►
From YouTube: IETF-MLS-20221216-1500
Description
MLS meeting session at IETF
2022/12/16 1500
https://datatracker.ietf.org/meeting//proceedings/
B
C
D
C
C
A
You
did
you,
take
them
and
send
them
to
me,
or
did
you
use
the
notepad
tool.
C
A
I'll
have
to
double
check
to
make
sure
that
it
ended
up
there,
but
if
not,
you
ought
to
be
able
to
find
it
somewhere
and
if,
if
it's
yeah,
if
I
can't
find
it
I'll
contact
you
but
yeah,
so
once
you
make
them,
then
to
get
them
actually
posted
as
official
minutes,
I
need
to
click
a
button
and
I
hadn't
done
that
I
was
actually
just
going
to
do
that
and
figured
I'd
just
wait.
D
B
A
D
A
All
right,
I'll
give
everybody
another
minute
and
then
we'll
get
going
some
of
the
some
of
the
people
missing
it's
awful
early
for
them.
So
well,
maybe
not
awful
early
am
I
kidding
seven
o'clock
Pacific
time.
It's
not
that
bad.
C
A
Again,
thanks
for
dialing
in
at
whatever
hour,
it
is
where
you
are.
This
is
an
official
meeting
of
the
ITF,
so
it's
an
ITF
MLS
meeting
I
just
want
to
do
the
no
well.
A
lot
of
this
is
about
IPR
I.
Think
I've,
I
think
I've
seen
everyone
at
one
of
these
meetings
before
so
you
shouldn't
be
new.
This
is
one
of
those
deals.
A
If
you
say
something
you
got
to
submit,
if
you
don't
and
I
find
out
about
it,
I
will,
which
is
actually
what
I
did
in
the
past,
there's
also
some
stuff
about
personal
conduct
Etc.
Luckily,
this
working
group's
not
had
any
of
those
problems,
so
that's
good,
but
if
you
want
to
know
anything
about
these
feel
free
to
click
on
these
I'll
put
them
in
the
meeting
repo.
A
At
some
point,
if
you
have
any
other
questions,
you
can
also
ask
me
all
right
what
is
next
status
code
of
conduct?
This
is
all
true
everybody
with
respect.
Try
to
speak
slowly,
limit
the
use
of
slang.
You
know
just
beat
ideas
by
using
reason:
argument
best
engineering
judgment,
the
best
solution
for
the
whole,
the
internet
and
contribute
all
right.
A
What
else?
Let's
do
the
whole
thing
we're?
Basically,
here
still
the
whole
timeline.
We
had
a
feature
freeze
with
a
working
bus
call,
the
80s
done
some
review
and
then
we're
kind
of
here
and
we're
basically
kind
of
at
the
same
point
with
both
the
protocol
and
the
architecture
document
and
we're
about
looking
like
we're
going
to
be
ready
to
send
a
clean
document
forward
to
iitf
last
call,
which
typically
lasts
two
weeks
because
of
the
holidays.
I
suspect
it
might
go
four.
A
So
mid-January
is
probably
what
I'm
it's
up
to
Paul
but
who's
our
air
director
to
decide
how
long
he
wants
to
be,
but
I
I,
that's
that
seems
pretty
normal
or
he
might
wait
to
start
until
the
first
of
the
New
Year
I'm,
not
really
sure
what
he's
going
to
do.
A
But
then,
after
that,
when
we
kind
of
like
kick
off
a
bunch
of
other
director
reviews,
so
you'll
see
some
reviews
come
in
and
sometimes
they're
good
and
sometimes
they're,
not
good
and
sometimes
they're
purely
editorial,
basically
just
roll
with
the
punches,
because
at
the
end
of
the
at
the
end
of
all
that,
we'll
try
to
make
sure
that
all
the
director
comments
are
addressed
before
it
goes
to
isg
review,
no
matter
how
small
they
are
because
the
area
directors
from
the
other
areas
use
those
directory
reviews
to
make
their
comments
and
discusses
and
not
addressing
them
just
lengthens
the
process.
A
B
Let's
just
discover
the
architecture
document,
there's
nothing
open
on
that
at
this
point,
when
I
went
to
bed
last
night,
there
were
a
couple
of
things
open
that
then,
but
then
Benjamin
got
up
early
on
evetime
and
first
bunch
of
stuff,
but
maybe
click
over
the
pull,
requests
and
recently
closed
ones.
F
A
That
was
definitely
the
one
that
he
said
that
he
was
most
interested
in
which
one
is
that
one.
So.
A
G
So
it
was
actually
quite
trivial
and,
and
mostly
little
like
there
was
nothing
that
we
didn't
discuss
before
the
only
change
I
made
actually
when
I
fixed
some.
Some
remark
after
acre
made
a
comment
that
this
was
not
a
device.
G
It
was
actually
not
a
device
level
authentication,
but
it
was
a
client
level
application,
so
I
fixed
that.
But
apart
from
that,
it's
basically
a
very,
very
simple
thing:
I
also
added
the
accommodation,
that's
on
the
bottom
right
below
the
the
comment
resolved,
which
is
to
avoid
sharing
cryptographic
State
as
much
as
possible.
We
could
basically,
if
you
do,
that,
you
are
putting
yourself
in
the
you're
shooting
yourself
in
the
foot,
because
people
you
know
another
Cricket
has-
can
have
control
over
one
device
and
then
give
itself
a
good.
G
However,
the
keys
of
other
devices.
So
that's
that's
pretty
bad.
Apart
from
that,
like
you
can
read
the
text,
it's
very,
very
Uncle
commercial
and
generally
I
mean
all
the
changes
are
requested
by
Paul
were
mostly
traffic
editorial
clarification,
since
there
is
no
nothing
actually
normative
in
that.
In
that
document
it's
also
much
easier
to
actually
solve
those
problems.
Yeah.
A
G
I
mean
it's
probably
a
like
a
long
like
you
know,
you
could
read
that
document,
so
I'm
gonna.
What
I'm
gonna
do
is
that
I'm
gonna
do
another
full
pass
over
the
entire
document,
because
sometimes
we
like
with
those
many
editorial
changes,
we
actually
introduce
duplications
or
things
like
this,
but
there
isn't
there
is
going
to
be
anywhere
and
nothing.
G
That's
gonna
be
move,
it's
gonna,
be
purely
like
you
know,
duplicate,
duplicated
sentence,
removal
or-
or
things
like
this-
if
there
is
anything,
that's
remotely
controversial,
I
would
anyway
welcome
to
pull
request
and
discuss
it
on
the
list.
A
Yeah
I
mean,
if
there's,
if
there's
minor
things
that
you
note
just
fix
them,
if
it's
any
again
I
I
kind
of
trust.
Your
judgment
that,
if
anything
kind
of
raises
the
level
of
like
hey
I,
need
to
double
check.
That'd,
be
great.
Just
ask
for
a
review
from
somebody
that
that'll
work
too.
But
if
it's,
if
it's
simple
editorial
stuff,
just
fix
it.
A
G
Do
it
up
to
you
whether
we
I
mean
depends
on
when
the
protocol
is
going
to
produce
the
next
draft
I
guess
if
he
publishes
the
next
draft
in
a
week,
I
might
actually
take
the
week
to
to
do
like
a
typo
kind
of
review.
Otherwise
I
could
just
trigger
it
right
now.
It's
like
it's
not
a
powder,
so.
B
B
A
Mean
I
I
would
I.
I
would
say
that
there
there
are
some
other
people,
that'll
catch
duplications
in
the
lake
forest,
but
feel
free
to
if
we
do
publish
at
Benjamin
I
think
it's
okay,
that
you
have
another
working
version
that
that,
like
you,
don't
publish
yet
you
can
point
that
more
more
and
more
reviewers
are
becoming
more
and
more
Savvy
about
GitHub
and
we'll
note
that,
like
oh,
you
know,
the
editors
already
got
one
rolling
and
they
fix
it
over
here.
A
E
B
I
I
hope
you're
you're.
Your
one
character
today
is
going
to
make
the
section.
G
B
C
A
I,
don't
I,
don't
know
Richard,
you
normally
don't
use
the
data
tracker,
but
if
you
do
just
send
them
over
to
me
and
I
can
get
them
uploaded
all
right
appreciate
it
all
right.
Sorry,
so
pull
requests
are
issues.
B
B
You
know
disambiguate
signatures
from
different
contexts.
They
don't
overlap
when
he
pointed
this
out
I.
Maybe
the
the
analogy
occurred
to
me
of
exporter
labels.
Tls
has
an
Explorer
label
registry
I
checked
with
Hecker,
to
say:
hey
was
that
an
accident
or
like?
