►
From YouTube: STIR WG Interim Meeting, 2021-04-14
Description
STIR WG Interim Meeting, 2021-04-14
A
B
It's
right
in
the
document
that
says
b64
and
specifies
the
base64
character
set
in
the
grammar
and
it
should
be
url,
save
base64
and
should
specify
the
url
save
base64
character
set
in
the
grammar,
so
the
characters
are
wrong,
but
the
but
the
incorrect
encoding
is
actually
mentioned
throughout
the
document.
It's
not
the
only
grammar,
but
it's
mentioned
in
like
section
for
one
like
in
other
places,
but
it's
can
be
fixed
by
just
going
through
the
document
and
looking
for
everywhere
where
base64
is
mentioned.
B
B
A
E
I
was
just
going
to
say
I
mean
I
again,
I
I
don't
know
how
deep
we
need
to
go
in
in
the
text.
It's
supposed
to
be
enough.
There
are,
there
may
be
a
couple
of
the
places,
but
just
skimming
through
it.
Now
I
mean
places
they're
like
non-normatively,
referring
to
that
it's
b64
encoded.
I
think
it's
okay,
but
like
yeah,
we
let's
do
that
work,
let's
go
through
and
like
check
them
all
and
figure
out,
which
ones
actually
need
to
be
changed.
F
Right,
I
mean
ultimately
it
points
to
75
19,
which
authoritatively
says
what
a
jwt
base64
url
encoding
needs
to
take
place
so,
but
but
I'm
I'm
I'm
okay
with
going
through,
but
who,
who
is
the
errata
author?
A
So
I'm
willing
to
take
whoever
would
like
to
volunteer
to
propose
what
the
errata
should
be
changed
to
at
this
point,
I
believe
the
chairs
or
ads
are
the
only
people
that
can
go
in
and
change
the
submitted
errata
text
in
the
errata
system,
but
that
shouldn't
dictate.
Who
does
the
work.
E
I
mean
again
there's
there's
like
three
other
instances
where
it's
mentioned,
like
in
the
document.
As
far
as
I
can
see
just
on
a
quick
find
and
like
I'm,
not
super
worried
about
any
of
them.
To
be
honest,
but
I
mean,
is
this
a
discussion
like
roman,
since
you
kind
of
raised
this
point
I
mean:
do
you
feel
that
those
other
references
are
material
like.
E
I
mean
when
I
read
a
piece
of
non-normative
text
of
the
forum.
After
these
two
json
objects,
the
header
and
payload
have
been
constructed
in
base64
encoded.
They
must
be
hashed
and
signed
per
rfc
8225
section
6.
right.
I
don't
believe
that
needs
to
be
fixed
to
say
b64
url
encoded
for
it
to
like
do
its
job.
E
B
E
A
All
right,
then,
that's
our
action
for
that.
So,
let's
move
on
to
our
double
quote
question,
so
we
explicitly
discussed
several
things
in
this
thread
as
the
as
our
core
documents
were
being
put
together.
So
the
conversations
around
whether
or
not
we're
going
to
change
the
grammar
to
allow
comma
separated
values
or
things
that
that
we
actually
reach
consensus
on,
and
I
don't
believe
that
we're
going
to
try
to
open
this
up.
At
this
point
we
did
have
a
discussion
at
iepf101.
A
I
went
back
and
listened
to
the
recording.
There
was
not
a
lot
of
depth
in
that
discussion.
It
was
basically
a
hey.
Let's
make
a
decision,
let's
require
that
we
put
double
quotes
around
things.
Are
everybody?
Is
everybody?
Okay
with
that,
and
the
answer
was
yes,
we've
got
some
feedback
that
there
are
implementations
out
there
that
are
are
mixing
it,
probably
because
of
implementation
through
example,
or
or
just
mistakes,
and
the
question
now
is:
is
it
do
we?
A
You
know
what
what
level
of
adjustment
do
we
make
as
best
I
can
tell
the
conversation
on
the
list
is
trending
towards
requiring
the
quotes
in
the
grammar
and
adding
a
note
that
notes
that
early
implementations
sometimes
don't
provide
them
and
implementers
should
consider
being
lenient
with
what
they
accept.
B
Again
my
suggestion
and
again
I'm
a
little
bit
biased,
it's
just
meek
or
instead
of
quotes
and
no
quotes
just
make
it.
This
match
the
generic
param
saying
that
it
will
take
either
a
token
in
the
grammar
or
the
quoted
string.
B
And
essentially
like
leave
it
at
that,
because
that
way,
all
the
implementation,
like
all
the
implementation,
should
be
working
with
each
other,
but
that
the
downside
of
that
that
all
the
implementations
potentially
will
need
to
change
to
support,
accepting
either
quoted
or
non-quoted
values,
but
they
would
be
able
to
send
whatever
they
prefer.
I
I
I
E
So
that,
if
I
get
in
on
this,
I
mean
I
think
it
would
be
okay,
for
me
at
least
to
do
generic
program,
provided
that
we
also
say
we're
asked
you
know
you
should
send,
quotes
right
and
like
do
the
so
I
mean
what
we
don't
want
to
do
is
create
a.
I
agree.
Abn
f,
that
invalidates,
if
quotes,
aren't
present
that
that,
I
think,
is
the
issue
right,
because
if
we
do
that-
and
there
are
implementations
that
are
for
whatever
reason
sending
without
quotes
then
like
they
would
not
be
compliant.
E
B
E
D
B
D
Yes
bring
the
microphone
closer,
so
my
proposal
would
be
to
not
touch
the
grammar
at
all
to
leave
it
at
it
is
which
is
without
code
and
then
to
add
a
sentence
somewhere.
That
said,
receiving
implementation
should
ignore
if
there
is
a
cut
outside.
