From YouTube: RATS Architecture Design Team, 2020-04-28
C
Screwed up and let the meeting URL, the other one, expire, so I'm just trying to send it to everyone here. I wish it would just let me renew it because, oh, you can't edit that one. It's already done.
A
It's a big fire, oh yeah, it won't come here, but we have sirens and firefighters all day around, like, like it's like six hours now and they're still not sticking the flames. So that's a big fire.
B
E
D
A
Yeah, actually I thought we canceled this meeting, so I was.
C
A
C
Or I've sent him the message anyway.
A
C
C
D
C
D
B
C
E
C
E
Okay, I've read it. I need to read his comment, that "what about the following".
E
E
The key question is what ties the evidence generator to the link endpoint, and it's missing a sentence or a statement about that.
C
E
A sentence, although I'm just only awake enough to not necessarily be able to suggest the text.
E
E
E
Yeah, because normally the evidence itself would include the signature of the evidence, right, and so the thing that's find. The evidence is what you're anchoring it to you, and so what he's trying to say is evidence may be implicitly signed by being sent across a communications channel that signs it, right, and so it's not signed at the object level. It's signed at the, you know, transport level or something like that. I think that's what he's trying to get.
A
Okay, I think we have. We wrote a separate draft about this. The UCCS draft, which talks about the unsigned token stuff, and the main part of that draft is about discussing the secure channel, when it's appropriate, as prerequisites of requirements and probably it's used scenarios. So now I underst- finally understand what this tie is, because it literally does not say that you can leave something out of evidence and it is exchanged by the qualities of the communications link.
A
It is called here, that's right, so I think that is that. So by inference now and by Dave telling it to me, I know it all falls together now for me and my mental picture, but before that was like why, and now, now I see. So that, that's what the, the, it should start with the problem it solves.
A
C
C
Are we waiting? I'm trying to, I'm trying to rebase the text so that I can add the, the "what about the following", and we can see it all together with all the suggestions that we made, and then we can see it all together is the goal.
C
Someone else join? No, I wanted to say maybe there's another pull request that we could work on next and will be worth reading mitch. Initially Hank.
E
E
Either of the top two, because nobody else has reviewed them yet, and certainly the top one, the ad privacy, this one, I, okay, great, thank you. I thought you passed. Probably maybe you did it while I was sleeping, oh no, you approved a long time ago, all right, great. Thank you, Michael. This one, I tried to capture the discussions we'd already had in this meeting, as opposed to proposing anything new, so I may have gotten it wrong in the text, but I think the concepts are what we already discussed.
E
E
C
Have him on chat anywhere? He probably might be still struggling looking for the right URL.
E
D
Lost. Which, which pull request are we in here?
E
It's on the screen, but this is the highest numbered pull request. It's 81, 81, yeah. This is the one about that the tester may need to go through a process where it gets trust in the verifier, and so somebody probably pointed out that there may be like a neutral attestation almost, and so this is the text that was added into the privacy considerations section. For that I have to say you may not want to send your sensitive, you know, evidence to somebody until you've attested who they are and that they're healthy.
B
Privacy, I think that addresses is just fine. The point that I originally tried to make, though, was that there might be other policy concerns that an attester wants to make, or have, so basically that, the idea that participating in an attestation is a voluntary act according to their own policy.
E
E
Hey, can you go ahead and press the delete branch button? I usually go and do that afterwards, but as long as you have it on the screen, it's down, down, right above it. Never mind, okay, yeah! It's there, thanks.
C
An my.
E
So this one, if you remember right, we had a discussion and said, well, let's go ahead and merge it and then do any subsequent changes in the separate pull request, and so one of my comments there was all the previous text was talking about appraisal policies for evidence, and I had said near the end of the call that well actually- and I think I made this in a GitHub comment on that issue- that we merged to you.
E
That says actually most of this discussion also applies to appraisal policies for attestation results, and so that's what I try to do here, too, is you can see I put in a section break at like one third called appraisal policies and most of the text. I then, you can see like in the next line down, 334.
E
You can see it used to say appraisal policy for evidence, and so I tried to say that the following applies to both types of appraisal policy, and then I tried to just remove things like "for evidence" and make that flow. So, and so it's trying to capture the same points but make them be applying to both types of personal policy. That was the intent of this one.
E
So this is, remember, this is originally the point about reference values and other types of, you know, constants that get used, so that can equally apply to the appraisal policy for attestation results.
A
E
We could also not, I mean, in other words, delete the first part, "an appraising party", and promote the i.e. into the actual subject.
E
E
E
E
A
Let me think about that. The term we're going.
A
A
Yeah, we don't have appraiser, but that is the point I have, I'm making here.
E
A
A
This doesn't address my point, which I think is again maybe a little bit too detailed, but I would, we can never tell this first week, and then, you know, the appraisal is a burden. It's really, really hard. Sometimes it really takes computational power as timing issues and all that. The attestation result, on the other hand, should be easily, easy to digest.
