►
From YouTube: LAKE WG Interim Meeting, 2020-12-18
Description
LAKE WG Interim Meeting, 2020-12-18
B
So
hello,
everyone,
this
is
the
lake
working
group
virtual
interim
meeting.
My
name
is
malisha
wuchenik
and
my
co-chair
is
steven
farrell
stephen.
Can
you
hear
us.
B
Okay,
great
so
essentially,
we
have
two
hours
allocated
today.
We
have
michael
richardson
and
euron
salander
volunteering
tonight
to
know
to
do
the
note
taking.
Thank
you
both
for
this.
B
B
So
on
the
agenda
today,
we
we
have
the
remaining
discussion
about
the
open
issues
from
the
ipf
109
meeting.
That
john
will
lead
and
we
will
prioritize
this
item
on
the
agenda
in
order
to
to
resolve
as
many
issues
as
possible.
We
have
we
have
a
report
coming
from
francesca.
B
Regarding
the
echo
interrupt
testing
that
happened
last
week,
I
believe-
and
then
I
opened
for
for
bashing
this
agenda.
We
received
one
request
from
renee
strike.
Renee
are
you
there.
B
Yes,
so
you
would
like
to
discuss
essentially
the
elliptic
curve,
cypher
suit,
lightweight
type
of
suit.
Is
that
correct.
D
That's
correct,
so
I
prepared
two
or
three
slides
and
I
think
it
would
be
able
to
provide
a
potential
solution
for
some
overstanding
issues
on
slide
14
to
17.
I
believe,
okay,.
D
That
could
be
done
as
long
as
we
don't
rehash
a
discussion.
I
could
also
just
put
those
two
slides
on
and
then
you
you
can
bury
the
mind
for
the
other
discussion
up
to
you.
B
Yeah,
so
I
would
prefer
to
prioritize
the
issues
and
then
essentially
because
your
slides
to
my
understanding
refer
to
the
last
issue,
which
is
the
mti
suit.
So
let's
not
make
any
decisions
on
that
before
you
present.
Your
slides
is
that
is
that
okay,
perfect,
all
right
perfect.
So,
let's
write
add,
let's
add
in
the
agenda
for
any
strike
after
the
issues
for
10
minutes
for
10
minutes
and
then
we'll
have
any
other
business
at
the
end.
B
So
that
concludes
the
chair
slide
and
the
first
item
on
the
agenda
is,
I.
C
C
B
F
F
F
So
this
is
updates
of
the
issues
that
we
discussed
at
the
last
meeting.
I
also
sent
out
this
is
basically
the
same
text
as
I
sent
out
on
the
list
so
resumption,
nothing
to
do
agreement
and
negotiating
of
parameters.
Here
we
have
added
a
new
appendix
it's
around
one
page
that
describes
everything
that
needs
to
be
agreed
between
the
initiator
and
the
responder,
and
this
was
based
on
a
suggestion
by
michael
richardson.
F
F
Then
we
had
an
issue
on
identifying
certificates
and
appears-
and
here
there
has
been
quite
a
lot
of
discussion
in
the
course
working
group.
There
is
ongoing
thread
how
to
identify
a
certificate
with
a
kid
and
also
there's
been
a
request
offline
to
add
receiver
certificates
to
the
ad
hoc
test
vectors,
so
the
zebra
certificate
zebra
certificate
draws
currently
lack
a
private
key
to
enable
this,
but
this
will
be
added,
and
then
this
will
be
added
to
the
add-on
test.
Vectors
on
github.
F
F
F
F
So
there
was
a
request
last
time
that
we
added
text
on
how
to
distinguish
an
error
message.
This
has
now
been
done,
but
this
issue
has
spawned
several
new
discussions
on
github
marco
has
asked
and
provided
an
answer
for
how
to
distinguish
message,
one
from
message:
three.
This
seems
to
be
more
implementation
guidance,
but
maybe
there's
some
something
test
also
needs
to
be
explained
stricter
in
the
draft.
F
Then
there
has
been
a
request
from
I've
forgot
from
who,
but
to
right
now
the
error
messages
in
ad
hoc
or
undefined
text
string
that
application
can
set
to
whatever
they
want,
except
for
the
list
of
cipher
suits.
The
list
of
cypher
suits
can
be
automatically
acted
on,
but
everything
else
is
cannot,
and
it's
also
not
standardized.
So
there's
a
discussion
on
github.
Whether
ad
hoc
needs
to
provide
standardized
error
messages
in
the
form
of
strings
or
integers.
F
G
So
perhaps
marco
wants
to
say
something
about
distinguishing
error
messages.
The
second
okay,
the
first
bullet
was
from
our
code.
The
first
sabbat
bullet
on
issue.
30
was
from
marco
and
the
second
one
was
from
stefan
ristisol,
who
is
not
here,
so
I
don't
think
he
will
be
able
to
provide
more
than
on
the
issue.
But
marco
maybe
has
something
to
say
about
distinguishing
error
messages,
or
someone
else
may
have
some
input
on
on
what
we
need
to
specify
here.
H
Hi,
marco,
here
just
added
one
more
comment
on
the
github:
it's
definitely
implementation
guidance.
I
don't
think
there's
anything
big
to
fix
in
the
in
the
protocol
itself.
It's
just
that.
There's
a
lot
of
flexibility
in
in
the
roles
that
you
client,
server
or
reversed
can
take.
They
can
have
multiple
ongoing
adult
executions
and
it's
just
important,
I
think,
and
simplifying
to
understand
what
exact
message
it
is
when
received
before
starting
anything
else.
G
I'm
trying
to
understand
why
they
would
have
multiple
I
mean
they
could
have.
I
see,
but
but
is
there
a
use
case
for
for
multiple,
multiple
ad
hoc
sessions
in
parallel.
H
H
H
I
You
should
understand
from
from
from
the
correlations
like
this
is
a
response,
so
you
can
correlate
to
the
request,
which
means
that
you
can
correlate
to
which
to
the
message
like
you
can
okay.
This
is
a
message
too,
because
it's
a
response
to
message:
one
example:
if
you're
using
co-op,
that
would
be
using
the
token
the
co-op
token.
H
H
Maybe
it's
because
just
I'm
structuring
in
terms
of
read
message,
one
read
message
too,
and
I
really
need
to
understand
what
to
invoke
and
which
path
I
should
take
based
on
what
message
it
is.
So
it
seemed
to
me,
like
the
first
thing,
to
understand
really.
F
I
think
it's
a,
I
think.
Any
implementation
experience
here
is
is
great,
just
trying
to
figure
out
if
it's
implementation,
guidance
or
if
you
are
doing
something
specific,
optimization
or
if
we
should
yeah.
G
Good,
we
have
that
in
the
issue
now,
so
we
will
yeah.
We
just
remember
this
and
then
on
the
error
messages.
