►
From YouTube: IETF-KITTEN-20230117-1700
Description
KITTEN meeting session at IETF
2023/01/17 1700
https://datatracker.ietf.org/meeting//proceedings/
A
A
Right,
I'm
hoping
to
see
a
couple
of
more
people
like
Dave,
Cleveland
and
Ben
kadak,
but
let
me
probably
start
slowly
and
just
go
through
the
admin
bits
and
then
hopefully
they
can
join
us
and
catch
up.
A
We
didn't
have
a
meeting
for
quite
a
bit
so
I'm,
trying
to
both
see
how
much
interest
there
is
in
various
topics
as
well
as
kind
of
trying
to
synchronize
what
people
think
are
on
some
of
them.
A
A
A
Right
with
that,
this
session
is
being
recorded,
we
are
using
mitako,
which
is
online
web-based
platform.
We
have
notes
which
are
linked
here.
There
are
I
just
discovered
five
minutes
before
the
meeting
that
the
link
I
used
was
not
the
same
one
using
data
tracker,
so
I
added
a
redirect.
There
can
I
ask
somebody
to
take
notes.
This
doesn't
have
to
be
Blow
by
blow
discussion.
That's
just
main
points
when
there
are
discussions,
no
need
to
write
down,
slides
or
text
of
presentation,
just
basically
questions
answers.
A
Nadia
I
hope
that's
how
you
pronounce
your
name.
That
would
be
great
if
you
can
take
notes
again
just
keep
the
presentations.
If
there
are
any
questions
after
that
or
if
there
are
perfect
excellent
I
know
both
of
you
are
will
be
speaking
or
presenting
bits
so,
but
I
hope
you
can
cover
for
each
other.
So
thank
you
for
that.
A
With
that,
this
is
a
roughly
proposed
agenda.
I
don't
have
timing
of
things,
so
I
suspect
the
first
part
will
take
a
bit
longer
and
then
we
have
a
smaller
presentation
so.
A
Today,
I
will
basically
be
reviewing
various
stuff
around
so-called
social
too,
that
came
out
of
xmpb
software
Foundation
and
whether
there
is
enough
interest
in
doing
something
like
this
in
ITF.
So
it
just
does
that
doesn't
just
cover
xmpp,
but
it
can
be
used
more
generally,
I'll
do
a
quick
update
on
scrap
two-factor
authentication
draft,
we'll
talk
about
faster
authentication
mechanism
and
quick
update
on
OPEC
Sasol
mechanism.
A
Thank
you
so
for
the
social
2.
Actually,
there
are
two
presentations.
There
is
a
bigger
one
and
then
the
rake
asked
about
shared
key
derivation,
so
he
has
a
smaller
one.
So
I
know
it's
not
something
that
necessarily
was
discussed
in
xsf,
but
I
kind
of
group
them
together
because
they
seem
to
belong
together.
A
We're
not
making
decisions
today,
what's
going
to
be
in
Sasol
2
and
whether
I
will
try
to
pull
people
whether
there
is
enough
interest
to
do
something
like
Sasso
2
in
ATF.
But
again
this
is
going
just
going
to
be
a
poll
we'll
go
on
the
mailing
list
and
double
check.
A
Yeah
because
I
couldn't
actually
so
I
added
all
the
documents
related
documents
which
are
ITF
drafts
as
they
relate
to
documents
to
the
meeting,
but
I
couldn't
add
xsf
because
data
tracker
doesn't,
let
me
add
arbitrary
links.
So
I
use
some
of
the
snapshots
of
this
documents.
A
My
apologies,
they
might
not
be
specific
latest
version
of
what's
an
xsf,
so
I
kind
of
got
a
snapshot
and
they
don't
even
point
to
xsf
website.
So
just
but
this
should
give
you
some
idea.
If
you
want
to
further
reading
and
with
this
I
think,
Matthew
will
go
into
more
details
about.
A
Matthew,
do
you
want
to
present
your
slide
yourself?
There
is
a
share
presentation
button,
or
do
you
want
me
to
drive
them.
C
I've
never
presented
on
me
Techo
before,
but
I
can
give
it
a
try.
It
would
be
handy
to
be
able
to
manage
my
own
slides.
A
There
is
a
share.
There
is
a
preloaded
slide
thing
which
is
not
share
screen.
It's
like
a
document.
Okay,
try
that,
and
you
can
pick
one
of
the
for
presentations.
A
A
C
Yeah
so
as
Alexi
was
saying,
and
we've
been
working
on,
xmpp
sassel
2
stuff
over
at
the
xsf,
this
started
quite
a
while
ago
we
had
an
xmpp
Summit
I,
think
it
was
2016.
2017
and
Dave.
Quidland
wrote
up
a
bunch
of
stuff
that
we'd
been
thinking
about
and
invented
some
new
things,
basically
to
solve
a
whole
range
of
issues.
So
we'll
we'll
we'll
have
a
look
at
all
of
those,
so
xmpp
uses
Sasol
for
authentication,
that's
defined
in
the
core
RFC.
C
It's
pretty
much
the
same
as
any
other
protocol
using
Sasol.
We
just
do
a64
encoding
and
but
in
XMP
it's
wrapped
in
XML.
It's
basically
the
only
authentication
method
that
we
use
these
days.