A
Now we are applying the same procedure to the, to the data and, and it looks same, the same, but it should be inherently different, and that is why I don't like to use the same term for something that should be inherently different. That's my only problem.
E
E
Yes, you're still checking the signer, you're still checking what the signer has been revoked. If the, if that's relevant, you're still checking the expiration time, you may be checking other claims that were inserted by the verifier.
A
Yeah, maybe. On the other hand, why I'm thinking about this, we're talking about composite evidence. We want to mix in a hierarchy evidence and attestation results, so in the end the appraisal for verifier would also consume attestation results at some point- probably, maybe, I don't know. Okay, it's too detailed to just ponder, I think.
C
E
If he likes it better, I'm gonna, instead of you doing it a suggestion, let me do it in this, in the same suggestion thing here. I mean, I'm just doing exactly what you're doing, so. You should see that shortly.
C
E
C
Yeah, I think that, that, that promoting it makes it read easier, "the verifier appraising evidence". I have a problem with this. I feel like I have a problem with this. First.
C
I think that would read easier. I, I, is not incorrect, but I think is needlessly complicated.
C
E
Did we, what's the term that we used? Did we define the term attestation result or attestation results? What's the term in the terminology section? I thought it was results. You think, you, okay. So if we said attestation results is the term for a thing which contains a set of claims and we use a plural word, then I'm happy to change. Probably reads better too, because it deletes a word, so.
C
C
C
B
E
Okay, I'm making another one-word suggestion change in the line below that, and so.
E
C
A
E
A
E
Okay, you may need an endorsement or, for, around the signature or on the link, and so what he means by additional is in addition to the one that you already have to use, and so that wasn't clear to me at all, and so I would want him to rephrase that, but it does mean that the problem that it gave me is, I'm not sure the term implicit trust is the right term here, right, and so you see lines, 698 talks about implicitly trusted, right, and so the context of the term implicit trust up above in that paragraph is the thing that you implicitly trust is the thing that you trust be true.
E
Without any other evidence, you have, it's like your root of trust. Right, that's defining word of trust, right, the, the thing that you have no other thing, you just take it on faith, right, and so what he's saying here is implicit trust can also be tied to the communications link. Well, either he's saying you have to implicitly trust the communications link, which is not true based on that bottom paragraph, right, because it's, he said there may be an additional endorsement in addition to the, is in his text that he was saying.
E
Let's see, line 707, "may have received evidence that the communications link is anchored to a root of trust from an entity that established the communications link", right. So the link itself is not implicitly trusted, right, because it may have evidence that's anchored over to trust, right. It's the root of trust that's implicitly trusted, not the communications link, and so that's what.
A
C
E
D
A
A
E
D
So, so the TCG definition, which they haven't published, goes along the lines of, if the key, it's implicit, well, they're, they're, they're defining implicit attestation, which may differ from implicit trust, but implicit attestation is that the key doesn't exist unless you are in a good state.
D
But, you know, that's, that's on a different path than trying to define implicit trust. People are going to confuse the two if they're different- and I don't know that there's a good industry definition for implicit trust. That's either trusted or you don't, kind of think it's either trusted or it's not.
E
A
E
Basically, it's transitive, it's not, he's asking whether that would be helpful. I, I think it reads fine. If the word implicit is removed, I think it actually reduces the uncertainty, and he says trust can also be tied to the communications link, yeah. I think his point is still valid. Sorry, his, Geary's point is still valid. There.
B
There can be trust all along the thing: it's not really tied to just a root of trust. You know, it really applied to the idea that at the appraisal point, whether or not a claim needs to be verified in some way or not. If it doesn't, then you're implicitly trusting that that claim is okay and where that claim came from, including whatever processing went into that. So, if you have something gathering evidence somewhere, that's going to be presented in that attestation.
E
D
E
D
E
We still need, I think, popping back a level, Hank and I, you still have problems with line 714, the comments about the endorsement.
A
Yeah- and I have an additional comment now meanwhile, so to speak, because I am, I, and maybe I need an example of what additional endorsement we can now skip here, because I don't find a good one from the top of my head. So what is the benefit of getting an additional idea since.
E
He's not on the call, I'm going to try to give. My guess is to, I'm going to try to channel Gary, because I think I understand his point, and so I'm going to try to translate for you again to the extent that I can, okay. So if you were, I'm going to first talk about not the case he's talking about, because I'm going to give it as an analogy, right. If we talk about layered attestation, right, then what happens?
E
Is you have a testing environment and a tested environment, and the test environment becomes the testing environment for the next layer up and so on. Right, and so what you get is you get a, a collection of evidence that has one layer that signs the next layer that signs the next layer, right, and it's all inside the, the blob that we call evidence, which has multiple layers inside it encoded somehow. Okay, you with me so far?
