►
From YouTube: IETF-LAMPS-20210830-1730
Description
LAMPS meeting session at IETF
2021/08/30 1730
https://datatracker.ietf.org/meeting//proceedings/
A
C
C
So
we
scheduled
this
session
lamps
for
today
and
we
have
just
one
agenda
topic,
which
is
the
est
csr
attributes,
but
before
we
get
to
that,
I
need
to
make
sure
that
you're
aware
of
the
note
well,
so
basically,
please
make
sure
that
you're
aware
of
all
of
these
things,
if
you're
going
to
contribute,
make
sure
what
you're
promising
to
do
and
promising
not
to
do
so.
I
have
slides
from
daniel
and
michael
are
dan.
B
A
So
some
of
the
the
the
biggest
things
that
we
we
identified
were
you
know
the
which
crypto
system
do
you
want
to
use.
When
you
generate
your
your
key,
if
it's
ecc
then
which
curve,
and
if
it's
rsa,
you
know
how?
How
big
a
key?
So
you
know
you
don't
the
client
generating
10
24-bit
keys
if
this
ca
is
only
going
to
sign,
2048
and
larger.
A
A
A
So
this
is
being
used
in
a
couple
of
places,
and
you
know
it's
not
a
coincidence
that
these
are
all
the
places
where
I
seem
to
have
my
fingers
involved,
but
dpp
the
device
provisioning
protocol
supports
issuing
x500
inserts
to
things
that
it's
it's
provisioning
and
the
way
it
decides
on
how
to
issue
certs.
Is
it
it
basically
just
we
we
copied
the
csr
attribute
stuff
from
s,
then
the
the
interpretation
of
csr
attributes
that
that
at
least
I
had
for
that
was
an
ask.
A
A
A
A
So
you
know
you
could
tell
somebody
to
encrypt
with
rsa
encrypt
or
sign
with
rsa
encryption
and
tell
them
to
use
a
ecc
key.
So,
yes,
it
is
possible
to
to
speak
garbage
that
is
not
prevent
prevented,
so
it
does
seem
like
there's
some
desire
to
use
the
csr
attributes
in
ways
that
at
least
I
didn't
think
that
they
would
be
used.
For
instance,
having
the
ra
tell
the
client
what
his
alternate
name
is
and
to
put
that
alternate
name
into
the
csr
that's
being
generated.
A
A
So
you
know
if
the
example
is
you
know,
the
ca
is
signs
with
p384
and
he
probably
wants
to
issue
the
same.
Then
it's
probably
best
to
sign
with
shaw
384
and
if
the
ra
wants
to
get
challenged
password
and
some
additional
information
about
the
the
client,
he
would
generate
this
base64
encoded,
asn.1
blob,
which
decodes
like
this.
A
You
know
it
says
it's
a
sequence
of
an
oid
for
challenge
password,
followed
by
an
object
which
is
easy
public
key
using
p384
and
then
there's
another
attribute
of
an
extension
request
that
has
three
sets
in
there.
One
is
it's
requesting
a
serial
number,
a
subject:
alternative
name
and
the
device's
favorite
drink
and
to
sign
the
whole
thing
with
shop384.
A
D
D
So
I
see
max
on
the
on
the
call
as
well
who's,
also
an
eight
nine,
nine
five
author
and
a
70
30
author,
and
so
for
those
of
you
don't
know
a
lot
about
it.
I
put
a
bunch
of
links
here
that
would
probably
help
you
a
little
bit
to
get
more
familiar,
but
I
don't
propose
to
go
a
great
deal
into
that
next
slide.
Please.
D
D
Well,
it's
actually
a
prefix,
not
just
a
an
address
and
provide
some
context
in
the
form
of
a
domain
name
which
is
used
in
a
couple
places,
and
that
address
is
in
fact
used
to
configure
addresses
on
the
devices,
mostly
in
the
case
of
8994,
we're
talking
about
enterprise
isp
routers.
So
so
you
know
big
and
small
iron
that
would
be
drop
shipped
to
locations.
D
D
Well,
we
should
you
know
we
should
put
this
in
the
csr
attributes
and
that's
what
we
understood
from
doing
it,
and
this
is
a
little
close-up
as
to
what
it's
supposed
to
look
like
and
we
wrote
some
code
and
we
seem
to
have
interoperated
at
least
with
a
few
people,
but
obviously
not
with
dan,
because
we
would
have
figured
that
out
immediately
next
slide.