So
we
don't
don't
change
the
meaning,
which
still
said
that
we
should
send
a
token
without
cutter,
but
if
there
is
cut
outside
just
remove
them
and
treat
it
as
a
as
a
token,
and
it
should
work,
fine.
E
E
J
I'm
not
convinced
that's
true,
I'm
hoping
I'm
currently
reading
the
right
email.
But
from
what
I
can
see.
It
says
that
the
json
value
has
to
be
the
quoted
value
of
the
parameter
on
the
identity
header,
which
would
mean
that
I
read
that,
as
you
put
quotes
around
the
value
in
the
identity
header
and
stick
it
in
the
json
field,
which
is
an
odd
way
of
explaining
it.
But.
E
F
B
Again
from
like
the
little
interrupt
that
we
did
is,
as
I
said
right,
for
instance,
if
we
are
dealing
with
an
api
service
for
generating
identity
headers,
if
you're
looking
at
new
star,
they
put
quotes
transnexus,
doesn't
you
look
at
open,
sips
put
quotes,
camellia
doesn't
and
it
kind
of
keeps
going
that
way
throughout
again,
I'm
not
sure,
like
statistics
wise
on
the
deployed
endpoints,
but
like
from
implementation
standpoint,
I'm
seeing
both
quite
evenly.
K
Alec
from
chance
nexus,
just
one
point:
yes,
we
don't
put
quotes,
but
we
do
accept
both
quoted
and
unquoted,
and
you
know
we're
happy
to
change
the
authentication
to
create
quotes
if,
if
needed,
so
don't
we
we
don't
need
any
backwards
compatibility,
but
on
the
receiving
side
we
accept
both
and
we
don't
plan
to
change
that,
regardless
of
what
the
outcome
of
this
is.
B
Yeah,
but
that's
kind
of
my
point
like
if
I'm
looking
at
two
authentication
services
and
one
does
it
and
one
doesn't
index
and
from
what
I'm
seeing
implementation
generally
accept
both.
E
So
no
one
here
has
put
on
the
table
that
implementation
shouldn't
accept
both.
I
think
that's
one
point
we
all
agree
on
right
like
every
example,
the
question
is
really
just
what
is
the
least
intrusive
least
problematic
fix
we
can
make
to
this
so
that
there's
no
more
confusion-
and
you
know
I
think
mark-
may
have
been
barking
up
the
right
trade
on
this.
In
the
sense
of
I
mean
the
the
least
intrusive
and
most
compatible
fix
is
just
to
say
that
implementation
should
treat.
E
This
is
identical,
but
I
still
don't
think
that
take
that
gets
us
off
the
hook
of
having
to
say
here's.
What
you're
supposed
to
do
right
right,
like
I
said
that
we
were
under
some
obligation
to
give
guidance
on
whether
it's
supposed
to
be
quoted
or
unquoted,
even
if
you're
supposed
to
wait
from
what
you're
supposed
to
say.
J
E
Agree
entirely-
and
this
was
exactly
a
discussion
at
itf
101,
which
is
why
that
discussion,
as
robert
said,
was
so
kind
of
you
know
high
level,
because
because
it
doesn't
matter,
I
agree,
and
so
like
you
know,
we
basically
we
flipped
the
coin,
perhaps
and
we're
like
okay,
we'll
do
quoted
and
like
if
we
want
to
keep
flipping
coins
until
we
get
different
results.
We
can
do
that
but,
like
I
don't
think,
that's
a
good
use
of
our
time.
Let's
just
do
quoted.
B
And
just
accept
just
put
optional
quotes
around
the
token
to
update
the
router.
E
Yeah
something
more
like
what
mark
was
suggesting
right
and,
and
you
know
then
then
we
just
have
the
guidance
saying
yes
do
quoted
but,
like
you
know,
change
the
grammar,
so
it
accommodates
either.
F
E
E
D
I
can
it
was
roman
errata,
but
I
can
yes,
I
can
write
something
I.
A
Just
send,
you
know,
send
to
the
list
a
proposal
for
how
it
ought
to
be
changed
and
we'll
see
that
I
think
murray
has
to
do
the
actual
edit.
Oh
yeah.
We
can't
all
right.
I
don't
think
so.
I
think
that's
the
case.
Well
then,
we'll
we'll
we'll
pass
the
recommendation
to
murray.
A
You
I
really
appreciate
it
all
right.
We
are
20
minutes
in.
I
think
we
have
closed
both
of
those
errata
question.
A
lot
of
questions.
A
The
next
thing
that
we
had
on
our
agenda
was
to
go
through
the
stir,
identity,
header
errors,
handling
document
that
we
deferred
discussion
for
my
atf-110
on
chris.
Are
you?
Are
you
ready
to
talk
about
that
document?
A
I
A
A
So
the
what
we're
going
to
do
in
it
mark
is
going
to
work
on
an
update
to
the
errata,
as
it's
currently
posted
to
make
sure
that
the
grammar
allows
both
forms
and
to.
I
Okay
and
what
about
so
so
then,
if
we're
gonna
allow
both
quote
and
unquote,
I
guess
the
value
is
going
to
be
token
even
with
quotes
right.
I
C
Can
you
one
point
of
order?
Could
people
go
to
the
cody
md
and
do
virtual
blue
sheets.
L
A
Webex
roster,
but
I
guess
there's
a
chance
that
we
lose
the
webex
roster
on
the
recording.
So
yes,
please
help
make
sure
that
the
kodi
md
is
correct.
Would
somebody
cover
getting
me
into
that
and
if
it
hasn't
already
been
posted
to
the
webex
chat
yeah,
it
looks
like
russ
posted
the
cody
md
link
to
the
webex
chat.
F
You're,
muted,
chris
sorry,
is
it
possible
for
you
to
screen
share
I'm
noticing
my
mac,
this
mac,
that
I'm
using
doesn't
have
the
system
preference
for
screen
sharing.
