From YouTube: IETF-LAMPS-20210830-1730
Description
LAMPS meeting session at IETF
2021/08/30 1730
https://datatracker.ietf.org/meeting//proceedings/
A
C
I did not see your slides. Oh, I do now.
C
Yes, I was just, I was just putting, doing the preload thing, so let me do that for yours.
C
All right, we're a little bit past time, so let's get going. There's a couple people I thought would be here who are not, but at the same time I don't want to waste everyone else's time.
C
So we scheduled this session, LAMPS, for today and we have just one agenda topic, which is the EST CSR attributes. But before we get to that, I need to make sure that you're aware of the Note Well. So basically, please make sure that you're aware of all of these things. If you're going to contribute, make sure what you're promising to do and promising not to do. So I have slides from Daniel and Michael. Dan,
C
I think I'm going to start with your slides and then move to Mike's. Does that make, does that meet the expectations of the presenters?
B
A
Okay, thank you. So next slide, please.
A
So there was some discussion on the list about what, what CSR attributes were. The whole point of them is, and they got added to EST because it seems like there's a lot of variables that need to get settled when, when issuing a cert, and it was at least our understanding that if a client assumed a setting that the CA didn't like, that it would probably result in not issuing a, the certificate, and that would be kind of a pain to diagnose.
A
So some of the, the, the biggest things that we, we identified were, you know, the, which cryptosystem do you want to use when you generate your, your key. If it's ECC, then which curve, and if it's RSA, you know, how, how big a key? So, you know, you don't the client generating 1024-bit keys if this CA is only going to sign 2048 and larger.
A
A
So the goal is to match the structure of, you know, the CSR, the certificate, as much as possible, but of course that, that isn't exactly what, what happened. But it does have attributes and it has standalone OIDs. So it's a sequence of attributes and OIDs. So next slide, please.
A
So this is being used in a couple of places, and, you know, it's not a coincidence that these are all the places where I seem to have my fingers involved. But DPP, the Device Provisioning Protocol, supports issuing X.509 certs to things that it's, it's provisioning, and the way it decides on how to issue certs is, it, it basically just, we, we copied the CSR attribute stuff from EST. Then the, the interpretation of CSR attributes that, that at least I had for that was an ask.
A
So DPP does this and of course EST does this. My reference implementation supports a pretty complete parsing of everything that I thought was relevant to a CSR. So next slide, please.
A
A
So I would come down somewhere in the middle of that spectrum. In my analysis of this ASN.1, it is underspecified and kind of free form. I, I, that's, you know, admitted, and it is possible to give conflicting recommendations.
A
So, you know, you could tell somebody to encrypt with RSA encrypt, or sign with RSA encryption, and tell them to use an ECC key. So, yes, it is possible to, to speak garbage; that is not prevent, prevented. So it does seem like there's some desire to use the CSR attributes in ways that at least I didn't think that they would be used. For instance, having the RA tell the client what his alternate name is and to put that alternate name into the CSR that's being generated.
A
So there is that new work, I guess, and the next slide, I've got a couple of examples of how this stuff works. We can just quickly run through it, so people can take a look at what I'm talking about. But next slide.
A
So, you know, if the example is, you know, the CA is, signs with P-384 and he probably wants to issue the same, then it's probably best to sign with SHA-384. And if the RA wants to get challenge password and some additional information about the, the client, he would generate this base64-encoded ASN.1 blob, which decodes like this.
A
You know, it says it's a sequence of an OID for challenge password, followed by an object which is EC public key using P-384, and then there's another attribute of an extension request that has three sets in there. One is, it's requesting a serial number, a subject alternative name and the device's favorite drink, and to sign the whole thing with SHA-384.
A
So that would produce a CSR like, I, I generated this the other day with my, my DPP implementation, to, just to give an example. So the device I was provisioning was called biff. So that's his name, and this is the CSR that he produced based upon those CSR attributes.
A
D
Hi, well, we can hear you now, that's interesting. It tells you whether you can hear you. Hi, so RFC 8994, which is the Autonomic Control Plane, in which Toerless is the lead author, and 8995, which is BRSKI, worked together to do enrollment for new devices.
D
So I see Max on the, on the call as well, who's also an 8995 author and a 7030 author. And so for those of you don't know a lot about it, I put a bunch of links here that would probably help you a little bit to get more familiar, but I don't propose to go a great deal into that. Next slide, please.
D
So the big thing about the Autonomic Control Plane is that, after a great discussion, you know, we have an otherName that we use for, in our subject alt name, and it has some structure in it. Specifically, it happens to encode an IPv6.
D
Well, it's actually a prefix, not just a, an address, and provide some context in the form of a domain name which is used in a couple places, and that address is in fact used to configure addresses on the devices. Mostly in the case of 8994, we're talking about enterprise ISP routers. So, so, you know, big and small iron that would be drop-shipped to locations.
