►
From YouTube: TLS WG Interim Meeting, 2020-09-03
Description
TLS WG Interim Meeting, 2020-09-03
A
Okay,
okay,
so
thanks!
This
is
a
virtual
meeting
for
the
tls
working
group
focusing
on
ech.
As
I
just
mentioned,
this
session
is
being
recorded.
We're
experimenting.
If
you
want
to
leave
your
video
on.
A
You
can
try
that
out
and
see
how
it
works
but
make
sure
you're
muting
your
microphone
unless
you're
speaking
just
to
minimize
the
extraneous
noise
we'll
try
to
use
the
queuing
mechanism,
although
with
a
smaller
group
of
people
here,
we
may
not
have
to
be
quite
as
formal
but
I'll
try
to
monitor
the
queue
and
maybe
chris
can
as
well.
There
are
blue
sheets.
The
kodi
md
link
is
in
the
chat
which
you
may
have
access
to.
A
Sometimes
that
doesn't,
if
not
it's
on
the
slides
or
I
think
in
the
meeting
announcement
as
well
or
the
show
sent
in
the
announcement
and
if
somebody's
on
jabber
and
can
relay
any
questions
from
jabra.
That
would
be
great.
A
The
meeting
well,
what
one
they've
just
been
posted
to
the
blue
sheep
to
the
chat.
B
Yes,
good
because
the
problem
is
that
you
can't
click
on
the
slides,
they're
being
displayed
and
they
and
they
don't.
They
don't
have
the
url.
They
just
have
the
subject,
but
I
got
it
thanks.
A
Yeah
and
the
slides
should
be
in
the
meeting
materials
for
this,
but
they
may
not
be
obvious
because
how
to
get
to
that
I
apologize
for
not
including
that
information
in
the
announcement.
So
hopefully
people
can
do
that.
Here's
the
note
well
for
folks
that
are
you've
all
seen
this
before
I'm
sure
so
just
make
sure
you
adhere
to
the
best
practices
and
we're
here
to
talk
about
ech.
So
what
I'm
gonna
do
is
bring
up
the
github
pages
and
then
go
on
mute
and
listen
to
chris.
C
At
cool,
can
you
start
with.
D
C
All
right,
so
the
the
summary
if
you've
not
gone
through
this
issue
is
basically
as
follows.
Right
now,
in
the
current
design,
clients
are
required
to
use
trial
description,
to
figure
out
whether
or
not
the
inner
or
outer
client
hello
was
accepted,
which
is
a
problem
for
a
number
of
reasons.
C
Perhaps
paramount
is
that
it
complicates
the
quick
tls
interface
in
a
needless
web,
so,
ideally,
clients
have
a
way
or
that
the
tl
stack
has
a
way
to
determine
which
of
the
client
hellos
was
chosen
without
consulting
quick
earning
any
part
of
the
protocol.
So
there
are
a
number
of
options
here:
option
zero,
one,
two,
three
three
prime!
C
C
Okay.
Yes,
so
there
are
the
three
proposals:
each
with
a
backing:
tr
the
one
that
seems
to
be
gaining.
The
most
momentum
is
287
number
three
here,
which
adds
an
explicit
signal
confirmation
by
reusing
some
bytes
in
the
circle
random.
C
C
And
I
guess
chris:
do
you
want
to
say
anything
more
about
the
particular
design
or
the
change.
E
Oh,
I
don't
think
so.
I
I
mean
I
don't
I
but
like
like
from
a
from
a
proof,
perspective
or
or
something
else.
E
Yeah,
so
the
idea
is
basically
to
provide
an
explicit
signal
of
acceptance
so
that
you
don't
have
to
that.
You
don't
have
to
do
trial
decryption.
So
what
happens?
Is
the
the
client
sends
an
ech
extension
in
its
client,
hello,
inner,
which
has
this
eight
byte
random
value
that
it
expects
to
see
in
the
server's
server
hello
random?
E
E
From
from
an
analytical
perspective,
it
doesn't
seem
to
do
that
much
damage
because
we're
just
using
eight
bytes.
An
active
attacker
could
of
course,
control
these
eight
bytes
and
and
and
increase
the
probability
of
a
of
a
a
server
random
colliding
with
a
previous
server
random.
But
there
are
still
24
bytes
of
entropy,
so
this
risk
seems
seems
pretty
pretty
minimal.
C
Yeah
and
the
probability
of
false
positives,
that
is
the
eight
bytes,
for
example
the
client
accidentally
interpreting
that
as
rejection
rather
than
acceptance
or
whatever
is
like
small
enough
such
that,
like
tcp
failures,
happen
more
often,
so
I
don't
think
we're
really
concerned
about
that.
B
Yeah
I
mean,
I
think
this
is
probably
I
I
we
spent
a
lot
of
time
on
this.
Obviously
I
think
this
is
probably
the
best
approach.
I
have
some
complaints
about
the
way
it's
spelled,
which
I
can
like
put
in
comments.
Specifically,
I
don't
think
having
two
variants.
The
extension
is
a
good
idea.
We
should
have
two
different
code
points,
but
I
think
this
is
a
fine
general
approach,
and
I
just
I
think,
probably
that's
the
thing
is
people
agree
on
the
normal
approach.
C
Okay,
cool,
that's
the
case,
yeah
chris.
Let's
just
work
through
the
issues,
any
comments
that
happen
to
come
up
on
the
pull
request:
yeah
jonathan,
do
you
wanna,
come
to
the
mic
and
ask
your
question.
F
Okay,
so
I
was
thinking
about
this
a
little
while
ago,
and
the
server
could
in
an
unencrypted
extension,
send
back
a
blob
like
a
number,
and
the
indication
of
acceptance
would
be.
It
would
compute
the
whatever
key
for
the
inner
client,
hello,
hash
it
with
some
label,
and
that
would
be
its
response
and
otherwise,
if
it
was
rejecting
or
if
it
didn't
it
couldn't
decrypt.
F
It
would
just
put
random
data
in
this
unencrypted
extension,
and
that
would
mean
you
end
up
with
the
external
observer,
can't
determine
whether
or
not
you
have
the
server
actually
accepted
and
rejected.