G
E
Even
when
you
read
the
logs
on
the
server,
you
often
had
no
idea
until
you
turned
debug
on
and
in
many
cases
people
were
unable
to
make
things
like
ordinary
people
were
unable
to
make
things
work
without
getting
an
expert
involved
because
simple
things
like
you
used,
the
wrong
key
were
never
revealed
and-
and
I
think
that
contributed
to
the
failure
of
of
ipsec
to
be
ubiquitous.
G
So
can
can
someone
provide
someone
who
has
been
working
with
the
implementation,
provide
some
input
on
what
in
which
situations,
this
an
error
message
would
be
good
or
what
kind
of
error
message
we
need?
How
should
we
get
to
that
set.
G
J
Generally
you
when
you
design
error
messages,
you
need
to
be
aware
of
whether
the
error
message
has
an
influence
on
the
state
machine
or
not,
and
if
it
has
an
influence
on
the
state
machine,
then
you
need
to
standardize
it,
and
if
it
doesn't
you
don't
so,
I'm
I'm
trying
to
understand
what
what
kind
of
distinction
people
are
making
here.
Certainly,
there
should
be
an
admonition
to
provide
good
diagnostics,
but
that's
different
from
standardizing
error
messages.
F
E
So
maybe
this
is
less
of
an
issue
given
google
translate,
but
one
of
the
issues
was
in
ike
at
least
was
dealing
with
local
translation
of
error
messages
and
that's
where
it
would
have
been
nice
to
have
them
defined.
E
G
So,
michael
this,
this
translation-
I
don't
know
if
I
got
you
right,
but
I
don't
think
there
is
any
need
for
for
for
deviating
from
english
here
in
this
setting.
What's
that,
no,
the
point.
E
Is
that
the
point
is
that
if
you
have
an
error
number,
then
that
number
can
be
looked
up
in
a
table
and
can
be
tran
can
provide.
You
know
local
information
in
a
local
language,
about
what
you
did
wrong,
whereas
the
english
text
string
is,
of
course
something
that
the
other
implementer
made
up
and
therefore
isn't.
E
It
could
mean
anything
right
so
that
that's
that's
the
that's
the
the
thing
I'm
trying
to
say:
okay,
there's
an
smtp
right,
I
mean
we
did
we
we
we,
we
wound
up
with
the
situation
where
we
got
nationalized
bounce
messages
which
people
realized
they
couldn't
read.
They
didn't
know
what
was
wrong,
and
so
we
had
to
really
be
careful.
We
had
came
back
and
added
these
dotted
error
messages
that
had
more
meaning
so
that
you
actually
could
actually
know.
F
C
So
just
I
put
this
in
jabra
just
as
a
time
check
where
nearly
25
percent
of
the
meeting
passed
and
yeah.
F
F
We
have
done
the
transformation
from
hkdf
to
more
general
extract
than
expand
and
for
short,
two
hkdf
is
used
for
shake
kmac
is
used
and
got
several
questions
on
this,
and
the
intention
is
not
to
standardize
any
new
cypher
suits
but
like
any
all
cosy.
Algorith
can
be
used
with
a
private
cyber
suit,
and
this
change
does
not
affect
any
current
implementation.
F
F
The
only
difference
is
that
hpke
force
extract
and
expand
in
one
step
inside
the
hpk
functions,
while
adhoc
used
them
as
two
different
functions
and
use
the
intermediate
keys
for
four
things
and
derive
several
expand,
use
expand
several
times
on
the
same
intermediate
key,
then
the
static,
the
helmet
does
not
map
well
to
hp
key
at
all,
unfortunately,
or
it
it
it
could
be
made
to
map.
F
F
So
I
don't
think
this
should
be
done.
I
think
it
might
be
worth
considering
to
to
look
at
how
in
the
future
so
that
it's
possible
to
expand
it
to
to
use
pqc
algorithms,
but
don't
think
it's
essential
it
looking
at
the
pqc
outwards.
I
think
there
might
not
be
a
strong
use
case
to
use
chem
malgrids
at
all.
It
might
be
more
lightweight
or
equally
lightweight,
with
the
pqc
signatures,
depending
on
the
requirement
and
limitation
of
the
pqc
algoriths.
D
Yes,
mr
renee,
wouldn't
it
be
better
to
rule
pqc
the
races
out
of
scope
for
now,
and
then
you
can
always
add
another
other
suite
id
to
accommodate
that
in
the
future
right,
because
otherwise
you
have
to
already
anticipate
design,
picks
right.
F
Yes,
I
think
the
only
is
what
I
was
considering
here
is
that
maybe
with
pkc,
you
need
to
send
an
array
of
of
byte
strings
instead,
instead
of
a
single
byte
string.
So
I
don't
know
if
it
even
would
be
any
changes
to
the
protocol
messages,
but
it
would
be
good
to
make
sure
that
if
somebody
wants
to
use
a
pqc
algorithm
in
the
in
the
future,
they
can
define
such
a
scifi
suite.
F
F
So
here
is
a
issue
that
was
not
discussed
last
time
but
has
been
implemented
in
zero.
Three.
At
the
last
meeting,
we
had
received
a
request
to
register
cypher
suits
with
high
security
following
aligning
with
cnsa,
and
after
that
we
have
received
a
second
independent
request
to
do
exactly
the
same
thing.
F
There's
also
a
request
to
make
a
more
general
non-constrained,
but
not
high
security,
cipher
suit.
So
zero
three
adds
two
new
cypher
suits
one
aligning
with
cnsa
it's
the
as256,
and
then
it
has
an
a
second
cypher
suit
with
asgcm
and
curve245519
is
aligns
nicely
with
what
is
used
very
commonly
on
the
web.
Maybe
it's
not
absolutely
most
common,
because
rsa
is
probably
more
common
than
ecdsa,
but
this
would
probably
be
the
second
most
common
used.
Algorithm
combination
on
the
web
today.
D
One
question
here
like
actually
two,
but
so
the
the
first
dash
item
on
the
switch
the
csnh
cnsa
suite.
Would
it
make
sense
to
also
kind
of
to
codify
some
of
what
pack
is
on
the
byte
count.
D
And
then
I'm
asking
is
because
in
the
past
I
got
it.
I
understood
that
the
51
bytes
was
a
very
hard
limit
for
some
applications,
but
yeah.
Some
of
these
definitely
don't
accommodate
that
right.
F
D
F
D
Because
if
the
let's
say,
if
you
go
for
for
cnsa
suites,
some
of
the
optimization
techniques
that,
in
my
kind
of
layman,
version
of
looking
at
the
lake
effort
have
less
impact
right
because
yes,
like
some
of
the
optimizations,
that
they
have
a
diminishing
return.
If
the
buy
initial
byte
type
is
already
higher
right.