Is
that
something
you
do
again?
If
you
had
the
chance
I
mean
he
said
this
is
a
good
thing
to
have
so
I
added
an
exporter
label
registry
as
well.
So
this
just
makes
two
two
new
Registries
points
to
them
from
the
text.
B
Oh
the
other
change
here,
I
did
you'll
notice.
These
recommended
changes
in
all
the
other
registries.
All
the
Registries
were
copying
and
pasting
the
recommended
text
from
sniper,
Suites
and
so
I
just
made
it
point
back
to
that
section
instead
of
copying.
So
hopefully,
that's
okay,
the
only
thing
that
seemed
like
it
might
be
interesting
or
controversial
on
the
Registries
themselves
is
I
put
a
provision
in
here
for
private
use.
B
Those
who've
hunger
on
the
ATF
might
remember
the
x-header
stuff
for
HTTP,
where
and
stuff
started
out
as
private,
and
then
it
turned
not
private
and
so
having
the
x
dash
prefix
was
was
troublesome,
so
I
don't
know
if
people
wanted
to
reserve
private
space
that
way
or
not
how
much
on
your
thoughts
on
this
is
somebody
who's
dealt
with
the
same
or
ruined
someone
who's
still
playing
and
stuff
in
the
past.
A
I
mean
some
people
are
gonna,
love
it.
Some
people
are
going
to
hate
it,
it's
something
we
could
bike
on
for
a
while,
but
if
it's
a
functionality
we
need
or
want,
then
I
think
we
just
have
to
be
like
all
right.
Well,
you
tell
us
what's
the
way,
what's
the
the
quote-unquote
right
way
to
do
it
and
we'll
do
that?
This
is
just
our
suggestion.
So
I
don't
think
you're
looking
you're,
not
looking
for
a
hill
to
die
on
here,
you're,
just
looking
for
a
mechanism
right,
so
yeah
yeah,
you
gotta,
be
fine.
F
E
If
you
you
know,
if
you
wanted
to
have
so,
if
you
really
wanted
people
to
go
and
expected
people
to
do
stuff
in
in
a
private
space,
you
could
ask
them
to
use
the
reverse
domain
name,
but
I
don't
have
a
strong
feeling.
I
I
think
this
is
fine.
I'm,
not
sure
that
saying
you
know
begin
with.
Private
colon
is
necessary,
but
the
the
problem
that
we've
had,
though,
is
when
we
when
somebody
started
off
and
did
something
that
was
private
and
that
it
became
something
that
was
standard.
E
And
so
then
you
have
like
multiple
versions
of
the
thing
you
know.
So
you
have
the
label
that
is
with
private
and
the
label
without
private.
B
D
B
I
think
the
the
other,
the
other
thing,
the
contrast
with
this,
these
strain
values,
as
opposed
to
integers
with
finite
size,
is
that
these
aren't
really
contentious
right
like
if
someone
gets
you
know,
X
forwarded
for
or
just
defines
forwarded
for.
You
can
Define,
you
know
forward
and
on
behalf
of
or
some
some
like
language
variant
of
it.
B
A
So
I
will
note
that
in
the
most
recent
discussion
about
exporters
in
TLS
was
that
a
discussion
about
making
the
registry
specification
required,
so
the
designated
expert
can
so
there's.
There's
there's
no
need
and
they
actually
don't
have
that
for
exporters
right
like
I,
don't
think
they
actually
have
a
private
label
in
the
front.
So
maybe
I
don't
know.
A
B
Yeah
and
then
all
the
all
the
Registries
we
have
here
are
specification
required.
B
A
A
I
mean
I.
Just
again,
like
you
said
it's,
you
know
we're
we're
gonna.
You
know
we're
gonna
spell
the
name
wrong
and
be
cool
right
on
purpose
like
that
to
to
differentiate
it.
So
if
it's
not
a
resource
constraint,
I
feel
like
maybe
we
can
just
drop
it
granted.
This
is
probably
opening
us
up
for
a
gen
art
comment,
but
you
know
at
least
we've
talked
about
it
now.
So
I
think
that
will
happen
either
way
correct.
A
My
crystal
ball
is
so
cloudy
with
those
reviews,
but
yeah
I
guess
I'll
go
ahead
and
just
delete
it.
B
Yeah,
okay,
I'll.
Remove
that
one
other
thing
to
note
here:
if
you
scroll
down
in
the
exporter
label
registry
definition,
there's
nothing
there
in
the
initial
contents,
there
are
no
initial
Contents
I,
don't
know
if
that'll
trip
anything
up
and
I'm
Sean.
Do
you
remember
having
issues
with
defining
empty
Regis
Registries
that
are
empty
to.
A
Start
the
only
thing
I
think
is
just
I
think
you
you
can
have
an
empty
table,
just
preserve
the
first
value,
zero
is
reserved
or
whatever,
like
I,
think
you
have
to
give
them
like
the
rows
of
the
column.
You
want
and
just
give
them
a
call
and
make
it
empty.
A
H
Martha
and
I
have
a
suggestion
for
an
export
label.
We
were
gonna
anyway,
suggest
an
extension
that
uses
an
exporter
key.
So
if
it's
really
an
issue,
then
we
would
have
an
initial
exporter
label
to
suggest.
B
Well,
I
mean
I,
I
mean
I've
also
got
one
for
the
the
S
frame
extension.
But
the
question
is,
you
know
whatever
we
put
in
this
initial
table,
we'd
want
to
have
in
the
in
the
base.
Spec
yeah.
A
A
B
A
B
All
right
next
one
I
guess
we
can
look
at
839
all
right
again,
not
super
interesting.
This
is
just
a
terminology
one.
B
There
was
some
discussion
on
the
issue.
I
guess:
Chrisman
developer
was
looking
at
this
and
noticed
that
very
sprinkling.
This
MLS
prefix
on
a
bunch
of
struts
and
so
I,
went
through
and
just
did
a
search
and
replace
to
change
the
names
to
things
that
don't
have
MLS
and
are
a
bit
clearer.
B
I
noticed
this
morning
that
so
there
is
I
think
brought
a
pretty
broad
agreement
on
that
mapping
in
the
p
in
the
issue,
yeah
the
one
people
seem
to
be
unhappy
with
his
group
content,
so
Conrad
suggested
message.
Contents
I
think
Benjamin
suggested
frame
content
a
little
lower
I,
it's
just
a
name:
I,
don't
care
so
who
wants
to
fight
it
out.
G
G
G
G
I,
don't
know
group
is
a
bit
tricky,
though
I
don't
think
I
agree
with
with
you
know:
I,
don't
particularly
care
about
the
name,
but
group
is
a
bit
misleading.
I.
Think.
B
D
H
E
I
I
have
a
slight
preference
of
for
the
public
message:
private
message:
instead
calling
those
signed,
signed
message
and
encrypted
message
just
because
I
think
that
for
non
-crypto
folks,
I
think
it'll
be
clear.
C
Well,
I
mean
this.
The
encrypted
message
is
also
assigned
so
right,
but
yeah
I
don't
have
a
preference
like
either
message
or
frame,
not
a
huge
fan
of
the
group
content,
maybe
also
because
it
sounds
a
bit
more
like
group
context.
But
then
again
that's
maybe
it's
it's
not
bad
that
bad
in
terms
of
confusing
myself.
A
I'm
not
hearing
anybody
really
objecting
to
frame.
B
So
I
I
might
make
one
minor
Amendment
there
and
call
it
framed
content
with
a
with
a
d
for
the
past
tense.
So
so
there's
this
content
that
has
been
framed.
Yeah.
B
I
mean
it
well,
I
mean
it
is
content
that
has
been
encoded
in
the
the
MLS
framing,
in
the
sense
that
it's
been.
You
know
framed
for
a
group
I
group
in
Epoch
and
then
on
the
receive
side,
your
your
plan,
framing
it
but
you're
still
yeah.
C
B
Okay,
on
Rowan's
point
about
public
private
yeah,
I,
I
kind
of
enjoyed
the
ambiguity.
The
public
and
private
gave
you,
because
you
know
it's
as
Conrad
points
out,
it's
a
little
tough
to
get
into
specifics
and
still
be
concise,
so
I'm
kind
of
inclined
to
keep
public
and
private.
So
anyone
else
kind
of
share
around
his
concerns
there
or
have
different
suggestions.
G
A
B
B
Okay,
let's
see,
that's
838
is
probably
the
back.
Why
don't
we
go
to
8,
36
actually,
I
think
that's!
The
next
goes
in
8
37-38,
good
together.
