►
From YouTube: TLS WG Interim Meeting, 2020-09-21
Description
TLS WG Interim Meeting, 2020-09-21
A
B
A
A
Okay,
so
you're
all
familiar
with
the
notewell
I'll
just
put
this
up
here
for
a
few
minutes
just
to
remind
everybody
that
we're
under
the
ipr
policy
of
the
ietf,
so
today
we're
going
to
go
over
ech
issues
so
I'll.
Let
chris
kick
that
off
which
issue
would
you
like
to
chat
about?
First.
E
Yeah,
it
doesn't
have
karthik
suggestion,
but
it
has
it's
ben
schwartz's
suggestion.
I
think
that's
where
we
are.
E
We
have
we
kind
of
decide:
oh
okay,
sorry,
okay,
so
trial,
decryption,
trial,
hmac
and
then
the
current
proposal.
C
Yeah
basically,
but
but
hmac
like
there's
a
different
variance
for
how
the
hmac
is
computed.
One
of
them
is
like
mixing
in
client
and
server
hello,
random.
Oh.
E
I
don't
know
what
those
variants
are.
I
was
just
thinking
of
the
I
was
just
thinking
of
the
oh
compute,
an
hmac
over
the
server
hello,
using
a
key
derived
from
the
master
key
or
from
the
main
key.
I
mean
secret
and
and
and
and
and
stick
the
prefix
of
that
hmac
in
the
server
hello
random.
Is
that
what
you're
describing
talking
about.
C
E
So
the
the
pr
for
this
is
converged
on.
Basically
the
proposal
is
you
compute,
you
you,
you
essentially
hash
the
client,
hello,
inner
and
the
the
first
24
bytes
of
the
server
hello,
random,
the
client,
hello,
inner
random
and
the
server
hello,
inner
random,
and
that's
how
you
get
the
that's?
How
you
get
the
confirmation
indication.
C
Right,
thank
you.
Okay,
so
yeah,
there's.
C
The
existing
design,
which
does
nothing
but
trial
decryption
there,
is
this
trial
hmac,
as
you
describe
it,
which
includes
an
hmac
computer
over
the
client,
hello
and
server
hello,
random
or
part
of
it
as
you've
just
described,
and
then
there
is
karthix
design
which
is
not.
F
C
Written
up
in
pr
form
or
documented
in
the
issue,
but
it's
effectively
an
extension
of
this
trial,
hmac
thing
where
you
derive
a
key
from
the
handshake
secret
and
use
that
to
compute
an
h,
mac
and
shove
it
in
the
server
hello,
random,
doing
a
trick
similar
to
how
you
one
computes,
psk
binders.
C
I
guess
trade-off
in
terms
of
complexity,
and
you
know
plugging
the
the
attack
that
we're
concerned
of
and,
as
you
suggested,
the
the
current
pr
converged
on
the
the
simple
you
know
quote
simple
trial,
hmac
variant
that
helps
protect
against
sort
of
trivial,
replays
or
benign
replays
in
the
network,
and
the
the
rationale
for
doing
so-
and
you
can
correct
me
if
I'm
wrong
is
because
any
sort
of
active
attacker
who's
trying
to
learn
whether
or
not
ech
was
actually
negotiated,
has
plenty
of
other
avenues
for
doing
so.
C
And
this
isn't
particularly
this
isn't
like
a
useful
thing
to
address
these
sort
of
replay
text
that
christian
laid
out.
Unfortunately,
he's
not
here
to
speak
for
it.
So
I
I'm
not
sure
how
far
we
can
get,
but
I
guess
I'd
like
to
pause-
and
you
know
ask
the
folks
here
if
they
have,
if
they,
if
they're
familiar
with
christian's
attack
and
if
they
are,
are
they
concerned
about
it
or
whether
or
not
we
can
just
press
onward
with
what's
written
in
the
pr
for
274.
G
Hi,
this
is
eric,
so
I
mean
I
guess
so.
First
of
all,
I
think
it's
pretty
clear
that
like
why?
Don't
you
want
to
call
it,
but
the
trial,
hvac
variants
are
superior.
G
The
trial
encryption
variants
for
the
quick
reasons,
dave
mentioned,
pointed
out
real
quick,
and
I
think
that,
in
terms
of
how
to
spell
it,
it's
also
pretty
clear
to
probably
go
in
the
server
hello,
because
otherwise
it's
like
you've
incredibly
obviously
know
whether
or
not
this
was
whether
or
not
this
was
deployed,
which
is
to
say,
does
the
extension
appear
in
the
server
from
the
investor
from
the
server
which
we'll
call
with
the
reason
for
doing
this
in
the
first
place,
the
I
mean,
I
think
this
goes
to
threat
model.
G
The
question
is:
what
are
we
trying
to
accomplish?
I
think
we're
trying
to
accomplish
it
being,
like
modestly
hard
to
determine
whether
a
given
connection
uses
you
know,
used
dch,
and
I
think
modestly
hard
obviously
is
like
a
you
know.
G
It
is
a
fuzzy
criterion,
but
it
seems
to
me
that
like
either
terminating
every
connection
and
then
allowing
the
client
to
reestablish
them,
which
is
what
with
christian's
attack
or
having
to
like
having
to
scrub
through
dns,
neither
of
which
causes
them
honestly
hard,
and
so
you
know
if
people
want
to
do
either
those
two
things
then,
basically,
as
far
as
I
can
tell
we
don't,
we
have
one
of
the
defenses
in
particular,
we
do
not
have
defense
against
the,
I
guess
the
dns
scripting
one.