F
F
F
G
D
F
D
D
F
F
F
There
might
be
an
update
and
there
might
be
an
up
optimized
update
of
this,
and
then
the
discussion
has
been
that
it
would
be
good
with
lightweight
forward
secrecy,
for
example,
I
hashane
at
some
level,
and
one
comment
was
that
it
would
be
good
if
this
is
done
in
ad
hoc.
You
have
since
received
some
other
comments.
That
might
maybe
it's
good
to
do
it
in
or
score.
I
think
both
are
good
are
possible.
F
F
I
think
it's
still
for
far
to
start
whether
it
is
known
this
counter
around
a
number
or
a
counter
plus
random
number,
but
in
high
level
the
cryptographic
principles
of
this.
Now,
when
I
look
I
happen
to,
they
agree
quite
very
well
with
what
kartik
suggested
already
a
year
ago.
I
think,
and
I
think
the
whole
idea
with
a
lightweight
forward
secrecy
is
based
on
that,
but
yeah
any
comments
on
this.
B
So
and
john
this
is
militia.
I
just
have
a
clarification
question
the
nonce.
You
say
that
the
nonce
comes.
It
can
be
a
counter
random
number
or
counter
plus
random
number.
So
I'm
wondering
how
do
you
synchronize
this?
Between
I
mean?
Do
you
explain
the
messages?
I'm
not
clear
on
the
mechanism
exactly
how
it
works.
F
So
basically
that
idea
here
would
be
that
you
you
do
that,
and
then
both
parties
reach
out
to
oscor
and
get
a
new
key
with
forward
secrecy
and
the
random
numbers
and
all
the
message
whole
oscar
messages
sent
by
the
by
the
initiator
and
the
client
that
could
be
the
nonce
to
the
ad
hoc
exporter
or
or
it
could
be
a
you
could
do
it
with
a
counter
in
ad
hoc
and
then
score.
F
B
Okay,
but
I'm
confused
about
the
whole
mixing
of
ad
hoc
and
oscar
part,
because
appendix
v2
to
my
knowledge
is
oscar.
So
this
is
the
exchange
of
nonsense
that
happened,
and
now
you
are
saying
essentially
that
these
nonsense
get
used
in
the
ad
hoc
exporter
interface
to
generate
a
new
key
for
us.
Is
this
correct.
F
Yes,
so
what
oscar
would?
What
oscar
normally
do
is
that
it
it
calls
the
ad
hoc
exporter
interface.
Give
me
a
key
in
this
case,
although
oscar
would
call
ad
hoc
exporter,
and
then
it
would
call
at
some
point
later.
It
would
call
this
ad
hoc
exporter
forward
secrecy
function
with
the
nonce
to
update
the
key
in
ad
hoc,
and
then
it
would
call
the
ad
hoc
exporter
again
to
get
a
new
key,
that
that
is
the
second
key
in
this
prk
forex
3m
hashtag,
okay,.
B
F
A
counter
yeah,
but
yes,
you
need
the
reason
that
you
want
unknowns
in
this
is
because
otherwise
it
might,
if
you
have
really
bad
luck
in
practice,
is
probably
work
anyway.
But
theoretically
the
hash
of
the
key
could
be
the
same
key
again,
and
then
you
have
a
cycle
of
length,
one
which
just
repeat
itself,
so
typically
in
cryptographic,
primitives,
you
want
to
add
something
so
that
you
can
guarantee
a
long
cycle.
B
Okay,
and
do
we
need
any
review
of
the
cryptographic
construction
of
this.
F
It
doesn't
hurt,
but
right
now
I
think,
let's,
let's
work
more
on
the
practical
details,
I
think
the
cryptographic
parts
are
not
the
hard
part
here.
Maybe
it's
more
synchronization
problems
and
so
on,
but
but
absolutely
all
cryptographic
review
of
this
at
a
later
at
a
little
bit
later,
state
or
or
right
now,
also
and
for
the
cs-
is
of
course
welcome.
B
Okay,
so
essentially
we're
proposing
to
move
on
to
work
out
the
details
about
the
synchronization
of
counters
and
then
to
come
back
to
the
review
of
the
crypto
mechanism.
G
I
think
I
think
if
someone
wants
to
be
involved
in
the
discussion.
That's
that's
very
welcome
right
now,
if
you
want
to
contribute
or
or
part
of
be
part
of
this
fleshing
out
the
details
that
that's
definitely
welcome.
So
it's
no,
no
reason
to
wait.
If
you
have
an
opinion
here,
I
think,
but
it's
not.
F
E
E
G
F
B
F
My
feeling
is
that
this
make
the
specification
a
bit.
It
add
complexity
to
the
specification,
but
also
add
complexity,
to
develop
this,
which
would
be
bad
basically,
a
developer.
Only
having
access
to
a
code
c
library
would
have
to
dig
into
the
implementation
of
the
because
the
algorithms
dig
out,
aes
and
cha-cha
and
then
probably
implement
a
stream
cipher
mode
of
these
on
their
own.
F
So
I
think
I
would
like
to
not
do
that
and
instead
going
back
and
doing
either
suggestion
one
or
suggestion
two
and
suggestion
one
is
how
ad
hoc
zero
two
looked
like.
Basically,
you
generate
key
stream
with
hkdf
expand
option.
Two
would
be
to
encrypt
message
tree.
F
No,
not
really
I
yeah,
but
option
two
is
implemented
in
their
dog
zero
three
option.
One
here
is
implemented
in
addox
zero.
Two
we
got
some
previous
version
wrote
that
we
use
the
source
cipher,
which
is
associated
with
bad
security,
because
people
use
it
with
a
short
key
and
so
on,
but
I
think
so
if
we
use
that
we
should
fine-tune
the
text
a
little
bit
to
not
to
get
less
negative
comments.
B
Github,
so
just
a
clarification
question:
what
a
e
a
d
algorithms
do
not
have
a
well-defined
tag
exactly
so.
F
F
You
can
do
that
if
you
have
some
to
pass
encryption
algorithm,
but
I
think
none
of
the
common
algorithms
have
all
the
commonly
used.
Algorithms
have
a
well-defined
tag.
Yeah
and
if
it
doesn't,
you
don't
need
to.
The
tag
here
needs
to
be
removed
to
fit
in
the
46
bytes
in
laura1
and
so
on.
There
is
no
problem
if
the
tag
is
left.
If
you
don't
have
this,
if
you
don't
need
this
very,
very
optimized
messages,
but
the
tag
itself
here
does
not
provide
any
security,
as
explained
in
the
sigma
paper.
B
Yeah,
so
in
summary,
essentially,
we
would
be
good
enough
with
option
number
two.
If
we
were
if
we
had
only
the
cyphers
with
the
well-defined
tag,
but
you
are
saying
in
future
someone
might
standardize
ad
hoc
with
one
of
these
pipers
that
do
not
have
a
well-defined
tag
and
no,
I
think,
that's
very
unlikely.
Yeah.
F
This
was
one
of
the
option
discussed
at
the
last
meeting.