B
So
I'll
open
it
out
that
we
have
this
Center
data
construction,
where
we
grab
a
sample
of
the
ciphertext
and
use
that
to
create
the
key
and
notes
to
encrypt
the
sender
data,
and
you
know
that
correctly
set
off.
You
know
some
flags
for
him,
because
there
wasn't
much
analysis
showing
you
know
of.
Why
that
you
know
taking
a
sample
of
the
subvertext
is
secure
like
what
the
ciphertext
is.
You
know
non.
It
was
maliciously
crafted
to
have
a
specific
prefix.
B
To
give
you
a
specific
key,
you
might
need
to
reuse
nonsense
or
something
so
this
prose
I
added
basically
takes
so
recall
the
scheme.
The
sender
data
scheme
is
inspired
by
the
scheme.
That
quick
does,
which
was
in
turn
inspired
by
this
announces
or
noticed
paper
from
from
Bel
Air
at
all.
B
So
the
quick
this
is,
this
section
is
effectively
just
a
copy
pasted
into
adaptation
of
the
text
in
RFC
9001
kind
of
pointing
out
how
this
Maps
over
to
to
that
paper
and
its
analysis,
and
that
you
know
the
paper
analyzes
this.
This
hn1
construction,
which
is
which
is
effectively
what
we're
doing
here
and
shows
that
if
the
primary
aad
is
indistinguishable
from
random
data,
then
the
the
sample
and
derive
key
and
and
obviously
the
sender
data
scheme
also
protects
the
sender
data.
B
So
oh,
this
section
is,
is
pointing
out
to
you
know
that
that
analogy
and
thanks
to
Conrad
for
helping
you
know,
get
the
terminology
tuned
up,
because
the
I
was
drawing
from
the
quick
text
on
which
is
a
little
ambiguous.
I
think
we've
got
actually
a
tighter
description
here.
B
So
I
just
want
to
put
this
in
front
of
folks
to
see
if
folks
thought
it
was
a
clear
description.
This
is
really
just
explanation
for
for
the
sender,
data
protection
scheme.
B
So
I
think
Conrad
did
a
pretty
thorough
review
on
this
I
think
he
had
approved
it.
I
I
think
I
think
this
is
pretty
clear
to
me.
So
I
think
most
folks
have
concerns
about
it.
I
think
this
is
ready
to
emerge.
H
I
haven't
really
dug
into
it,
but
I
did
read
over
it
from
what
I
could
tell
it.
Looked
okay,
yeah
I
didn't
really
dig
into
it.
Super
deep
I
was
just
reading
the
the
other
paper
to
try
and
reconstruct.
A
All
right
so
I
think
what
I'm
the
nice
thing
about
this
Joel
is
that
there's
always
more
time
until
it
actually
gets
a
number
slapped
on
it.
So
I
feel
like
we
should
merge
this
and
then,
if
there's
any
any
issues
that
arise
later,
we
can
go
ahead
and
get
them
fixed.
I
I
was
at
the
same
here:
I
I.
It
sounds
reasonable,
so
I
I
didn't
read
that
paper
thoroughly
as
well,
but
I
can
look
at
it
a
bit
closer
and
it
looks
fine.
So
I
think
this
one
is
fine.
If
there
are
issues
I'll
follow
up.
G
H
Be
fair,
I
think
it's
a
part
that
wasn't
analyzed
too
often
I
think
that's
why
this
Assumption
of
prf
hasn't
shown
up
in
in
a
fair
number
of
the
MLS
papers
that
I've
seen
I
don't
know
Benjamin
did
you
guys
include
this
part
like
hiding
the
sender
data
and
the
analysis
you
guys
did.
G
H
C
Guess
the
thing
to
know
is
that
we're
not
exactly
doing
what's
in
the
paper,
but
we're
do
you
like?
We
are
dividing
a
bit
and
that
we
don't
like
in
the
paper
they
use
soar,
we
use
aad
and
then
the
paper
they
use
the
ciphertext
to
like
as
the
nons,
and
we
only
use
the
ciphertexts
to
as
as
kind
of
as
context
input
to
a
prf
that,
in
addition
to
a
proper
key,
derives
the
nouns
and
the
key.
C
I
B
All
right
so
I'll
go
I've
got
that
marked
as
ready
to
merge
in
the
notes.
So
thanks
for
the
for
folks
taking
a
look
all
right.
So
that
brings
us
to
the
last
two
here:
seven,
eight
thirty,
seven,
eight
thirty
eight,
which
are
results
of
a
suggestion
from
Tiff.
You
know
actually
Sean.
You
want
to
click
over
to
the
issues
for
a
second.
D
D
D
I
mean
it's
just
an
idea
that
I
had
what,
while
I
was
trying
to
sleep
so
at
least
with
others
to
it,
but
still
I
thought
it
would
be
interesting
to
to.
B
Well,
I
think
we
may
have
lost
Airfield
if
I
could
I'll
try
and
pick
up
where
he
was
leaving
off
I.
Think.
The
idea
of
this
idea
is
that
we
have
this
unmerged
construct
and
we
use
it
when
we
add
new
members,
but
it
can
actually
be
used
at
remove
time
as
well,
in
the
sense
that
if
a
leaf
is
unmerged
at
a
parent
node,
that
means
that
the
leaf
holder
doesn't
know
the
private
key
for
that
parent
node.
B
Raphael
noted
in
the
issue,
though,
that
unmergedly
the
Integrity
of
Technology
Mercedes
consistent.
It
could
be
so
a
malicious
Adder,
so
he's
adding
some
a
new
member
to
the
group
could
construct
a
tree
that
has
unmerged
leaves
that,
where
you
know
a
leaf
that
is
marked
as
unmerged
when,
in
fact
it
actually
knows
the
private
key.
B
And
so,
if
you
followed
the
logic
here,
you
would
remove
them
from
the
emerged
leaves
and
the
about
the
number
would
still
be
joined
if
effectively,
because
they
know
the
private
key
for
the
node
and
that
nerve
would
still
be
in
the
tree.
I
think
with
some
additional
validation
rules
we
can.
We
can
get
to
where
that's
not
an
issue,
but
you
know
we
need
to
have
those
validation
rules
and
the
curves
that
they
actually
accomplish
the
properties
we
need
here.
B
So
the
the
concern
I
think
here
is
that
this
this
is
an
appealing
kind
of
symmetry
property.
It's
a
billing
efficiency
property,
but
there
was
some
concern
that
more
analysis
was
needed.
B
So
in
light
of
that,
I
went
ahead
and
wrote
up
two
PRS,
one
of
which
adds
some
validation
rules
to
the
the
tree.
Validation,
the
Integrity
validation
that
incorporate
that
enforces.
Some
stricter
rules
on
emerged
leaves
and
I
also
wrote
a
PR
that
implements
this
in
terms
of
removing
from
unmergedly
it's
effectively
the
stiff,
I
posted.
F
So
there's
one
one
comment
I
made
on
the
pr
itself,
actually
not
in
the
issue,
and
that
is
that
the
scope
is
actually
much
smaller
than
I,
initially
thought.
So
this
is
only
for
new
joiners
who
have
not
yet
done
an
update.
F
That
is
not
quite
the
same
as
if
you
had
done
the
update
so
and
then
so
you
only
get
an
optimization
when
a
new
journalists
that
haven't
done
the
update
are
being
removed,
and
my
question
is
How
likely.
Is
that
ever
to
happen
in
some
very
specific
scenarios
it?
It
could
be
more
frequent
where
a
lot
of
people
constantly
join
and
a
lot
of
them
get
removed
by
somebody
else,
but
in
general
this
is
not
likely
to
happen
at
all.
F
G
This,
this
exact
thing
was
actually
discussed
when
I,
don't
remember
if
you
I'm,
not
sure
if
you
remember
when
I,
when
I
was
a
dhff
just
introducing
the
the
unmerged
leaves
and
passing
with
Gothic
that
that's
the
exact
discussion
that
we
are
like
on
the
first
day
when
we
introduced
emerges
like
because
we
can
remove
that
as
fast
as
we
add
them.
Basically,
but
that
said,
I
do
agree
with
you
that,
from
my
point
of
view,
it's
not
really
the
theoretical
problem
that
that
that
can
occur
in
terms
of
security.
G
But
it's
more
like
an
implementation
thing
where
people
will
will
mess
up
the
bookkeeping
and
I
would
prefer
to
write
actually
I
think
it
was
avoiding
that
because
I
think
it
complexifies
the
implementation
somehow
for,
as
you
say,
something
that's
not
necessarily
a
very
large
performance
swing,
so
you
know
I
I
think
the
idea
is
even
trivial
right.