G
So
so
I
think
you
know
like
I'm
on
the
fence
about
like
so
I'm
on
the
fence
about
whether
that
that
the
you
know
following
the
key
in
is
worth
doing.
But
I
I
mean
it's
like
you
know,
there's
always
sort
of
a
building
suspenders
kind
of
like.
Maybe
you
should
make
things
better
kind
of
thing,
so
I
wouldn't
fight
like
vehemently
against
it,
but
I'm
also
like
not
not
sure
we
need
it.
G
It's
worth
noting
that
if
we
decide
we
do
if
we,
if
we
decide
not
to
do
it
now
and
we
decide,
we
watch
it
later,
it's
actually
quite
straightforward
to
add,
because
you
can
simply
put
an
extension
in
the
ech
config
and
doesn't
appear
on
the
tls
on
the
wire
and
tls,
so
the
ech
config
would
just
say
you
know
I
speak.
I
speak
the
variant
in
which
you
know
in,
in
which
you
fold
the
tensions
so.
G
An
extended
handshake
secret
thing,
no,
I
mean
I
mean
you
could
call
it
that,
but
I
mean
I
mean
so,
and
the
ecs
config
has
extensions
in
it
right,
and
so
you
just
say
that
for
this
config,
if
you
offer
this
config-
and
I
take
it,
I'm
going
to
fold
the
handshake
in
in
the
same
in
the
same
block
that
you're
ordinarily,
using
that
you
were
using
without
that.
G
C
Yeah
I
I
agree.
I
think
this
is
the
right
trade-off
in
terms
of
complexity
and
usefulness,
in
terms
of
like
addressing
this
sort
of
modestly
capable
attacker.
G
I
mean
this
is,
I
guess
I
guess
we're
throwing
this
is
like
not
like
you
know.
This
is
not
like
tours
on
it's
like,
not
a
technology
where
we're
attempting
to
like
make
this
completely
invisible.
If
we
were,
we
have
made
a
whole
bunch
of
different
design
choices,
so
it
says
analogy
where
we're
hoping
to
make
it
kind
of
a
pain
in
the
ass
to
determine
connections
using
yet
yeah.
I
think.
F
C
Yeah,
I
agree
that
actually
goes
it
right
into
the
threat
model.
There
is
a
separate
issue
for
actually
writing
down
sort
of
threat
model
and
the
security
goals
against
that
particular
attacker,
and
I
I
put
down
in
that
issue
just
a
high
level
summary
of
what
the
what
I
think
the
threat
model
should
be
and
what
we
should
be
targeting,
and
I
think
it
aligns
with
what
your
you
know
describing.
C
G
I
want
to
say
we
should
merge
this
pr,
because
even.
F
A
And
chris
patton
you're
in
the
queue.
E
Yeah
I
just
wanted
to.
I
just
wanted
to
support
what
ecker
said.
Basically,
I
would
also
be
fine
with
adopting
something
like
karthik's
suggestion,
I'm
skeptical
that
it
actually
solves
the
problem
of
providing
don't
stick
out
security
against
active
attackers.
E
It
does
seem
possible
to
me
to
to
achieve
this
if
for
for
deployments
where
the
ech
configuration
is
not
easily
accessible
to
the
adversary,
but
that's
not
going
to
be
true
for
the
vast
majority
of
deployments,
at
least
initially.
So
I
think
this
is
a
I.
I
just
think
this
is
a
problem
worth
taking
some
time
to
study
before,
and
I
think
in
particular,
because
if
we
implement
something
complex
now
that
we
need
to
to
replace
later,
it's
going
to
be
a
lot
harder.
E
The
thing
the
the
current
pr
is
pretty
simple
and
it's
easy
to
replace
if
we
need
to-
and
I
also
really
liked,
ecker's
suggestion
of
of
using
an
extension
for
this
purpose.
It's
actually
a
pretty
nice
feature
of
the
of
the
of
the
protocol
that
the
signal
is,
you
know
it's
it's
kind
of
it's
kind
of
hidden
in
the
in
the
server
hello
random
already.
So
it's
easy
to
do
something
stronger
if
we
want
to
in
the
future.
E
E
C
Cool
joe,
can
you
go
back
to
the
issue
list
yep.
C
So
chris
pointed
out
that
we
really
haven't
clearly
described
threat
model,
at
least
in
the
introduction
leading
up
to
the
design
or
maybe
in
the
secure
security
considerations.
We
have,
of
course,
documenting
some
of
the
attacks
and
some
of
the
design
flaws
that
we
had
in
earlier
versions
of
esi.
But
we've,
not,
I
guess,
been
a
bit.
We've
not
been
really
crisp
in
terms
of
what
the
attacker
is
and
what
its
goals
are.
C
So
this
is
my
attempt-
or
this
is
our
attempt
to
sort
of
document
the
threat
model
with
respect
to
sort
of
two
general
types
of
attackers,
one
of
which
is
a
passive
attacker,
something
that
can't
probe
is
just
like
looking
at
bytes
flying
back
and
forth
across
the
wire.