You
can
tell
if
the
server
doesn't
support,
but
it
can
tell
that
anyway,
you
can
tell
if
the
server
accepted
or
rejected,
and
otherwise,
but
it
can't,
but
the
excel
episode
can't
tell
sorry
the
external
observer
can't
tell
whether
acceptor
rejects,
but
the
clients
can.
B
F
A
problem
we've
we've.
Well,
if
I
understand
this
correctly
this
proposal,
we
already
have
that
problem.
B
F
Well,
actually,
yeah,
we
could
do
the
same
thing.
We
could
smuggle
it
in
the
server
hello
random
as
well,
actually,
because
that
that
actually
follows
the
same
protocol.
C
Nope,
this
is
taking
basically
a
secret
value
that
the
client
sends
in
the
inner
client,
hello
and
putting
it
in
the
server
hello,
random
and,
from
the
midwest
perspective,
that's
not
actively
probing
to
figure
out
whether
it's
not
just
ech
is
supported.
It
just
looks
like
any
other
random
names,
so
I.
B
Actually,
I
do
think
jonathan's
onto
something
here
a
little
bit,
which
is
that.
Well,
I
can't
what
the
issue
number
is
when
we
get
to
ech
knots.
B
If
we
get
rid
of
vch
knots,
then
then
we
can
just
have
the
low
eight
bytes
be
a
digest
of
client
random,
which
line
runner
has
to
be
random
anyway,
and
then
we
can
dispense
with
the
signal
in
the
client,
hello,
yep
good
point,
so
I
mean
it's
just
distributed
optimization,
but
it's
it'll
make
life.
It
makes
life
somewhat
simpler.
B
I
mean
you
could
echo
it
too,
but
but
echoing
is
visible
worse,
I
just
I
actually
well,
oh
I
won't.
It
can't
just
be
a
digest
because
it's
a
problem
yeah,
I
do
have
to
keep
it
somehow
that
won't
work.
C
By
the
way,
I
think
I
think
we
know
like
what
are
the
properties
that
I
think
that
need
to
go
in
the
server
hello,
random
and
we
can
like
white
shed
on
like
the
details
later
on
potential
optimizations.
But
yeah
ben.
G
F
B
Yeah,
I
think
I
think
I
think
that
would
be
quite
difficult
because,
because,
given
that
you're,
probably
quite
possibly
offering
different
client
different
different
key
shares
in
the
two
client
hellos,
then
you're
effectively
having
to
try
out
the
crypt
at
that
point
so
as
you're
trying
to
do
to
feed
humans.
Like
I
mean
I,
I
think
it's
certainly
this
only
idea
worth
iterating
on,
but
after
after
like
after,
like
five
minutes
at
one
full
start,
I'm
less
confident
we
can
make
it
work.
B
But
if
someone
I
mean
I
certainly
I
like.
I
don't
like
that.
I
don't
love
the.
I
don't
love
the
thing
in
the
client
hello,
so
we
can
finally
get
rid
of
it.
I'm
certainly
in
favor
of
doing
that.
C
Okay,
unless
there's
any
other
objections,
chris,
let's
just
work
forward,
closing
out
this
pr
incorporating
all
the
suggestions
from
everyone.
So
again,
the
pr
is
linked
here,
number
287!
You
have
specific
comments
on
how
it's
spelled
by
chatting
whatever.
Please
take
a
look
at
your
comments.
There,
your
feedback
there
we'd
like
to
close
on
this
one
soon,
because
it's
one
of
the
big
things
that's
blocking
implementation,
going
forward.
C
All
right,
yeah
and
we'll
close
out
the
other
two.
Thank
you
joe.
Can
we
go
back?
Actually,
I
think
it'd
be
good
to
talk
about
the
non-saying,
yet
next
so
number
253.
I
think
it
is.
C
Okay,
so
thanks
ben
for
filing
this,
the
the
channel
sort
of
carried
over
from
previous
incarnations
of
design
back
when
it
was
just
esni
and
it
had
a
valid
use
at
the
time
in
preventing
this
client
reaction
attack.
C
But
given
how
the
design
has
morphed
lately
and
the
fact
that
the
interclan
hello
presumably
has
a
different
secret
random
value
than
that
which
is
in
the
outer
client,
hello,
it
may
be
redundant
and
we
might
consider
removing
it
rather
than
clarifying
its
existence.
There
are
a
couple
caveats
here.
C
In
particular,
it
does
need
to
remain
secret
in
order
for
this
to
be
like
effective,
that's
a
key
property
of
the
echoes
right
now
like
if
it's
revealed,
then
this
reaction
attack
is
potentially
possible
and
there
may
be
servers
that
somehow
leak.
You
know
bits
of
the
client
hello
at
the
client,
hello,
random
or,
like
maybe
even
other
extension,
values
like
the
ech
nonce.
C
So,
if
we're
reasonably
sure
that
the
a
the
random
values
from
the
inner
outer
claim,
hello
are
different,
that
is
independently
generated
at
random
and
that
the
inner
hello,
client
random,
is
never
leaked
by
any
entity
who's.
Actually,
who
has
visibility
into
it?
Then
we
may
be
able
to
remove
it
after
discussions
with
karthik
and
some
others,
so
ecker.
E
Hi,
so
I
just
wanted
to
make
people
aware
of
the
pr
for
this,
so
this
pr
removes
the
ech
nonce
and
it
clarifies
the
server
the
the
client
behavior
around
generating
the
the
the
inner
client
hello,
random.
E
E
I
changed
the
I
updated
the
the
the
discussion
in
security
considerations
about
this
client
reaction
attack
to
say
that
the
secrecy
of
the
client,
hello,
the
inner
client,
hello,
random,
prevents
that
attack.
I
guess
we
should
all
you
know
we
should
all
agree.
We
should
all
try
to
agree
that
that's
actually
the
case
worth
talking
about.
B
Yeah
so
yeah
I
mean,
I
think
chris
aren't
hurting
this
chris
wood
and
I
was
again
this
morning.