Option
number
three
here
associate
an
encryption
without
integrity,
algorithm
with
each
aad
algorithm.
F
Okay,
then,
I
think,
if
there's
no
more
comments
directly,
I
think
we
invite
more
people
developing
ad
hoc
to
come
with
input
if
they
would
prefer
to
go
back
to
solution
one
instead
of
two,
but
right
now,
number
two
is
implemented
in
zero.
Three.
B
But
this
is
more
of
a
cryptographic
decision
right
so
I
mean
I
think
it
would
be
good
to
discuss
this
in
the
terms
of
the
working
of
not
only
developers,
so
it
might
make
sense
to
maybe
send
an
email
to
the
list
opening
this
for
for
discussion,
proposing
option
number
two
and
seeing
if
there
are
any
objections
to
it.
F
F
F
B
D
D
Adjustment
specification
like
oh,
these
are
the
cryptographic
constraints
and
then
maybe
I
can
see
whether
something
else
would
also
be
a
feasible
option
from
a
crypto
perspective.
F
So
now
we
have
new
issues.
Should
we
take
them
in
order
or
should
we
take
this
cypher
suit
issue
first,
but
also
renee
have
slides
on.
B
So
we
have
one
hour
and
five
minutes
to
go,
so
I
think
that
is
enough
time
that
we
go
through
the
remaining
seven
of
your
slides
and
they
run
that
wide
okay.
So
I
propose
that
we
just
keep
going
in
order.
Yeah.
F
F
F
But
looking
more
of
that,
I
think
it
basically,
the
same
things
apply
for
also
for
the
signature
and
also
for
tls.
Basically,
after
sending
the
third
message,
the
initiator
does
not
know
if
the
responder
has
or
can
calculate
this
session
key,
and
it
can
go
wrong
in
call
norman
at
all,
showed
it
in
a
very
theoretical
way,
but
you
can
also,
for
example,
the
responder
might
not
like
the
certificate
of
the
initiator
and
refuse
the
message.
F
F
There
is
an
draft
in
core
draw
of
palombino
core
oscor
ad
hoc
that
allows
the
messages,
the
application,
data
and
message
three
to
be
sent
together
this,
and
if
you
then
require
response,
this
solves
some
of
the
this
problem
in
some
of
the
scenarios,
but
not
all,
and
the
question
is
if
so,
basically
to
basically
to
you,
don't
need
to
get
key
in
confirmation
in
ad
hoc,
as
it's
well
known,
any
application
data
with
a
mac
can
basically
be
used
for
so
as
long
as
they
initiate
the
get
au
score
from
the
responder.
F
He
has
key
confirmation,
or-
or
you
can
imagine,
co-op
use
cases
where
the
data
are
only
going
in
one
direction.
So
one
suggestion
has
been
to
add
optional.
Fourth
message
to
ad
hoc-
and
this
should
probably
not
be
it-
should
be
communicated
somehow
or
requested
by
the
initiator.
If
this
should
be
sent.
F
E
It
seems
like
maybe
that
in
some
cases
it's
completely
not
mandatory
to
implement,
and
but
in
other
cases
you
wouldn't
know
because
who
wants
to
re-key
first,
so
everyone
would
have
to
implement
it.
E
E
Well,
so,
if,
if
you
have
a
case
where
you
have
a
responder
who's,
always
a
server
and
therefore
the
point
you
know
where
was
the
point
about
the
initiator
is
not
the
os
core
client.
If
that's
always
the
case
that
the
ad
hoc
initiator
is
always
the
os
core
client
and
therefore
the
ad
hoc
responder
is
always
the
os
core
server,
then
we
never
need
it
right.
G
E
G
E
G
Is
that
that
what
you're
saying
that
was
one
scenario
I
don't
know,
if
that's
the
scope
of
I
mean,
I
think
we
should,
but
in
the
case
of
this
draft
mentioned
here
in
the
third
dash,
I
think
which
it
should
be
required
to
send
the
response.
E
Will
solve
that
problem,
but
it
solves
the
problem
without
adding
any
complexity
to
ad
hoc,
just
make
sure
there's
always
a
response
right.
So
if
we're
in
agreement
with
that,
then
it's
only
the
case
when
that
point
is
not
true
when
the
ad
hoc
initiator
is
not
the
os
core
client
that
we
need
to
worry
about
about
the
question
of
whether
we
need
to
make
this
mandatory
to
implement.
E
F
E
B
So
maybe
just
a
silly
question
on
my
side,
because
when
I
was
going
through
the
github
issue,
I
saw
one
proposed
resolution,
which
is,
I
quote,
the
recommendation
is
to
wait
with
starting
the
king
material
long
term
until
key
confirmation
has
been
shared.
B
Where
we
expect
the
application,
the
application
traffic
and
the
mac
to
be
received,
and
once
that
is
once
the
application
traffic
is
received
with
the
corresponding
max,
we
consider
the
key
as
confirmed
and
we
started
long-term.
B
G
B
B
Essentially
we
can
just
bypass
this
by
having
by
waiting
with
storing
the
king
material
until
the
key
confirmation
has
been
assured-
and
that's
to
me
means
like
a
timeout
mechanism
that
that
is
triggered
at
one
side
before
the
key
is
confirmed
and
the
key
is
considered
confirmed
once
application
traffic
is
received.
G
I
G
Or
have
an
sort
of
a
mandatory
text
about
not
using
the
keys
until
confirmation
seems
independent
to
me.
G
Well,
no,
I
mean
the
problem
is
that
we
don't
really
know
about
the
applications
and-
and
we
don't
know
whether
applications
is
able
to
confirm
within
within
the
time
frame.
So
maybe
that's
that
message
four
would
be
the
right
way
to
get
key
confirmation
at
this
point
and
then
at
some
later
unknown
time
this
is
actually
used,
so
maybe
the
application
doesn't
really
know
cannot
really
say
for
a
long
time.
You
need
to
wait
before
before
the
application
is
actually
using
the
keys,
but
you
want.
F
F
F
B
So
yeah,
I
guess
I
if
the
cost
of
of
adding
message,
four
as
optional
as
michael
said,
is
not
too
high.
I
guess
we
can
go
and
then
make
it
stand
alone.
Make
catholics
stand
alone
and
not
rely
on
the
application?
Trafficker,
because
that's
good.
B
No,
no!
No!
No,
I
said
in
case
there
is
no
implicit
confirmation
application.
We
have
message
four
at
our
disposal
to
confirm
the
key.
F
B
K
F
So
here's
the
issue
about
t-e-e
assumption
this
was
also
raised
by
the
formula
verification.
They
wanted
more
clearer
assumption
on
where
ad
hoc
and
oscorp
were
implemented,
and
basically
the
trusted
execution
environment
has
gone
from,
basically
only
being
as
key
storage
like
tpm
to
being
a
general
execution
environment
like
intel,
stx
and
so
on
or
in
the
arm
trust
zone.