Please.
D
So
what
does
our
csr
attribute?
Look
like
well,
this
is
what
it
looks
like
you
know.
Subject:
alt
name,
there's,
probably
no
id
that
actually
doesn't
say
other
name,
but
rather
dns
name,
but
I
didn't
it
didn't
fix
this
example
and
that's
what
we
kind
of
came
up
with
from
what
we're
reading
of
the
of
7030
as
asn
1.,
that's
what
we
thought
we
were
doing
so
obviously
it
was
wrong
and
the
resulting
csr
next
slide.
D
You
know
it
looks
like
that
right,
utf
string
in
the
right
hand,
side
there,
so
that's
a
little
bit
hard
too
hard
to
see
and
and
we
get
a
certificate
out
of
that.
That
has
the
right
thing
from
it
and
I
guess
I'll
point
out
that
the
csr
is
pretty
much
the
only
interface
to
some
cas
which,
for
instance,
that
use
eight
five
five
five,
which
is
the
acme,
let's
encrypt
kind
of
process.
D
D
So
the
options
as
we
kind
of
see
it
right
is
one
is
70
30s.
It
was
intended
to
do
what
we
want
and
dan
says:
that's
not
the
case,
but
that's
one
option.
We
could
fix
it
to
say
to
include
something
like
what
we
want
and
continue
on.
We
could
extend
it
to
do
something
else
in
some
other
way.
Using
asn1.
D
This
could
be
a
different
call.
It
could
be
a
different
attributes
could
be
something
else
we
could
do
number
three,
which
at
one
point
I
think
elliott
was
you
know
discussing
when
this
started.
This
came
up
with
that
you
know.
Couldn't
we
do
something
based
upon
jason,
because
he
was
his
developers
were
having
a
hard
time
trying
to
make
this
stuff
work
in
the
current
library,
and
it
didn't
appear
that
they
could
do
what
they
what
what
he
wanted.
D
D
So
we
could
another
possibility,
is
we
could
have
89.95
94.95
just
do
something
else,
that's
very
specific
to
our
environment
and
not
try
and
create
any
kind
of
json
or
c
bar
update
to
70
30
for
others.
In
that
case,
I
suppose
we
do
whatever
we
like
and
we
could
ignore
the
rest
of
you,
and
I
think
that
was
my
last
slide.
D
That's
why
I
think
we
need
a
meeting.
Is
that
that
I
think
that
we
need
to
at
least
agree
on
which
ones
we
don't
want
to
do,
and
I
think
we
need
to
figure
out.
You
know
of
the
of
the
choices
which
ones
people
prefer
and
recognizing
that
this
is
clearly
errata
on
eight
nine,
nine,
four
and
eight
nine
nine
five
already
so
whoever's,
okay,.
D
D
D
E
Hey
yeah,
so
I'm
I'm
I'm
trying
to
wrap
my
head
around
dan's
presentation
right,
and
so
I
think
I
didn't
get
from
the
presentation.
Any
proof
to
you
know
what
is
is
really
intended
from
70
30
from
from
from
the
spec
right,
which
is
why,
obviously,
we
we
got
to
where
we
are
with
anima
right
and
just
the
point
that
you
know
other
systems
like
dpp
are
doing.
You
know
a
different
set
of
things
in
csr
etra.
A
Well,
I
I
just
wrote
in
the
in
the
chat
that
I'm
not
I'm
if,
if,
if
anyone
is
thinking
that
I'm
opposed
to
what
brewski
was
doing,
I'm
not,
I
was
just
trying
to
explain
at
least
what
I
thought
we
were
doing
when
we
wrote
70
30..
But
that's
you
know
clearly.
If,
if
there
is
another
use
for
this,
then
I
you
know,
I'm
completely
on
board
with
either
one
or
two
depending
upon
what
the
the
group
wants
to
to
do.
C
F
Hi
good
afternoon,
good
evening
and
good
morning
to
those
who,
where
it
is
still
morning,
there
were
two
problems
that
that
we
ran
into
the
first
that
when
we're
looking
at
this
and
and
there's
sort
of
a
number
five
that
that
probably
we
need
to
at
least
discuss
problem
number
one,
as
I
mentioned
in
the
chat,
was
that
clients
were
having
difficulty
implementing
csr
attributes.