G
It's
like
it's
quite
good,
but
I'm,
not
sure
if
it
if
it
was
doing
simply
because
of
the
of
the
additional
complexity
of
the
bookkeeping
of
making
sure
that
you,
you
keep
tracker
by
saying
that
someone,
you
know
if
you
lose
State.
What
does
that?
What
what
happens?
If
you
look
at
the
wrong
node
in
the
chain,
you
say:
oh
maybe
you
know
there
is
no
animals
live
there.
So
there
is
no
mercy
anywhere,
but
maybe
that's
wrong.
G
F
It
shouldn't
be
called
fast,
remove
or
faster
remove.
It
should
be
called
undo.
Unmerge
leave
essentially.
I
Yeah
I
was
just
going
to
say
that
I.
That
was
also
my
suggestion
to
make
it
an
extension,
maybe
because
I
I'm-
it's
really
not
clear
to
me
at
this
point.
How
secure
this
thing
is.
It's
like
can
like
I
I,
don't
really
fully
understand
why
some
malicious
member
can't
undo
remove
off
of
himself.
Somehow
I
would
have
to
look
at
this
like
much
stronger
and
none
of
the
existing
analysis
has
this
they're
not
going
to
be
updated,
so
I'm
a
bit
reluctant
to
make
it
part
of
the
standard
extension
is
fine.
G
Yeah
I
think
it
was
covered
by
some
proof
that
we,
like
some
some
prove
what
we
did
but,
like
still
I,
think
that's
for
the
complexity
and
for
the
potential
problems.
You
should
just
not
include
that
yeah.
A
B
B
Or
I
can
hit
the
close
in
a
second
now
you
want
the
837.
B
D
B
B
B
This
just
adds
the
additional
check
that
everything
between
the
parent,
node
and
any
non-blank
I
should
add
non-blank
to
the
intermediate
notes,
but
everything
between
the
parent
in
question
and
the
leaf
node
also
has
the
leaf
node
as
as
unverged,
which
is
a
property
that
you
have
in
all
the
real
cases
of
on
merged
leads,
so
anything
that
violated
this
invariant
would
be
synthetic
and
maliciously
crafted
and
not
something
that
came
about.
Naturally,
right.
H
Checks
seem
seem
to
make
sense
to
me.
My
take
is
you
know,
we're
not
going
to
harm
anything
by
introducing
more
checks
as
long
as
we're
not
breaking
correctness,
and
they
don't
seem
to
break
correctness.
So
unless
there's
you
know
counter
arguments
in
terms
of
oh,
this
imposes
a
lot
of
whatever
computation
or
something
like
that.
It
seems
like
pretty
clear
sailing
for
me.
That's
my
initial.
Take.
F
F
Rules
are
not
redundant
because
so
yeah
I
stumbled
upon
this
I
think
ninja
equation
is
how
so,
if
we
put
it,
my
question
is
whether
this
is
redundant
or
not,
and
that's
what
I
cannot
receive
time
right
now.
Yeah.
B
F
B
Little
there's
a
little
bit
of
redundancy
in
that
the
the
parent
hash
rules
check
this
property.
This
you
know
the
continuity
property,
a
downward
continuity
property
within
a
parent
hash
chain,
but
if,
if
it
crosses
it,
doesn't
the
parent
has
chain
validation,
it
doesn't
enforce
this
property
across
parent
hash
chains.
So,
if
you're
at
the
bottom
of
a
deep
tree-
and
you
know,
there's
Crossing
chains
above
you-
this
adds
an
explicit
check.
H
H
B
H
F
I
I
I
B
Cool
all
right,
yeah,
no
I
I
encourage
you
all.
That's
it's
a
good
good
point
that,
like
I,
don't
think
this
Harm's
correct
it's
it's
not
super
inefficient
and
I,
don't
see
how
this
could
harm
security
so
yeah.
That
seems
like
pretty
clear
argument
for
going
and
merging
right
any
thoughts
here
since
you
just
popped
up
on
video,
okay
thumbs
up
all
right.
I
think
this
is
ready
to
merge
them.
B
B
Yeah
I
think
I
can
make
that
I.
Think
I
can
make
the
tweaks
here
in
Fairly
short
order
and
get
things
merged
this
afternoon
and
then
yeah
I
think
if
it's
ready
to
pull
the
trigger
anytime.
A
You
might
already
be
home,
let's
go
ahead
and
get
that
get
get
them
both
out
the
door
and
then
because
then
that'll
kick
off
the
revised
ID.
That
Paul
asked
for
so
he'll
know
that
the
ball
moved
back
to
him,
but
I'll
make
sure
to
send
an
email
to
let
him
know.
A
Yeah
so
I
guess
the
next
big
question
is:
what
do
you
guys
want
to
talk
about
next?
We
still
got
an
hour
and
10
minutes.
Do
you
want
to
move
over
to
extensions
or
Federation,
or
do
you
want
to
take
an
hour
back
and
go
to
the
pub.
F
So
yeah
going
over
the
trigger
stuff
so
after
some
initial
analysis
from
Francisco's
I
merged
the
targeted
messages,
PR
I
botched
the
the
formatting
a
bit
so
I'm
correcting
that
now
and
I
released
a
new
version
of
it.
F
So
I
think
at
some
point,
tearfield
started
looking
also
into
the
security
of
the
targeted
messages,
but
there
was
some
some
part
missing
at
the
time,
so
that
should
be
there
now
yeah,
then
I
think
the
only
other
thing
that
needs
discussing
in
general
is
Ron's
PR
that
so
the
context
is
either.
We
add
that
here
in
the
extensions
document,
or
we
make
it
a
separate
document
that
was
an
open
question
and
I
think
the
idea
was
to
discuss
it
at
the
mentoring.
D
H
I'm
not
sure,
if
now's
the
time
to
talk
about
it,
it's
it's
kind
of
a
suggestion,
basically
for
doing
things
a
bit
different
and
I
wanted
to,
and
you
know
and
a
justification
for
why
we
think
that
might
be.
Maybe
a
better
approach
and
I
wanted
to
know
what
you
guys
think.
H
Yeah
I
mean
it's,
I
can
I.
Think
I
can
summarize
it
quite
quickly.
I
mean
at
what
the
core
idea
is
not
the
details,
but
I
just
wanted
to
know.
H
If
the
core
idea
is
appealing
or
if
you
guys
have
immediate
objections,
or
essentially
when
Martha
and
I
read
this
this
PR
one
thing
that
that
struck
us
both
independently
was
that
it
reuses
the
leaf,
hpke
keys
right,
yes
and,
and
it
kind
of
generally
that's
a
bit
of
a
risky
thing
right,
because
now
we're
using
these
we've
got
ciphertext
encrypted
to
keep
to
these
Keys,
which
actually
come
from
two
different
contexts.
H
You
can't
use
ciphertext
from
one
like
generated
in
one
setting
and
plug
it
in,
and
it
gets
decrypted
successfully
in
the
other
setting
that
that
wouldn't
be
good
right,
that
that
leads
to
problems,
and
indeed
it
doesn't
it's
not
possible,
but
it's
not
possible
kind
of
almost
as
a
side
effect
of
how
the
psk
thing
works
in
hpke,
which
I
don't
I,
don't
feel
like.
That
was
really
the
intention,
and
so,
for
example,
one
thing
one
could
do
is
one
could
create
an
extension
that
says.
H
Oh
I
want
to
do
psks
in
MLS,
because
whatever
I'm
worried
about
post
Quantum
I
have
some
external
post,
Quantum,
secure,
psk
and
the
way
I'm
going
to
do
it.
Why
not
I'm
going
to
use
psks
into
hpk
ciphertext
as
well,
like
whatever
I'm
I'm?
What
I'm?
What
I'm
showing
with
this
is
suddenly
this
extension
that
you've
defined
for
targeted
messaging
is
no
longer
secure
if,
depending
on
how
that
psk
extension
is
written
because
there's
an
interplay
there
with
the
psks.
H
I
C
H
It's
more
like
if
I
see
you
know,
somebody
sends
an
update
path
and
I
can
take
the
ciphertext
that
was
in
that
update
path
encrypted
to
that
leaf
and
create
a
new
targeted
message
that
I
send
where
I
just
drop
in
that
ciphertext
and
I
use
the.
H
I
So
it
it's
good.
You
mentioned
the
labels
in
signatures.
Actually,
that's
why
it's
okay
to
reuse
the
signature
key,
because
we
use
labels,
we
separate
everything
by
this
label.
So
that's
why
we're
not
so
concerned
about
reusing
the
signature
key
in
the
lead
for
that
for
this
extension.