F
Then
then,
you
get
better
properties
if
that
is
in
ad
hoc,
then
or
score,
for
example,
if
the
assumption
is
that
ad
hoc
is
in
a
t,
e
and
o
score
is
outside
of
dte,
and
I,
based
on
the
discussion
in
in
on
github,
I
think
basically,
it's
possible
to
implement
the
whole
ad
hoc
protocols,
but
maybe
every
assumption
could
be
that
the
ad
hoc
keys
are
stored
in
in
a
tee.
There
are
keys
and
any
cryptographic
operations
on
them.
G
Yeah,
I
think
this.
This
is
what
what
the
reviewers
or
the
the
the
people
who
work
on
formal
verification
would
want.
Is
the
security
considerations
around
this
sort
of
what
what
benefits
do
we
get
from
storing
certain
keys
or
secrets
in
the
te?
What
what
other
properties
we
we
we
will
get
out
of
the
protocol.
So
that's
it's
more
like
an
understanding
of
how
to
use
te
in
the
context
of
ad
hoc
and
writing
that
down
in
the
security
consideration.
F
Yeah,
but
I
think
it
it
came
from
the
formal
verific,
but
I
think
it's
it's
not
so
they
they
will
not
use
ad
hoc.
I
think
what
is
interesting
is
how
should
we
give
guidance
to
people
using
ad
hoc?
Not
people
really
doing,
even
if
that's
also
good,
to
have
clear
assumption
for
people
doing
formal
verification,
but
I
think
no,
no
all
the
time
it's
a
bit
broader
than
that.
G
That's
I
mean
for
for
explaining
what
parameters
should
be
stored
where
so,
it's
not
only
for
them
it's
for,
and
we
could
have
this
as
an
implementation
guidance,
if
that's
that's
a
better
place,
but
basically
it
should
be
clear
what
parameter
what
benefits
is
is
obtained
by
storing
certain
secrets
in
in
a
trusted
execution,
environment.
G
E
I
think
yep
go
ahead,
so
I
I
think
that
there's
clearly
a
a
pyramid
of
you
know
benefit
right.
There's
no
point
in
putting
the
the
ephemeral
public
keys
in
the
tee
and
not
the
long-term
public
authentication
key
right.
That's
a
that's,
probably
a
silly
thing
to
do
so.
I
I
think
that
should
be
documented.
More
specific
advice
really
depends
like
the
the
ephemeral
public
key.
If
it
lets
you
blow
up
the
nuclear
reactor,
then
maybe
it
should
go
in
the
t-e-e.
E
E
So
I
think
that's
going
to
be
very
specific
and
I
don't
think
our
document
can
really
say
that
I
think
it
should
simply
say
make
it
clear
what
keys
are
related
to
what
other
are.
Are
they
derived
from
or
or
related
to
something
and
the
loss
of
certain
keys?
What
does
that
result
in
and
that's
all
and
by
loss
I
mean
not
compromise.
I
mean
like
it
like
the
key
gets,
destroyed
or
or
can't
be
used
anymore
for
some.
E
F
I
think
I
I
think
what
michael's
said
is
a
good
start.
I
think,
unless
we
have
any
very
clear
I
I
don't
think
we
will
have
any.
I
think
the
implementations
will
look
very
different
and
we
we
have
to
allow
any
type
of
implementation.
I
think
we
can
only
give
guidance
as
michael
says,
explain
what
happens
in
in
different
cases.
If
you.
F
Mica
talk
about
destroy
keys,
but
one
thing
is:
if
key:
if
x
is
compromised,
then
storing
then
y
is
not
compromised.
If
it's
stored
in
a
t,
e
e,
I
didn't
where,
where
would
the
key
speed
destroyed?
E
If,
like
like,
imagine
if
I
do
a
firmware
update
and
it
decides
to
reinitialize
the
keys
right
so
that
that
that
may
be,
it
may
be
perfectly
acceptable
for
the
ephemeral
public
key
to
be
regenerated
at
a
firmware
update,
but
that
the
the
long-term
public
authentication
key
is
in
the
tee
and
therefore
is
never
affected.
E
E
It
sure
is
if
it
leads
to
somebody
deciding
that
they
can't
deploy
this
or
that
they
want
to
use
something
weaker
right:
okay,
okay,
yes,.
C
So
can
I
jump
in
with
a
time
check,
I
think
we're
waiting
for
about
40
minutes
left.
I'm
not
sure
this
issue
is
really
on
the
critical
path.
No.
F
Let's
move
on,
then
we
have
forward
and
backward
secrecy.
These
are,
I
think
we
have
this.
We
have
already
discussed
this
in
the
aad
key
thing,
but
basically
re-running
one
option
to
get
forward
and
backward
secrecy
or
post-compromise
secrecy
is
to
re-run
ad
hoc
with
the
new
dfe
helmand.
Then
you
get
both
of
these
properties.
F
F
F
Is
that
it
it
periodically
for
signal
every
message,
but
you
could
do
it
every
nth
message
or
something
you
could
send
generate
a
new
ephemeral
if
a
helmet
key
and
send
to
the
other
person
who
just
calculates
a
new
key
but
doesn't
really
send
any
back.
So
you
have
ephemeral
static
if
a
helman
ping
back
and
forth,
and
this
requires
two
asymmetric
operations
on
the
initiator
and
one
on
the
responder,
and
this
would
then
be
a
little
bit
but
not
much
cheaper
than
rerunning
ad
hoc.
F
It
requires
one
message,
and
maybe
two:
if
you
want
to
have
a
ack
and
basically
half
the
amount
of
asymmetric
operations.
Comments
on
github
so
far.
Is
that,
let's
not
do
it,
the
trade-offs
are
or
not
worth
it.
That's
too
much
much
complexity,
and
if
you
want
good
security,
you
rerun
ad
hoc
instead.
F
Doesn't
seem
to
a
bit
complicated,
I
can
not
really
explain
either
exactly
what
security
properties
you
would
get
from
this,
and
it
might
also
lead
to
a
lot
of
synchronization
problems
that
are
might
be
easy
or
hard
to
fix.
So
I
think,
if
there's
no
comments,
we
go
to
the
next
slide
and
have
the
conclusion
that
we
don't
do
any
form
of
ratcheting.
F
So-
and
here
is
these
are
several
slides
and
this
is
a
complicated
issue,
a
lot
of
discussion
and
I
don't
think,
there's
any
easy
answer
to
a
lot
of
these
questions.
So
this
is
related
to
the
cypher
suit,
with
different
shaw,
algoriths.
F
And
the
use
of
sha
512
in
constrained
iot,
which
is
not
implemented
everywhere
and
then
also
discussion,
of
which
cypher
suit
should
be
mandatory
to
implement
if
any
selfish
suit
should
be
mandatory
to
implement
and
there's
a
lot
of
comments
on
this.