A
So
is
it
the
slides
that
were
at
the
110
meeting
that
you'd
like
to
go
through
yeah.
A
E
A
A
A
A
F
Okay,
so
yeah
this
is,
I
forget
if
this
is
the
first
time
talking
about
it,
it's
I
think,
the
first
time
formally
talking
about
this.
This
draft
essentially
defines
two
new
error
technique.
F
Two
new
additions
to
error
handling
one
is
directly
adapted
from
some
of
the
addis
specs
that
I
thought
would
be
useful
to
define
over
an
ietf
side
and
then
the
other
one
is
something
new.
So
first
one
is
essentially
the
mechanism
that
the
way
we
have
it
in
82,
20,
sorry
80
to
24,
is
that
for
the
400
errors
that
will
that
that
is
essentially
killing
the
call.
F
So
we
wanted
to
allow
for
not
having
to
kill
the
call,
even
if
you
have
an
error
with
verifying
the
the
the
identity
header.
So
we
define
the
mechanism
that
you
should
send
the
reason
header
with
the
error
code
in
provisional
responses
or
final
responses
back
to
the
authentication
service
just
to
let
them
know,
but
in
general,
in
the
shaken
world
we
didn't
want
to,
and
we
still
don't
necessarily
want
to
kill
calls
because
of
the
verification
status
would
may
have
failed.
F
F
Okay,
I'll
go
to
the
next
slide,
the
next
one.
This
was
sort
of
thought
about
in
the
world
of
having
multiple
identity
headers.
F
So
this
was
sort
of
a
proposal
to
solve
the
case
where
you
might
have
some
identity,
headers
that
pass
verification
and
some
that
may
not
pass
verification,
and
if
you
send
the
reason
code
back,
how
do
you
identify
which
ones
have
errors
and
which
ones
don't
have
errors
and
sort
of
thought
through?
You
know
like?
Is
there
some
way
we
can
identify
it?
We
just
thought
the
easiest
and
best
way
to
do.
F
This
was
to
actually
send
the
passport
itself
as
the
identifier
of
of
the
air,
and
that
could
be
useful
for
operators
of
authentication
services
to
quickly.
F
D
D
D
Yes,
in
the
content
type,
I
think
only
the
signature
would
be
enough
to
to
match
it
with
the
original
passport
right.
F
E
E
F
B
That's
that's
correct,
plus
you
will
probably
like
is
that
being
carried
in
200k
response,
because
if
it's
200k,
it
will
also
have
a
application
sdp
as
one
of
the
parts
right.
K
F
Yeah,
I
I
think
I
thought
about
that.
I
think
the
only
thing
was:
is
it
useful
to
have
the
entire
passport
so
that
you
can
inspect
it
and
correlate
it
back
to
a
call
more
easily,
although
I
guess
you're
getting
it
in
the
context
of
a
console?
So
maybe
that's
not
too
necessary.
B
F
Yeah
you
mean
the
x5u,
yes
url
yeah.
That
would
be
very
high
because
it's
especially
going
back
to
the
same
service
provider,
the
url's
probably
used
across
multiple
calls
for
sure.
F
B
Yes,
the
I'm
just
saying
like:
would
it
the
same
identity,
the
same
certificate
be
used
to
assign
multiple
identities
within
the
same
goal.
F
Well,
yeah,
most
or
at
least
I
would
say,
a
large
percentage
are
using
they're
not
using
a
certificate
per
telephone
number,
at
least
for
shaken.
Now
that
that's
not
the
case
for
some
of
the
other
like
delegate
certificate
and
other
techniques.
But
so
that's
quite
common.
F
Actually,
I
I'll
I'll
think
I
think
the
jeff
providing
this
signature
might
be
a
good
one
to
think
about.
B
B
E
It
would
it
could
potentially
at
least
give
you
an
insight
into
where
else
in
the
network
for
forensic
purposes,
things
were
dysfunctional
now
what
I
can
see
both
sides
of
that
coin.
It
could
be,
you
know,
there's
a
privacy
revelation
or
something
people
are
concerned
about
from
that,
but
like
that,
that
would
be
the
case.
It
would
be
something
where
a
passport
was
subsequently
added.
You
know
this.
This
could
be
like
a
delegate,
cert
originally
signed
it,
and
then
the
second
passport
was
added
for
shaken
purposes.
F
E
F
Well,
that's
what
I
was
just
thinking
like
how
how
relevant
is
that
in
these
cases
and
can-
and
that
would
be
my
concern-
are
we
missing
an
opportunity
to
have
the
other
information
there?
So
let
me
verify.
E
Yeah,
that's
unbalanced.
I
could
see
doing
compact.
For
that
reason
you
know
I
mean
if
we
want
to
get
fancy,
we
could
also
put
rules
right
about
what
you're
supposed
to
do
when
you're
generating
this
object.
As
the
the
sender
that,
like
for
div,
for
example,
you
only
only
send
compact
form
and
there's
there's
a
bunch
of
things
like
that.
We
could
do
if
we
felt
like
a.
D
J
E
I
I
mean,
I
think
the
risk
for
compact
form
is
is
pretty
low.
We
need
to
do
an
analysis,
but,
like
I'd,
be
interested
in
what
what
the
you
know,
actual
risk
of
that
is.
F
I
want
to
make
sure
I'm
on
the
same
page.
So
when
we
say
upstream
beyond
the
communication
service
or
because
you're
sending
the
passport
from
the
authentication
service
to
the
termination
side.
Or
is
this
just
a
diversion
cases
that
we're
talking
about.
J
E
That's
that's
we're
considering
now
so
we're
considering
case
service
like,
for
example,
where
you
know
three
diff
passports
have
been
added
right
and
like
one
of
them
fails,
and
so
you
get
back
here's
the
thing
that
failed
and
like,
but
you
know
you're
revealing.