But
we
should
do
something
similar
for
hpke
somehow,
but.
F
F
Sure
that's
fair,
so
yeah
I
mean,
of
course,
having
having
a
separate
key.
That's
intuitively
makes
a
lot
of
sense.
How
that's
an
separate,
but
it's
also
a
bit
like
the
sledgehammer
approach
of
Separation
here,
because
one.
C
I
Yeah
I
think
we
could,
but
we
would
have
to
write
the
protocol
in
a
way
that
it
allows
reuse
of
its
key
to
for
different
purposes.
As
long
as
the
info
is
different,
it
would
have
to
be
explicit
in
the
protocol
as
well.
I
think
it's
now
explicit
for
signatures.
That's
you
know
your
giving
all
these
labels
so
that
if
an
extension
wants
to
use
the
signature
key,
it
can
as
long
as
it
uses
a
different
label.
I
F
But
so
what
you
just
said
about
the
protocol,
that
would
only
be
like
some
some
pros
in
the
protocol
saying
that
the
keys
could
be
reused
if
another
info
is
being
used
right
or
or
does
it
actually
mechanically?
Are
you
proposing
any
mechanical
changes
to
the
protocol.
I
H
F
I
I
F
To
me,
I
mean,
first
of
all,
you
know
thanks
for
bringing
it
up.
I
think
it's
a
very
valid
point,
but
it
feels
like
we
have
a
chance
to
to.
You
know
fix
this
in
a
better
way,
because
if,
if
we
have
this
ambiguity
in
the
protocol,
maybe
now's
the
the
time
to
fix
that,
since
we
already
have
that
for
the
signatures
one
or
two
here,
this
might
not
be
the
last
extension
that
wants
to
reuse,
hpke,
keys.
G
We
should
still
fix
the
we
should
still
fix
the
problem
and
by
like
disavigating,
somehow
the
the
use
case
of
that
key
with
an
explicit
level.
It
doesn't
solve
that
problem
right
because
you
know
it's
an
Insider
attack
anyway,
but
the
I
think
it's
it's
worth
thinking
about
it,
at
least
because
we
could
make
sure
you
know
like
we
have
a
differentiator
for
mistakes
more
than
for
active
managers.
Insiders,
you
know,
like
some
external
protocol,
is
gonna
use
that
key
for
something.
C
Why
sorry,
maybe
I
missed
this,
but
why
doesn't
the
edit
label
or
info
not
solve
this
issue.
G
No
I
think
that
is
enough,
but
that
we
need
to
do
it
right.
Yeah,
I,
don't
think
there
is
anything
right
so.
H
I
think
your
suggestion
works,
it's
I
think
it
would
work,
it
could
be
made
to
work.
I
think
right
now,
the
only
time
we're
putting
in
a
label
in
the
extension
that
specifies
oh,
this
is
actually
a
targeted
message
that
goes
into
the
psk
derivation
part,
but
not
into
the
hpkey
I.
Think
you're
right.
If
we
put
in
more
context
that
specifies
the
purpose
of
the
ciphertext,
it
probably
would
address
the
problem.
G
It
no
I
mean
I
completely
agree
with
you
with
you
on
that
we
should
probably
use
different
Keys
I
mean
it's
more
storage
for
sure,
but
so,
let's,
let's
see
what
we
could
do
like
for
our
image
problem
is
to
add
this
label
thing
and
think
later
of
whether
we
want
to
allow
or
not
allow
the
ReUse
of
the
keys.
My
take
would
be
would
be
to
have
an
extension
and
I
have
a
different
key,
but
we
can
think
about
it
later
in
some
sense
like
this.
F
But
a
sorry
go
ahead.
Martin
would.
I
It
make
sense
to
say
in
the
protocol
that
in
the
protocol
document
that
the
key
should
not
or
must
not
be
reused
if
we
decide
that
it
shouldn't
be,
like
just
add
an
explicit
text,
because
we
so
at
least
I
always
assume
that
it's
not
reused,
it's
just
for
MLS
and
then
no
one
should
use
it
for
any
other.
Other
purpose.
H
Indeed,
and
the
analysis
take
that
into
account,
but
that
is
the
only
thing
like
the
analysis
works.
If
you
exactly
quantify
or
or
you
know
it
make
explicit
how
this
key
is
going
to
work
and
you're
right
that
it
does
get
used
for
different
update
secrets,
but
it
doesn't
get
used
for
something
completely
different.
H
So
I'm
saying
I
think
it
would
work,
but
if
we
open
the
door
to
people
allow
allowing
the
construction
of
extensions,
the
definition
of
extensions
that
use
this
hpke
key
forevermore,
we
will
have
to
worry
that
every
such
extension
actually
does
good
domain
separation
with
all
existing
applications
of
this
key,
because
otherwise
they
might
start
breaking
existing
applications
and
that's
the
door
we're
opening
here
and
so
for
this
extension,
it
could
work
you're
right.
We
could
make
it
work
without
introducing
a
new
key.
It's
just
that's!
That's
the
that's!
What
makes
me
uneasy!
H
C
Sorry
can
I
make
a
make
a
proposal.
I
think
I,
understand
your
concern
now
and
I
agree
that
there
should
be
like
a
clear
boundary,
because
between
protocol
and
extensions
and
yeah,
maybe
we
should
add
another
key.
One.
Alternative
approach
would
be
akin
to
the
signature
approach,
have
a
kind
of
encrypt
to
leave
key
function
that
must
be
used
if
you
want
to
encrypt
to
the
leaf
key,
even
by
extension,
so
extension,
so
that
you
cannot
use
the
key
directly.
C
C
H
F
The
thing
is
we,
we
probably
cannot
guarantee
absolutely
everything,
but
if
we
don't
do
anything
about
it,
then
there's
a
high
likelihood
that
people
will,
you
know,
come
to
existing
hpk
public
keys
without
any
guidance
whatsoever
and
then
effectively
damage
the
core
protocol.
Whereas
here
we
have
a
chance
to
give
as
much
guidances
as
humanly
possible.
H
The
reason
I
said
before
this
changes
the
interface
to
the
protocols,
because
up
till
now,
I've
always
thought
about
this
key
being
the
internal,
an
internal
secret
to
the
protocol.
State,
it's
like
you.
It's
like
saying
we're
gonna
pick
some
Secret
inside
TLS,
that's
at
some
point
in
the
key
schedule
and
start
doing
things
with
that.
The
TLs
never
considered
like
yeah
people
might
do
that.
But
that's
really
not
what
you're
supposed
to
do.
H
I
H
C
H
F
F
What
I
meant
so
this
this
is
bound
to
happen
anyway,
at
least
here
we
have
a
chance
to
give
some
guidance
and
and
improve
it.
There
is
no
guarantee
either
way,
but
it's
more
likely
to
go
right
if
we
are
very
explicit
about
it,.
B
So
I
mean
it
sounded
to
me
like
and
I'm.
Clearly,
not
the
expert
here
like
either.
What
we
should
do
here
in
the
main
document
is
say
that
these
hpk
Keys
must
not
be
reused,
especially
in
the
leads
I
I
think
I'm
I'm
probably
inclined
to
play
whatever
the
provision
is
uniformly
to
the
leave
keys
or
the
intermediate
keys
either
they
must
not
be
used
or
we
need
to
have
some
sort
of
separator
of,
like
you
know,
encrypt
with
label
like
sign
with
label.
G
D
B
Have
confidence
that
the
keys
will
not
be
reused,
then
there's
not
much
points
to
having
a
label,
but
you
you
could
say,
like
you
shouldn't,
you
should
use
different
keys
and
not
reuse
keys.
But
if
you
do
here's
how
to
make
it
safe.
G
So,
like
okay,
let
me
phrase
it
otherwise
like
what
does
it
cost
to
actually
add
or
disobey
grater
anyway,
so
that
you
know
if,
if
you
want
later
on,
we
can
do
whatever
we
want
with
that
separation
with
that
label,
but
at
least
we
have
it,
which
means
that
you
know.
F
And
I
don't
think
it.
It
is
a
problem
with
existing
analysis
because
it
shouldn't
invalidate
any
of
that.
H
It's
the
same
Principle
as
as
before,
with
with
those
extra
checks,
we're
just
adding
we're
just
the
only
thing
we're
doing
by
adding
context,
making
it
even
harder
to
do
attacks
we're,
certainly
not
going
to
bring
as
long
as
we
don't
break
correctness,
we
can
only
make
things
better
or
not
change
anything.
B
B
B
Write
up
here
that
does
that,
if
folks
could
take
a
look
later
today,
it
won't
slow
us
down
too
much.
