These
additional
precautions
are
essentially
that
you
must
ensure
that
the
nonce
is
checked
properly
and
from
the
correct
id
token.
That
is,
if
you
have
an
id
token,
both
at
the
token
endpoint,
as
well
as
in
the
in
the
authorization
response,
then
you
must
also
check
the
nonce
in
the
first
one.
So
that's
that's
something
we
stated
very
clearly
again
in
this
draft
because
it
might
not
be
obvious
to.
C
Implementers
and
then
we
had
another
a
couple
of
other
important
changes,
something
we
discussed
in.
I
think
it
was
the
last
call
regarding
the
security
bcp
somewhere
earlier
in
the
year.
C
C
This
writing
is
now
what
also
can
be
found
in
the
document,
a
smaller
change,
as
you
know,
as
you
probably
know,
we
say
that
you
that
you
should
use
exact
string
matching
for
redirect
your
eyes
because
it
protects
from
a
couple
of
attacks
and
we
we
now
have
one
caveat
to
that
which
we've
taken
from
the
native
apps
pcp.
C
We
say
that
if
you
use
a
localhost
redirect
uri,
you
may
use
variable
port
numbers,
because
native
applications
just
might
need
that
we
also
covered
two
new
topics
regarding
attacks.
First,
one
is
essentially
just
one
paragraph:
what
happens
if
you
have
cross-site
scripting?
Of
course
this
can
undermine
your
token
replay
protection.
If
somebody
can
inject
code
into
your
application-
and
we
also
have
a
section
on
click
checking
attacks,
which
is
essentially
completely
new.
C
In
the
last
call,
we
also
discussed
what
we
want
to
say
regarding
mtls
mtls
is
now
the
kind
of
suggested
method
for
token
replay
protection,
but
it's
not
longer
as
it
used
to
be
the
only
recommended
option.
C
We
have
also
gotten
feedback
that
the
discussions
were
a
bit,
let's
say
lengthy,
so
we
discussed
several
approaches
to
to
mitigate
some
attacks.
Some
of
these
discussions
were
not
very
helpful.
They
discussed
things
yet
that
might
not
be
very
practical,
so
we
tightened
the
text
around
that
and
we
improved
the
examples,
also
feedback
free.
We
got
from
the
working
group
last
call
and,
of
course,
we
made
several
editorial
improvements.
C
So
this
these
are
the
changes
in
a
nutshell
that
we
made
since
the
last
working
group
last
call.
So
what's
there
left
to
discuss,
actually,
I
think
not
too
much.
We
have
two
things
that
I'd
like
to
discuss
today
and,
of
course,
also
on
the
mailing
list.
Afterwards,
this
one
has
already
been
on
the
mailing
list.
C
We
say
that
you
can
have
a
deployment
specific
way
to
communicate,
communicate,
pixie
support,
but
oauth
metadata
is
recommended,
but
this
is
only
for
the
as
side
of
things.
What
we
currently
don't
say
is
that
clients
should
actually
use
this
as
so.
This
came
from
discussion
with
peter
and
the
other
guys
at
the
stuttgart
university.
C
We
found
that
it
might
be
a
good
idea
to
actually
recommend
oauth
metadata
to
clients
for
their
discovery
process.
We
can
reach
several
goals
with
that.
First
one
is.
We
can
promote
automation
in
the
sense
that
you
can
now
use
features
just
based
on
this
discovery
process,
so
you
might
also
be
able
to
use
advanced
features
like
power
or
jar
just
based
on
this
discovery
process.
C
This
also
affects
security
features.
Of
course,
pixi
is
a
prime
example,
but
it
also
reduces
the
chance
for
mistakes,
as
you
might
know,
in
the
frb
in
the
current
floppy
specification,
there's
a
paragraph
that
says
that
one
venue
for
attackers
might
be
a
misconfigured
token
endpoint.
C
Of
course,
this
is
is
something
that
can
happen
if
you
configure
the
token
endpoint
manually,
but
it's
less
likely
to
happen.
If
you
have
a
metadata
document
that
you
can
pull
this
information
from,
so
I
think
it's
a
it
would
be
very
useful
if
we
would
see
a
broader
adoption
of
auth
metadata
and
it
actually
improves
security
if
we,
if
we
recommend
each
client
to
use
auth
metadata,
if
available.
C
Of
course,
it
just
makes
all
also
easier
to
deploy,
but
it
also
makes
security
features
easier
to
deploy.
You
have
essentially
solved
one
one
part
of
your
key
exchange
problem.