C
These
might
be
our
stupid,
ossifying
middle
boxes,
things
that
can't
look
at
dns,
so
on
and
so
forth,
and
then
you
have
just
a
general
class
of
active
attackers
that
can
probe
do
all
sorts
of
crazy
things
and
these
are
more
or
less
sensors
and
and
the
goals
I
think
of
the
ech
are
to
I
guess.
First
and
foremost
not
you
know
negatively
affect
any
existing
security
properties.
Tls
1.3,
it
was
without
saying,
like
you,
shouldn't,
worsen
any
any
any
security
aspect
of
the
protocol.
C
It
should
be
from
a
privacy
perspective.
The
goal
is
to
make
it
so
that
every
ech
server
or
name
in
the
same
on
a
reset.
Our
connection
to
any
of
these
particular
servers
in
the
same
manner
reset
is
indistinguishable
from
one
another.
Much
of
the
traffic
analysis,
this
padding
might
change.
Padding
might
be
done
on
the
server
side.
It
might
not
be.
C
This
is
more
like
from
cleartext
signals
whether
or
not
you
can
distinguish
elements
from
the
set
support
from
eca
or
support
of
ech
like
whether
or
not
a
particular
server.
Actually
like
will
decrypt
something
if
you
send
a
valid
ech
config
remain
secret.
C
Unless
you
know
the
ech
configuration
for
passive
attackers,
because
you
can
imagine
like
programming
a
middle
box
with
a
known
ech
configuration
and
then
it's
just
like
looking
at
the
the
record
or
the
config
digest
as
it
flies
by
and
seeing
whether
or
not
it's
meant
to
be
an
actual
ech
connection.
C
Moreover,
negotiation
of
ech
or
actual
usage
of
it
for
a
particular
connection,
a
secret
from
a
passive
attacker,
like
you
can't
figure
out
whether
or
not
ech
was
actually
used,
which
is
what
the
pr
that
chris
put
together
allows
us
to
do
similar
to
how
the
you
know.
Existing
trial,
decryption
and
functionality
works.
But
again
it's
not
meant
to
be
secret
against
active
attackers
and
there's
various
you
know
subcases
broken
down,
but
I
think
this
captures
the
gist.
C
G
Yeah
ecker
yeah.
I
think
this
was
really
good.
The
one
thing
I
would
change
is
that
in
the
second
bullet
point
under
under
under
under
goals,
you
should
know
that
this
is
including
active
attackers.
G
Yes,
yes,
very
good
point
I
mean,
I
think,
a
good
way
to
put
this
is
like
the
the
usage
of
uch.
I
mean,
I
think
you
have
this
here
perfectly,
but
the
usage
of
uch
is
secret
from
passive
attackers,
but
the
the
but
the
but
the
contents
of
the
ech
are
secret
from
everybody.
G
Yeah,
this
is
great
dude.
I
I'm
sorry,
but
do
we.
C
Does
anyone
else
have
any
sort
of
comments
or
feelings
about
this
shirt
model?
Does
this
more
or
less
capture
what
folks
think.
F
So
so
chris
hey,
this
is
sean.
The
only
thing
I
can
think
of
is
that
we
need
to
make
sure
that
whatever
was
in
the
requirements
document
that
we're
not
doing
also
gets
captured
so
like.
If
there's,
if
there's
anything,
that's
different
between
the
two.
I
think
we
just
have
to
make
sure
that
we
document
that
does
that
make
sense.
C
Yeah
yeah
and
there
is
like
in
the
document
there's
a
section
on
going
through.
You
know
the
different
requirements
from
that
draft
and
and
commenting
as
to
why
we've
deviated
or
not.
But
I
I
don't
know
right
now,
whether
or
not
that's
up
to
date,
like
one
good
example
is
like.
I
think
the
the
requirements
document
says
that
you
know:
thou
shalt
not
stand
out,
though
clearly.
C
Stand
out
a
little
bit
yeah
the
fact
that
the
extension
is
there
is
a
pretty
good
indicator
right,
so
yeah,
yeah
I'll
I'll,
keep
a
note
of
that
and
I'll
I'll
review.
That
particular
section
to
see
whether
or
not
it's
still
relevant
or
needs
to
be
updated.
F
So
I
guess
my
only
thought
about
this
is
whether
we
should
be
more
explicit
about
what
the
things
that
we're
not
doing.
I
I
do
agree
that
I
think
this
is
a
this
is
this
is
gets
the
gist
of
it.
C
So
one
thing
that
as
zekker
was
sort
of
hinting
at
earlier
like
this,
is
not
meant
to
be
something
like
tor.
C
As
an
extension,
it's
not
meant
to
circumvent
censorship.
I
often
hear
that
you
know
this
is
a
you
know,
a
mechanism
or
a
technology
for
allowing
that,
although
I
think
that
is
a
bit
misleading
and
wrong,
given
that
the
current
design
app
doesn't
actually
allow
that.
C
So
I'm
hopeful
that
the
text
here
with
this
particular
throttle
model
makes
it
clear
that
this
is
not
a
censorship
circumvention
technology,
but,
if
not
like,
like
maybe
we
need
to
add
it,
although
I'm
kind
of
hesitant
about
even
using
that
word
in
this
document,
I
I
understand.