The
reason
we
kept
this
was
because
there
was
some
fear
that
servers
might
leak
declining
a
little
random,
for
instance,
a
ticket
so
and
bear
in
mind
that,
like
the
the
the
ticket
doesn't,
the
ticket
does
not
currently
have
a
secrecy
requirement.
The
so
I
mean
like,
for
instance,
you
might.
B
I
mean
I
don't
know
why
you
do
this,
but
you
might
like
basically
embed
the
entire
client
hello
in
the
in
the
in
in
the
ticket
and
obviously,
if
that
were
the
case,
then
you
would
that
wouldn't
work.
They
always
had
that
with
the
case
that
this
would
not
work.
But
with
that
said,
if
you
leave
the
client
hello
in
the
ticket
and
you
leak
the.
D
C
So
ecker,
you
were
breaking
up
quite
a
lot,
but
what
I
think
I
heard
you
say
is
that
if
you
expect
a
server
to
leak,
the
client,
hello,
random,
it's
presumably
it's
plausible
that
that
same
server
would
also
leak.
Potentially
other
information
about
the
extensions,
including
the
ech
nods.
B
I
B
Okay,
so
what
I
was
saying
was
that,
given
that
we're
hypothesizing
servers,
which
have
which
have
unknown
behavior
and
leaked
parts
of
things,
the
only
way
to
fix
that
is
by
pulling
stuff
out
of
the
key
schedule
and
shoving
it
back
in,
and
we
can't
do
that
without
making
major
modifications
like
the
clock.
The
communication
between
the
facing
and
the
back
end
server.
C
Okay,
so
I
guess
the
question
on
the
table
is:
do
we
believe
that,
with
this
sort
of
change
where
in
which
we
make
it
clear
that
the
the
two
client
hello
randoms
need
to
be
different
and
that
the
inner
one
needs
to
remain
secret,
whether
or
not
that's
sufficient,
or
we
need
something?
A
bit
stronger.
E
I
think
the
question
is:
how
long
does
it
need
to
be
secret?
It
needs
to
be
secret.
It
needs
to
be
unpredictable
to
the
adversary
prior
to
the
client,
consuming
the
servers,
the
the
server's
first
flight.
C
I
I
mean
yeah,
I
don't
really.
I
don't.
I
don't
know
if
that's
a
useful
distinction,
but
perhaps
it
is
but
yes
it
like
it
cannot
be
revealed
up
before
that
point.
Certainly
so.
F
D
B
So
we
do
end
up
with
some
hack
where
server
hello,
random
is
derived
from
client
all
random.
Then
that
of
course
has
to
be
to
client
leverage
as
a
secretary.
G
Right
so
actually
I'm
an
independent
of
of
anything
to
do
with
encrypted
client
hello.
If,
if
session
resumption
is,
is
revealing
the
the
client,
hello
random
in
clear
text,
then
an
observer
now
can
can
link
the
resumptions
back
to
the
original
session.
G
Like
which
seems
like
you
know,
a
problem,
bad
enough
that
we
might
want
to
prohibit
that
if
we're
worried
that
it
might
be
a
behavior
in
the
wild.
C
Yeah,
okay,
does
anyone
have
any
objections
to
this?
I
guess
proposal
going
forward
with
the
added
clarity.
C
What
proposal
two
independently
generated
random
values?
Language
around
the
inner
one,
saying
that
it
must
be
kept
secret.
C
Are
you
asking
like?
Are
you
suggesting
a
way
to
generate
the
two
random
values?
Oh
yeah,
I
mean
I
mean
it
seems
like
an
implementation
detail
that.
F
You
can
do
it
without
having
to
have
three
sorry.
If
you
derive
it
from
three
different
labels,
then
you
can
have
one
that
remains
secret,
because
it's
never
transmitted
and
one
that's
the
outer
and
one
that's
the
other.
B
For
example,
yeah
I
mean,
let's,
let's
this
seems
like
a
detail
of
how
one
writes
when
it's
prng.
C
C
C
Christian,
do
you
want
to
comment
at
the
mic
regarding
287?
I
know
it's.
We
kind
of
moved
past
that,
but
I'm
not
sure.
I
Yeah
I
I
I
was
looking
at
that
I
was
going
to
add
a
me
too.
Yes,
I
like
it
to
287,
and
then
I
think
I
have
an
attack
against
that
and
the
attack
is
suppose
a
man
in
the
middle
observes
the
client
hello
forwards
it
to
the
server
receives
the
server's.
Hello,
blocks
it
and
sends
and
creates
its
own
response,
as
if
it
was
a
server
responding
to
the
outer
initial
client
hello,
but
does
copy
the
first
eight
byte
of
the
server
hello
random
into
its
own
server,
hello,
random.
I
Then
I
think
you
have
an
oracle.
Is
that
the
the
client
will
cda?
If
the
client
is
doing
ech,
it
will
react
to
the
eight
bytes
and
try
to
use
the
the
ech
secret
and
the
connection
will
fail,
and
thus
the
server
can
see
that,
because
the
question
doesn't
progress.
Your
client
with
and
the
server
are
doing,
the
ech.
C
Yeah,
I
don't
think
this
design
is
specifically
intended
to
prevent
that
sort
of
active
attack.
I
mean
there's
certainly
other
ways
to
figure
out
whether
or
not
a
particular
connection
it
makes
use
of
ech,
depending
on
like
what
sort
of
capabilities
you
assume
the
beyond
path
attacker
to
have
and
how
much
active
probing
or
what
not
it's
willing
to
do.
C
I
So
that
means
that
it's
observed
by
outsider
and
it
can
be
used
in
a
variety
of
replay
attacks,
and
I
just
draw
one
that
would
not
happen
if
the
eight
bytes
were
somehow
constructed
so
that
they
could
not
be
guessed
by
a
third
party,
for
example,
if
changing
in
a
but
I
mean
maybe
I'm
just
over
concerned.
C
I
think
it's
good
to
think
these
things
through.
Clearly,
perhaps
if
you
could
articulate
the
attack
in
a
bit
more
detail
on
the
issue
of
the
pull
request,
further
examine
it,
there.