So
it's
implemented
in
every
xmpp
server.
Every
xmpp
client
in
practice,
everyone's
using
scram,
Shell
One,
mostly
at
the
moment,
and
some
deployments
use
plane
for
reasons.
C
And
so
so,
Dave
Quinlan
wrote
Zep
388,
which
is
called
the
extensible
Sasol
profile
rather
than
Sasol
II
I.
Don't
think
Sasson
2
actually
shows
up
anywhere
in
in
writing
because
it
could
get
confusing.
C
Dave
also
wrote
some
initial
implementations
and,
and
then
it
kind
of
sat
for
five
years
with
no
one
in
the
community
really
interested
in
it
and
then
in
2022
I'm,
not
sure
what
happened
this,
the
Stars
aligned
I
I,
got
a
grant
to
work
on
some
stuff
related
to
authentication
and
authorization,
including
two-factor,
authors
and
and
stuff
like
that,
and
so
I
immediately
Revisited.
This
extensible
Sasol
profile
and
I
thought.
C
You
know
this
is
exactly
the
foundation
that
I
need
and
then
at
the
same
time,
I
got
speaking
to
xmpp
client
developers,
who
are
also
interested
in
implementing
some
new
stuff
as
well.
So
it's
been
the
foundation
for
various
new
things
that
we've
done
in
xmpp,
which
we'll
go
into
next.
C
So
some
of
the
changes
are
after
authentication,
so
you
do
the
usual
Sasol
exchange
the
server
can,
if
you
offer
the
client
or
rather
request
the
client
perform
some
additional
tasks,
so
these
are
sort
of
after
authentication,
but
before
it's
actually
completed
the
other
thing
we
added
was
stable,
client
identifiers,
so
that
the
client
can
identify
itself
before
it
authenticates
and
also
Channel
binding
negotiation,
so
we're
still
using
Sasol
as
it
was.
C
But
we
have
all
these
things
around
it
now
sort
of
bolted
on
we've
tried
to
as
much
as
possible
keep
an
open
mind
as
to
whether
things
will
progress
at
the
ietf
and
therefore
you
know
be
adaptable
to
xmpp
again
it's
It's
Tricky,
so
there's
lots
of
things
to
talk
about
there.
So
I
think
I
think
we'll
have
to
have
a
discussion
about
that.
C
So
this
is
the
traditional
flow
which
again
will
be
familiar
to
anyone
who's
familiar
with
Sasol
in
any
other
protocol,
and
so
the
the
new
extensible
version
with
the
tasks
ads
the
failure.
C
So,
instead
of
Successful
Failure,
you
can
also
have
the
server
respond
with
a
continue
and
the
continue
contains
a
list
of
tasks
and
the
client
must
select
one
to
proceed
with
Authentication
and
the
tasks
can
be
used
for
a
range
of
things,
and
then
we
use
the
next
element
to
say
this
is
some
task
data
from
the
client
to
the
server.
C
So,
for
example,
multi-factor
authentication
is
an
obvious
place
where
this
applies.
So
you
provide
credentials
using
your
chosen
Sasol
mechanism
and
then
the
server
replies.
C
Okay,
but
please
provide
me
a
one-time
password
and,
and
that
would
appear
as
a
task
like
provide
OTP
or
whatever,
and
then
the
clients
submits
that
using
our
next
element,
with
whatever
format
the
specification
says,
and
then
we
want
to
so
part
of
what
I'm
working
on
at
the
moment
is
trying
to
add
in
two-factor
author
checks
and
PP
in
in
various
ways,
and
this
simple
flow
where
you
just
provide
an
OTP
is:
is
the
nice
happy
path,
but
there
are
lots
of
complicated
ones
where,
for
example,
you
have
out-of-band
challenges
where
you
have
to
approve
a
push
notification
on
your
mobile
device,
or
things
like
that,
and
we
also
have
the
502
staff,
which
is
a
whole
other
kind
of
worms
and
pretty
complicated
foreign
part
of
working
on
this.
C
We
changed
some
things
about
Dave's
original
draft,
rather
than
the
challenge
response
within
tasks
we
changed
to
bi-directional.
Any
site
can
speak
at
any
time
thing
which
we
may
or
may
not
want
to
keep.
The
reason
for
this
was
in
some
cases
we
had
the
client
waiting
for
the
server
to
say
that
authentication
could
proceed
and
in
other
cases
we
had
the
server
waiting
for
the
client
to
say
you
know
the
provide
some
information,
basically
so,
for
example,
in
SMS
code,
you
would
want
to
wait.
C
So.
The
other
thing
to
note
about
this
is
we
change
from
a
simple
base64
payload
in
the
tasks
to
just
structured
XML.
That
was
partly
because
I
found
I
was
trying
to
shoehorn
all
this
information
about
different
tasks
into
something
that
could
be
serialized
and
then
put
into
base64
and
all
this
structured
data,
just
it
really
fit
nicely
as
XML.
C
Obviously,
we
might
not
want
to
mandate
XML
for
use
in
other
protocols,
but
it's
definitely
something
to
think
about
how
we
could
represent
stuff
in
in
a
nice
way
inside
the
tasks
themselves
and
I.