F
C
E
Chris
yeah,
I
just
comment
that
I
I
think
that
the
document
that
that
lays
out
that
don't
stick
out
requirements
is
not
is
is
a
little
less
precise
than
we're
trying
to
be
here
because
we're
you
know
we're
kind
of
trying
to
grab
the
problem,
so
I
think
I
think
yeah
we
should
we
should
document
what
what
what's
different,
but
I
really
don't
think
that
there's
much
that's
different.
I
also
want
to.
E
E
It's
just
that
it's
not
going
to
be
the
main.
At
least
you
know
it's
not
going
to
be
the
main
way
this
thing
is
deployed,
so
I
think
I
think
we
don't
want
to
rule
out
future
use
uses
of
ech
which
do
provide
a
stronger,
don't
stick
out
property.
C
Yeah,
let's
see
if
we
can
frame
the
text
in
that
way,
I
think
we
we
sort
of
make
it
clear
that
the
intended
deployment
for
this
is
obviously
via
the
dns
like
we've
referenced,
the
service
record
use
the
term
dns
but
you're
right,
and
that
it
would
be
a
shame
if
you
know
whatever
broke
down
like
did
not
reflect
other
deployment
models
so
yeah
as
we
put
together
the
pr.
We
can
just
keep
an
eye
towards
that
to
make
sure
we're
future
proofing.
It
correctly
rich.
H
Yeah
yeah,
I
I
agree
with
the
others.
This
is
a
really
nice
piece
I
mean
even
just
if
they
exported
his
markdown
cut
and
paste
it
right
into
the
you
know.
This
is
the
pr,
but
I
do
think
that
we
should
say
some
words
about
censorship,
because
the
popular
technical
press
will
do
it
if
we
don't-
and
we
don't
have
to
spend
all
our
time
saying.
No.
This
is
not
a
censorship
prevention
tool,
censorship,
evasion,
tool
right.
C
I
I
guess
my
my
only
allergy
is
to
using
that
word.
I
I
don't,
but
that
I
don't
have
a
strong.
You
know
reason
as
to
not
use
it
other
than
it
could
potentially
pollute
the
draft.
I
don't
know.
H
C
G
C
Okay,
cool
I'll
create
a
pr
soon.
Then
we
can
land
this
and
then
I'll
send
a
message
to
the
list
following
up
on
it.
You
know
particularly
raising
this
issue,
whether
we
want
to
or
how
we
want
to
work
in
the
topic
of
censorship,
okay,
cool.
C
Right
this
is
something
we
talked
about
last
time.
The
the
idea
was
that
we
have
this
ech
nonsense.
Currently
it's
kind
of
redundant
with
the
client,
hello,
random,
that's
also
secret
by
virtue
of
being
encrypted
in
the
inner
client
hello.
So
the
proposal
that
would
converge
towards
was
removing
the
ach
nonce
entirely
and
just
relying
on
the
randoms
in
the
inner
and
outer
clan
hello
being
different
generated
independently.
C
C
Yeah,
so
I
I
just
wanted
to
raise
this
and
and
pause
to
see
if
folks
have
had
a
chance
to
review
this,
the
the
text
is
fairly
self-explanatory.
It
does
the
associate
deaths,
it
removes
the
nonce
from
the
inner
client,
hello
extension
and
it
more
carefully
describes
how
to
specifically
construct
the
inner
and
outer
client
hello.
C
I
think
one
thing
that
came
up
during
this
particular
pr
that
is
sort
of-
I
guess
it's
not
directly
relevant
to
the
the
nonce
itself,
which
we've
agreed
to
remove
more.
So
it's
on
the
the
inclusion
of
padding
inside
the
inner
client
hello.
Can
you
scroll
on
just
a
little
bit
more
well?
Okay,
I
I
forget
where
it
is.
Oh
there
it
is
the
last
online
452.
C
Yeah,
I
I
don't
I
I
reviewed
this
pr
earlier
there
is.
This
must
include
padding
clause
specifically
using
this
particular
technique,
described
in
this
padding
section.
I
was
recommending
to
drop
it
from
a
must
to
a
should,
under
the
assumption
that
some
people
might
not
want
to
pad
a
particular
way,
or
they
might
not
want
to
pad
at
all,
depending
on
what
their
deployment
scenario
is.
Whatever
I'm,
I
think,
it'd
be
useful
just
to
like
quickly
flush
this
out.
G
I
mean
the
the
the
the
padding
there's
like
a
padding
section
and
if
you
wanted
to
use
padding
to
go
to
the
batting
section,
so
I
think,
like
I,
I
think
sure,
is
the
right
thing
here
or
even
may
I
mean
I
mean
the
key.
The
key
point
here
is
this
is
how
we
think
you
probably
ought
to
pad
if
you're
gonna
pad,
but
if
we're
gonna
tell
you
to
pad,
if
we're
gonna
say
you
have
to
pad.
If
you
go
to
padding
sessions.
C
Yeah,
basically,
I'd
be
fine
with
that.
So
I
think
a
shirt
is
right
here,
whatever
yeah
the
other.
Okay,
wasn't
just
anyone
else,
the
other
point
in
this
pr
christian,
I'm
sorry,
I
I
don't
mean
to
like
nitpick
your
pr
in
real
time,
but
these
are
just
like
things
that
we've
talked
about
in
various
places
of
different
threads.
That
I
think,
would
be
useful
to
just
air
right
now.