Potentially,
if
you
put
the
full
form
passport
in
something
about
the
service
logic
that
led
to
that
diversion
and.
F
E
K
Well,
so
if
let's
say
just
talking
about
service
providers,
service
provider,
a
creates,
a
shaken
passport
sends
the
call
to
service
letter
b,
who
creates
a
div
passport
who
sends
it
to
c
search
letter
a
never
had
the
div
password.
I
never
saw
it
so
if
search
letter
c
sends
back
a
response,
you
know
200
whatever
response
code
with
both
passports.
If
service
letter
b
leaves
that
in
and
sends
the
200
to
a
then
service
fighter,
a
now
sees
the
div
passport.
E
E
Level
error
codes
as
well.
These
precise
concerns
have
right
when
you're
projecting
calls
or
expressing
the
treatment
as
you're
giving
them.
So
I
mean,
I
think
that
this
is
recognized
as
a
trade-off.
E
I
mean
operationally:
is
it
useful
to
be
able?
I
guess
this
is
maybe
a
point
in
just
the
a
to
b
case,
like
if
b
feels
like
sharing
this
information
in
the
backwards
direction,
because
it's
helpful
to
a
like,
I
think,
having
a
mechanism
like
this
is
worth
doing.
That's
kind
of
how
I
felt
about
the
600
error
codes
as
well.
J
F
I
I
I
do
agree
with
adding
some
something
about
the
framework
where
the
authentication
service
that
we
that
sent
that
passport
should
terminate
the
reason
and
or
strip
the.
I
guess,
we'd
want
to
just
remove
the
the
reason
header
right
and
the
multi-part
mine
body
that
would
be
the
stripping
would
be
essentially
right.
B
B
F
Specifically
into
that,
but
I
did
know
that
it
was
something
that
we
do
need
to
solve
in
this
document.
B
E
We
could
consider
that
yeah
that
plus
some
guidance
as
jack
was
suggesting,
I
think,
would
get
us
a
pretty
long
way
in
terms
of
covering
privacy
for
service
logic
when
it
matters
and
still
having
the
flexibility
to
be
able
to
do
this.
I
I
think
it
is
actually
quite
valuable
to
be
able
to
do
this,
especially
for
success
cases
where
you
know
you
just
want
to
be
able
to
express
in
the
backwards
direction.
Sorry,
this
didn't
work
to
the
people
that
generated
it
and
here's.
Why.
B
F
K
Not
to
derail
this,
but
you
know
one
interesting,
maybe
thought
might
be,
does
it
make
sense
to
put
it
in
the
reason,
header
and
not
use
a
custom
header?
I
know
we
right
now
use
like
an
x,
authentication
or
verification
failure.
Reason,
because
we
sometimes
you
want
to
have
the
reason
be
for
other
purposes,
and
it
makes
it
more
clear
that
you
know
this
is
the
shaken
reason
that
the
call
may
have
been
accepted,
but
some
other
reason
for
some
other
failure.
You
know
analytics
or
you
know
whatever
thing
you
know,
using
the
reason.
B
K
We
we
don't,
you
know,
we're
not
really
operating
a
switch,
so
kind
of
that's
up
to
a
service
provider
we,
but
we
in
the
vs,
with
a
sip
interface,
respond
back
with
a
custom
x
header
for
verification
response.
That
is
frequently
proxy
backed,
but
you
can't
you
could
so
I
can't
really
answer
that
because
we
don't
really
specifically
do
anything,
but
we
provide
an
x
editor
that
is
frequently
used.
Okay,.
B
Okay,
I'm
just
looking
at
current
examples
like
the
all
the
exam
all
the
examples.
The
typica
for
the
reason
here
are
typically
used
with
error
responses
or
the
buy
messages
like
the
final
responses,
something
foot
dialogue
termination.
B
So
I'm
not
sure
there
is
much
intersection
with
200k,
but
it
probably
would
make
it
cleaner
if
it
would
be
a
new
header.
F
But
then
that
would
mean
switching
to
that
in
general
and
I
think
the
guidance
we
already
have
is
to
use
reason.
Header.
F
I
think
we'd
want
to
make
that
consistent.
That
would
be
confusing.
B
F
Okay,
yeah,
I
think
that's
good,
but
maybe
the
bigger
question
here
is:
are
people
interested
in
this
and
you
know
I'd
be
interested
in
asking
if
we
can
adopt
this
document.
A
Well,
so
I'm
definitely
hearing
interest
and
people
making
suggestions.
I'm
hearing
that
there
is
a
problem
that
there
are
several
people
here
that
are
willing
to
work
on.
If
there's
somebody
that
thinks
that
the
general
direction
of
this
discussion
is
going
the
wrong
way.
Please
speak
up
now.
A
So
I
also
heard
that
the
direction
that
people
were
suggesting
is
probably
different
enough
from
what's
in
this
document
that
adopting
this
particular
document
as
a
starting
point
may
not
be
the
right
thing
to
do,
and
you
might
want
to
make
that
call
on
the
next
revision
that
incorporates
some
of
this
discussion.
C
A
Okay,
so
I'm
going
to
attempt
to
stop
sharing.
Has
that
done
the
right
thing?
Yes,
yes,
all
right!
My
apologies
for
the
errant
application
behavior.
I
will
review
the
recording.
I
may
have
to
ask
the
secretariat
to
redact
some
of
the
other
things
that
popped
up
before
the
recording
is
posted
and
again
my
apologies.
A
C
Okay,
so
I
think
ben
raised
a
question
about
matches
within
the
values
for
the
must
include
or
must
exclude,
and
so
to
address
those.
I
think
that
most
of
the
actual
use
cases
use
simple
values,
strings
or
numbers,
and
we
can
deal
with
some
simple
text
about
that.
Like
numbers,
you
need
to
compare
the
numbers,
not
the
string
that
carries
the
number
so
that
leading
zeros
and
stuff
like
that
are
not
an.