F
Okay,
it
sounds
like
we
have
consensus
on
on
that
part
for
the
MLS
protocol
and
then
it's
still
an
open
issue,
whether
we
use
new
keys
for
targeted
messages
or
we
we
have
another
input
like
I
mean
I,
clearly
understand
Jordan
martyr.
You
lean
towards
introducing
separate
keys
for
that,
but
for
the
sake
of
discussion,
that
is
then
a
separate,
open
issue
right.
F
H
No
sorry
that
wasn't
for
targeted
messages
that
was
just
a
another
extension.
We
had
an
idea.
We
wanted
to
I.
Guess
I
just
wanted
to
run
it
by
you
guys
by
everybody
to
just
know.
If,
if
there's
interest
in
this
or
not
in
a
nutshell,
it's
send
send
to
group,
but
from
external
and
the
core
ideas
exporter
key
use,
the
exported
key
to
derive
a
chem
key
pair.
That's
sort
of
a
group
chem
key
specifically
for
the
purpose
of
external
people,
will
want
to
send
application
messages
to
the
group.
H
F
This
is
one
one
of
the
first
things
we
discussed
a
long
time
ago,
yeah
and
I
think
it
was
even
in
the
main
protocol
at
some
point
and
that
got
discarded
could
do
some
archeology
there,
but
yeah
essentially
a
light
version
of
that
has
been
reused,
for
example
commits
because
it
essentially
can
a
new
any
secret
to
our
group,
yeah
and
yeah
I
think
when,
when
we
got
rid
of
it
we
said
you
know
this
could
be
an
extension
someday,
because
there
was
not
enough
consensus
to
keep
it
in
the
main
protocol,
but
so.
F
I
E
Okay,
so
if
if
if
we've
got,
if
we're
done
with
this
one,
I'd
I'd
like
to
go.
B
Ahead
and
talk
about
on
the
on
the
previous
one,
I
would
note
that
there's
also
an
authentication
issue
in
the
other
direction
in
terms
of
authenticating
that
the
public
key
belongs
to
the
group.
F
B
Yeah
yeah,
you
you
can
do
things
like
you
know,
I've
had
proofs
and
signer
is,
is
in
the
tree
that
it
claims
to.
The
signer
claims
is
that
the
tree
hash
for
the
group,
all
the
things
can
get
a
little
circular.
There.
F
But
yeah
I
think
long
story
short
I
think
this
is
definitely
something
we
could
discuss.
A
F
Yeah
go
ahead,
Ron.
E
All
right,
so
basically,
I
wrote
this
as
two
versions:
I
wrote
a
standalone
document
or
I
updated
the
Standalone
document
and
then
I
wrote
a
and
then
I
wrote
APR
to
add
this
to
the
extensions
document.
So
the
working
group
has
a
an
easy
choice.
E
I
do
have
one
concern
about
the
extensions
document,
which
is
that
the
the
relative
you
know
who
would
who
would
use
each
extension
and
the
relative
maturity
and
complexity
of
of
each
of
the
you
know.
Three
extensions
if
it
were
in
there
can
be
quite
could
be
quite
different.
A
That
and
at
some
point
we
have
to
be
like
all
right.
We
got
six
we're
done
like
We're
Not,
Gonna
Leave,
the
document
open
forever
right
at
some
point.
You
have
to
decide
all
right
now
we're
going
to
publish
so
that's
the
other
thing.
You'd
have
to
think
about.
I,
don't
know
so,
if
you're
to
your
point
about
the
varying
deployment,
deployability
or
deployment
status
of
the
various
extensions
I,
don't
know
if
that
matters
as
long
as
everybody
thinks
that
they're
not
affecting
security.
A
If,
if
there's
some
need
there
and
there's
like
two
or
more
people
that
are
willing
to
do
it,
then
maybe
we're
like
two
people,
then
maybe
we're
good
I
I,
don't
know
what
do
others
think
about
just
because
I
don't
want
this
just
to
be
a
bucket
where
everything
goes
right.
We
have
to
have
some
kind
of
like
you
know
litmus
test
for
like
why
something
got
in
here
and
like
is
there
general
interest
would
more
than
a
couple.
People
use
it
even
if
they're,
just
using
it
internally
in
their
own
implementations,.
A
Yeah
I
mean
that's
one
of
the
reasons
why
I
mean
it's
a
lame
thing,
but,
like
we
have
a
recommended
column
right
for
these
extensions,
and
it's
not
there's,
there's
no
strength
to
that
at
all
right,
because
I
think
you're,
right,
I
think
we
allowed
the
extensions
mechanisms
to
be
able
to
go
and
change
anything
right.
E
So
maybe
maybe
a
question
here
for
you
Joel
is
Joel
is:
do
you
think
that
there's
any
any
concern
about
the
content
type
advertisement
extension
like
if
we
take
these
sort
of
one
by
one.
H
I
I,
don't
know
it
well
enough,
I'm
not
familiar
enough
to
be
able
to
say
that
I
do
want
to
just
add,
though,
that
one
by
one
analysis
is
not
enough.
Any
kind
of
actual
security
analysis
will
always
have
to
be
with
exactly
the
set
of
extensions
that
are
all
being
used
at
the
same
time.
It's
not
enough
to
analyze
them
one
by
one.
They
have
to
be
analyzed
together
with
all
everything
else,
that's
getting
used
because
they're,
because
we
have
no
restrictions
on
what
an
extension
can
do
so
I
do
I
I.
G
So
I
have
a
more
general
question,
so
I'm
going
to
dive
out
slightly
but
I'm
going
to
go
back
to
the
content,
I
promise.
So
should
we
actually
use
the
document
to
exactly
and
show
what
you
said
like
to
like
have
one
document
where
we
have.
We
can
basically
socialize
the
main,
the
most
important
extension
for
functionality
that
don't
affect
the
security
of
the
Corp
protocol,
and
you
know
like.
G
G
G
Now
we
should
put
in
that
document.
I
don't
know
so
maybe
you
should
have
this
discussion
later
and
back
to
the
content.
Advertisements,
I
I,
don't
I,
don't
have
a
strong
opinion,
I
guess
I
would
say
Juan.
Do
you
think
we
need
to
change
that?
Always
how
much
do
you
think
we
should
change
the
document?
How
much
will
it
require
updates?
So
if
it's
something
that
is
you
know,
pretty
stable,
I
would
say,
I
would
I
think
it
would
be
fine
to
have
it
in
the
core
in
the
core
extension
document.
G
If
it's
something
that
we
want
to,
you
know
update
with
nfcbs
who
is
like
whatever
like
something
that
we
are
posted,
we
updates,
or
at
least
a
few
times,
maybe
that's
worth
having
its
own
document
that
we
can
refer
to
in
the
extensions
document.
I,
don't
know,
I,
don't
particularly
mind
right.
So
in
the
architectural
document
we
do
refer
to
the
external
graph
funnel.
So
do
you
think
it?
You
know
it
will
change
much
or
do
you
anticipate
something
like
this.
E
I
mean
I
think
that
the
set
of
people
who
are
interested
in
this
will
be
tend
to
be
more.
You
know
application
me
people
because
it
does
have
to
do
with
it,
does
have
to
do
with
how
you
how
you
advertise
content
types.
E
A
A
E
No
I
mean
the
Mimi
Charter,
which
was
reviewed
on,
which
was
reviewed
yesterday.
I
think
it's
I
think
they're
ready
to
send
it
off
to
ITF.
For,
for
you
know
the
two
week
review
or
whatever,
but
the
the
the
there.
It
says
specifically
in
the
charter
that
no
MLS
extensions
will
be
done
in
Mimi,
like
MLS
extensions
will
be
done
in
MLS.
E
G
We
should
keep
it
in
there.
It's
fine
I,
think.
E
So
the
the
main
open
issue,
which
can
be
done
and
can
be
done
separately,
is
do
we
have
a
way
to
do
the
equivalent
of
multi-part
multi-part
alternative
that
people
like
and
so
the
appendix,
which
was
the
one.
You
know.
One
of
the
major
changes
in
this
in
this
document
from
the
last
version
is
a
TLS
presentation.
Language
sort
of
you
know
Syntax
for
effective
for
the
same
semantics,
almost
the
same
semantics
as
multi-part
alternative
that
just
doesn't
rely
on
having
to
use
boundary
markers
it
uses.
You
know,
sizes.
E
So
if
you
want
I
mean
I
like
it
might
be
easier
to
look
at
the
document,
it
formatted
in
the
the
Standalone
document,
which
I'm
pasting
a
link
into
the
chat.
But
you
know
right
now:
I
can
go
and
send
an
HTTP
message.