This
has
been
discussed
for
a
long
time
and
there's
comments
in
a
lot
of
different
direction.
F
F
F
F
Maybe
I
think
we
go
through
all
the
slides.
Unless
there's
any
comments,
then
performance,
several
people
have
pointed
out
that
they
want
they
have.
They
are
depending
on
low
latency
and
with
modern
devices.
It
starts
to
be
less
and
less
of
a
problem
but
curve
they
say:
curve25519
is
significantly
faster.
F
F
Is
a
number
I
got
from
a
company
recently?
If
you
search
on
the
internet,
you
can
find
very
different
differences,
but
it's
hard
to
compare.
Often
they
compare
unoptimized
code
for
p256,
so
I
think
the
difference
have
shrunk.
The
last
five
years.
You
could
see
larger
differences
five
years
ago
than
you
see
now
then
third
trade-off
here
is
security.
F
And
the
I
don't
know
exactly
why
renee's
set
up,
but
one
thing
is
that
deterministic
signature,
algorithms
are
not
very
good
for
accessible
iot
devices
because
of
side
channel
attacks.
John,
can
I
have
a
comment
for
a
second
absolutely
do
that?
I
don't
think
I
despise
it
like
that.
Okay,
yeah,
you
you,
you
use
quite
hard
words.
Sometimes
yeah.
F
D
So
I
I
think
both
ec
dsa
and
at
255
at
the
dsa
are
theoretically
they're
fine
monsters,
norske,
even
the
other
one
was
easy,
dsa,
the
only
problem.
The
main
problem
I
think
with
ed25519,
is
now
that
it's
deterministic
and
it's
basically
there
are
lots
of
papers.
There's
a
recent
one
in
the
ssr
standardization
crypto
conference
about
taming
the
many
versions
of
at
255.9,
and
I
think
that's
the
main
problem.
D
F
There
is
a
risk,
quite
new
cfrg
draft
on
threshold
cryptography
with
with
curb
2519,
and
they
said
that
they
can
do
with
curve25519,
but
not
with
p256,
at
least
not
in
an
easy
way.
F
Then
so
question
here
is:
what
should
we
have
as
the
mti
cipher
suit?
If
anything,
it
does
not
seem
to
be
an
ideal
people.
Support
is
important.
So
if
you
have
a
single,
it
seems
that
ecdsa
p256
might
be
the
option,
but
other
people
has
there's
a
lot
of
people.
Also
wanting
the
security
and
performance
of
ed2519
different
group
of
people
wanting
different
things,
and
but
the
question
is:
do
we
do
we
have
to
have
a
mandatory
to
implement
algorithm
cosi?
Has
the
text
that
applications
using
codes
needs
to
define
the
set
of
security?
F
Algorithms
that
are
to
be
used?
Ad
hoc
is
not
an
application.
It's
it
would
be
used
by
applications,
so
maybe
we
could
have
the
same
text
or
we
could
have
both
of
these
algorithms
mandatory
to
implement.
So
I
think
this
is
the
technical
question,
but
it's
also
a
political
idf
question.
I
know
I
don't
think
the
ad
is
here
and
I
think
if
we,
if
we
don't
want
to
have
a
mandatory
to
implement,
then
I
think
we
need
to
confirm
with
the
80
that
that
would
be
acceptable.
F
B
Okay,
so
other
than
these
two
options,
I
believe
renee
had
his
slides
presenting
a
third
option,
so
I
propose
that
rena
goes
ahead
with
his
slide
and
then
we
come
back
to
this
and
make
and
discuss
this
in
more
details.
Yes,
does
anyone
object
that.
F
F
F
Renee
has
suggested
a
wire
strass
version
of
ker
255
with
shaw
2056
that
solves
some
of
the
problems
with,
but
not
all
problems
with
the
other
two
hillary
started
talking
about
that.
Atf
should
maybe
look
at
standardizing
something
even
more
optimized
called
qdsa
and
there's
also
a
question
whether
shaw
256
will
be
the.
F
F
D
Hello,
I
just
wanted
to
ask
for
some
time
and
and
I'm
grateful
that
I
was
given
the
opportunity
to
discuss
a
potential
option
for
a
cypher
suite
in
the
the
adult
protocol.
So
let's
go
to
the
next
slide.
I
don't
think
I
can
do
that
myself
right.
D
Oh
yeah
yeah,
so
this
slide
looks
very
busy,
but
essentially,
if
you
look
at
the
first
column
that
uses
that
is
listed
as
ecdsa256
and
ecdh256,
that
is
cypher
suite.
That's
currently
supported
in
ad
hoc
as
option
two
or
three
with
some
symmetric
component
as
well,
and
it
uses
the
well-known
list
p256
curve,
sha-256
and
ecdsa
or
vector
diffie-hellman
with
kdf
based
on
xia256,
the
second
column
it.
It
is
addox
suite
zero
one.
D
It
uses
the
at
two
five
five,
one
nine
sixty
scheme
and
it
uses
x25519
as
the
diffie-hellman
key
agreement
protocol.
And
if
you
look
at
those
two
columns,
you
will
see
that
there
are
some
sticking
points.
So
one
of
them
is
it's
not
clearly
visible.
Is
that
in?
If
you
use
the
second
column,
then
you
have
to
use
shout
512,
because
it's
used
as
the
fixed
building
block
in
that
signature
scheme.
D
What
I
would
like
to
suggest
considering
is
maybe
there's
room
for
another
suite.
That
looks
a
little
bit
more
like
the
nist,
well-known
ecdsa
and
co-factor
davie
hellman
in
terms
of
formatting
and
in
terms
of
the
curve
equations,
because
I
think
that
would
actually
lower
the
implementation
cost,
especially
for
implementation
that
either
want
to
implement
both
or
maybe
they
already
have
the
x2559
under
the
hood
or
they
have
already
existing
hardware.
So,
let's
go
to
the
next
slide.
D
So
the
next
slide
is
just
basically
rephrasing
the
scythe
suites
that
are
currently
suggested
in
ad.
I
D
And
I
suggest
basically
adding
as
another
suite
and
I
only
focus
on
the
public
key
components
where
essentially,
instead
of
using
the
nist
curve,
we
use
an
equivalent
of
curve25519,
but
it's
whipped
into
a
format
that
is
fits
right
into
the
nit
specifications
and
it's
called
in
in
the
speak
of
the
elvic
draft.
I
have
on
this
y25519
where
y
stands
for
ifstras
and
the
main
features
of
that
is
are
that
devices
that
are
currently
out
there.
D
They
may
have
a
generic
implementation
that
features
the
that
allows
implementing
this
curves
and
all
kind
of
other
curves
like
a
brain
tool,
for
example,
so
they
can
just
run
it
on
an
existing
hardware.