K
C
Regarding
more
complex
structures,
where
you
could
have
things
in
different
orders,
I
don't
think
we
have
many
of
those
cases,
but
we
can
put
some
warning
text
in
here
about
how
to
deal
with
them.
Basically,
you
know
if
you
have
something
where
red
green
blue
can
appear
in
any
order.
If
you
really
want
to
exclude
it,
you'll
have
to
put
all
the
permutations
yuck
hope
we
don't
ever
actually
have
to
do
that.
C
That's
the
kind
of
thing
that
we
have
to
deal
with
and
then
there's
white
space
that
comes
about
as
well.
Red,
comma,
green,
comma,
blue,
you
know
is
our
white
space
after
the
comma,
so
the
suggestion
would
be.
We
say
when,
when
that
occurs,
you
know
compressed
white
space.
C
So
so
that's
my
suggestion
for
dealing
with
it.
I
don't
think
well
rcd
which
we're
going
to
talk
about.
Next
is
the
thing
that's
actually
using
this,
and
so
I
believe
that
what
I've
just
suggested
deals
with
the
cases
that
rcd
has.
L
L
I'm
not
sure
I
see
one
for
rcd
and
the
reason
for
that
is
is
there's
so
many
ways.
A
bad
actor
could
evade
and
exclude
value,
given
that
a
lot
of
rcd
is
aimed
for
human
consumption,
and
so
you
run
into
the
fusible
string
problem,
you
run
into
all
the
string
identifier,
problems
with
confusable
strings
and
things
like
that.
That
are
ways
that
you
can
just
trivially
sneak
past
the
verifier.
That's
trying
to
verify
and
exclude
values
things
I
wonder
to
me.
Absolute
values
makes
a
lot
more
sense.
L
If
you
have
a
claim
whose
values
are
a
strict
enumeration,
you
know
maybe
rph
or
something
like
that
where
you
have
known
values,
people
can't
just
make
up
so
the
example
I
had
I
was
sharing
with
robert
earlier
is
so
I'm
a
bad
actor,
and
I
want
people
to
answer
my
call.
So
I'm
going
to
stick
potus,
president
of
the
u.s
photos
in
my
display
name.
I
can't
remember
the
claim
off
hand,
and
oh
so
you
put
in
a
musty,
exclude
value
for
potus.
L
A
Yeah,
so
this
is
where
I
want
to
interject
a
question
as
an
individual,
given
the
discussion
that
has
gone
by
do
we
really
have
enough
motivation
for
a
use
of
this
now
that
we
recognize
that
there
are
potentially
severe
issues
with
using
it
that
it
makes
sense
to
to
even
define
it
at
all,
would
would
it
be
a
reasonable
path
forward
to
to
just
take
excluded
values
out
of
the
set
of
things
that
we're
defining.
C
A
C
A
E
I
mean
the
point
is,
I
would
put
a
little
differently
for
most
of
the
cases
where
there
are
a
constrained
set
of
things
you
want
to
exclude
what
you
actually
want
is
included
values
right
absolutely
like
I
want
to
say
your
included
values.
Level
of
attestation
is
b
and
c,
and
don't
include
that
right
and
so
like
both
must
include
and
must
exclude.
Have
you
know
effectively
the
same
properties,
for
those
values,
except
must
include,
is
an
additive
permission
that
is
very
clear
about
what
you're
assigning
and
the
other
one
is
not.
Chris.
F
Yeah,
I
I
agree
with
the
conclusion
there
that
excluded
claimed
is
definitely
needed,
but
how
do
you
there
is
a
lot
of
loopholes?
I
agree
with
ben
on
that
point,
but
there
may
be
some
so
I
I
could
go
either
way
really
on
whether
we
keep
it
or
not
keep
it.
But
I
think
you
would
have
to
put
some
pretty
explicit
security
concerns
about
you
know
trying
to
found
things
or
eliminating
it
to
its
explicit
values.
E
L
So
I
was
trying
to
think
about
it.
I
was
trying
to
think
about
this
just
earlier
today
and
thought.
Well,
maybe
there's
some
case
where
we
have
this
set
of
permitted
values
except
you're
not
allowed
to
use
one
of
the
permitted
values,
and
then
I
convince
myself.
No,
that's
dumb
you,
you
wouldn't
ever
do
that.
L
So
I
agree
with
you
and
unless
there
was
some
case
where
the
exclu,
where
the
the
only
thing
I
could
think
of,
if
the
enumeration
is
really
really
big
but
still
constrained,
you
might
not
want
to
put
the
whole
enumeration
in
just
a
safe
space,
but
that's
otherwise.
I
think
this
is
a
attractive
hazard
feature.
E
Yeah,
it's
also
not
a
very
forward
compatible
approach
to
it
is
the
other
thing
that
you
know,
because
if
you
are
then
defined
values,
for
example,
you
need
to
exclude
those
explicitly
rather
I'd.
Rather,
you
know
then
force
people
to
change
the
certs
to
introduce
new
things
to
exclude
like
in
an
on
an
emergency
basis.
You
know
the
day
after
a
new
value
is
approved
for
this,
do
it
the
other
way.
E
C
Okay,
so
I
will
remove
the
excluded
values
and
repost.
K
L
C
K
M
K
You
you
know
if
you,
if
you
excluded
rph,
but
you
also
wanted
to
exclude
this
new
claim,
you're
kind
of
in
the
same
position.
So
is
it
not
better
to
say
if
this
user
is
not
allowed
to
do
any
claim,
including
all
future
claims,
here's
the
ones
they're
allowed
to
do
so
that
it
fails
closed?
They
can't
do
that
new
claim.
Otherwise,
you
have
to
redefine
the
search.
H
F
It
it
did
come
up
in
conversation,
whether
or
not
we
should
have
like
may
include
and
announce
where
may
include
would
be.