I
J
Yeah,
I'm
just
a
little
confused
was
that
a
because
of
the
eight
by
is
that
about
two
seven
four
or
the
one
we're
discussing
now
253,
where
there's
a
concern
about
the
attack.
C
That
was
the
previous
one.
I
believe
287.
C
C
Yeah,
okay,
so
let's
follow
up
on
the
pr
there
and
think
through
that
case,
just
to
make
sure
that
there's
no
inherent
problems
but
yeah
thanks
again
for
flagging
it.
So
back
to
this
one,
that's
open
right
now
it
doesn't
look
like
there's
any
particular
strong
objections
to
it.
So,
chris,
your
pr
is
linked
from
this
issue.
Right.
C
An
actual
comment
in
it:
okay,
yeah,
let's
similar
to
that
one,
let's
just
review
it
and
then
move
it
forward
and
then
close
it
out
and
thanks
again
to
ben
for
filing
the
issue.
C
All
right,
number
264.
C
C
All
right,
okay,
so
one
of
the
details
we
lay
on
the
spec
is
that
endpoints
must
pad
parts
of
their
handshake
flight.
In
order
to
hide,
you
know
metadata
that
would
leak
otherwise
like
size
certificate
that
might
depend
on
the
s
and
I
or
other
things
we
can't
rely
on
record
layer
padding
to
do
so,
but,
as
david
lays
out
on
the
issue,
this
could
be
problematic
for
quick
implementations.
C
There's
also
a
potential
to
do
it
with
extensions
on
certain
messages
in
the
handshake,
like
you
could
add,
it
make
an
exception
for
padding
being
added
to
the
certificate
message
or
to
ee
or
whatever.
There
are
some
comments
in
here
that
suggests
that
doing
it
you
do
going
down.
The
extension
route
is
perhaps
not
the
best
or
best
path,
particularly
if
you
consider
what
happens
with
certificate
compression.
C
So
I
think
the
the
proposal
here
is
to
add
a
new
handshake
message.
That's
specifically
designed
for
to
carry
padding
bytes
and
the
part
of
the
record
layer
that
looks
at
the
handshake
message
and
dispatches
it
to
the
state
machine
similar
to
ccs.
We
just
you
know,
consume
this
padding
message
and
drop.
It
on
the
floor.
Unfortunately,
david
is
not
here
to
speak
to
it.
I
don't
think
so.
C
B
Becker
yeah,
I'm
really
not
enthusiastic
about
adding
a
new,
a
new
padding,
a
a
new
padding,
investing
message,
yeah
that
seems
like
gross.
So
I
guess
I
don't
quite
understand
why
we
can't
add
all
the
padding
in
ee.
If
we
have
dad
padding.
B
C
I
guess
I
mean
from
the
server's
flight,
it's
I
guess
I
don't
see
an
issue
with
it
either.
I
don't
know
if,
like
the
client,
doesn't
have
any.
B
Because,
like
you
know,
if
the
problem
is
that
we
like
need
to
put
things
in
other
places
like
the
idea
that
we're
going
to
add
a
new
handshake
message
and
we
use
a
state
machine,
especially
for
the
purpose
of
like
saying
nothing
like-
does
not
work
well.
For
me,.
B
Because
it's,
it
just
seems.
C
B
Seems
like
it
seems
like
extremely
a
point:
fixer
lynn
should
have
a
generic
solution.
B
C
Okay,
nick.
K
Sorry,
I
added
myself
to
the
queue
to
comment
that,
from
the
quick
perspective,
managing
padding
at
the
quick
layer
will
be
horribly
complicated,
so
we
need
some
sort
of
padding
in
the
tls
layer.
I
don't
have
strong
opinions
on
where
tls
puts
that
padding
in
so
what
ecker
was
suggesting
of
putting
an
e
instead
of
in
a
new
handshake
message,
I
think,
sounds
fine
yeah.
B
But
we
also,
I
don't,
because
I
don't
understand
why
you
would
need
to
add
clients
or
we're
clients
of
our
padding.
Are
you
talking
about
the
the
client
hello
or
about
the
client
certificate.
C
B
But
I
mean
I
guess
right.
I
think
that's
certainly
true,
but
bear
in
mind
that,
like
I
mean
like
lots
of
things,
are
going
to
vary
based
on
what
server
it
is
right.
You
know
once
talking
like
my
message.
High
traffic
analysis,
like
what
you
know
is,
is
the
uri
gonna
vary.
So
I
don't
think
that's
actually
that
helpful,
but
in
any
case
so
I
think
yeah.
I
think
that's
that's
that,
like
this
seems
like
a
separate
problem.
C
Yeah
I
I
guess
we
can
go
to
differing
extremes
here
with
humber.
Well.
B
I
guess
because
let
me
point
out
that,
like
the
seems
like
it
seems,
the
client
certificate
leakage
has
like
much
more
serious
problems
than
than
then
with
sni,
because
you
know
you
have
multiple
clients
going
into
the
same
known
server
and
you're,
apparently
looking
at
any
of
those.
So
it
seems
like
if
that's
an
issue
like
that's,
that's
a
solution
which
can
be
detached
from
this
particular
problem.
C
Yeah,
I
would
agree
with
that,
like
whatever
mechanism
you
happen
to
use
to
address,
the
padding
for
ech
could
probably
be
used
to
solve
that
particular
problem
as
well,
be
it
like
an
extension
somewhere
on
the
client's
flight
after
ee
or
after
the
service
fight
or
a
handshake
message
like
I,
too,
don't
really
have
a
strong
preference
as
long
as
it's
not
in
the
record
layer,
as
nick
and
david
has
pointed
out,
I
agree.
C
Yeah.
Does
anyone
have
a
strong
opinion.
E
Chris,
I
just
wanted
to
mention
the
thing.
One
thing
we're
not
talking
about,
which
is
definitely
less
of
a
risk
than
leaking
the
sni
is
there's
a
lot
of
there's
a
lot
of
things
in
the
spec
about
don't
stick
out
like
padding
to
make
sure
like
on
ech
rejection,
you
pad,
like
it's
optional,
for
non-ech
servers
to
pad
to
hide
the
fact
that
ech
rejection
has
happened.