If
you
want
to
use
signed
or
encrypted
messages,
and
it
might
also
promote
the
use
or
the
concept
of
the
oauth
issuer,
which
can
also
help
to
mitigate
or
mix-up
attacks,
speaking
of
which,
regarding
mix-up
attacks,
so
this
is
the
second
topic
I'd
like
to
discuss
today.
C
The
current
recommendation,
as
you
probably
know,
is
that
you
should
use
so
you
must
mitigate
mix-up
mitigation
and
one
way
to
do
that
is
to
use
separate,
redirect
uris
per
issue.
That
means
that
if
a
client
can
work
with
multiple
authorization
servers,
the
client
should
have
a
different
redirect
uri
uri
registered
at
each
of
the
authorization
servers.
C
This
was
a
result
of
the
discussion
on
how
to
solve
the
mix-up
attack,
and
I
think
we
settled
on
that
because
it's
this
solution
is
based
on
existing
wealth
features,
but
it
turns
out
that
it's
not
always
the
best
solution.
I
think,
for
example-
and
this
is
a
problem
that
we
actually
have
at
yes.com,
this
solution
is
not
suitable
for
schemes
where
you
have
a
centralized,
client
registration,
so
the
client
just
registers
once
and
can
use
many
or
authorization
servers
or
issuers.
So
to
say,
I
I
think
this
is
a
pattern.
C
This
solution,
also,
as
you
can
tell
from
the
text
that
we
have
in
the
bcp,
needs
a
lot
of
explanation
to
developers.
So
what
do
they
need
to
do
so?
Why
do
they
need
to
use
a
separate
redirect
uri
per
issuer?
What
is
an
issuer
is
a
separate
redirect
uri
per
authorization
server,
okay,
or
is
it
not
okay?
What's
the
difference
between
the
authorization
server
and
issuer?
What
exactly
to
to
pull
what
to
put
into
that
uri
and
so
on?
C
And
it's
also
easy
to
get
wrong
and
I
think
the
the
best
argument
against
this
solution
actually
is
it's
very
hard
to
automate
in
libraries,
because
library
might
not
know
about
your
uri
how
your
uris
are
built,
what
you
put
into
that
into
these
uris
and
so
on?
So
it's
a.
I
still
think
it's
a
valuable
thing
to
have,
but
I
think
there
are
better
solutions
and
one
such
solution
is
something
where
also
discussed
very
early
on
in
this.
C
This
whole
mix-up
topic
is
to
put
an
iss
parameter
into
the
authorization
response
that
tells
the
client
which
issuer
the
authorization
server
thinks
it
belongs
to
and
which
was
used
in
that
authorization
process.
C
This
iss
parameter
is
something
that
again,
we
discussed
very
early
on
already
in
the
process,
so
it's
actually
the
solution
that
we
have
in
the
first
paper
where
we
described
the
mix-up
attack,
we
already
had
the
solution
with
the
issuer
parameter,
and
we
already
proved
formally
that
it
actually
solves
the
mix-up
attack.
C
So
it's
a
very
good
mechanism
against
mix-up
attacks,
carson
who's
cast
meyer
to
zelhausen,
who
is
also
in
the
call.
Today
he
wrote
he
created
a
new
draft
which
specifies
exactly
that
an
iss
parameter
for
the
authorization
response.
I
think
he
also
already
posted
on
the
mailing
list.
Today
the
draft
defines
the
iss
parameter
and
an
respective
metadata
flag.
Of
course,
it's
a
very
short
draft.
I
think
most
of
the
parts
most
of
the
things
in
the
draft
tell
about
how
this
source
mix
up
it's
again.
C
E
This
this
is
mike
jones.
Can
I
reply
to
that
sure
if
you're
using
an
id
token,
you
already
have
the
issue
a
parameter
or
the
issue
or
value,
so
you
don't
need
the
parameter
so
just
like
we
did
with
nonce.
You
should
describe
that.
If
you
have
an
id
token
in
your
flow,
then
you
already
have
the
issuer
and
can
use
it.
F
C
Well,
the
the
the
client,
so
the
client
just
gets
a
an
authorization
response
and
it
just
doesn't
see
where
it
comes
from.
So
the
client
just
gets
it
from
the
browser,
and
this
is
just
a
redirect
to
the
client
containing
a
code
and
since,
of
course,
the
code
is
opaque,
can't
tell
where
this.
If
this
code
is
coming
from
the
attacker
as
or
the
honest
as.
F
I
guess
my
point
is
that
it
already
has
to
store
state.