Don't
know
whether
that's
you
know
something,
we
want
to
standardize
for
all
tasks
or
maybe
on
a
task
by
task
basis
and
just
say
what
the
the
payload
type
is.
C
So
the
other
thing
we
did
was
client
identifiers
and-
and
this
is
a
new
one-
we
added.
There
are
a
few
reasons
we
wanted
to
be
able.
So
we
have
things
like
we
have
questions
like
which
clients
are
trying
to
use
these
outdated
Satchel
mechanisms
like
digest,
md5
and
such,
and
we
didn't
really
have
any
kind
of
user
agent
pre
sassle
in
in
xmpp.
So
we
wanted
to
include
that,
along
with
the
initial
Authentication,
it's
it's
optional
from
the
client's
perspective.
C
So
it's
up
to
them.
You
know
what
what
information
they
give
and
the
second
one
was
a
stable,
unique
identifier.
So
this
is
a
uuid
or
something
like
that,
and
that
was
useful
for
knowing
for
the
server
to
know
which
which
tokens
to
compare
with
on
the
server
side.
So
I
think
we're
going
to
talk
about
that
a
bit
later.
This
is
using
the
Satchel
HT
yeah
I
I
yeah
I
I.
C
Note
that
browsers
are
trying
to
deprecate
user
agent
and
I've
tried
to
be
mindful
of
that
in
in
the
zep,
with
the
wording
like
regarding
privacy
and
so
on.
It's
not
quite
the
same
because
you
are
obviously
only
sending
it
to
the
party
that
you're
authenticating
to
and
so
on,
but
but
yeah
I
think
there
are
definitely
things
that
we
could
discuss
there.
C
C
So
one
of
the
other
things
that
we
used
the
tasks
mechanism
for
was,
as
I
mentioned
before
xmpp
is
very
much
stuck
on
scram
Shell
One
servers
have
been
storing
hashed
versions
of
credentials
for
a
long
time,
and
so
we
can't
simply
upgrade
on
the
server
side,
and
so
one
way
to
sort
of
upgrade
to
say
shell
256
is
to
ask
the
user
to
reset
their
password.
But
this
is
awkward.
C
We
I
think
we
do
have
a
spec
for
that,
but
the
user
experience
isn't
great
because
they're,
probably
just
you
know,
think
why
can't
I
just
enter
the
same
password.
That
kind
of
thing.
So
we
wanted
to
see
if
we
could
do
something
a
bit
more
automatic
with
the
cooperation
of
the
client,
and
so
we
worked
on
this
defining
these
upgrade
tasks,
and
this
has
mostly
been
the
work
of
tilo
who's
who's
on
the
call
foreign.
C
And
yes,
that's
a
good
point:
they
the
upgrade
tasks,
avoid
sending
resending
the
password
in
the
clear
which
the
password
reset
mechanism
does.
C
So
these
are
just
some
examples,
the
so
this
is
the
interesting
part.
So
this
is
a
normal
authenticate,
so
we're
starting
scram
authentication
the
upgrade
task
that
the
client
recognizes
has
been
selected
up
front
as
well.
C
That's
so
that
after
the
credentials
are
verified,
the
server
knows
that
the
client
supports
this
upgrade
mechanism,
because
otherwise
it
might
because
the
tasks
are
mandatory.
The
server
should
only
send
back
upgrade
mechanisms
that
the
client
is
known
to
support,
and
you
know
actually
is
able
to
complete
foreign,
so
I'll
skip
through
most
of
these,
but
you
can
review
the
slides
if
you
need
to
so.
This
is
declined
executing
the
upgrade
task,
providing
the
information.
C
C
The
other
thing
that
we've
had
in
xmpp
is
we
had
scram
plus
widely
ish
implemented,
but
we
haven't
really
had
much
success
with
it
on
the
network.
I
think
it's
used
in
Pockets
around
and
about
because
largely
because
we
sort
of
introduced
it
just
as
TLS
1.2
was
going
away
and
we
had
standardized
on
the
TLs.
Unique
I
forgot
the
right
way
around.
That
was
only
defined
for
TLS
1.2
and
not
for
TLS
1.3.
C
So
implementations
have
started
now
supporting
TLS
exporter,
which
is
supported
in
TLS
1.3.
However,
because
scram
doesn't
include,
for
example,
in
the
mechanism
mechanism
name
or
any
advertisement
about
what
Channel
binding
methods
the
server
supports.
If
the
client
picks
the
wrong
one,
then
the
authentication
just
fails
and
the
client
doesn't
really
know
why
it
failed
and
doesn't
really
know
what
other
avenues
it
can
take
like.
Should
it
try
again
with
a
different
Channel,
binding
mechanism
or
what
so?
C
This
is
a
real
problem
that
we've
encountered
interoperability,
issues
between
clients
and
servers,
and
so
we
had
to
create
this
method.
Where
the
server
can
advertise
to
the
client
which
channel
binding
methods
it
supports,
and
this
can
change
per
connection
depending
on,
for
example,
if
the
client
connects
with
TLS
1.2
or
1.3.
C
C
C
We
don't
have
any
server
implementations
currently
I
think
but
I
think
tilo
has
worked
on
at
least
a
client
implementation,
so
we'll
probably
get
to
that
soon.
Foreign.
C
And
that's
more
or
less
it
I
hope.