You
know
you
could
include
one
of
a
set,
but
not
outside
of
that
set
of
claims.
F
B
M
I
guess
the
case
we
have
is
for
base
passports,
where
no
claims
are
permitted
right.
We're
we
want
somebody
to
sign
base
passports
to
prove
they
are
authorized,
use
the
calling
tn
and
that's
it-
they're
not
authorized
to
do
rcd
or
rph
or
anything
else.
K
K
Because
if
you
do
exclude
and
then
a
new
claim
is
defined,
you
know
they've
now
got
additional
permissions
versus.
If
you
do
a
permitted
of
nothing.
That's
what
I'm
saying
you
know
not
that
excluding
claims
is
not
important,
but
isn't
the
better
way
to
exclude
claims
to
list
the
allowed
claims
well
even
base.
E
You
know
we're
really
in
an
environment
now
where
people
arbitrarily
have
claims,
I
mean
it's
kind
of
assumed.
You
could,
like
you
know
if
you
felt
like
it
it
just
it's
a
jot
right.
E
L
F
No,
I
think
we
do
allow
you
to
put
whatever
you
want
in
terms
of
claims,
and
the
idea
is
that
you
know,
if
you
don't
understand
those
you
just
ignore
them,
but
there's,
I
think,
we're
talking
about
the
critical
ones
like
rph,
for
example,
or
other
ones,
that
sort
of
provide
you
some
authority
that
you
don't
have.
E
I
bet,
but
if
we
introduced
something
that
was
like
you
know,
these
are
the
only
claims
they're
allowed
to
be
in
the
passport
right
and
like
that.
That's
the
way
we
frame
this.
We
would
be
running
a
valve
ben's
innovation
argument,
precisely
so
like
the
criticality
of
certain
things
that
we're
adding.
I
agree
that
with
alec,
this
is
an
issue.
E
If
we
did
define
something
had
the
same
impact
as
our
ph
or
potentially
our
cd
like
you
would
need
to
be
able
to
put
those
constraints
into
sort
of
post-facto,
but
I
feel
like
those
things,
are
uncommon,
or
at
least
that
I
don't
imagine
we're
going
to
be
doing
a
lot
more
of
those,
but
I
could
be
wrong
so.
F
I
I
think
it's
definitely
a
good
point
to
think
about.
Can
we
solve
the
base
passport
null
set
and
still
have
exclude
and,
and
that
sort
of
gives
us
the
space
that
works
there.
F
C
K
C
K
L
So
I
brought
up
the
issue
on
excluded
value
because
I
thought
it
was
hard
to
use
it
in
a
useful
way.
I
I
don't
think
that
problem
applies
to
excluded
claims.
L
L
L
The
way
that
alec
is
modeling,
things
will
allow
that.
E
Yeah,
I
think
I
think
I
agree
that
there
is
some
value
actually
in
being
able
to
do
that,
even
though
it's
not
future
proof
like
I
said,
and
I
I'm
kind
of
wary
of
the
the
implication
that,
like
you,
can't
have
proprietary
things,
for
example,
or
just
non-standard
things
that
you
choose
to
add
to
the
job.
That's
yeah.
F
Does
prevent
that,
but
is
there
any
mechanism
that
we
can
use
that
says
like
you
can
use
whatever
you
want
as
long
as
it's
not
ayana
defined,
or
something
like
that?
You
know
like
special
ones
that
that
have
special
uses,
but
you
know,
if
you
have
something
outside
of
that
set,
you
know,
go
go
for
it.
Should
we
put
some
rule
like
that,
keep
in
mind
that.
L
E
A
potential
rule.
E
I
mean
we
still
want
to
have
shaken
passports
that
have,
you
know,
ran
well
rcd
and
them
are,
for
example,
right,
but
like
that
aren't
necessarily
passports,
but
the
yeah.
My
point
was
more
if
it
has
a
ppt.
In
other
words,
if
we,
if
we
separate
claims
into
two
buckets
one
that
is
special
super
claims,
we're
concerned
about-
and
the
other
is
like
you
know
not
so
much
then,
and
that
the
bar
between
those
two
could
be.
Does
it
have
a
ppt.
K
I
mean,
if
you
do,
let's
say
we
created
may
include,
which
is
the
list
of
claims
that
you
may
include,
but
we
treat
that
as
if
you
include
something
outside
of
that
list,
the
vs
should
not
interpret
that
as
you
had
authority
over
it,
but
that
doesn't
mean
it
can't
trust
the
passport.
It
just
needs
to
be
aware
of
that
value.
So,
for
example,
let's
say
you
know
just
here's
a
thing
that
I
think
would
be
useful
passports
had
a
jti
parameter
to
uniquely
identify
them.
K
You
could
include
that
that
doesn't
need
to
be
trusted
by
the
other
end.
It's
just
for
you
know,
traceback
kind
of
whatever
you
want
to
use
it,
for
that
may
include,
may
not
specify
that,
and
that
just
means
the
vs
shouldn't.
Take
that
as
authoritative
information
doesn't
mean
that
they
should
just
outright
reject
the
passport,
because
it
has
a
claim
that
wasn't
in
the
may
include
list.
L
E
A
F
Yeah,
so
I
think
I
can
just
give
an
update
we
in
the
last
meeting
we
did
discuss
the
major
changes
to
the
integrity.
I
haven't
gotten
a
lot.
We
we
had
good
discussion.
I
think
on
that
call,
but
I
haven't
gotten
any
real
further
feedback
on
it.
So
you
know
I
don't
know
if
we
want
to
wait
for
any
more
feedback
or
if
we
want
to
proceed
with
that
document.
Any
comments
that
anybody
has
in
this
forum.
E
E
This
is
how
the
isfield
like
what
the
value
of
this
field
is,
and
we
kind
of
had
some
it
should
be.