I
don't
I
don't
know.
I
don't
know
how
that
concern
relates
to
the
questions
on
the
table.
I
just
wanted
to
bring
that
up
all
right.
B
I
think
one
more
point:
you
know
david
ben
points
out
that
the
reason
you
can't
do
just
a
gen
extension.
The
certificate
message
is
because
the
certificate
compression
draft
you
know
compresses
the
entire
method,
exactly
like
we
could
just
pull
out
of
the
rfc
or
can
fix
that.
I
mean
if
we
decide
that
was
the
wrong
answer
like
we
need
to
fix
that.
B
So
I
I
I
guess,
I'm
not
sure
it
is
the
right
answer,
but
I
guess
what
I'm
saying
is:
if
people
think
that's
off
the
table,
because
the
documents
approved
that's
off
the
table.
B
48
yeah,
okay,
but
I
mean
so
like.
Maybe
the
chair
could
put
press
the
plus
button.
H
Okay,
I
will
push
the
pause
button
for
certification.
Thank
you.
C
C
But
all
this
is
sort
of
like
extra
anyways,
I
mean
different
implementations
might
go
to
different
degrees
of
how
much
padding
they're
willing
to
do
to
hide
these
things,
like
padding's
not
required
to
make
the
protocol
work.
So
I
don't
consider
this
a
real
blocker,
but
it's
something
which
should
grow.
E
One
thing
is
that
if
we
should,
we
should
double
check
the
draft
to
see
if
there's
any
must
pads.
I
don't
know
that
there
are,
but
that's
worth
that's
worth
following
up
on
just
in
case.
You
know
we
don't.
Actually
you
know
if
we
don't
actually,
if,
if,
if
yeah
yeah,
basically,
if,
if
implementations
do
different
things,
we
still
want
to
make
sure
that
the
standard
they're
standard
compliant.
So
it's
worth
coming
through
the
spec.
I
think.
C
Yeah
agreed,
would
you
mind
chris
if
you're
in
that
issue
right
now,
could
you
make
a
note
of
what
we
just
talked
about?
Basically,
people
are
in
favor
of
not
record
layer
yep.
Thank
you.
G
All
right
can
we
go
to
263
next
ben
schwartz.
I
just
wanted
to
on
the
on
the
topic
of
unsolicited
padding
extensions.
I
just
wanted
to
ask:
is
there
a
way
to
to
implement
the
client,
hello,
the
inner
client
low,
padding
using
the
unencrypted
client,
hello,
padding
extension,
which
would
then
be
encrypted
by
ech.
B
Yeah,
I
think
that's
exactly
right.
I
think
that
the
client
pads,
so
my
thesis
would
be
that
the
client
pads
with
the
standard,
padding
extension
and
the
server
then
and
then
we
remove
the
restriction.
The
server
can't
add
their
own
padding
extension
and
they
put
it
in
the
e
and
then
it's
not
unsolicited
and
we're
good
to
go
and
then
there's
an
edge
case
where
the
client
doesn't
have
what
the
server
wants
to.
B
But
that's
just
don't
because,
like
the
you
know,
because
the
supply
was
too
lazy
to
pad
and
the
server
padding
is
not
going
to
help
us.
So
that's
that
that
seems
like
the
easiest
solution.
C
Yeah
I
would
like
to
find
a
good
place,
for
I
mean
to
solve
the
I
mean
the
separate
problem
of
perhaps
hiding
what
the
client
serve
is
by
the
size.
I
would
like
to
at
least
have
an
answer
to
that
as
well,
even
if
it
is
orthogonal
to
this
particular
issue,.
B
I
I
think
I
mean
but
bear
in
mind
that
you
could
solve
actually
by
having
that
you
can
actually
solve
by
having
a
by
by
pat.
So
I
mean
that
this
is
why
super
compression
thing
is
relevant
right
because
that
you
could
solve
by
having
a
certificate
in
the
second
message
having
the
server
and
although
unsolicited
certificate
extensions,
I
think,
are
forbidden
that
this,
because
that's
a
response
to
certificate
request,
you
could,
you
could
have
the
extension
there.
Yeah.
C
C
Okay,
well
with
ben,
putting
the
pause
on
I'm
sorry,
too,
victor
and
alexander
over
here.
We
can
sort
that
out.
C
Okay,
so
this
next
issue-
oh
right,
so
for
the
extension
compression
mechanism
that
we
have
in
the
spec
right
now
there
is
this
hash,
that's
included
of
the
what
should
be
the
effectively
reconstructed,
client,
hello
and
chris
is
asking
here
whether
or
not
that's
actually
useful.
Chris.
Do
you
want
to
elaborate.
E
Yeah,
so
from
where
I
from
where
I
stand,
it
seems
to
be
redundant,
at
least
in
so
far
as
if
the
client
hello,
if
the
outer
extensions
are
manipulated.
It's
going
to
change
the
client,
hello,
inner,
the
client
and
and
back-end
server
aren't
going
to
agree
on
that
value.
So
that's
basically
just
an
active
attack.
That's
what
it
amounts
to,
but
ecker
pointed
out.
This
kind
of
you
know
kind
of
weird
corner
case.
E
Where
there's
you
know
you,
you
have
these
sort
of
it's
it's
it's
possible
to
come
up
with
contrived
examples
of
extensions
that
that
kind
of
break
the
privacy
of
s
I
and
the
this
this
mechanism.
Basically
this
this
this
this
binding
of
the
outer
extensions
to
the
client,
hello,
inner,
prevents
this
attack.
So
basically,
what
we
have
is
a
strictly
stronger
security
property
for
the
client,
hello,
inner,
that's
consumed
by
the
back-end
server
than
what
is
usual
for
like
tls.
E
So
I
you
know,
I'm
not
opposed
to
leaving
the
mechanism
in
there.
I
would
just
I
thought
it
warranted
discussion
like
are
there?
Are
there
more
natural
examples
of
extensions
that
would,
for
which
this
stronger
security
property
would
be
useful.
B
So
I
don't
have
a
more
natural
example.