An
HTTP
post
or
get
with
with
two
different
formats
and
I
can
and
I
can
enclose
them
in
a
multi-part
alternative,
and
you
know
the
the
semantics
of
that
is
clear.
E
E
F
Thank
you
so
how
about
the
following
compromise?
We
get
this
started
in
the
extensions
document
which
I
think
is
going
to
be
left
open
for
a
while
anyway,
because
we
need
people
to
give
a
chance
to
add
more
things
as
they
integrate
MLS
into
their
applications
and
realize
something
is
missing
and
after
a
while,
then
you
would
have
a
better
feeling
Ron
if
that's
really
finalized
or
not,
and
if
there's
a
chance
it's
not,
then
you
can
always
make
it
a
separate
document.
G
Actually,
what
you
said
that
makes
me
think
we
should
do
the
reverse,
because,
like
you
know,
we
have
the
core
protocol
now
and
the
ex
the
the
you
know,
Juan's
in
the
craft
could
be
done
no,
basically
right,
so
people
could
already
use
that.
That's
also
like
having
it
in
the
in
the
extension
document
actually
forces
us
to
wait,
which
is
not,
is
a
super
great,
so
so
I'm
like
ping-ponging
between
the
two
positions
but.
A
I
mean
so,
if
there's
parts
of
it
that
are
are
stable,
we
could
get
a
provisional
sorry.
We
could
try
to
get
a
provisional
registration.
E
D
E
With
you
know,
after
protocol
and
after
protocol
and
architecture
and
Federation,
you
know
maybe
like
at
the
same
time
as
Federation
or
something
right
and
it's
something
that
will
be
there'll,
be
a
dependency
in
Mimi.
It's
also
referenced
in
architecture
that
can
be
if
that
changes
that
can
be
fixed
in
in
our
in
in
auth
48,
but
it's
sort
of
nicer.
If
it's
already,
you
know
if
it's
already
a
stable
reference.
If
you
know
that
that's
the
reference
it's
going
to
be.
E
So
I
mean
my
my
preference
would
be
to
make
it
to
make
it
a
separate
document,
but
you
know
maybe
some
other
folks
should
weigh
in
that
haven't
said
anything
yet.
G
F
The
discussion
was
mostly
about
whether
every
extension
should
have
its
own
document
or
whether
we
have
one
document
where
we
can
collect
some
of
them
most
likely
extensions
that
are
more
likely
to
be
used
by
by
several
parties
and
the
the
guidance
there
was
TLS,
which
also
has
a
similar
document.
F
It
doesn't
preclude
extensions
to
have
their
own
document,
it's
just
where
we
start
to
to
set
an
example
on
how
to
do
extensions.
Obviously,
Joy
brought
up
some
good
points
today
that
this
discussion
never
took
place
before,
but
that
was
roughly
what
we
discussed
so
far.
G
G
I'm,
like
I'm,
largely
thinking
that
we
should
have
the
extension
document.
That
basically
says
here
is
what
you
can
a
guidance
for
all
the
other
extensions
saying.
You
know
this
thing,
you
cannot
touch,
because
if
you
touch
it
that
involves
security.
That
thing
you
can
do
whatever
you
want,
but
but.
G
You
know
in
some
sense
in
that
document
things
should
be
in
my
mind,
it
should
be
yeah.
It
should
be
like
thing
that
everyone
will
use
basically,
so
if
we
have
good
use
cases
for
that,
we
should
put
them
in
there,
but
if
we
don't
have
good
good
cases
for
that,
we
should
just
like
you
know,
be
a
guidance
document
and
have
separate
documents
for
the
for
those
things
that
people
will
use.
Sometimes.
F
G
A
The
other
idea
is
that
we
just
go
all
right.
We
got
three,
we
think
these
are
good,
we've
actually
got.
We
got
some
general
consensus
to
ship
these
things,
do
it
and
then
yeah
other
ones
come
along,
they
can
get
added
and
you
can
update
this
document
or
you
know
whatever
to
to
add
them
in
is
the
you
know
the
core
extension
so
to
speak.
A
So
there's
there's
multiple
ways
to
handle
this
I'm.
Just
kind
of
the
sense
is
if
we
have
like
a
couple
that
are
good,
that's
great.
We
don't
necessarily
have
to
stay
open
like
leave.
The
document
open
for
others
to
get
added.
I
do
feel
Raphael's
point
about
as
this
stuff
as
MLS
gets
integrated
more
into
applications,
they're
going
to
be
people
showing
up
being
like
we
need
this
and
it
could
be
broadly
applicable.
The
question
is:
how
long
would
we
wait,
and
maybe
we
don't?
Maybe
we
don't
need
to
wait
that
long.
G
I
would
follow
you
on
that.
You
are
the
experienced
one
yeah.
A
Yeah
I
mean
like
I,
mean
like
again,
because
it's
like
you
know
how
long
do
you
wait
and
it's
it's
going
to
cause
problems
because
Rowan
needs
this
and
the
Mimi
people
are
going
to
be
beaten
down
like.
Why
are
we
waiting
for
those
guys
you
know
like?
So
if
we
can
solve
some
problems?
Maybe
we
just
merge
this.
Maybe
we
merge
this
content,
one
in
and
just
be
like
all
right.
You
know
how
do
people
feel
about
just
progressing
it
with
the
the
few
that
we
have
now.
A
And
if
Joel's
got
a
great
one
ready
to
go
and
he's
going
to
launch
40
he's
like
oh
wait,
I
got
one,
that's
great
that'll
give
us.
You
know,
impetus
and
motivations
to
review
it
and
get
it
in
the
document
or
put
it
in
its
own.
F
So,
but
just
from
understanding
for
Mimi,
it
would
be
good
enough
that
that
stuff
is
in
a
draft
right.
It
doesn't
have
to
to
be
an
RFC
for
me
to
use
it.
E
A
Group
I
think
maybe
what
Raphael's
getting
at
is
Mimi's
not
going
to
be
done,
quick
right.
So
the
idea,
like
I,
think
you
can
get
down
the
like.
If
you
want
to
do
the
use
case,
requirements
thing
like
you,
could
throw
out
the
use
case
document
pretty
quickly
like
get
it
through
the
door
and
get
it
published,
but
like
the
actual
protocol,
spec
is
probably
not
going
to
happen
in
a
year
right.
It's
going
to
take
a
bit
unless
you've
got
magic,
pixie
dust
that
I
don't
know
about
Rowan,
it's
gonna
take
a
while.
A
A
Situation
so
let's
go
ahead
and
let's
go
ahead
and
merge
the
let's
go
ahead
and
get
this
this
this
PR
merged
in
then,
and
go
from
there
and
we'll
we'll
wait
for
Joel's
new
great
extension
and
I
do
I.
A
Do
I
do
resonate
a
little
bit
with
his
statements
about
you
need
to
kind
of
put
guard
rails
and
security
considerations
in
about
each
one
of
the
extensions
and
I'm
good
to
see
I'm
glad
to
see
you
did
that
rolling
with
yours
right
away,
and
then
motherhood
and
apple
pie
in
the
beginning.
Part
of
the
document
is
needed
as
well,
but
I'll
be
honest.
I
haven't
read
it
in
like
in
a
little
while
so
okay.
E
What
one
last
thing
that
I
just
wanted
to
mention:
it's
just
that
in
terms
of
a
structure,
the
extensions
document
it
has
security
considerations
underneath
targeted
messages,
but
I
think
that
there
should
be
a
Securities
consideration
section
that
has
subsections
that
talk
about
the
individual
extensions
security
considerations.
Yeah.
A
E
Right
and
that's
also
how,
for
my
for
my
thing
that
I
did
for
the
Ayana
considerations
as
well,
so.
A
Okay,
yep
I
think
that's
good,
that's
good!
That's
formatting,
stuff
that
we
can
take
care
of
so
that's
great
cool.
What
is.
F
A
That
was
going
to
be
my
next
Point.
Is
there
anything
to
say
other
than
people
want
it.
F
G
About
that
document
that
he
never
made.
G
Is
so
for
me
and
for
Federation?
Actually,
we
need
to
think
about
early.
We
need
to
think
a
lot
about
privacy.
G
I
think
we'll
have
I'm
not
sure
where
to
put
the
Privacy
thing,
those
the
way
I
see
it.
We
left
the
delivery
like
the
the
authentication,
Service
and
the
delivery
service.
We
actually
made
them
pretty
abstract,
even
in
the
architecture
documents
so
that
you
know
we
can
have
different
variations
about
those,
but
we
need
at
some
point
to
speak
about,
like
the
state
of
the
art
of
of
or
do
you
make
delivery
service
private
or
how
do
you
make
it.