I
was
on
time
and
yeah.
So
I
I
think
Alexi's
list
of
specifications
was
a
bit
more
complete
and
had
links,
but
yeah.
B
Okay
is.
B
Yes,
great
so
I
guess
we
sort
of
started
talking
about
this
in
the
chat
already,
but
when
we
were
doing
the
TLs
exporter
Channel
binding
type.
My
understanding
was
that
the
party
that
speaks
first,
which
I
think
is
the
client
here-
would
look
at
the
TLs
Channel
and
say
if
it's
TLS,
1.2
I
will
use
the
TLs
unique
Channel,
binding
type
and.
D
B
C
I
suspect
that
the
client
that
I
was
dealing
with
which
I
forget,
which
one
it
was
because
TLX
export
it
can
technically
be
used
on
1.2
I,
believe
I
think
that's
what
they
were
doing,
but
I
yeah
I'm,
not
I'm,
not
sure
I,
don't
remember
the
details.
This
was
at
some
point
last
year,
so
I
can
try
and
dig
that
up
for
you.
If
you
like
and
figure
out
exactly
what
was
going
on.
E
I
I
think
it
was.
It
was
in
fact
my
client
I
tried
to
use
team
X
TLS
exporter
on
each
body
for
TLS
1.2
and
it
failed.
If
I
recall
correctly,
we.
B
E
C
B
To
put
some
text
in
respect
to
have
you
not
tried
to
use
TLS
exporter
when
there
is
an
existing
ecosystem?
What
maybe
that
didn't.
E
Work
yeah,
even
if
even
if
you
put
the
TLs
export
things
aside,
some
server
setups
can
only
provide
TLS
server,
endpoint
or
some
such
and
if
I
have
such
a
server,
it
would
be
better
to
do
this.
Tls
server
endpoint
Channel
binding
instead
of
the
not
supported
TLS
exporter
than
nothing.
C
Okay,
Dave
yeah
I
think
that's
what
I
was
thinking
of
I
I
just
remembered,
so
we
had
a
server
that
was
doing
server,
endpoint
and
then
yeah
it.
It
kind
of
falls.
Apart
with
that
negotiation.
F
I
was
just
going
to
where
to
reiterate
the
that,
as
I
said
in
chat,
the
the
xmpp
community
has
used
Channel
binding,
quite
heavily
more
heavily
I,
think
than
most
other
communities
of
this
kind
of
nature.
I've
never
seen
it
in
email,
for
instance,
but
it
means
that
we've
experienced
cases
where
TLS
exporter
is
great.
F
That
came
out
of
the
xmpp
community.
Indeed,
there
is
some
use
of
of
the
endpoint
as
well,
and
that
is
often
the
only
thing,
that's
possible
if
you
have
early
TLS
termination-
and
we
also
have
plenty
of
experience
in
cases
where
you
can't
use
any
channel
binding
at
all,
because
the
the
client
is,
for
example,
a
web
client
where
there
is
no
Channel
binding
data
available.
So
I
think
there
is
a
need
for
negotiation,
even
though
it's
not
the
the
ideal
situation
in
a
in
a
purist
sense.
C
A
Do
people
feel
enthusiastic
about
too
I
know
we
probably
have
majority
of
xsf
on
the
call,
but
I'm
still
interested
to
see
what
are
other
interests.
Other
people,
it's
a
it's
a
interesting
collection
of
ideas
and
we
don't
necessarily
have
to
take
all
of
them.
But
if
anybody
wants
to
speak
up.
F
Just
make
one
one
other
comment:
I
did
spend
a
little
time
sketching
out,
but
not
publishing,
because
I
didn't
get
around
to
it
a
an
idea
for
taking
most
of
what
was
then
sassel
II,
which
was
in
a
previous
version
of
the
spec,
but
wrapping
that
up
such
that
you
had
a
nested
saddle
profile
Within.
A
This
might
be
just
one
way
of
kind
of
implementing
this.
F
F
We
can
do
both
if
we
want
the
the
feature
successful
too,
but
the
extensibility
in
particular,
but
the
that
that
would
give
you
that
would
give
you
the
the
mechanisms
that
would
give
you
tasks
and
I
think
it
would
also
potentially
give
you
some
of
the
some
of
the
additional
parts
that
Matthew
and
Tila
have
added
like
client
identifiers
and
things
like
that.
Right.
A
Okay,
let's
move
on.
A
A
Yeah
I
can
see
slides
now.
One
thing
that
occurred
to
me
is
that
actually
some
of
their
pre-authentication
stuff
can
possibly
be
done
by
from
Key
derivation.
If
we
had
a
facility
for
saying
that
you
know
an
extended
social
profile,
you
know
if
there
is
a
social
mechanism
that
satisfies
it
and
it
has
key
derivation
function
at
the
end
of
authentication.
It
can
be
used
for
your
authentication,
for
example,
and
I.
Think
correct
will
talk
about
other
cases
that
he
had
in
mind.
A
Well,
I
can
show
you
you
can
flip
through
your
slides
but
I'm
afraid
you
kind
of
need
to
explain
them.
A
D
D
D
So
this
is
mostly
an
idea,
just
a
thought
that
came
up
with
Cecil.