One
of
the
the
instructions
for
generating
the
hour
client,
hello,
is
to
be
careful.
C
If
you
scroll
up
joe,
is
to
be
careful
on
how
you
actually
or
what
extensions
you
actually
include.
It
has
been
asked
whether
or
not
it
makes
sense
to
include
a
psk
binder
in
the
outer
client
hello.
C
So
I
guess
that
I
I
am
of
the
opinion
that
there
doesn't
really
make
much
sense
to
include
a
psk
binder
in
the
other
client
hello,
because
the
only
time
you'd
actually
be
making
use
of
the
outer
clan.
Hello
is,
if
you
are
going
to
retry
and
establish
a
fresh
connection
with
new
ech
keys,
and
it
just
it
seems
like
it's
easier
from
a
client's
perspective.
If
you
only
ever
attach
a
binder
to
one
client
hello
though
I
yeah,
okay,
I'm
from
the
chat,
I
think
that
makes
sense.
C
The
oddity
is
like
I
guess.
If
you
had
a
ticket
to
you,
know
poster.com
or
whatever.
C
C
Great
okay,
very
good
cool.
C
Jonathan,
the
the
issue
there
was
with
the
earlier
esi
design.
You
would
that
there
was
no
distinction
between
which
client,
oh,
that
you
were
actually
consuming,
because
there
was
only
one
client
hello
with
the
encrypted
sni
and
the
the
the
server
reaction
attack
or
the
ticket
or
oracle
attack
was
when,
like
the
ticket
might
encapsulate.
C
You
know,
like
the
actual
sni
that
was
used
to
fetch
the
ticket
and
if
the
server
checked
to
see
that
you
know
this
particular
ticket
sni
does
not
match
the
sni
inside
the
encrypted
ech
value
that
it
might
behave
differently
so
effectively
giving
an
active
adversary
in
oracle.
But
this
design,
like
the
server,
will
only
consume
either
the
inner
client
holo
or
the
outer
client
hello,
and
since
the
attacker
can't
augment
the
inner
client
hello
due
to
encryption.
D
C
Great,
it's
the
only
other
one
that
I
would
like
to
get
to
is
264..
This
again
is
something
that
we
talked
about
last
time,
but
now
we
have
david
here,
so
I
think
we
can
david
and
alessandro,
thankfully,
so
we
can
hopefully
get
through
this
pretty
quickly.
C
C
It
was
pointed
out
that
you
might
be
able
to
use
certificate
extensions
to
add
padding
on
the
server
side
that
doesn't
work
well
currently
with
the
certificate
compression
draft,
which
takes
like
the
whole
certificate
message
and
just
shoves
it
into
a
compressor
so
that,
like
as
a
result
of
the
last
interim,
we
quickly
put
a
pause
on
that
document
to
make
sure
we
want
to
work
through
this
or
to
make
sure
we
work
through
this
issue
before
you
know
designing
ourselves
into
a
corner,
and
I
guess
we
didn't
really
come
to
a
a
conclusion
as
to
you
know
what
should
be
the
right
mechanism
for
padding.
C
So
I
I
thought
it'd
be
good
just
now
that
everyone's
here
on
the
call
we
could
chat
about
it
david.
Do
you
want
to
say
a
few
words
about
this.
I
Am
I
unbeated?
Maybe
you
are
unmuted
cool
yeah
I
mean,
I
think
you
basically
summarized
it.
I
The
the
padding
thing
into
over
tos
records,
padding
for
the
quickest
sort
of
stucco
little
like
abstraction
boundary
between
the
handshake
and
the
record
layer,
which
means
that,
like
interactions
between
the
handshake
and
the
record
layer,
are
suddenly
much
more
complicated
than
they
used
to
be
and
yeah
there's
a
so
if
we
ended
up
moving
the
padding
into
the
handshake,
which
seems
to
be
consistent
with
what
quik
has
done
elsewhere,
then
that
would
keep
that
interface,
nice
and
simple.
G
Yeah,
so
I
think
I
I
agree
with
david
as
the
fundamentals,
I
think
I
think
I
guess
my
put
is.
I
think
we
have
a
straightforward
solution
for
this
for
sni,
which
is
to
either
invent
or
use
the
old
padding
extension
and
and
then
just
perm
and
then
unwind
the
restriction.
It
can't
be
an
ee
and
then
as
long
as
you're
able
to
project
how
long
the
circuit
will
be.
G
You
can
pad
it
as
much
as
you
want
me
and
remember
that
the
remember
that
the
boundary,
the
message
boundaries
should
be
should
be
concealed
in
any
case
that
that
doesn't
solve
the
problem
of
the
client
to
server
padding.
But,
as
I
said,
that's
a
problem,
that's
actually
a
problem,
irrespective
of
sni,
so
I
think
we
should
solve
that
separately.
G
C
Yeah
certificate
impression
is
very
far
along
at
this
point
and
we'd
have
to
like
burn
a
code
point
and
do
all
sorts
of
things.
If
we
were
going
to
change
that
alessandro
speaking
as
an
implementer
on
the
server
side,
how
allergic
are
you
to
you
know
using
padding
extension
in
ee
and
to
cover
or
hide
the
the
size
of
the
server's
flight?