I
think
part
of
what
happened
here
is
that
you
know
we
found
it
so
hard
to
reason
about
everything
involving
ech,
that
that
I
decided
that
when
I
th
that
this
was
a
sketchy
enough
kind
of
like
situation
that
that
that
it
was
better
to
be
there
on
the
safe
side,
I
think
is
basically
what
happened
here
that
you
know
a
lot
of.
I
mean.
B
Basically,
we
have
a
lot
of
problems
with
the
substitution
of
individual
parts
of
the
internet,
hello
and
the
advantage,
and
so
like
here.
Here's
how
you
get
to
this
point
is
you
say:
look
we've
had
problems
substituting
inner
parts
to
client,
hello
and
so
now
we're
gonna
we're
gonna,
we're
gonna,
take
the
entire
thing
and
bundle
an
ech,
and
that
provides
both
confidentiality
and
integrity
for
the
entire
thing.
And
so
like
that's
a
good
property
and
we
agree,
we
can
analyze
that
easily
and
then
you
say:
okay,
but
that's
too
big
how
you
compress
it.
B
And
so,
when
you
compress
it,
you
don't
want
to
remove
the
property
of
having
integrity
for
the
entire
thing,
and
so
that
that
that
means
binding
between
the
inner
hour.
So
I
guess,
unless
we
had
a
very
like
this-
is
a
complicated
system
that
it
seems
like
like
leaving
the
door
open
for
obvious
mistakes.
Later
is
not
a
good
idea.
B
E
I
don't
I
don't
necessarily
I
don't
I
don't.
This
is
kind
of
maybe
nitpicky,
so
I
I'm
not
gonna,
I'm
not
really.
I
don't
really
have
a
strong
opinion
about
this
at
this
point.
I
think
that
though,
basically
I
don't
know
that
it's
providing
additional
integrity,
but
it's
certainly
it's
kind
of
like
it's
kind
of
like
encryption
with
associated
data.
E
So
it's
if
you're,
if
you're
you
know,
if
you're
so
so,
basically
what
we
have,
what
we
need
from
the
from
the
from
the
encrypted
client
hello
encryption
mechanism
is
indcca
security
and
this
amounts
to
an
attack
on
the
ind
cca
security
of
the
thing
when
you
have
associated
data,
so
the
what
we're
effectively
like
what
we're
effectively
in
endowing
hpke
with
is
public
key
encryption
with
associated
data
and
whether
that's
necessary
or
not,
I
think,
depends
on
how
you're,
how
you're,
using
how
you're,
using
the
outer
extensions
I'm
happy
with
the
revolut
the
resolution
being.
E
Let's
just
do
the
conservative
thing,
it
doesn't
hurt
anything,
it's
not
that
expensive.
So
I'm
happy
to
to
to
leave
the
mechanism
as
it
is
and
close
the.
E
C
That
sounds
good.
Are
there
any.
C
C
C
Please,
okay,
chris,
I'm
just
going
to
turn
this
over
to
you
to
talk
about
the
issue.
E
Oh
yeah,
okay,
so
yeah.
Where
are
we?
Basically,
we
wanna
what
we
want,
what
the
so
the
people
who
have
like
chimed
in
on
this
issue.
We
all
basically
agree
that
we
would
like
for
the
extension
compression
compression
mechanism
to
preserve
the
order
of
the
extensions
which
the
current
mechanism
doesn't
so
there's
a
proposal
for
doing
this
and
we
haven't
gotten
much
feedback,
there's
some
pushback
from
martin
thompson.
If
he's
here,
he
he
can.
E
He
can
comment
on
it,
but
basically
there's
a
proposal
and
for
fixing
this
and
I'm
looking
for
feedback.
I'm
waiting
for
feedback.
B
So
your
proposal
is
to
have
multiple,
multiple
extensions.
E
Yeah,
so
right
now
the
idea
is
we
have
so
this,
so
this
sort
of
this
sort
of
okay,
I
this
sort
of
breaks
the
semantics
of
of
extensions
as
usual.
My
thinking
is
that
client,
hello,
inner,
isn't
a
real
handshake
message.
Sure
it's
it's
something
that
you
need
to
actually
inflate
and
send
to
the
back
end
server.
So
I
figured
that
it
would
be
okay
to
violate
that
rule.
Sure
yes,
you're
triumphantly.
B
E
B
So,
okay,
so
I
guess
I
I
have
to
say
this
so
syria,
so
do
you
have
n
hashes
then.
E
No
so
there's
two
extension
points
for
this
for
this
mechanism:
there's
outer
outer
extension
and
for
each
for
each
extension.
You
want
to
shallow
copy
into
the
client,
hello
inner.
You
replace
that
extension
with
that
extension
point
and
then
the
payload
is
just
the
the
extension
type.
That's
right.
Yeah
pointed
to
okay,
yeah,
okay
and
then
there's.
B
Right,
okay,
yeah,
because
that
was
the
objection
to
my
design,
which
is,
I
had
n
hashes,
which
my
thesis
was
by
the
way
that
like
why
not
because
you're
not
so
so
my
original
design
was
each
each
hash
was
the
hash
of
the
thing
you
were
plugging
in
as
opposed
to
being
a
total
hash,
and
so
so
I
think
I
think
the
objection
was
so.
I
think
I
think
the
question
here
is
is:
is:
are
there
yeah?
So
this
is
fine.
E
Yeah,
I'd
like
to
I'd
be
curious.
Okay,
I
mean,
because
I
know
that
martin
thompson
has
so
he's.
You
know
he's
suggesting
something
that
actually
provides
better
compression.
So
this
my
mech,
the
current
proposal
is,
is
really
simple.
It
only
actually
provides
a
benefit
if
you
compress
enough
extensions,
so
there's
a
threshold
that
you
need
to
cross
for
it
to
be
valuable,
which
is
worth
discussing,
and
I
think
the
other
issue
is
whether
people
are
going
to
be
fine
with
using
multiple
extension
points
in
the
same
synthetic
message.
D
B
B
Right,
it's
only
barely
worth
it,
though
I
mean
so
you're.