Like
you
know,
reflecting
the
subject
we
had
something
saying
was
the
organization
I
at
least
recall
for
addis
purposes
set
crooked.
One
way,
do
you
remember
which
way
this
was
set
crooked.
M
K
E
That's
always
the
best.
I
thought
we
got
this
broken.
I
mean,
I
think
I
think
we
were
leaning
towards
it.
Just
being
oh
right
organization,.
J
K
Sorry
I
haven't
been
as
caught
up
on
this.
The
the
oh
are
you
saying
the
ish
iss
claim
in
the
rcd
passport
would
have
to
match
the
organization
attribute
in
the
subject
the
end
of
the
certificate
that
signed
it
yeah,
one
one
problem
with
that
that
I
was
dealing
with
in
the
ad
is
kind
of
looking
at
one
of
those
documents.
At
least
the
way
it's
currently
defined.
K
A
potential
problem
is
that
there
can
be
non-unique
organization
names
like
I
know
there
are
many
service
fighters
that
have
the
same
name
across
different
states.
So
does
that
you
know
if
you
mandated
that
it
has
to
be
the
o.
The
way
that
some
of
the
addis
documents
say
kind
of
the
o
would
be
duplicated,
potentially
across
different
organizations.
E
Yeah,
but
I
mean
the
good
news
about
addis-
is,
of
course,
that
it
has
this
whole
like
certificate,
issuing
structure
and
guidance
around
that
right,
and
so
I
mean
there
are
all
kinds
of
things
that
could
be
done
to
ensure
the
uniqueness
of
oh
in
a
constrained
context
like
that
now
out
in
the
open
world
beyond
the
stij
scope.
This
is
an
entirely
different
issue,
but
I
think
for
average
that
should
that
that
should
be
doable
right
like
you
would
just
have
some
different
way.
You
would
describe
entities
that
are
different.
E
F
K
No
they're
kind
of
yeah
outside
of
addis
there
kind
of
can't
be
because
the
within
you
know
with
subject
not
issuer.
If
you,
if
you
combine
both
subject
and
issuer,
then
it's
not
a
problem,
but
you
have
multiple
cas,
so
they
they
can't
really
necessarily
do
anything
to
ensure
that
there's
uniqueness
across
the
cas
the
advantage.
K
What
addis
has,
though,
is
that
there's
this
ocn
that
if
you
include
the
ocn,
then
you
know
you
have
a
reasonable
sense
that
you
know
it's
not
duplicates,
although
technically
I
guess
a
service
writer
could
get
assert
from
two
different
cases
right,
but
but
that
is
still
the
same
entity.
If
you
include
the
ocn,
it's
I
mean
it's
still
the
same
issuer
entity.
The
problem
is
just
that
the
organization
does
that
necessarily
include
the
ocn
that
gets
funny
when
you
have.
F
F
Yeah,
I
think
that
that's
exactly
what
we've
banked
on
for
for
guaranteeing
uniqueness
that,
within
the
context
of
the
certificate
with
a
specific
spc,
there
should
be
hopefully
that
the
entity
representing
that
spc
is
maintaining
uniqueness.
Among
subject
names.
E
L
So
I
was
under
the
impression-
and
maybe
I'm
wrong,
because
other
people
know
the
added
stuff
better
than
I
do
that
the
addis
definition
of
the
o
in
a
certificate
was
just
kind
of
informational
to
make
it
easier
for
troubleshooting
and
stuff
and
people
looking
at
it
to
understand.
I
it's
important
to
me.
They
would
ever
try
to
match
against
it.
G
Well,
we
said,
though,
ben
that
it
needs
to
be.
You
know,
a
known
organization
right
that
it's
used
in
the
you
know
in
other
places
right,
it's
not
just
some
random
text
string.
G
E
E
And
all
we
want
in
this
value
is
to
have
something
like
that.
That's
the
point
we
want
to
have
something
that
says
the
entity
issued.
This
is
canonically
known
as
this.
We
don't
want
people
to
just
be
able
to
arbitrarily
set
that,
so
there
has
to
be
some
process
right,
like
the
ca
process
and
at
us
that
you
know
at
least
it
doesn't.
Let
nustar
claim
that
it's
yeah,
you
know
as
long
as
that
exists
and
there's
like
a
human,
readable
field
in
the
s
that
indicates
who
this
entity
broadly
is.
K
I
think
it's
okay,
just
commenting
you
know,
maybe
a
potential
solution,
just
having
ish
be
the
subject,
the
end
in
its
entirety,
in
a
string
form
that
would
have.
K
E
And
honestly,
I
I
don't
think,
there's
there's
a
ton
of
practical
difference.
I
mean
it
like.
I
said
I
think
the
intention
was
just
that
there'd
be
something
human
readable
in
the
passport
that
indicates
roughly
who
the
organization
is
and,
like
you
know,
doing
the
whole
subject.
Yeah
might
be
overkill
for
that,
but
like
if
people
think
there's
some
material
distinction.
Certainly
we
can
look
at
that.
E
I
mean
not
maybe
a
little
really
like
in
the
sense
of
I
think.
Like
I
said
it's
it's
useful.
It's
certainly
useful
that
nustar
not
trying
to
be
able
to
pass
itself
off
as
a
t
right,
so
I
mean
I
want
something:
that's
human
readable
that
has
some
forensics
around
it.
That
indicates
yeah
like
this.
This
is
the
entity
is
supposed
to
be,
and
yeah
be
good.
If
you
check
that
against
the
o
field
in
the
actual
cert.
F
The
important
part
is
that
it's
representing
that
the
information
came
from
a
third
party,
not
the
so
and-
and
you
know,
will
you
want
to
represent
that
to
the
user?
Somehow,
maybe
will
you
want
to
have
reputation
over
those
third
parties?
Maybe,
but
I
think,
that's
part
of
the
whole
framework
that
people
have
to
figure
out
going
forward.