G
C
B
So
if
certificate
compression
is
used,
then
the
padding
might
depend
like
the
size
of
the
padding
might
depend
on
the
result
of
the
compression
of
the
certificate
right.
But
presumably
you
would
know
if
certificate
compression
is
in
use
right,
yeah.
No,
what
I'm
saying
is
you
don't
know
how
big
the
certificate
is
going
to
be
before
you
actually
compress
it
right,
so
you
need
the
certificate
in
hand.
Basically,
let
me
see
the
compressed
certification.
G
B
I'm
saying
is
you
you
send
you
set
whatever
ee
and
then
later
the
certificate
is
sent
and
the
compression
might
happen
like
just
in
time.
So
when
you're
setting
the
ee,
you
don't
know
how
big
the
certificate
message
is
going
to
be
and
the
size
of
the
you
know
the
compressed
certificate
might
change
depending
on.
I
don't
know
the
the
common
names,
the
the
alternative
names
or
whatever
I
don't
know.
B
If
that's
actually
a
problem,
it
could
just
simply
be
you,
you
add
whatever
like
a
fixed
amount
of
padding
and
then
that
would
cover
whatever
compression
you
use.
G
Yeah,
that
makes
sense-
I
I
mean
just
a
practical
matter
either
you
have
to
put
the
padding
you
know
here,
or
you
have
to
put
it
in
some
some
location
that
is
after
that
is,
you
know,
after
the
civic
is
being
compressed
right
and
so
that
either
means
and
so
and
and
so
like
you
know,
that
means
so
so,
as
far
as
I
can
tell
they'll
turn
given
that
david's
right
and
we
don't
want
to
like,
have
it
in
the
record
layer,
the
alternatives
are
stuff
it
in
stuff,
at
an
ee
stuff,
with
a
different
message,
revised
to
victim
impression
or
invent
some
new
message.
B
Yeah,
so
I
guess
I
I'm
not
really
sure
I
understand
how
an
implementation
would
choose
the
size
of
the
padding.
I'm
I'm
fine
with
the
with
the
ee
solution.
Putting
it
in
the
in
the
actual
certificate
message
might
be
problematic
if
you
pre-compress
the
certificate
message,
rather
than
doing
it
just
in
time,
because
then
you
wouldn't
be
able
to
actually
add
additional
extensions
later.
B
So
the
the
solution
is
probably
the
more
flexible.
I
guess
from
an
implementation
perspective,
it
just
kind
of
the
the
complexity
comes
down
to
how
you
choose
the
actual
size
of
the
padding.
I
agree
it's
yucky,
so
I'm
fine
with
this
complexity
is
what
I'm
saying.
C
Okay,
david,
can
you
speak
on
behalf
of
the
server
for
boring.
I
Yeah,
so
I
guess
to
answer
alejandro's
point
real,
quick.
I
I've
been
sort
of
assuming
that
the
way
you
choose
the
padding
is
that
you
have
some
target
size
or
something,
and
then
you'd
like
subtract,
like
the
padding,
would
be
like
size
of
the
certificate
message,
minus
target
size
or
something
along
those
lines,
some
function
of
of
the
of
the
size
of
the
final
certificate.
I
So
you
would
need
to
assemble
the
certificate
message
and
like
or
at
least
measure
all
the
links
and
then
go
back
and
like
fill
in
all
the
other
stuff,
which
is
certainly
doable
like
I'm
looking
at
our
implementation,
and
we
certainly
have
the
certificate
available
by
then
and
we
actually
assemble
it
all
in
like
one
function
all
at
once,
so
we
have
been
pondering
some
stuff,
some
some
like
designs,
where
we
do
something
where
like
because
like,
if
you
end
up
having
to
do
like
an
rpc,
to
look
up
the
server
certificate
and
then
you
separately
need
to
do
an
rpc
to
do
like
the
signature.
I
If
you
could
like
do
one
rpc
and
get
them
both
at
once,
and
so
you
could
imagine
doing
something
where,
like
oh,
because
the
certificate
and
the
certificate
verify
are
so
close
together,
you
could
like
hand
the
thing
over
like
the
transcript
so
far
and
ask
it
to
produce
just
the
certificate
message
and
that,
like
cuts
down
on
the
amount
of
like
places
where
you've
got
to
like
cut
a
line
in
between
tls,
and
so
this
would
kind
of
mess
that
that
sort
of
thing
up
where
you
now
have
to
like
the
the
the
thing,
that's
looking
up
the
certificate
and
doing
the
signature
needs
to
be
able
to
like
compute
the
padding
for
you
and
like
inject
the
padding
back
into
the
encrypted
extensions,
because
once
the
signature
has
been
made
like
you
can't
go
back
and
change
it.
I
So
that's
a
little
annoying.
I
think
it's
probably
workable,
so
I'm
not
like
hugely
opposed
to
it.
It
does
sort
of
like
make
me
raise
my
eyebrows
slightly,
but
oh
well,
on
the
client
certificate
side
somewhat
tangentially
we've
been
looking
at.
I
think
ecker
suggested
for
the
alps
draft
that
we
switch.
The
message
that
we
added
to
an
encrypted
extensions-
and
so,
if
that
all
ends
up
going.
F
I
Which
is
not
even
adopted
yet
so
like
who
knows
like
that
could
be
one
solution
for
generalizing
the
client,
this
this
mechanism
for
client
certificates.