We
usually
don't
use
the
security
layer,
but
that's
because
we
consider
it
encryption
when
it's
used
in
a
profits
and
force
I
think
that's
a
very
potent
possibility,
because
Sasol
protocols
usually
run
over
TLS
and
TLS
basically
does.
D
D
Usually
what's
being
done,
then,
is
to
look
for
some
entropy
to
mix
that
with
the
different
Helmet
Key
exchange,
so
that
you
get
something.
That's
at
least
also
needs
the
secret
to
be
known,
as
well
as
the
cracked
diffie-high
Cecil
usually
has
entropy
or
sorry
a
secret,
that's
shared
by
by
the
two
endpoints
already,
and
it
used
it
to
derive
authentication.
D
But
if
you
could
also
derive
a
key,
you
might
mix
that
with
whatever
you're
doing
at
a
transport,
for
example
your
TLS,
and
to
benefit
from
that,
and
one
place
where
this
came
up
is
when
I
looked
into
opaque,
which
has
a
great
possibility
for
extracting
key
material,
but
to
use
that
for
encryption
is
a
bit
silly
if
you
run
it
over
TLs,
but
to
use
it
for
all
sorts
of
other
purposes.
I
think
in
general
is
a
useful
purpose.
So
I
added
this
to
a
spec
that
I
wrote
it's
a
different
example.
D
It's
not
TLS
next
slide,
please.
This
is
realm
crossover,
basically
a
client
on
the
left
and
a
remote
domain,
which
is
their
domain
where
they
have
an
account.
They
they
exchange
a
key,
and
they
do
that
beforehand.
If,
with
that,
an
end-to-end
encryption
tunnel
can
be
set
up
and
S6
over
plus
does
exactly
that.
It
passes
plain
to
social
authentication
inside
the
tunnel.
The
client
program
will
pass
it
to
wherever
the
server
is.
D
Some
third
party
that
doesn't
know
about
the
account
it
mentions
the
domain
name
and
then,
with
that
saso
can
be
ported
back
to
the
client's
domain
to
the
remote
domain
over
diameter
and
that's
basically,
the
assessor
tokens
are
passed
back
and
forth
until
the
domain
says
either
it's
rejected,
or
it's
accepted
as
this
user
identity.
D
Next
slide
please.
So
this
can
be
done
with
just
about
any
protocol.
It's
basically
just
Sasol
used
in
a
in
an
awkward
way
in
a
different
way
that
can
be
done
with
all
Sesso
mechanisms
and
basically
all
Sasso
protocols.
It
just
sits
in
between
this
is
one
of
the
most
wild
examples
that
that
I
have
thought
of
and
that
I
think
might
be
really
cool
to
use,
and
that
is
when
you
go
to
a
cafe
or
something
you
want
to
use
the
Wi-Fi.
D
Why
not
use
Satchel
to
log
on
to
it
extract
the
key?
Have
that
key,
delivered
back
alongside
with
the
diameter
stuff
and
use
that
to
have
your
local
Wi-Fi
connection,
secured
and
then
parcel
the
traffic
to
your
home
network,
where
you
have
an
RP
address
in
your
room
home
in
your
home
network,
so
that
nobody
really
is
bothered
by
oh
gosh
I'm
I'm,
giving
away
bandwidth
because
it's
not
within
the
RP
range
or
anything
scary
you
might
be
doing-
is
not
all
the
responsibility
of
the
IP
address
owner.
D
This
is
just
an
idea.
Just
a
possible
application.
I
think
there
are
many
more,
including,
of
course,
the
plane,
encryptions
security
layer,
stuff,
that's
sometimes
used,
but
in
general
I
think
the
entropy
that
we
have
in
the
secrets
that
we
share
with
Sasol
can
be
a
very
useful
benefit
in
a
time
that
we
have
quantum
computers
and
needs
some
form
of
entropy
to
be
able
to
derive
all
sorts
of
things.
So
that's
why
I'm?
Basically,
it
could
be
very
useful
to
use
that
and
think
about
key
extraction
mechanisms
for
Cecil
methods.
F
I
put
this
in
the
in
the
chat
anyway,
but
when
you
say
defi
Hellman
I
assumes
we
really
mean
elliptic
curve
if
he
heldman,
probably
yeah.
Possibly
the
screen
algorithm,
definitely,
which
ironically,
is
slightly
more
secure
against
Quantum
Computing
as
I
as
I
recall,
probably
because
it's
bigger,
but
there
are
other
diffie-hellman
possibilities.
I
know
that
there
was
I
know,
that's
been
at
least
one
Quantum
proof
version
thrown
around
based
on
lattices
by
no
cryptographer.
F
So
in
principle,
all
of
the
post,
quantum
or
Quantum
proof.
Problems
can
be
addressed
at
the
TLs
layer
by
changing
the
diffie-hellman.
Whatever
it
is,
it's
a
generative
group
or
something
like
that,
isn't
it,
but
that
that
mechanism.
D
Okay,
that's
news
to
me
I'm
very
happy
with
that.
I
still
think
that
you,
so
it
basically
says
that
this
example
might
not
be
applicable.
D
I
still
believe
that
in
general,
since
we
have
the
entropy
available,
or
at
least
the
secret
available,
that's
shared
between
two
parties,
Crypt
of
cryptographically
beneficial,
to
be
able
to
extract
key
material
from
that,
especially
with
something
like
opaque.