I
realized
we
said
we're
not
going
to
quite
scope
the
work
for
today
for
that,
but
I
I
don't
want
to.
I
don't.
F
I
don't
want
to
understate
the
library
issue,
because
you
know
we
don't
have
control
of
the
clients,
often
and
so
they're
using
high-level
languages.
The
high-level
languages
don't
have
expressions
for
csr
attributes.
They
end
up
having
to
bring
in
rather
large
additional
libraries
to
to
parse
asn
1..
They
do
a
poor
job
of
it.
It's.
F
This
is
one
issue
that
we
have
the
second
problem
that
we
had
was
more
around
just
our
own
understanding
of
how
to
get
values
in,
and
so
we
we
can,
if
we
do
number
one
which
is
fine
dan,
had
also
a
perfectly
fine
suggestion
that
we
should
investigate,
which
he
put.
I
think
he
posted
it
yesterday,
your
time
dan,
which
is
to
explore
the
the
possibility
of
a
side
channel
for
between
the
ra
and
the
ca
to
add
additional
information.
F
I
I
replied
to
that
note
indicating
that
there
might
be
points
in
time
where
you
want
to
do
one
or
the
other,
and
there
are
some
challenges
with
the
side
channel,
but
I
do
think
it's
worth
at
least
having
the
discussion.
If
we
can
get
the
right
people
in
the
room-
and
I
apologize
I'll
need
to
disappear
for
five
minutes
at
the
top
five
ten
minutes
at
the
top
of
the
hour
and
then
I'll
be
back.
C
B
Greetings,
I
I
think
I'm
I'm
falling
in
along
with
lines
of
taurulis
here,
in
that
my
understanding
and
recollection
from
the
the
section
we're
really
talking
about
from
70
30,
where
we're
we're
indicating
csr
attributes.
There's
multiple
paragraphs
here
where
we're
indicating
the
ability
to
to
indicate
to
the
client
specifics
and
there
is
as
it
is
under
specified,
but
it
is
clearly
indicates
csr.
Attributes
response
should
reflect
the
structure
of
the
csr
that
it
is
hoping
to
get
back
and
in
the
example
of
crypto
algorithms,
etc.
B
But
I'm
not
seeing
a
real
conflict
so
much
as
some
work
to
be
done
to
clarify
that
a
little
bit
to
the
point
that
was
just
made
about
an
outer
band.
I
don't
have
any
problems
with
that.
I
I
don't
have
any
preference
towards
it
either.
So
I
kind
of
don't
care,
but
my
I
feel,
like
part
of
this
all
comes
back
around
to
the
asn
1
and
confusions
about
how
it
looks,
and
so
maybe
that's
a
way
forward
is
kind
of
towards
that
rethinking
of
it.
C
C
B
F
E
C
C
B
E
C
B
E
Sorry
mute
buttons,
it's
it's
always
slow
yeah.
So
I
think,
with
respect
to
tls,
I
think
I
wouldn't
have
an
issue
of
of
updating
it
to
to
include
the
you
know,
obsoletion
of
1.1,
but
I
in
in
anima.
We
we
had
also
the
very
long
debate
about
you
know
the
mandate
of
1.3
versus
because
we're
a
lot
in
the
embedded
environment
and
libraries
and
hardware
you
know
bound
software.
Very
often
you
know,
are
still
only
1.2
so
that
that's
something
I'd
be
worried
about.
C
D
It
sounded
like
deb
was
suggesting
what
what
might
be
a
there's
a
whole
bunch
of
other
fixes
in
70
30
that
some
people
would
like
to
do,
and
so
that
kind
of
gets
into
the
70
30
bis,
which
I
think
is
probably
okay,
maybe
not
a
whole
bunch.
She
says,
but
just
that
one
okay,
you
know
we
already
did
update
it
once
with
one
document.
So
I
I
I
think
that
we
could
write
a
a
reasonable.
D
You
know
five
to
twelve
page
csr,
attributes
and
examples
document,
and
I
think
that
would
be
fine.
It's
I
I
I
I'm.
I
would
have
thought
the
text
says
you
know
tls
1.1
or
better,
and
maybe
we
don't
need
to
fix
that
so
badly.
But
anyway
I
I.
I
think
there
are
lots
of
other
places
that
could
be
fixed,
but
I
think
that
the
right
answer
is
just
an
updates
document
and
that's
it
and
I
don't
think
we
should
try
to
go
beyond
that
point.