It
already
has
to
store
the
pixie
code
verifier
to
know
to
no
defend
that
in
with
your
authorization
code,
so
it
seems
like
it
could
also
store
where
it
expects
the
code
to
come
from,
and
if
the
code
is
coming
from
an
attacker,
the
attacker
could
just
as
well
swap
out
the
iss
parameter.
C
Yeah
exactly
so,
this
is
so
the
client
in
when
using
this
this
mitigation,
the
client
would
need
to
do
exactly
that,
so
the
client
would
need
to
know
which
is
parameter
it
expects
in
response,
and
the
nature
of
the
mix-up
attack
is
that
the
authorization
response
always
comes
from
the
honest
as
directly
from
the
honest
as
and
the
attacker
cannot
intercept
the
the
authorization
response
from
the
honest
as
because,
of
course,
if
the
attacker
could
intercept
that
that
authorization
response,
then
the
attacker
wouldn't
need
to
do
the
mix-up
attack
in
the
first
place.
B
C
Sure
sure,
okay,
how
would
we
pull
off
a
mix-up
attack?
Let's
say
you're
using
oauth
metadata,
so
the
whole
thing
starts
with.
As
you
know,
in
the
mix-up
attack,
you
have
one
client
and
at
least
two
issuers,
so
one
issuer
is
honest.com
and
one
is
attacker.com.
C
These
are
the
issuers
and
the
user
would
go
to
the
client
and
say
I'd
like
to
use
attacker.com
as
an
issuer.
So,
for
example,
by
pressing
a
button
I
don't
know
authorize
with
attacker.com.
I
don't
know
so.
The
client
starts
the
interaction
with
attacker.com
retweets,
the
metadata
document
and
in
the
metadata
document,
the
client,
the
the
attacker
acting
under
the
issuer,
attacker.com
would
say
my
authorization,
endpoint
is
honest.com
auth
and
my
token
endpoint
is
attacker.com
token.
C
So
the
user
sees
honest.com
authorization
endpoint
logs
in
authorizes
the
client
for
access
and
then
gets
sent
back
to
the
client,
so
the
client
receives
an
authorization
response
which
comes
from
honest.com
contains
a
code
for
honors.com,
but
the
client
of
course
still
thinks
that
all
these
things
are
happening
with
the
issuer.
Attacker.Com.
C
And
now
the
client
will,
of
course,
want
to
re-redeem
that
code
for
an
access
token,
so
the
client
goes
to
the
token
endpoint.
The
token
endpoint,
of
course,
is
attacker.com
token.
So
what
happens?
Is
the
client
sends
the
code
that
it
acquired
from
honest.com
to
the
token
endpoint
attacker.com,
and
at
this
point
the
attacker
knows
the
code
and
yeah.
So
essentially
it's
it's
game
over.
At
this
point,
of
course,
you
have
then
features
like
pixi
making
this
attack
harder
and
and
other
things,
but
still
to
get
defense
in
depth.
C
C
So
if
you
had
the
iss
parameter
in
the
authorization
response,
then
of
course
in
the
scenario
that
I
just
showed,
the
honest
dot
com,
slash,
auth
authorization
endpoint
would
put
into
the
authorization
response
the
issuer
honest.com,
because
the
honest.com
authorization
server
knows
that
it's
acting
under
the
issuer
on
a
sidecar,
so
the
authorization
response
arrives
at
the
client
and
the
client
sees
okay.
This
response
comes
from
honest.com
while
me,
while
I
as
a
client,
I'm
thinking
I'm
acting
or
I'm
interacting
with
attacker.com.
C
And
the
whole
thing
also
works.
If
you
don't
have
metadata,
but
then
you
need
to
essentially
you
need
to
need
a
deployment
specific
way
to
to
say
what
is
the
issuer
so
to
say
in
that
case,
which
can
be
as
easy
as
a
fixed
string
that
you
know
that
facebook
always
sends
this
string,
and
google
always
sends
this
string.
C
Well,
pxe
kind
of
does
so
with
pixi.
The
code
would
arrive
at
the
wrong
token
endpoint,
but
of
course
the
the
the
the
attacker
wouldn't
know
which
pxe
verifier
to
use
for
that
code
problem
is
that,
first
of
all,
we
don't
know
if
pixel
was
used.
Of
course,
if
you
follow
all
the
recommendation,
pixel
was
used,
but
if
you
don't,
then
you
still
have
the
mixer
problem.
C
Second,
is
that
there
might
have
been
a
chance
for
the
attacker
to
influence
the
authorization
request
in
the
first
place,
for
example,
by
by
kind
of
proxying
that
through
his
own
server,
and
that
means
that
the
attacker
could
know
which
code
challenge
was
used.