C
Yeah,
I
think
ecker's
right
in
that
treating
these
discord
two
separate
cases
like
the
the
client
side,
size,
leak
being
orthogonal
from
server
side
size
league,
treating
those
two
separate
things
and
potentially
trying
to
address
the
second
or
the
first
one
later
via
alps
or
ee,
or
new
handshake
message.
Whatever
makes
sense,
it
moves
us
forward.
C
We'll
know
right
now,
also
that
this
is
like
totally
optional
on
the
server
side
you
don't
have
to
pad,
but
you
should,
but,
like
I
mean
you
could
also
just
it
doesn't
have
to
be
like
for
super
precise
either
it
might
not
have
to
be.
You
could
imagine
just
like
padding
to
some
obnoxiously
large
size
and
then
just
like
running
with
that.
G
Yeah
I
want
to
fly
one
more
point
in
case
it
hasn't.
People
haven't
noticed
that
you
also
may.
If
you
have
multiple
sizes
of
of
server
keys,
you
also
have
to
pad
that
out
so
say
you
have
rsa
and
you
have
ecdsa.
G
Then
you
have
to
you
have
to,
of
course,
pad
out
or
or
not,
but
you're
leaking
information.
If
you
don't
so
it's
not
it's
not
just
a
certificate.
It's
also.
It's
all
certificate
verified.
It
can
be
different
size.
I
Oh,
that's
the
worst.
I
don't
know
if
you
actually
want
to
hide
rsa
versus
ecdsa,
but
that's
another
matter,
but
if
you
did,
I
think
the
encrypted
extensions
design
would
explode.
C
Okay,
so
I
think
what
I'm
hearing
is
that
the
ee
approach
right
now
is
is
not
too
onerous.
We,
it
might
require
us
to
revisit
some
things
depending
on
you
know,
future
server
side,
design
deployments
going
on
that
might
happen
later
down
the
road,
and
this
padding
of
the
certificate
verify
issue
might
be
a
little
bit
tricky,
but
on
balance,
perhaps
it's
the
right
approach.
It
allows
us
to
treat
separately
the
client
side
in
either
this
draft,
or
even
in
a
fallout
draft
like
alps,
or
something
david.
I
F
I
Okay
with
this
design
as
well
but
like
it
seemed
to
me,
the
new
message
was
sort
of
like
fairly
straightforward
to
process
and
it
was
analogous
to
like,
if
I
imagine,
sticking
in
the
quick
layer.
Probably
what
I
would
do
is
like
change
the
crypto
frames
so
that,
like,
rather
than
being
a
stream
of
bytes,
it's
like
a
stream
of
like
bytes
from
two
streams
that
didn't
make
a
whole
lot
of
sense,
and
that
is
approximately
what
happens
when
you
stick
like
a
padding
message
inside
the
handshake.
C
All
right,
I
made
a
note
on
the
issue
to
reflect
this
and
we
can
work
on
a
pr
to
enact
it
and
then
land
it
all
right.
So
there's
only
two
other
things.
I'd
like
to
go
through.
Can
you
go
to
the
poll
requests
joe.
C
C
Yeah,
the
change
is
fine,
yeah
have
folks,
did
this,
and,
and
if
so,
do
we
want
to
allow.
G
G
I
don't
like
object
to
it.
Who
wants
to
do
it.
C
Yeah,
I
I
don't
know,
unfortunately
I
I
guess
it
would
be
better
famous
here,
maybe
there's
a
particular
use
case
in
mind.
I
Like
if
we
were
to
do
this,
then
it
ends
up
like
like
a
client
that
wants
to
do
this
ends
up
having
to
pay
for
like
three
extra
rounds
of
three.
It's
super
expensive,
three
extra
round
trips
for
every
connection
which
like
if
we
want
to
build
a
way
to
do
ech
without
like
it
seems
the
use
case
for
this
is
for
a
server
to
deploy
ech
without
having
to
as
tightly
synchronize
their
server
their
server
configuration
with
dns,
which
seems
like
potentially
a
useful
thing
for
deployments.
I
But
if
we
were
to
do
that
like
I
don't
think
we
would
want
to
do
it
with
a
three-round
trip
penalty
when
we
could
actually,
when
like,
we
could
do
it
with
a
one-round
trip
penalty.
In
principle,
if
you
know
you
like
like
effectively,
all
of
ech
is
an
optimization
around
like
you,
you
you
do
the
client,
hello
and
server
hello,
and
then
once
you've
got
the
handshake
keys,
you
like
actually
send
the
sni
and
various
other
client
hello
bits,
which
is
a
one
round
trip
penalty.
I
We
don't
really
want
a
one
round
trip
penalty,
so
hence
the
dns
stuff.
But
if
you
are
conceding
the
dns
stuff
anyway,
you
probably
don't
want
a
three
ranger
penalty.
That
seems
pretty
significant
and
it
seems
we
shouldn't
be
encouraging
that.
B
G
C
I
mean
could
be
also
like
following
the
other
issues
and
possible
ideas
like
just
throw
this
in
the
extension
in
the
ech
config
like
allow
clients
to
do
this.
If
the
server
deems
it
worthwhile
and
then
an.
C
Okay,
so
I'll
make
a
note
in
the
issue
that
not
there's
not
a
lot
of
enthusiasm
for
this
particular
change.