D
There are some IoT uses of BRSKI where the other name, this other name form, is not used, but in some cases they would like to put a specific DNS name which is under the control of the registrar in it, and so we, in the document, I think, next slide, please, this said.
D
Well, we should, you know, we should put this in the CSR attributes, and that's what we understood from doing it. And this is a little close-up as to what it's supposed to look like, and we wrote some code and we seem to have interoperated at least with a few people, but obviously not with Dan, because we would have figured that out immediately. Next slide, please.
D
So what does our CSR attribute look like? Well, this is what it looks like, you know. Subject alt name, there's probably an OID that actually doesn't say other name, but rather DNS name, but I didn't, it didn't fix this example. And that's what we kind of came up with from what we're reading of the, of 7030 as ASN.1. That's what we thought we were doing, so obviously it was wrong. And the resulting CSR, next slide.
D
You know, it looks like that, right, UTF string in the right-hand side there, so that's a little bit hard, too hard to see, and, and we get a certificate out of that that has the right thing from it. And I guess I'll point out that the CSR is pretty much the only interface to some CAs which, for instance, that use 8555, which is the ACME, Let's Encrypt kind of process.
D
D
So the options as we kind of see it, right, is: one is, 7030's, it was intended to do what we want, and Dan says that's not the case, but that's one option. We could fix it to say, to include something like what we want and continue on. We could extend it to do something else in some other way, using ASN.1.
D
This could be a different call. It could be a different attributes, could be something else. We could do number three, which at one point I think Eliot was, you know, discussing when this started. This came up with that, you know, couldn't we do something based upon JSON, because he was, his developers were having a hard time trying to make this stuff work in the current library, and it didn't appear that they could do what they, what, what he wanted.
D
I didn't have any library when I implemented CSR attributes. I had to basically, you know, manipulate ASN.1 objects from underneath, from OpenSSL, and so I didn't have anything to go against. That was wrong. I basically validated I could run the examples in the 7030 and went from there.
D
So we could, another possibility is we could have 8995/8994 just do something else that's very specific to our environment and not try and create any kind of JSON or CBOR update to 7030 for others. In that case, I suppose we do whatever we like and we could ignore the rest of you, and I think that was my last slide.
D
That's why I think we need a meeting, is that, that I think that we need to at least agree on which ones we don't want to do, and I think we need to figure out, you know, of the, of the choices, which ones people prefer, and recognizing that this is clearly errata on 8994 and 8995 already. So whoever's, okay.
A
D
Is the ASN.1 in the document is wrong and we clear, and you clearly intended my interpretation but the ASN.1 did not express that. Now, you've just told us that's not the case.
D
D
D
E
Hey, yeah, so I'm, I'm, I'm trying to wrap my head around Dan's presentation, right, and so I think I didn't get from the presentation any proof to, you know, what is, is really intended from 7030, from, from, from the spec, right, which is why, obviously, we, we got to where we are with ANIMA, right. And just the point that, you know, other systems like DPP are doing, you know, a different set of things in CSR attrs.
E
Just, you know, I mean, they, they did what they wanted to have, and I don't think that that proves by itself that other uses of CSR attrs are prohibited, and I also don't think that there was any showing of why what ANIMA does would do harm. And I don't even see a big difference in what Dan claims to be appropriate for CSR attrs, to include about the certificates to be appropriate for enrollment in terms of the, the crypto parameters, for example, that, that is, you know, significantly different from what we're doing. So.
A
Well, I, I just wrote in the, in the chat that I'm not, I'm, if, if, if anyone is thinking that I'm opposed to what BRSKI was doing, I'm not. I was just trying to explain at least what I thought we were doing when we wrote 7030. But that's, you know, clearly, if, if there is another use for this, then I, you know, I'm completely on board with either one or two, depending upon what the, the group wants to, to do.
C
F
Hi, good afternoon, good evening and good morning to those who, where it is still morning. There were two problems that, that we ran into, the first that, when we're looking at this, and, and there's sort of a number five that, that probably we need to at least discuss. Problem number one, as I mentioned in the chat, was that clients were having difficulty implementing CSR attributes. I realized we said we're not going to quite scope the work for today for that, but I, I don't want to, I don't,
F
I don't want to understate the library issue, because, you know, we don't have control of the clients often, and so they're using high-level languages. The high-level languages don't have expressions for CSR attributes. They end up having to bring in rather large additional libraries to, to parse ASN.1. They do a poor job of it. It's.
F
This is one issue that we have. The second problem that we had was more around just our own understanding of how to get values in, and so we, we can, if we do number one, which is fine. Dan had also a perfectly fine suggestion that we should investigate, which he put, I think he posted it yesterday, your time, Dan, which is to explore the, the possibility of a side channel for, between the RA and the CA to add additional information.