That
is
so
very
good
at
doing
that,
but
that's
yeah.
A
Yeah
my
as
I
mentioned
quickly,
my
use
case
is
a
bit
different
is
for
the
authentication
you
can
extract.
If
you
have
key
derivation
in
both
scram
and
OPEC,
then
you
just
say
created
authentication
token
using
key
derivation
and
you
say
it's
in
direct
generic
way
and
then
the
authentication
mechanism
can
be
used
with
eight
of
them.
Basically,
that's
that's.
That's
the
benefit.
I
see
so
kind
of
glue
that
can
be
used
for
multiple
things.
A
I
will
quickly
do
update
on
on
scram
to
factor
authentication
I've
just
done
it
last
week,
Simon
so
initially
I
added
gltp
that
was
basically
stolen
from
Dave
krillin's
zap.
So
thank
you
for
that
and
then
Simon
Josephson
said
well
what
about
Fighter,
2
or
Fido
stuff,
for
you
know,
working
with
USB
devices,
NFC,
Bluetooth,
low
energy
and
stuff
like
that,
so
basically
I
think
he
mentioned
it
last
summer.
It
took
me
a
couple
of
months
to
actually
go
through
various
specs
to
figure
out
what
it
was
all
about.
A
A
You
can
see
details
in
the
document
if,
if
you
dealt
with
Fido
stuff
in
any
of
your
projects,
if
you
can
read
what
I
wrote
and
double
check,
whether
it
makes
sense
and
whether
it's
detailed
enough,
if
you
haven't
but
want
to
give
it
a
try,
also
try
to
implement
from
what
I
wrote
and
see
if
it
works,
and
let
me
know
obviously
so
the
other
bit
that
I
had
already
had
in
the
document
was.
A
I
was
thinking
about
you
know
it's
nice
to
have
Cecil
2
framework,
but
if,
if
you
are
using
a
different
protocol
and
it's
not
available
and
If
deployment
will
take
you,
you
know
five
years,
maybe
I'm
a
bit
pessimistic,
but
you
know
then
I
would
like
to
have
inbound
way
for.
A
Returning
authentication
token-
and
basically
there
is
an
attribute
for
this
and
then
this
authentication
token
can
be
used
directly
with
HT
subtle
mechanisms
without
any
protocol
machinery
for
requesting
them
explicitly
and
then
basically,
if
client,
so
server
will
return.
One
of
these,
if
clients
wants
to
do
quicker,
authentication
recognize
this
extension.
It
will
use
the
token
and
then
we'll
use
HT
making
this
one
after
that,
so
yeah
have
a
read.
Let
me
know
what
it's
understandable.
If
you
want
to
cut
and
paste
the
text
to
any
of
your
documents
feel
free.
A
A
Can
you
imagine
that
every
time
you
reconnect
you
get
a
prompt
to
for
SMS,
this
will
drive
you
as
crazy,
so
I
think
the
idea
here
is
once
you
authenticated
and
did
two-factor
authentication.
You
can
get
re-authentication
token,
and
then
you
will
do
quick,
reauthentication
mechanism
that,
firstly,
it
will
be,
it
will
bypass
the
fact
authentication
and
second,
it
will
be
just
one
round
trip,
so
it
will
be
quicker
to
do
and
probably
will
be
less
CPU
intensive
than
the
full
scram
or
or
pack
Exchange.
D
Yeah
first,
first
of
all,
lovely
developments,
I'm,
always
a
bit
afraid
of
re-authentication
we've
seen
as
delicious.
It's
very
difficult
to
do
it
well,
and
then
it
becomes
a
problem,
but
I
have
on
another
path.
I've
tried
to
embed
social
in
HTTP
as
you've
tried
before
and
I'm
now
trying
and
yes,
it
drove
me
mad
to
have
to
log
on
with
every
different
page
or
with
every
TLS
connection
draw
because
there,
of
course,
it
might
happen
anytime
that
you
need
to
set
up
a
new
connection
so
yeah.
A
Right
and
the
way
it
works
you
know,
server
can
decide
that
it
will
allow
the
authentication
for,
like
so
many
times
so
for
a
certain
period
of
time
and
then
at
some
point
it
can.
It
can
reject
and
then
it
will
force
the
client
to
re-authenticate.
You
know
using
the
original
mechanism
or
similar
mechanism,
so
yeah
it's
another
component
in
the
toolbox.
A
F
F
If
someone
obtains
that
token
there's
been
a
number
of
of
HTTP
based
session
token,
stealing
attacks
recently
Circle
CI
and
last
past
were
both
at
that
later,
I
believe,
and
so
obviously
you
you,
there
is
a
lot
of
risk
in
in
these.
These
tokens
I
think
it's
very
important
that
those
that
the
token
issuing
is
also
combined
with
the
token
listing
and
and
other
token
management
and
token
revocation
solutions
for
that
are
available
to
the
user.
F
Now
I
know
that
the
original
designs
around
around
HT
that
Florian
did
maybe
Florian
can
talk
about
them
more
around
ISR,
for
instance
in
the
xmpp
world,
also
included
the
ability
to
to
track
which
device
it's
already
used
by
the
by
the
user,
which
which
had
a
token
I
believe
that
was
all
part
of
it
and
I
think
that's
a
lot
of
the
driving
force.