C
F
I
think
I
see
that
last
question
if
a
client
is
only
ever
interacting
with
one
authorization
server,
none
of
this
is
necessary.
Is
that
correct
and
if
so,
can
that
be
explicitly
stated.
C
A
Okay,
so
so
daniel,
like
do,
do
you
think
you
you
want
to
wait
for
this
document
to
kind
of
progress
and
then
kind
of
see
how
that
goes
before
you
kind
of
continue
to
move
this
document
along.
C
That's
an
excellent
question.
I
think
it's
it's
it's
time
that
we
publish
the
security
bcp
and
I
think,
by
putting
the
iss
parameter
into
a
separate
document,
we've
kind
of
decoupled
those
that's
at
least
what
I
hope.
Of
course.
I
know
that
it's
it's.
It
could
be
a
problem
to
link
to
to
reference.
C
What
is
right
now
an
individual
draft,
so
I
think
it
would
be
great
if
we
would
find
a
way
to
proceed
with
the
security
bcp
more
or
less
independent
of
the
other
document.
A
G
A
So
that
it
seems
that
what
what
daniel
is
trying
to
do
here
is
he's
trying
to
describe
an
attack
and
refer
to
an
individual
draft,
which
is
just,
was
there
a
lot
of
noise
on
that
on
the
bridge?
So
if
you
are
not
team,
can
you
please
go.
D
G
Sure,
I
think
a
couple
of
things
matter.
It
depends
on
the
track.
We
want
to
publish
this
particular
document
in
you
know.
Ultimately
what
will
happen
is
if
you
have
a
document
that
has
a
normative
reference
on
another
document
that
is
not
yet
published.
It'll
sit
in
the
rfc
editor
queue
as
a
misref
until
until
they're
deconflicted
and
then,
depending
on
the
track
of
that
other
document.
G
D
Harness
here
I
was
wondering
like
I
was
listening
to
mike's
comment
early
on
with.
He
was
saying
that
the
id
token,
so,
if
you
use
id
token,
you
essentially
have
that
parameter
in
there
already.
Is
that
or
something
that
we
need
to
take
into
account
in
this
whole
debate,
our
write-up.
E
D
Like
if
it
depends
on
how
we
reference
that
solution,
specifically
in
the
document,
if
it's
referenced
as
a
informative,
then
obviously
that
would
it
wouldn't
be
blocked,
but
otherwise,
clearly,
as
roman
explained,
it
would
be
sort
of
stalled
till
this
other
document
is
completed.
Yeah.
C
Yeah
I
mean
this
could
be
a
chance
right,
so
it
looks
like
we
have
kind
of
two
ways
to
transport:
the
iss,
not
the
not
the
space
station
in
the
authorization
response.
One
is
the
id
token.
One
is
a
separate
parameter,
so
this
could
be,
in
my
opinion,
an
informative
reference.
At
least.
G
I
mean
as
long
as
the
solution
is
described
in
the
pcp
text.
I
could
also
see
the
you
know
further
details
on
the
attack
as
being
informational,
because
they
would
not
be
required
to
be
known
to
implement
the
solution
and
as
long
as
we
keep
to
that
line,
I
think
we
can
have
that
that
arrangement.
C
Not
the
not
the
attacks,
but
we
we
would,
I
mean
in
the
in
the
security
bcp
we
would.
We
could
say
if
you
have
a
way
of
sending
the
issuer
from
the
authorization
endpoint
to
the
client,
then
that
also
solves
the
problem
and
one
way
could
be
the
id
token
and
informative
reference.
This
other
draft.
D
Yeah
that
that
could
I
think
that
could
then
make
it
a
normative,
informative
reference
and
that
that
would
be
good.
A
D
Yeah
yeah,
but
at
least
yeah.
F
No,
it
sounds
like
the
security
bcp
would
be
saying
you
need
to
solve
this
attack
and
there
are
several
options
to
do
that.
You
could
also
make
up
your
own
solution.
However,
it
would
then
point
people
toward
the
standardized
the
intended
to
be
standardized
version
of
that,
which
is
this
iss
parameter.
C
H
Wasn't
speaking
you
could
you
could
see
that
way,
the
security
pcp
states,
the
parameter,
could
be
a
solution
and
the
new
draft
picks
up
on
that
point
and
makes
an
interpretable
standard.
I
J
A
J
It's
not
clear
to
me
that
that's
the
case
just
including
a
one
additional
parameter
and
and
how
it's
used.
I
guess
I
would
defer
to
that.
G
J
That
that's
fair,
it
just
seemed
like,
potentially
it's
less
awkward
than
all
these
various
attempts
to
downplay
a
down
ref
or
back
rough
to
an
individual
draft
document.