I
assume
usually
56
effectively.
E
B
So
this
is
only
so
in
this
scenario,
where
you're,
offering
p256
and
and
two
five
five
one
nine
by
nine,
you
save
about
50
bytes
right
right.
G
B
E
B
B
If
you
have
post
quantum,
then
then,
then,
then
your
design
is
pretty
good
or
even
my
design
was
pretty
good
right
right,
so
I
mean
the
rationale
for
doing
the
rationale
for
having
something
more
complicated
is
you've
got
a
lot
of
big
things,
yeah
a
number
of
sort
of
modest
sized
things,
each
of
which
needs
to
compress
right,
and
I
think
that-
and
so
you
know
I
just
like-
I
just
think
like
before,
like
like,
rather
than
sort
of
designing
in
a
vacuum,
we
should
actually
go
look
and
like
see
like
a
typical
client
hold
on
how
many
things
are
going
to
benefit
from
this
treatment.
E
And
it's
a
good
idea,
so
I'm
working
on
a
prototype
and
go
and
I'll
I'll
I'll
I'll,
implement
this
mechanism
and
and
see
if
it
makes
sense
and
report
back.
C
Chris
ben,
I
think
you're
next
schwartz.
G
I
just
want
to
try
to
understand
whether
this
is
motivated
by
allowing
the
representation
of
arbitrary
extension
orders
or,
if
there's
some
other
reason,
why.
You
think
the
current
model
is
insufficient,
because
I'm
not
aware
of
a
reason
that
we
need
to
be
able
to
represent
extensions
in
an
arbitrary
order.
E
That's
a
good
question.
The
thing
I
worry
about
is
there's
already
a
rule
in
8446
that
says
when
like
when,
when
that,
when
you
can
send
a
pre-shared
key
extension
like
in
what
order
in
this
in
the
in
the
client
hello,
I
worry
about
messing
things
up,
if
which,
if
the
the
order,
like
somehow
our
transformation
of
client
hello,
enter
to
compressed
client,
hello,
inner
if
it
changes
the
orders
of
things
that
could
change
the
expectations
of
the
client
and
mess
up
mess
up
logic
on
the
client
side.
E
So
basically,
I'm
worried
about
ossification
of
ex
around
extension
order
on
on
on
the
client
side
that
I
mean
so
that
the
issue
like
I
mean
there.
I
think
that
people
generally
seem.
That's
generally
seem
to
agree
that
that's
a
that's
a
that's
a
safe
thing
to
do.
I
forget,
if
you,
if
you
chimed
in
on
this
issue
or
not.
G
E
But
there
then
there's
also
like,
like
eight
four
four
six
makes
an
ex
like
you
know
it.
Doesn't
it
doesn't
assign
the
order
of
extensions
except
for
one
I
forget
which
one
it
was,
but
I'm
pretty
sure
it's
pre-shared
key
yeah.
It
has
to
appear
last.
So,
if
you're,
if
somehow
you
use,
if
somehow
your
implementation
of
client,
hello,
inner
compression,
messed
up
that
order,
then
you
would
end
up
with
a
non-compliant
client.
So
it's
something
to
be
careful
of
it
for
a
particular
implementation
of
the
the
compression
mechanism.
E
I
think
it
makes
sense
to
simplify
the
spec
and
that's
what
I'm
that's,
what
I'm
aiming
to
do
with
this?
It's
basically
to
you,
know
it's
it's
it's
it.
It's
it
prevents
preventing
preventing
the
order
of
extensions
from
changing,
ensures
that
it
it
no
logic
anywhere
else
in
the
stack
is
screwed
up
and
that's
kind
of
my
aim.
B
Yeah
so
I
think
like
to
put
my
cards
on
the
table.
My
suggestion
is
for
people
asking
at
psk,
even
if
there
is
psk
psk's,
clearly
not
compressible,
because
because
the
binders
prefer
the
rest
of
the
rest
of
the
handshake
right.
So
that's
like
that's
not
going
to
work
anyway,
so
I'm
not
worried
about
that
one.
B
I
probably
just
go
with
the
simplest
thing,
which
is
the
thing
currently
in
the
spec
and
say
that
you
know
if
there
are
other
extensions
about
to
be
continuous,
and
if
we,
if
we
have
two,
then
I
think
we
maybe
it's
worth
we're
gonna
be
being
decontiguous,
so
yeah
ben
aopn
is
compressible
in
some
sense,
but
airplanes
are
typically
very
short,
and
so,
given
that
the
minimum
size,
this
extension
is
like
you
know,
there's
like
four
octets
you're,
not
getting
much
value
at
it,
you're
getting
like
five
bytes,
so
the
so
I
think
like
like.
B
Let's
do
that
research
and
then
do
that
simple
thing,
and
the
thing
I
would
note
is
that
this
is
not
like
an
all-time
commitment
in
the
sense
that
that,
because
there's
a
an
effectively
a
negotiation
when
ech
is
done,
if
we
end
up
with
some
other
extension,
then
we
can
just
we
can
effectively
rev
the
ech
back
or
have
a
way
for
the
server
to
indicate.
I
speak
compression
v2
and
has
a
more
fancier
thing.
E
That's
fine,
I
think
one
thing
about
like
just
just
requiring
the
compressed
extensions
to
be
contiguous.
You
want
to
put
the
outer
extension
extension
in
the
right
order,
so
if,
if
you're
gonna,
if
you're,
if
the
extensions
are
a
b
c
and
d
and
you're
gonna
compress,
b
and
c,
then
in
the
the
representation
of
the
client
in
the
client,
hello
enter
needs
to
be
a
and
and
then
outer
extensions
for,
b
and
c
and
then
d.
B
If
we
already
have
a
bunch
of
implementations
which
serializes
some
random
order
or
if
you
have
for
some
reason,
extensions
which
really-
which
for
some
reason,
don't
want
to
be
contiguous
right
like
in
the
same
ways
the
same
way
as
psk
psk
is
now,
and
so
I
guess
what
I'm
saying
is
unless
we,
unless
we
find
ourselves
in
that
situation,
now
like,
let's
like
burn
that
bridge,
I
think
that's
fair
so
see.