E
Okay, the analogy is: okay, let's take the bottom layer and replace that with something that's outside the evidence and is instead communicated as part of the communications link, and so the binding between the two layers of claim sets is when one is sent across a communications channel that was established with the other, then the cl-, then Gary's claim is the chain is still valid. Okay, and so what happens?
E
Is the route is done at the time it, sorry, the, the bottom layer, the bottom linkage or whatever, bottom set of claims, is done at the time the link comes up, not at the, not at some later time.
E
Okay, and so at that time, the bottom one still has an endorsement, just like the bottom would be in layered attestation, right, and so the, the, when you're sitting, you know, the top half of it or whatever, you're sending that across the link, and you don't need an additional endorsement for the top half, just like you don't need endorsements at multiple layers in layered attestation, it's only the bottom layer that you need, and that you need an endorsement for, and so.
C
Can I give you a really concrete, maybe, example of this, if, to make sure I understand what you're saying? So, let's say we have that layered thing, as you just said, and the, the signed evidence goes into a special magic piece of RAM, which has a JTAG interface to the verifier, and so the verifier knows that he's reading that RAM through this magic communications link and therefore knows that he's reading the correct thing. Is that an example? I.
E
I think his point is: it's actually signed, it's because it's, well, I should say in the IP case, I don't know about the JTAG case. It's signed because it's going across an encrypted channel, or at least a signed channel, and the process of encapsulation actually takes care of signing by put it inside the song, putting it inside the signed channel. I agree. Yeah.
C
Implicit key of the link, not by the, a specific signature on it. Yes, okay, so in.
E
E
Correct, right, because he says any endorsement would be applied to assertions associated with the communications link, not the attestation evidence, and so his "assertions associated with the communications link" was the part where he says, top of your screen, "What about the following", "or may have received evidence from the communications link", right, so, right. That's the first time he's actually mentioning, his comment 14 hours ago, that there's evidence associated with the communications link, that evidence contains claims or assertions, and that's what he means by any endorsement would apply to that.
E
So there's still something at the bottom of the, you know, chain, if you will, that has evidence, assertions and endorsements, possibly. Making that a clear, I think, is what we want.
E
C
Verif-, the verify, so in, in the context of this, the verifier might have a policy that says if the other end of this link is signed by CA X, then it's, that's an endorsement, right. The communication link comes up with a certificate from X, so that would work, or there might be.
C
The certificate, but the communication link came up from, it came up and that, that thing that was used to establish it caused it. So.
E
C
For instance, OCSP would be another way of doing it, yeah. So what is it we're trying to fix in this piece here so that it's clear error to the next reader, "maybe we'll trust the evidence from the device without an additional endorsement"? So I think it's partly this additional, word additional, right. That's bothering us, correct.
C
C
From the device- and I think that it's this part- that's really bothering us- you need to say- may be able to trust the attestation evidence from the device using the.
D
D
D
I think it's saying, we're sort of saying: hey, the architecture defines all, defines a few positive ways of doing this. We call that endorsement, but you can still have policies that, that allow trust in some other way which we're not defining here, and I think that's the correct statement.
D
E
That I'm, so I agree with that too.
B
Oh, go ahead, say something about the policy, that it's according to the appraisal policy that is going to govern what level of trust you can put in this and what evidence is necessary. So if the policy says that you can trust it without further evidence, then that's okay. If you can need additional evidence, then you can, so.
C
B
Yeah, is that what you're getting at? Yeah, so you can, you have the ability, as an appraiser according to your own policy, to take evidence at face value or require evidence about the evidence, and that evidence about the evidence maybe come in the form of an endorsement or some chain of endorsements, more evidence followed by eventually something rooted in a root of trust, and so it gets to the wisdom of your appraisal policy on what it really means. Did you really establish trust or not? Some people might say, yeah, I trust it. It's not!
E
E
E
Then I think you still would need like an endorsement of the thing that is signing the link.
C
So, time check, do you want to go with this text? I just opened an issue to add security considerations text for this. It's probably two paragraphs. There.
E
C
A
C
So I'm going to leave that there, this one is closed for that. What I want to do in the three minutes we have is come back to the issues. When are we done?
C
E
I don't know if we have any tags, labels. When are we done? We're done when working group last call passes and IETF's last call passes. Otherwise we're not done when.
A
E
Well, or at least the working group chairs have to declare rough consensus one another.
C
Well, what I'm interested in, in, is for people to read the issues, and, you know, if you like. What can you do? You know this button, right? If you completely think it's useless or whatever, I, I'm, that's what I'm trying to get at. We have some cons-, some agreement about.
A
C
If I do this to Ned's thing, I go on the happy face, come on, oh, I have to click on it, and then you can say down, you see it gives you down, reacted, found thumbs down, and I can click on it again and it goes away, okay, and then hooray, rocket, whatever that means, I love it, I'm confused, right, pick your reaction.