K
E
If
you're
doing
reputation,
you
would
do
it
from
the
cert.
That's
the
point.
This
is
just
like
a
human
readable
hint
that
we're
embedding
into
the
passport
like
you,
you
reputation
should
be
based
on
rights
like
signed
it
and
that
should
be
based
on
the
cert
itself
and
so
again
I
look
at
look
at
this
as
just
an
indication
that
it
is
a
third
party
source.
F
F
J
Was
my
point
right
like
it
just
matters,
we
fix
it
one
way
or
the
other.
It
was
very
unclear
to
me
when
I
read
it
that
the
verifier
should
not
be
machine.
Checking
that
iss.
It
seemed
like
the
that
that
claim
needed
to
be
checked
in
order
to
know
whether
or
not
to
trust
the
rcd.
I
think
I
agree
that
that
that's
not
true,
you
should
just
be
checking
the
certificate,
but
it
hadn't
quite
occurred
to
me.
While
I
was
reading
it.
C
So
as
the
shepherd
for
this
document,
I'm
a
little
bit
confused
about
what
change
people
want
and-
and
I
warn
you
that
ldap
went
down
this
path
of
taking
a
subject-
name
and
converting
it
to
a
text
form
and
back
and
forth
and
they're,
not
always
one
to
one
and
onto
so.
I
think
we're
much
safer
if
we're
able
to
pick
a
portion
of
the
name
that
must
be
used
here.
K
I
think
I
think
so
long
to
john's
point
so
long
as
it's
clear
that
it's
not
used.
You
know
the
the
iss
claim
is
not
used
by
a
machine,
it's
purely
for
a
human.
It
doesn't
really
matter
as
long
as
people
don't
interpret
the
document
as
oh
I'm
going
to
use
that.
For
my
you
know,
reputation
analytics.
No,
that's
a
bad
idea,
then
yeah.
I
agree.
I
don't
think
it
matters.
F
K
K
F
Certainly
agree
with
that
approach.
If
everybody
agrees
with
that,
I
can
clar.
I
can
try
to
clarify
that.
C
Okay,
with
five
minutes
left,
I
think
we
have
a
way
forward
on
this
one.
Chris
are
there
other
issues
from
working
group
last
call
that
we
discussed.
F
Not
specifically,
unless
folks
have
any
further
comments,
but
so,
as
far
as
I'm
concerned,
I
got
the
initial
feedback
I
was
looking
for,
so
we
can
extend
it
a
little
more
or
we
can
continue
working
groups
last
call
either
way.
A
My
guide:
is
it
we're
going
to
need
a
rev
that
will
do
at
least
another
abbreviated
last
call
on,
depending
on
what
the
rev
looks
like.
F
Okay,
yeah
and
I'll
fix
that
that
specific
issue,
but
otherwise
I
don't
have
any
other
specific
changes.
A
So
I've
got
a
question
for
the
people
on
the
call,
given
the
conversations
that
we've
had
about
what
the
state
of
implementation
really
is
and
that
there
has
been
peer-to-peer
in
interrupt
testing
that
has
been
showing
up.
Issues
that
are
are
coming
back
to
us
to
address.
A
B
I
would
be
strongly
for
that
because
again
that's
romance
bounces
to
based
on
again
my
experience,
I'm
just
starting
to
see
a
lot
more
issues
when
then
versus
what
I've
expected
at
this
stage
of
implementation.
A
Silly
so
david
jack,
john
any
chris
anybody
else
with
you
know
big
implementations.
Would
it
be
something
that
you
would
you
would
attend
and
find
useful.
A
A
C
E
It
is
that's
that's
why
I
was
kind
of
hesitating
on
this
as
well
yeah,
I
feel
like
the
addis
test.
Bed
is
specific
to
shaken
right
and
like
if
the
itf
is
doing
this,
I
don't
really
feel
like.
We
should
be
measuring
shaking
compliance,
not
that
that's
the
the
hard
edge
on
this,
but,
like
I
mean
in
principle,
there's
nothing
I
think
precluding
us
getting
together
and
just
making
sure
implementations
work
together.
It
just
would
not
be
we're
going
to
make
this
compliant
with
like
this
out
of
spec.
C
F
I
was
going
to
say
that
I
was
going
to
ask
you
robert,
if
anybody
reached
out,
because
we
were
literally
talking
about
that
two
weeks
ago.
I.
G
J
B
Again,
at
the
very
least,
we
can
put
something
which
is
based
on
one
of
the
open
source
products
like
something
like
again
camellia,
open,
sips,
we'll
will
talk
to
http
api
and
use
your
headers.
That
should
be
very
straightforward.
D
Yeah,
I
just
posted
a
link
there
with
an
open
cp
in
in
europe,
which
is
doing
also
stir
and
chicken,
which
is
right
now
this
last
two
days
or
something
like
like
this,
so
it
would
be
interesting
to
see
what
brazil
they
got
from
this
event,
but
I
agree
that
would
be
a
great
idea
to
have
an
interrupt
because
as
more
people
are
developing
are
implementing
this,
I
think
more
issue
will
be
discovered.
B
Well,
one
of
the
things
that
I
see
and
then
again
I'm
not
sure
how
to
address
that,
like
the
issues
that
I
see
are
from
like
big
sbc
vendors
like
ribbon
and
I'm
not
sure
they
participate
in
the
ietf
directly.
At
least
I
haven't
seen
anybody
from
them
and
just
there
should
be
a
way
to
get
figure
out
a
way
to
get
them
involved.
B
C
Okay,
I
think
we've
run
over
a
minute.
Thank
you
all
for
your
active
participation.
I
think
we
got
some
good
issues
put
behind
us
and
the
next
thing,
if
we'd
had
more
time
to
talk
about,
was
the
messaging
doc
that
we
adopted
john,
I
think
we're
waiting
for
you
to
post
the
working.