D
Implementation
example
is
nxp,
has
done
that
so
there's
something
on
that
in
a
document
oops,
I
think,
there's
an
oops,
and
the
other
feature
is
that
if
we
actually
would
use
that
way,
so
essentially
reuse
nist
compliance
as
wanted
criteria,
it
may
be
possible
to
get
fips
142
accreditation
for
essentially
on
the
root
curve
25519,
except
that
we
just
represented
in
the
virus
transform.
D
So
one
other
thing
I
want
to
mention
on
this
slide
is
the
the
last
kind
of
brown
colored
thing
it's.
If
people
already
implemented
curve
255
online
using
the
so-called
montgomery
letter,
they
can
just
reuse
99.9
percent
of
that
code,
just
to
add
a
little
wrapper
to
implement
what
I
suggest,
and
I
think
it
goes
too
far
to
go
into
the
details,
but
I
have
some
further
reading
on
the
next
slide.
D
So
one
thing
is
some
idf
draft
material
that's
listed
on
the
bottom,
so
I
have
a
draft
specifying
how
all
these
so-called
curve
models
that
have
been
floating
around
the
last
five
years
in
idf,
how
they
are
all
related
like
viastras,
montgomery
and
twisted
attributes
curves
and
it's
currently.
D
I
think
it
should
go
to
iesg
soon,
hopefully-
and
I
have
also
some
background
information
that
explains
it
without
having
to
read
through
the
draft-
and
I
presented
that
already
like
two
and
a
half
years
ago.
So
that's
the
last
item
here
then
this
bias
trust
version
has
been
specified
in
some
form
in
some
nist
draft
implement
specifications.
So
if
they
get
issued
then-
and
we
see
it's
compatible,
we
can
just
basically
make
sure
it's
the
same.
D
So
then,
if
we
use
this
viastras
curve
version
of,
I
think
everybody
loves
curve25519
for
speed,
but
in
a
slightly
stricter
way,
then
we
have
something:
that's
compliant
with
nist
specification.
D
We
can
use
fips
documentation
and
ultimately,
I
think
the
main
benefit
would
be
that
we
would
be
able
to
have
a
device
that
is
able
to
stick
to
fips
142
requirements,
and
I've
looked
at
that
yesterday
and
I
actually
updated
the
elvik
document
a
little
bit
because
of
that
at
all
the
requirements
in
the
fibs
142
document
and
the
latest
version
is,
has
all
kinds
of
requirements
on
how
random
number
generators
would
work
and
which
checks
should
be
all
be
carried
out
and
from
the
way
I
read
it.
D
We
can
satisfy
that
if
we
would
go
for
something
like
this,
so
that's
that's
all.
I
wanted
to
bring.
D
It
depends
on
the
on
the
group
you
know
like
I,
I
I
have
no,
I'm
not
building
devices.
I
I
just
think
this
is
a
viable
option
where
devices
that
either
want
to
speak
only
curve25519
stuff.
They
can
do
it
in
this
compliant
way.
D
If
we
use
this
approach
or
if
devices
want
to
speak,
both
nist
curve,
p256
and
curve255l9,
they
can
do
it
in
a
lower
cost
manner
and
we
don't
have
to
implement
xiao
256,
because,
most
I
I
spoke
with
some
people
at
synopsis,
for
example,
and
they
they
don't
do
one
or
they
go
they.
They
only
implement
things
that
are
not
tailored
to
one
implementation.
They
just
do.
D
One
thing
that
is
is
more
generic,
but
maybe
others
will
right
and
obviously
there's
a
there's,
a
huge
development
base
of
things
that
are
curve2551
related,
but
it
can
be
leveraged
in
by
just
using
this
little
mapping
from
montgomery
to
vias
rosenbach.
G
I
have
one
question
here:
I
mean
john
listed
in
his
slides,
the
three
things
we
are
sort
of
discussing
the
device
support
the
performance
and
the
security
is,
I
suppose,
that's
covered
in
in
some
of
these
publications.
D
D
Yeah,
the
transformations
step
is
essentially
just
a
field
edition,
and
it's
it's
it's
depending
on,
of
course,
how
the
how
the
code
is
being
implemented,
but
if
it's
software
based
it's
just
a
one-line,
call
to
a
field
edition
and
then
an
online
call
to
a
filter
dish
in
the
other
way
around
to
go
back
so
but
yeah.
So
if,
if
you
want,
I
can
I
there's
lots
of
material
in
this
elvic
draft
to
to
support
those
kind
of
claims
right.
D
D
The
performance,
I
think
the
main
performance
is
the
scalar
multiplication
in
electric
curve
crypto,
although
in
easy
dsa
the
you
have
to
also
do
a
snowballed,
inversion
step,
which
makes
it
slightly
more
expensive,
but
not
that
much
so
then
so.
Obviously,
it's
the
performance
goes
down
a
little
bit,
but
it's
only
a
few
percent.
C
One
sorry
when
I
I
just
conscious
of
time
we're
at
the
15
minutes
remaining,
so
I
mean
I
guess
we
want
to
discuss
the
concept
of
mandatory
to
implement.
Yes,
yes,
stephen
and,
and
then
you
know
whether
a
new
cypher
sweeper
from
an
rfc
yet
is
an
appropriate
choice.
Is
probably
the
second
question
not
first.
F
D
So
I
I
just
want
to
comment
on
the
last,
because
there
was
a
question
that
girl
and
about
the
security
as
well.
I
think
there
are
at
least
to
my
knowledge.
There
are
no
security
issues
with
ecdsa
nor
snore,
if
used
properly.
D
The
main
difference
is
that
the
the
ddsa
spec
this
this
this
wire
straps
version
of
curve2559.
D
B
G
Well,
I
think,
as
we've
seen
there's
a
lot
of.
There
are
basically
two
camps
here,
so
if
we
could
avoid
saying
that
you
need
you
need
to
have
just
this
curve
or
or
this
algorithm,
that
that
would
be
the
best
solution.
F
F
So
I
think
I
think
doing
like
couples.
It
sounds
like
you
have
two
very
strong
camps
with
different
opinions
here.
So
I
think
doing
acoustic
would
be
good,
but
we
probably
need
to
talk
to
ben
to
confirm
that
that
would
be
an
he
thinks.
That's
an
acceptable
option.
So
we
we
don't
get
stuck
in
isd
later.
D
F
D
D
So
the
thing
that
I've
been
looking
at
yesterday
is
whether
the
x25519
protocol
would
be
able
to
get
a
fip
stamp,
and
currently
I
don't
know
so-
maybe
if
you
want
to
have
a
look
at
that
as
well,
because
I
think
it's
important
that
some
of
these
devices
that
you're
targeting
that
you
don't
block
out
a
particular
market
and
use
government
market
is
not
huge.
But
it's
usually
it's
perceived
to
be
a
good
thing.
If
you
are
also
compliant
with
niched
things
right.
C
C
B
That
was
a
question
I
mean,
I
thought
the
question.