Maybe
Matthew
and
T
Logan
will
correct
me,
but
I
think
there's
a
lot
of
the
driving
force
behind
having
device
identifiers
in
in
the
newscastle
too.
G
G
Okay,
okay
I
can
only
checks
this
pre-selected,
slides
Okay,
so
hello,
I'm
Florian,
thanks
for
having
me
and
I
think
I
have
to
continue
with
the
tradition
of
disappointing
Dave
by
saying
that
the
is
Eric
step
actually
has
no
mechanism
for
tracking
or
managing
tokens,
but
I
agree
that
something
like
that
would
be
nice
to
have.
Certainly
with
that
I'm
going
to
talk
about
the
mechanism.
G
And
I
start
with
its
origin
story,
and
the
original
motivation
is
except
I
wrote
also
many
years
ago.
That
seems
to
be
a
common
topic
today.
G
That's
called
instant
stream
resumption
and
instant
stream
assumption
is
actually
motivated
by
XMP
peace,
long
reconnect,
delay
I
gave
a
talk
at
fostem
2015
about
that,
but
the
gist
of
it
is
that
just
like
a
two
to
three
seconds,
delays
that
you
always
have
until
the
xmpp
session
is
usable,
using
techniques
that
were
available
back
then-
and
this
was
probably
fine
in
the
non-mobile
age,
but
today,
with
mobile
devices
that
encounter
frequent
reconnects,
we
have
to
do
better.
G
So
initially,
HT
mechanism
was
part
of
this
ISR
specification
and
I
think
it
was
Dave
who
encouraged
me
to
out
Factor
the
sussel
parts
into
an
extra
ID
and
to
put
it
into
the
kitten
working
group
for
review
and
comments
and
of
course,
I'm
always
happy
about
feedback
says.
The
current
state
of
the
ID
is
a
working
draft
and
it's
there's
probably
many
things
that
can
be
improved.
G
So
what
is
Cecil
HT?
It's
a
very
simple
set
of
mechanisms
for
Bureau
tokens
and
the
basic
idea
is
just
to
be
a
little
bit
better
than
using
Sasol
plane.
So
you
you
obfuscate,
the
actual
token.
By
using
an
hmax
to
construct,
you
can
borrow
some
IDs
from
scram
to
get
Mutual
authentication
and
if
you
mix
in
Channel
binding,
that's
always
a
good
idea.
G
Channel
binding
was
initially
mandatory
in
the
ID,
but
Matthew
asked
me.
Matthew
antilo
asked
me
to
also
add
support
for
a
channel
binding,
less
flavor,
yeah
well,
and
the
reason
is
web
clients
So
Below
on
the
slide.
You
see
Cecil
HD
score,
which
is
a
very
simple
construct.
G
So
the
idea
was
to
to
don't
have
multiple
sassal
round
trips
because
we
want
fast
or
instant
authentication.
Basically,
so
the
current
situation
is
the
is
Eric's
app
and
by
set
I
also
mean
the
HT
mechanism
was
written
before
GLS
1.3
was
standard,
standardized
and
backsense.
There
was
a
lot
of
Buzz
about
TLS
1.3
early
data
and
when
I
looked
at
it,
it
appeared
as
a
good
fit
for
Cecil
hd's.
G
First
message
to
show
off
this
message
into
TLS
early
data,
but
I
think
it
was
Nadia
ever
pointed
out
that
TLS
requires
that
early
data
requires
the
usage
of
a
pre-shade
gear,
pre-shared
key,
so
the
ID
currently
talks
a
little
bit
about
early
data,
but
I
basically
think
that
it's
not
really
what
you
want
to
do.
If
you
want
really
fast
re-authentication,
you
could
also
think
about
using
TLS,
PS
key
and
maybe
sussel
external
I'm,
not
sure
if
it
would
work
I'm,
not
absolutely
sure
if
it
would
work
on
a
technical
perspective.
G
So
this
is
something
one
has
to
figure
out,
but
I've
looked
at
various
TLS
psk
implementations
and
their
apis
and
I
think
it
looks
promise
promising
and
doable.
But
if
those
ingredients
are
not
available,
not
every
TLS
library,
May
Provide
support
for
psk,
then
you
can
always
fall
back
to
performing
a
Cecil
HT,
which
should
always
work
because
it
doesn't
require
anything
from
from
the
TLs
library
and
from
the
TLs
layer.
If
you
don't
do
Channel
binding
so
well,
more
or
less.
Unfortunately,
my
instant
screen
resumption
zap
did
not
catch
on.
G
However,
we
see
current
there's
currently
much
traction
in
the
xmpp
community
for
an
alternative
sap.
That's
accept
fast
by
messian
tilo,
and
that
also
uses
Sasol
HT
and
whatever
gets
us
fast.
Reconnects
is
what
we
should
do,
because
that's
something
mobile
xmpp
users
certainly
suffer
from
so
the
set
I.
Thank
you
for
your
attention.
B
B
It
was
a
it
was
a
statement.
Okay,
sure.
The
way
you
described
it,
sort
of
swept
that
part
onto
the
rug,
so
I
wanted
to
make
sure
that
the
whole
audience
knew
that.