Use
case
is
not
clear,
and
this
also
something
that
could
be
addressed
with
an
extension
so
good
to
punt
great
only
one
other
issue.
Then,
if
you
go
back
to
the
issue
list,
joe.
C
And
while
you're
pulling
it
up,
it's
way
down
at
the
bottom,
251.
C
So
fred,
the
question
whether
or
not
we
should
have
basically
mandatory
to
implement
comes
so
that
clients
know
which
one
to
choose.
I
know
when
discussion
with
people
who
are
working
on
ech,
that
the
choice
of
chem
is
fairly
obvious
and
like
people
are
probably
going
to
use
the
same
thing,
but
certain
people
don't
really
care
for
mandatory
to
implement
cypher
suites.
So
I
I'm
just
curious
to
hear
what
folks
think
about
this
particular
proposal.
G
C
I
guess
okay.
F
Go
ahead.
Sorry,
chris,
I
was
just
thinking
like
from
a
getting
through
the
process
perspective.
I
understand
why
people
might
not
want
to
pick
one,
but
I
can
understand
the
isg
saying
you
know.
Why
didn't
you
pick
one?
Well,
you
know
you
picked
them
elsewhere.
Why
couldn't
you
pick
it
here?
Something
we'd
have
to
answer.
So
if
we
don't,
we
have
to
come
up
with
a
reason
why
it
seems
like
it
might
be
easier
just
to
pick
one,
because,
typically
that's
what
you
do.
C
So
so
I
guess
that
raises
the
question
which
chem
in
particular,
I
know
that
of
the
chems
that
people
are
implementing,
most
of
them
are
based
on
x2509.
However,
I
think
the
mandatory
suites
or
key
exchange
groups
inside
a46
are
like
p256
and
not
two
five.
One
nine
is
that
right,
eckerd.
C
It's
like
a
should
so
does
that
mean
we
should
also
have
p2v6
as
a
mandatory
to
implement
one.
If
so,
that
would
change
people's
plans
right
now,
as
I
understand
it,
what
did.
G
Mls,
do
that's
a
great
question.
I
don't
know
I've
been
trying
to
figure
out.
Like
I
mean
when
we
do
p256,
it
was
like
on
the
edge
of
like
two
five
five
one,
nine
being
like.
You
know
the
thing
yeah
and
so
hp
things
have
changed,
but
that's
why
I'm
curious,
how
like
it
lost?
How
much
addressed
it
they
just
decided
to
fight
following
that.
C
They
did
oh,
they
did
yes,
yes,
so
for
sweets.
G
I
mean
I
don't
think,
having
these
being
consistent
is
like
a
disaster
they're
like
no
they're,
not
connected,
I
mean
back
it
like
when
you
first
did
this.
They
were
like
really
connected,
but
now
they're
completely
disconnected.
So
I
mean
yes,
it
would
mean
you
do
two
five,
five
nine
stack
and
it
is
exact
but
like
so
what.
G
C
Okay,
so
I
guess,
unless
there's
objections
to
this,
we
can
propose
a
vr,
and
I
would
pick
account
based
on
x259.
Fred
is
here
actually
so
fred.
Is
that
the
chem
that
you
would
like
to
choose.
J
Yeah,
I
think
it
makes
sense.
It
would
also
make
sense
to
prevent,
having
based
on
other,
like
mandatory
cypher
suites,
an
algorithm
that
wouldn't
be
present
elsewhere.
But
to
me
they
were
fine.
F
C
Yeah
I'll
note
that
hpke
doesn't
specify
any
mandatory
to
implement
things,
so
I
don't
know
if
that's
relevant
or
not
it's
just.
It's
like
this
random
collection
of
you
know,
arbitrarily
composable,
chems
and
kdfs
effectively.
G
G
Well,
okay,
maybe
I
don't
track
that,
but
I
mean
like
putting
people
teaching
people
which
one
to
use
here
is
like
valuable,
because
it's
like
you,
don't
you
don't
get
a
lot
of
feedback
right
like
you
just
find
out
that
nobody
like
like
if
you
broadcast,
if
you
decide
to
do
you
know
if
you
decide
to
do
sex,
sex,
p256,
k1
and
and
no
one
decides
to
connect
to
you,
you
don't
know
like
there's,
nobody
who
did
nobody
do
ech
or
they
just
not
like
756k
one
right
so.
F
G
G
C
Yeah,
that
makes
sense
chris.
E
H
C
That's
it
for
the
issues
I
wanted
to
cover.
We
have
seven
minutes
left.
Is
there
anything
else
folks
would
like
to
talk
about
before
we
conclude
I'll
note
that
with
landing,
these
changes,
we're
probably
a
good
enough
state
to
ship
draft
8,
which
would
be
the
target
for
implementation
for
folks
and
all
the
remaining
issues
that
have
not
yet
been
resolved
are
mostly
editorial
in
nature,
so
we
can
address
them
separately
with
lower
priority.
E
C
Okay,
I
mean-
let's-
let's
I
guess,
address
that
later
after
you
know
you
get
through
the
change
and
we
have
some
sort
of
more
experience
to
draw
on,
but
I
certainly
think
that's
like
not
essential,
for
you
know
shipping
this
to
start.
E
C
Good,
that's
all
that,
like
I
said,
that's
all
I
have
joe
sean
anything
else.