My
personal
opinion
is
that
doing
the
cause
is
more
of
a
generic
rfc
than
standard
the
net
hockey
is
and
that
we
will
be
losing
in
terms
of
interrupt
interoperability
between
the
between
the
implementations.
If
we
go
that
way
again,
that
is
my
personal
opinion,
so
I'm
intending
to
vote
for
having
an
mpi
street,
but
I
understand
that
there
are
different
opinions
involved.
C
So
just
I
think,
in
terms
of
the
process
of
one
thing,
to
notice
it's
kind
of
unpredictable
as
to
whether
you
get
given
out
whether
you
get
problems
from
the
isg
or
at
ease
with
respect
to
this
or
not
it's
some.
You
know
you're
trying
to
predict
the
future
and
the
personnel
on
the
isg
at
the
time
is
not
always
predictable.
C
Second
thing
to
just
offer,
as
an
input
is
in
this
case
there
might
be
an
option
to
say
something:
like
you
know,
if
a
device
is
less
constrained,
then
it
should
implement
both
these
two
cypher
suites
and
if
it
is
constrained,
then
we'd
encourage
use
of
one
of
them,
but
we
know
that
you
know
not.
Everybody's
gonna
do
that.
So
there
might
be
some
halfway
house
here.
That
makes
sense.
C
And
michael,
you
had
a
comment
in
jabber
that
that
sounds
like
it
might
be
worth
getting
onto
the
record.
E
Okay,
so
my
suggestion
is
that
I
think
we
should
allocate
a
code
point,
that's
fine,
and
particularly
if
we
can
do
that
without
causing
a
down
ref.
If
not,
then
I
believe
that
the
elwig
document
should
allocate
the
code
point
in
our
registry.
That's
fine
by
the
way
it
works.
Let's
not
decide
on
mandatory
to
implement
in
this
document
is
not
going
to
fly
it
is
there
are
so
many
different
considerations.
E
Ipsec
uses
an
rfc
820
8221
is
the
the
latest
one
with
a
series
of
should
plus
and
must
and
should
minus
so,
for
instance,
p
256
suites
are
probably
should
minus,
because
they're
hardware
accelerated
right
now,
but
many
people
don't
like
them
and
this
algorithm
may
be
as
a
should,
plus
and
maybe
ed
2519
is
a
must
or
not,
but
put
that
in
a
different
document.
That's
going
to
change
over.
G
C
I
I
think
it
might
be:
there
may
be
middle
ground
there.
That
makes
sense
for
implementers,
because
I
think
a
lot
of
people
write.
Generic
libraries
will
implement
everything
and
it's
people
on
the
constrained
side.
Who'll
have
to
pick
down
to
one
or
two
things,
and
I
think
we
could
give
them
good
should
level
guidance
that
would
work
for
lots
of
them,
even
though
some
will
do
weird
things.
G
E
Should
is,
should
you
have
a
good
reason
not
to
implement
it?
Okay,
sorry
right
should
is
you
should
do.
I
E
Okay,
if
you
have
a
good
reason,
then
there's
a
a
reason
like
none
of
my
none
of
my
my
vertical
that
I'm
in
cares
about
it
right.
Okay,.
I
E
E
So
what
happens
in
in
in
many
places
is
that
there
are
other
entities
like,
for
instance,
zigbee,
which
will
say,
and
the
mandatory
to
implement
algorithm
is
x.
E
If
you
want
to
be
within
our
conformance
list
and
it's
way
beyond
the
the
cipher
right,
you
have
to
get
the
frequencies
right,
you
have
to
get
all
sorts
of
other
stuff
right
or
it
won't
interoperate
forget
about
the
crypto
so
specifying
the
crypto
is
relatively
easy
for
them
and
they
are
going
to
do
a
compliance
check
on
that,
so
they're
going
to
make
sure
it
works.
E
C
Again,
time
check
we're
down
to
four
minutes
and
we
had
francesca
who
I
think
we
pushed
last
time
and
so
and
we
probably
won't
sort
out
this
issue
in
four
minutes
anyway.
So
maybe
suggest
we
switch
over
to
francesca's
report
sounds
good
and
then
we'll
we'll
talk,
then
at
the
very
end
about
whether
to
have
another
interim.
I
Good,
thank
you.
So
I
just
wanted
to
report
quickly
about
our
first
edoc
interrupt
next
slide,
so
we
organized
something
very
shortly
with
two
implementers.
So
there
was
timothy
and
stefan
and
a
tweak.
We
had
two
hours
interrupt
to
test
those
two
implementation
implementations
against
each
other
and
we
tested
only
based
on
the
exchange
that
is
described
right
now
in
the
in
the
draft
in
appendix
b1.
I
So
that
was
the
signature
authentication
x,
509
certificates
with
the
method
0
and
the
selected
cipher
suite
was
the
number
zero.
So
these
are
the
algorithms
that
were
used
and
the
result
is
that
it
was
successful
in
one
direction
and
so
the
exchange
passed
all
verification
and
then
the
messages
were
created
and
verified,
etc,
but
on
the
other
direction
it
was
not
successful,
but
not
because
of
adoc
implementation,
but
because
of
connection
problems.
I
So
next
slide,
please
so
next
steps
already
we
the
good
feedback
for
for
us
authors
about
the
test
vectors
to
be
so
the
feedback
to
be
incorporated,
and
we
want
to
add
more
details
to
the
test
vectors
and
we
created
an
issue,
a
github
issue
into
into
the
about
that
into
the
github
repo,
and
it's
both
about
the
draft
so
adding
some
details
to
the
draft
and
more
test
vector
and
also
about
the
vectors.txt.
I
That
is
contains
more
test
vectors
than
those
that
are
in
the
draft
and
also,
as
you
might
have
seen.
I
I
started
doodle
about
an
interrupt
after
the
holidays,
possibly
in
the
third
week
of
january,
and
if
you're
interested
to
participate
would
be
great,
please
go
and
let
us
know
so.
We
can
pick
the
best
date
for
everybody
and
that's.
B
C
Well,
yeah:
do
people
want
one?
Yes,
please
if
people
do
want
one
I'm
guessing
late
january
early
february
is
the
only
sensible
choice
to
to
yeah.
C
C
Okay,
all
right,
so
we
will
take
it
to
the
list.
We'll
suggest
some
dates
in,
like
I
said
late
january
or
early
february,
because
the
next
ietf
meeting
110
is
that
early
march
this
year.
So
it's
a
bit
earlier.
B
So
that
would
be
all
thank
you
all
for
attending.
I
hope
yeah,
I'm
recording
when
fine.
So,
let's
enjoy
the
holidays,
let's
think
on
and
think
up
on
the
mailing
list
and
on
github.
Regarding
the
specific
issues,
we
will
launch
the
poll
this
time
about
the
the
dates
for
the
next
interim
and
yeah.
I
guess
that's
it.
Even
if
you
want
to
add
up
something.