F
I, I replied to that note indicating that there might be points in time where you want to do one or the other, and there are some challenges with the side channel, but I do think it's worth at least having the discussion, if we can get the right people in the room. And I apologize, I'll need to disappear for five minutes at the top, five, ten minutes at the top of the hour, and then I'll be back.
C
B
Greetings. I, I think I'm, I'm falling in along with lines of Toerless here, in that my understanding and recollection from the, the section we're really talking about from 7030, where we're, we're indicating CSR attributes: there's multiple paragraphs here where we're indicating the ability to, to indicate to the client specifics, and there is, as it is underspecified, but it is clearly indicates CSR attributes response should reflect the structure of the CSR that it is hoping to get back, and in the example of crypto algorithms, etc.
B
What we're doing is we're sending information down to the client and saying use, use this information to form your response, and so that seems consistent with the conversation here. And so I, I would lean towards, there's some point in number three, which is to say that there's clearly some under, misunderstandings about how to, how to create and parse the CSR attributes, and I agree that we can clarify a lot of that.
B
But I'm not seeing a real conflict so much as some work to be done to clarify that a little bit. To the point that was just made about an out-of-band, I don't have any problems with that. I, I don't have any preference towards it either. So I kind of don't care, but my, I feel like part of this all comes back around to the ASN.1 and confusions about how it looks, and so maybe that's a way forward, is kind of towards that rethinking of it.
C
What I think Max just said is that a clarification document that updates 7030 and explains how to use the existing syntax for both, both as Dan has described and as BRSKI has been using it, would, would be a way forward. Is that correct?
B
Thank you for, for fixing my, my language. Yes, that would be correct.
C
D
So it's not clear that it helps Eliot's issue with library support, but I guess with that clarifying document it might be easier to get libraries to, to implement the right thing rather than having to code it directly in their, in their client.
B
I, I'm, I'm thinking that way as well. I'm not seeing a conflict, just confusion, and so clarification resolves that without going to the, the greater extents that have been proposed. So yes, I think that approach works unless there's a conflict I missed.
F
E
That's my best friend, okay.
E
C
I was thinking about a document that is an update and is at the same track as 7030 itself, which I believe is a Proposed Standard.
E
C
C
There's, there's always the problem that once you have the patient open, somebody says, hey, while we're in there. Yeah, but hopefully we can keep the scope to getting this one thing clarified so that we can get everybody moving in the same direction.
B
So, in fact there are things that need to be fixed in 7030. Unfortunately, referencing TLS 1.1, I mean, there's a bunch.
E
C
C
We're waiting for Deb to get audio back, so you want to go?
B
Commented in the chat session as well, so she might just be typing at this point. I, I think that I like the point of, of just clarifying this one issue. There are other, and plenty of other issues, but I like the input that maintaining focus would be useful.
C
Okay, so Deb, you're not gonna come back, but your hand's still up, Toerless.
E
Sorry, mute buttons, it's, it's always slow. Yeah. So I think, with respect to TLS, I think I wouldn't have an issue of, of updating it to, to include the, you know, obsoletion of 1.1, but I, in, in ANIMA we, we had also the very long debate about, you know, the mandate of 1.3 versus, because we're a lot in the embedded environment, and libraries and hardware, you know, bound software very often, you know, are still only 1.2, so that, that's something I'd be worried about.
C
TLS has not deprecated 1.2 yet, so we would be in line with them to say 1.2 or higher. Yeah. Okay, Max.
D
It sounded like Deb was suggesting what, what might be a, there's a whole bunch of other fixes in 7030 that some people would like to do, and so that kind of gets into the 7030bis, which I think is probably okay. Maybe not a whole bunch, she says, but just that one. Okay, you know, we already did update it once with one document. So I, I, I think that we could write a, a reasonable,
D
You know, five to twelve page CSR attributes and examples document, and I think that would be fine. It's, I, I, I, I'm, I would have thought the text says, you know, TLS 1.1 or better, and maybe we don't need to fix that so badly. But anyway, I, I, I think there are lots of other places that could be fixed, but I think that the right answer is just an updates document and that's it, and I don't think we should try to go beyond that point.
D
C
C
And Mike points out in chat that 7030 has already been updated by RFC 8996, deprecating TLS 1.0 and 1.1.
C
Okay, so I think Michael and Dan are going to take the lead on the document, and I think it, I guess I want to know with Roman: do you think this requires a recharter? My guess is it does not, but I want your assessment now, before we send you the other recharter stuff.
G
C
Okay, I think we're done, unless somebody has any other business they wanted to raise today.
C
Awesome. Thank you all. Let's go ahead and wrap this up then, and thank you very much, Deb, for, for taking the minutes.