If
we,
I
guess
like
what
I'm
saying
is
like
someone
should
go.
Look
some
clown,
hellos
and
like
see.
Is
there
anything
else.
C
Yeah
we'll
take
an
action
to
do
that
with
our
prototype
and
we
can
talk
about
this
vertical
money
as
well,
and
then
we
can
report
back
on
the
issue
to
see
what's
actually
useful,
all
right.
We
only
have
a
few
more
minutes
left.
So,
let's
move
on
to
297.
E
Yeah
thanks
so
what's
going
on
here
is
right.
So
if
the
structure
of
the
encrypted
client
hello,
that
is
the
payload
that's
sent
in
the
outer
client
hello,
if
that
changes,
then
if,
if
that's
changed
in
future
versions
of
ech,
then
th
that'll
break
backwards.
Compatibility
because
of
the
because
of.
E
Because
oh
well
hold
on
a
second
so
because,
okay,
so
the
there
there's
a
version
negotiation
for
which
draft
of
ech
you
want
to
use,
and
it's
based
on
the
version
indicated
in
the
configuration,
so
the
server
indicates
which
versions
it
supports
and
the
client
chooses
a
version
effectively
if
in
future
versions,
this
the
structure
of
the
client
encrypted
c
structure
changes,
then
that
will
break
that
will
break
backwards
compatibility.
E
So
I
was
suggesting
we
should
put
the
version
in
the
client
encrypted
ch
structure
david
benjamin
pointed
out.
Why
do
we
need
this
in
the
first
place?
And
I
I
wanted
to
talk
about
that-
I
don't
really
have
an
informed
opinion
on
whether
it's
useful
to
be
able
to
negotiate
the
version
of
ech.
E
So
I
was
wondering
if
people
would
would
chime
in
on
that.
I
wish
david
was
here
because
he
brought
this
up,
but.
B
So
what
what
you
need
on
the
server
side
is
to
be
able
to
determine
which,
because
the
versions
and
the
configs
are
one-to-one,
you
need
to
determine
which
config
was
used
and
in
order
to
do
that,
you'd
be
able
to
process
the
first
two
fields,
namely
the,
namely
the
sephora
sweet
field,
to
tell
you
which,
which
hash
to
use,
and
then
the
and
the
in
the
next
field,
with
the
has
the
hashtag
and
everything
else
can
be
freeform
right.
So
what
we're
committing
to
I
mean
what
we're
commit.
B
What
we're
committing
to
now
is
the
is
those
first
two
fields
unchangeable
right,
and
I
think
I
think
what
you'll
be
proposing
is
to
be
convenient,
something
else
which
is
the
first
field
being
changed.
It
will
be
virgin
right.
I
B
So
I
think
I
guess,
like
I
think,
I'm
with
david
in
the
sense
that
like
if
we,
if
we
really
decided,
we
were
like
sad
about
like
that.
This
isn't
the
first
two
field
structure.
Then
we
could
just
invent
some
nukes
instead
of
code
points.
So
I
think
I
I
am
balanced
performance
remove
version,
but
I
mean
if
it
were
there,
I'm
like.
If
we
were
in
last
call
over
there.
I
probably
wouldn't
fight
about
it.
C
I
think
I
would
agree
as
well
like
the
first
two
fields.
Being
an
invariant
seems
pretty
much
are
pretty
insane
to
me.
I
don't
think
it's
documented
anywhere
in
particular
that,
like
these
two,
we
expect
these
two
to
not
change,
but
we
could
do
that
and
then,
if
we
need
to
make
something
new
down
the
line,
because
we
want
to
share
the
variance,
we
just
use
a
different
code
point
well
very.
E
You
know
we
people
have
discussed
various
ways
of
of
indicating
which
configuration
was
used
basically,
like
you
know,
like
nick
sullivan,
once
proposed,
like,
let's
just
let's
have
like
a
super
truncated
hash,
which
I
guess
I
guess
is
the
same.
Like
you
know
it's
still,
it's
still
a
config
hash
technically,
but
I
guess
I'm
concerned
that,
in
order
to
you
know
as
a
as
an
anti-ossification
measure
we
these
might,
these
might
change
in
the
future.
E
So,
like
I'm,
not
sure
that
we
want,
we
want
to
commit
to
them.
I'm
happy,
I
don't
see
a
reason
to
change
them
from
where
I
sit
like
it
seems.
Like
a
you
know,
this
is
like
the
necessary
information
for
picking
the
configuration
today.
We
just
can't
change
the
way
the
configuration
is
picked.
So
if
anyone
can
envision
changing
that
in
the
future,
I
think
then
we
should
add
the
version.
C
I
mean
to
your
point:
the
proposal
from
david
that
nick
was
mentioning,
does
allow
you
to
truncate
because
it's
variable-like.
But
yes,
I
agree
with
the
general
sentiment
ben.
G
Ben
schwartz,
I
don't
really
understand
the
ossification
concern
that
you're
mentioning
here,
because
the
only
way
that
this
ever
gets
used
with
a
future
version
is
with
clients
and
servers
that
are
that
are
both
aware
of
this
new
version,
like
the
server
has
to
advertise
a
new,
a
configuration
with
the
new
version,
and
the
client
has
to
has
to
adopt
that
one
so
like
who
is
the
ossified
party
who's
who's,
not
playing
ball?
G
The
only
thing
I
can
think
of
is
maybe,
if
there
were
a
middle
box
that
is
trying
to
parse
this
extension,
even
though
it
can't
understand
it.
Maybe
that
is
something
to
worry
about,
but
well.
A
G
A
We're
we're
out
of
time
and
so
to
respect
everybody's
time.
I
think
we'll
call
it
here
and
take
some
of
this
discussion
of
the
list.
I
think
we'll
also
try
to
schedule
another
one
of
these
in
roughly
a
week,
maybe
a
little
bit
longer
to
get
rid
of
it
to
find
a
good
time
or
two
weeks.
Okay,
two
weeks
and
yeah
thanks
for
joining
and
remember
to
sign
the
attendance
sheets.