G
So
maybe
I
can,
since,
since
we
have
many
knowledgeable
people
here
using,
for
example,
Alexis
o
attribute
to
obtain
a
token,
could
I
feed
this
token
into
the
TLs
psk
and
use
subtle
external?
Would
that
be
feasible.
B
I
think
that
the
protocol
pieces
are
all
there.
You
would
have
to
ensure
that
the
token
you
get
has
you
know
the
right
amount
of
entropy
and
whatnot
doesn't
have
any
like
identifiable
personal
data
or
something
that's
in
the
clear
but
I
think
at
the
protocol
level.
That
would
work.
B
Yeah,
your
server-side
implementation
would
be
a
little
bit
complicated
to
you
know,
hook
the
pieces
together
where
you're
looking
to
your
database
of
issue
tokens
in
the
TLs
layer
as
the
pre-shared
keys,
but
I
think
that
most
implementations
would
at
least
give
you
the
Rope
to
build
that.
Even
if
it's
a
bit
clunky
to
to.
G
E
Okay,
quick
question:
why
show
the
token
in
into
the
psk,
if
you
could
just
use
the
TLs
1.3
mechanism
to
generate
the
psk
for
the
early
data
in
the
first
connection
and
then
use
early
data
in
having
the
talk
in
the
early
data
in
the
second
connection?
G
E
No,
you,
you
generate
a
random
token
store
that
on
the
server-
and
this
is
the
first
TLS
connection,
so
this
generates
the
psk
for
the
second
connection,
using
early
data
and
then
in
this
early
data
you
just
sent
over
the
random
token.
The
client
and
server
agreed
upon
in
the
first
connection
and
this
I'll
take
authenticates
the
client
to
the
server
in
the
second
connection.
B
A
Okay,
sorry
can
I
can
I
I'm
just
mindful
that
there
are
two
minutes
left
and
some
people
will
disappear
at
the
end
of
this.
That's
a
great
discussion.
I
wish.
We
have
more
time,
can
I
move
to
the
last
slide.
I
just
want
to
kind
of
figure
out
what
the
next
steps
are,
whether
we
want
another,
you
know
meeting
you
know,
etc,
etc.
A
A
What
I
would
like
to
know
if,
first
there
is
enough
interest
to
work
on
re-authentication
mechanism
in
the
kitchen
to
take
it
to
the
kitchen
and
try
to
adopt
it
as
a
document
and
do
this
work
and
then
also
if
people
are
interested
in
starting
subtle,
2
type
draft,
which
is
more
generic
than
just
XMP
and
again
try
to
adopt
a
10
kitchen.
C
I
can
say
that
the
two-factor
Earth
in
scram,
well
clever,
probably
doesn't
satisfy
my
requirements,
as
is
I,
don't
know
I
I,
it
does
tie
us
to.
Obviously
it
doesn't
tie
us
specifically
describing
the
same
thing
can
be
done
and
repeated
in
other
mechanisms,
but
it
does,
for
example,
roll
out
using
plane
and
then
using
two
factors
which
you
know
some
deployments
in
xmpp
definitely
do
have
playing
and
like
I,
can't
see
that
changing
anytime.
A
Soon,
I
I
think
I
propose,
will
kind
of
pursue
both
for
people
who
couldn't
wait
for
social
to.
There
is
an
example
how
to
do
this
with
scram
and
it
works
for
OPEC
as
well,
because
of
the
same
syntactic
structure,
but
I'm.
Definitely
up
to
working
on
the
you
know,
two-factor
within
the
social
2
framework.
A
B
Yeah
I
think
I'm
in
a
similar
boat,
where
you
know
the
scrim
dedicated
to
factor
Roth
is
potentially
useful
for
some
cases,
but
I
would
prefer
to
have
the
two-factor
support,
be
sort
of
more
generic
dropped,
and
so
the
bits
about
doing
a
slimmed
down
sassle
to
you
that
would
include
two-factor
stuff
seems
a
little
bit
more
appealing
to
me.
Okay,.
A
Yeah
I
think
for
me,
is
I,
probably
will
Implement
both,
but
in
short
term
I
probably
need
something
Quake
that
doesn't
because
I
will
need
to
to
make
this
work
in
SMTP,
IMAP
and
ldap,
probably,
which
is
probably
quite
a
bit
more
work
than
you
know,
and
first
we
need
to
Define
what
susselt2
is
right.
A
Okay,
any
other
comments.
A
Yes,
Dave,
we
can
always
layer
another
thing
on
top
of
another
layer.
Another
thing
all
right,
thank
you
all.
Nadia
I'm.
Sorry,
we
kind
of
ran
out
of
time
for
OPEC.
Would
people
be
interested
in
another
in
three
meeting
in
a
couple
of
months
or
should
I
start?
Shall
we
start
with
adoption,
calls
first
for
other
authentication
mechanisms,
for
example,
foreign.
A
I'm
not
sure
it
might
not.
Okay,.
G
G
F
Alexa
is
an
obscure
question.
If
we
are
moving
to
a
BBB
server,
I
assumed
with
them
know,
Well
no
longer
apply.
What
does
it.
A
Well,
How
likely
of
a
problem.
This
is
going
to
be.