Although
I
presume
that
this
discussion
sort
of
presupposes
the
adoption
of
the
other
document
and
attempts
to
progress
it
quickly,.
C
I
mean
this
is
something
we
could
also
just
just
try
to.
We
could
just
try
to
progress
with
the
security
bcp
and
see
how
much
need
for
discussion.
There
is
with
the
other
document.
It
is
a
relatively
short
document
and
very
concise.
So
maybe
maybe
this
progress
is
quick
enough.
Otherwise
we
could
still
think
about
how
to
reference
that.
A
Let's
update
this
document
based
on
the
feedback
you
got
today
and
see
if
we
can
have
some
discussion
about
this
new
draft
and
if
we
can
make
a
progress
on
that
in
parallel
and
see
how
far
we
can
go
with
this
exactly
sounds
good,
okay,
okay,
any
any
other
questions
for
danielle.
A
A
I
Okay,
it's
a
topic
that
I've
already
raised
on
the
version
15.
Currently
the
section
3
states,
the
updated,
auto
article
model
is
supposed
to
have
been
updated
to
account
the
potentially
involving
multiple,
multiple
parties.
However,
he
still
misses
to
address
the
case
of
dynamic
relationship
between
clients,
which
includes
scenario
of
collaborative
clients.
I
C
Yeah,
I
think
we've
discussed
this
attack
a
number
of
times,
also
in
different
working
groups,
and
it
seems
that
there's
so
I
still
stand
by
what
dennis
quoted
that
this
seems
to
break
something
that
nobody
really
expect
or
to
provide,
which
is
also
kind
of
supported
by
the.
I
don't
know
the
my
general
impression
that
that
this
this
discussion
of
the
attack
has
not
brought
us
really
to
to
to
the
conclusion
that
this
is
an
interesting
attack,
so
to
say
just
one.
C
One
thing
that
I
also
pointed
out
before
this
attack
is
covered
by
the
attacker
model.
Collaborative
clients
is
something
that
can
happen.
The
thing
is,
it
is
not
covered
by
the
kind
of
security
goals
that
people
expect
oauth
to
fulfill
and
yeah.
So
I
don't
really
think
that
this
is
something
we
should
cover
in
the
security
bcp.
I
Well
collaborative
is
not
a
word
that
exists
in
the
current
bcp,
so
collaborative
clients
do
not
exist
as
well.
As
you
mentioned,
this
kind
of
attack
can
happen
and
we
should
say
what
should
be
done
in
case.
That
attack
happened
and
mentioned
that
there
is
a
way
to
counter
that
attack,
and
this
should
be
mentioned.
C
Then
collaborative
clients
are
covered
by
the
attacker
model,
because
clients
can
of
course
send
messages
to
each
other.
This
is
also
something
that
we
covered
in
the
formal
analysis
where
this
attacker
model
kind
of
is
derived
from
where
clients
can
collaborate,
so
they
can
collaborate
to
reach
a
common
goal.
C
I
So
it's
much
more
than
that,
it's
not
sending
messages
is
making
cryptographic
computation
for
the
benefit
of
the
other
client,
and
this
is
never
mentioned
in
the
document.
C
D
Yeah
this
is
this
harness
here
yeah.
I
wonder
I
so
I
I
see
two
aspects
here.
One
is
to
the
question
of
like
how
well
is
this
aspect
covered
right
in
the
document
itself
rather
than
in
in
reference
documents,
and
can
we
can
we
do
a
better
job
in
in
pointing
these
things
out
on
what's
covered
and
what's
not
covered?
D
The
other
aspect
is
I'm
sort
of
talking
about
solution
aspects
and
having
an
agreement
on
a
group,
but
this
is
something
they
worry
about
in
in
oas,
and
I
I
I
know
that
in
like
what
people
care
about
in
a
group
in
terms
of
attacks
changes
from
time
to
time,
but
maybe
maybe
that's
something
to
to
think
about,
and-
and
I
can
kick
off
an
email
to
discuss
this
aspect
as
we
as
you
are
then,
as
you
are
updating
the
document
for
the
other
issue
we
discussed
before,
is
that
how
does
that
sound.
C
Yeah,
I
think
we
should
also
in
the
interest
of
publishing
the
security
bcp,
consider
this
maybe
for
a
future
update.
A
Okay,
then,
I
think
we're
done
for
for
today
and
we'll
we'll
see
you
next
week
guys
we
still
have
a
another
interim
next
week
next
monday
same
time.
Okay,
thank
you
all.