G
Authentication
Service
private,
especially
in
the
context
of
federation,
because
in
the
in
the
Federation
case,
basically,
you
know
you
need
to
transfer
some
information
about
about.
You
know
the
users
that,
under
your
umbrella,
to
the
others,
to
and
talk
to
the
other
to
the
other
users
that
are
in
a
different
envelope
so
like
what
do
each
system
do
and
basically
there
there
is
like
a
very
big
privacy
Gap
that
we
didn't
solve
anywhere.
G
Basically,
so
I
wonder
where
we
should
do
that,
work,
whether
it
should
be
like
completely
separate
or
whether
we
should
do
this
kind
of
document
under
the
Federation.
G
That
might
be
the
best
solution
actually
but
I'm,
not
sure
I'm,
not
clear
with
that.
Where
do
you
think
we
should
do
that?
Rafael.
F
Yeah
I
think
you
bring
up
a
good
point
because,
as
you
said
in
the
architecture
document,
we
were
very
vague
on
purpose,
but
then
with
Mimi.
We
want
to
be
very
concrete
on
purpose.
Otherwise
we
don't
get
interrupt
so
yeah.
We
could
definitely
extend
the
Federation
document
in
that
sense,
to
talk
about
MLS,
specific
things
and
be
much
more
concrete
than
we
are
in
the
architecture
document
I
mean
there
is
some
start
for
the
delivery
service
that
is
not
fleshed
out
at
all.
G
G
So
my
intuition
is
that
we
actually
need
another
document
which
should
be
like
you
know.
Here
is
the
best
thing
that
you
can
actually
achieve,
and
here
are
the
secretion
privacy
goes
for
that
thing
and
then
on
the
Federation
document
you
say,
oh
by
the
way,
you
need
to
relax
that
spot,
that
particular
poverty
because
for
Federation
you
are,
you
know
interacting
with
another
device
or
another
authentication
Service,
that's
my
intuition,
but.
F
I
mean
I
I
agree
with
the
idea.
The
thing
is,
the
most
privacy
programs
are
to
be
expected
with
the
delivery
service,
not
so
much
with
the
authentication
Service,
and
so
what
you
just
described
ideally
will
be
in
the
Mimi
delivery
service
document
as
well.
It's
not
there!
Yet
it's
just.
You
know
alluding
to
that.
It
needs
to
be
fleshed
out.
F
Obviously,
but
since
that
document
describes
how
a
privacy
preserving
delivery
service
can
work,
we
need
a
lot
of
meat
in
there
anyway,
with
security
concerns
and
and
privacy
considerations
and
whatnot,
and
for
the
stuff
that
we
cannot
have
in
there.
We
could
still
have
that
in
the
Federation
document,
but
now
we're
talking
more
about
the
Mimi
document
and
about
the
the
MLS
document.
G
Not
really
right,
because
you
want
like
independently
of
me,
you
want
those
things
you
want
to
be
able
to
say,
oh
by
the
way
here.
So
you
you
write
a
delivery
service
that
is
preserving
privacy
is
here,
are
the
problems
with
the
so
I
mean
most
of
the
information
is
already
encoded.
G
I
include
a
lot
of
that
information
with
the
architecture
documentary,
because
you
know
I'm
talking
about
push
notifications
about
all
those
things,
but
there
is
no
consideration,
for
instance,
for
things
where
you
know,
you
locally
store
group
States
encrypted
that
only
for
unto
an
encrypted
folder
group,
and
then
you
know,
maybe
the
the
key,
the
FML
key
to
to
decrypt,
that
for
getting
the
the
push
tokens
or
whatever
is
going.
F
To
be
like,
but
I
love
that
this
is
something
we
want
to
propose
in
Mimi.
G
G
So,
okay,.
F
F
Reference
have
made
me
reference
that
right,
Mimi.
G
Would
say
you
know
this
property,
you
got
all
it
because
you
need
that
functionality
basically,
and
you
know
so
here,
is
how
you
do
it
in
the
context
of
interoperable
things
or
Federation,
or
you
know,
but
like
the
strongest
thing
is
really
related.
Is
like
unrelated
to
me
really
it's
like
about.
Oh,
you
actually
implement
the
delivery
service.
Implement,
like
you
know,
we
do
design
a
deliverable
service,
so
I
think
that
should
be
in
the
EMS
working
group,
but.
F
G
G
Because
it's
not
specific
to
Federation
like
if
you
are
socialized
and
you
have
only
one
it
should.
We
should
have
like
a
best
practice
like
state
of
the
art
privacy,
so
Federation
will
relax.
That
and
Federation
across
infrastructures
like
for
me,
will
even
further
relax
that.
G
F
F
I
mean
I
fully
agree
with
you
regarding
specifying
more,
but
then
coming
back
to
the
Federation
documents.
That's
definitely
not
the
place
to
do
it.
I
think
if
it's
specific
to
the
delivery
service
I'm
not
particularly
specific
to
Federation.
G
Not
sure
we
will
know
for
sure
when
we
actually
designed
this
thing.
But
oh.
F
F
G
So
is
there
something
that's
for
sure
not
going
to
be
covered
by
Mimi
is
the
Federation
of,
like
you
know,
in
Mimi.
Typically,
the
authentication
services
are
from
different
providers,
which
is
not
the
case
from
the
Federation
from
the
base
case.
Federation
document
so
I
think
it's
yeah,
it's
not
clear.
Well,
we
should
do
that.
A
G
A
To
get
the
information
written
down
and
if
we
gotta
rip
it
out
later,
we
do
that.
That's
that's!
That
might
be
better
because
we
have
this
document
and,
if
you're
willing
to
write
the
text,
it
helps
right,
as
opposed
to
like
hey
Raphael,
go
off
and
think
about
this
and
write
a
bunch
of
text
and
stick
in
the
documentaries.
F
So
yeah,
the
only
question
is:
should
we
should
I
resubmit
it
without
any
content,
modification
yeah.
A
So
so
doing
doing,
what's
called
a
keep
alive
version
is
totally
fine.
Basically,
all
you
update
is
the
dates
and
just
submit
a
new
version.
That's
totally
fine
just
to
keep
the
draft
like
available
and
in
the
data
tracker
so
feel
free
to
do
that.
A
Excellent
okie
dokie,
if
that's
it,
we're
about
50
minutes
early
I.
Thank
you
for
your
time
and
I'm.
Looking
forward
to
a
very
quiet,
ITF
last
call.
A
And
hopefully,
we'll
be
wrapping
up.
My
hope
is
that
if
we
get
done
with
an
ITF
last
call
and
directorates
Richard
and
Benjamin,
if
you
guys,
are
like
kind
of
not
going
to
disappear
for
like
January,
we
ought
to
be
able
to
get
through
the
comments
that
we'll
receive
anything.
That's
discussed
worthy,
that's
where,
like
it's,
it's
better
to
get
on
it
early
than
it
is
to
let
it
Fester,
because
the
ads
will
lose
State
and
they
will
not
remember
what
they
said.
A
A
That's
where
we
want
to
make
sure
we
get
discusses
emails
in
their
inboxes
before
the
meeting
basically
happens,
so
that
they-
and
it
might
actually
happen
like
quick,
so
I'll,
let
you
know
when
it's
going
to
happen
and
it'll
be
great.
A
If
we
can,
you
know,
respond
as
quickly
as
possible
because
that
that
Smooths,
the
process
of
getting
through
the
through
the
process
better
like
if
you
let
it
faster
and
it
takes
six
months-
they're,
not
gonna,
remember
what
they
said
and
they're
going
to
re-review
the
document,
and
it's
just
going
to
be
more
painful,
so
but
I'm
I'm,
looking
forward
to
the
possibility
of
wrapping
this
up
in
the
first
quarter.
Actually
getting
numbers
assigned
to
these
rfcs
in
the
first
quarter,
2023
be
nice.
E
I
just
wanted
to
make
one
one
sort
of
note
for
editors.
If
you
ever
rename
a
document,
please
make
the
rename
an
atomic
an
atomic
commit.
It
just
makes
life
for
anybody
who
has
a
PR
to
merge
a
lot
easier.
A
All
right,
thank
you
very
much
Richard
when
you
have
a
chance
shoot
me,
your
notes,
Conrad
I,
see
that
you
were
going
to
send
me
some
notes.
I
think
you
could
see
some
stuff
that
I
couldn't,
which
was
weird
but
I'll,
get
those
uploaded
and
again,
thank
you.
We'll
see
you
next
time
have
a
safe
and
happy
set
of
holidays
whatever
it
is
that
you
celebrate.