►
From YouTube: RATS Architecture Design Team, 2020-05-26
Description
RATS Architecture Design Team, 2020-05-26
A
D
C
C
C
B
C
B
C
C
E
Have
no
strong
opinion
either
way.
I
mean
I,
agree
with
you
that
it
would
be
useful
to
capture
some
place.
The
other
place
that
could
be
added
would
be
into
the
eat
document.
I,
don't
have
a
preference
between
the
two
documents.
I,
don't
think.
I
belongs
in
this
part
of
this
document,
but
okay,
whether
we
just
edit
in
to
eat
or
edit
it
as
an
architectural
thing,
I
think
but
I
agree.
That
would
be
good
to
capture
that
point
somewhere.
I
did
not
check
to
see
if
it
was
already
in
the
eat
document.
So
it's.
C
F
Yeah,
you
know
me
and
Lawrence
discussed
this
about
whether
we
should
have
verified
procedures
and
I
think
I'm
going
to
add
it
in
the
document
and
we
took
it
out
because
we
were
hoping
that
their
description
of
what
a
verifier
Perdition
do
would
be
in
the
architecture
document.
So
you
know
this
yeah
I
know
I,
look
at
this
yeah
I
agree
with
what
I
said
earlier.
There's
no
and
there's
nothing
heat
specific
here
and
you
know
we
can.
E
E
C
E
F
E
E
E
C
E
Proposing
to
put
it
in
4.1
I,
don't
see
a
better
place
yeah.
So
Hank
is
saying
if
we
aimed
it
from
appraisal
policies
to
appraisal
process
but
kept
the
same
text
and
then
augmented
it
with
something
like
the
text
that
I
put
into
the
comment.
I
think
that's
what
you're
suggesting
Hank
right
yeah.
It
sounds
good
to
me.
G
E
D
C
Like
me,
sorry
for
that
yeah
you
have
this
administrator
above
so
I
was
like
confused
by
that
specification,
and
so
I
thought
the
very
five
heads
were
empty.
No
I,
don't
know
why,
and
what
does
this
so
I
assumed
that
the
verifier
would
be
a
service
running
somewhere,
but
maybe
that's
wrong.
I
think
that
it's
just
trying
to
be
symmetric
in
the
expressiveness
of
this
definition.
C
B
The
real
lot
we
had
a
large
conversation
about
the
relying
party
and
how
it's
a
part
of
a
bigger
entity
or
and
then
whether
the
relying
party
was
the
bigger
entity
or
just
the
thing
that
does
the
actual
evaluation.
Okay
appraisal.
We
had
that
conversation
about
about
relying
party
that
made
sense
to
me,
but
I'll.
I
I
I
don't.
I
don't
understand,
typically
a
service
in
this
case
here.
If.
B
D
E
B
E
E
C
C
E
B
E
E
So
this
is
in
the
section
on
composite
device,
and
the
text
is
about
because
I'm
looking
at
the
line,
466
right,
the
conceptual
data
flow
for
a
composite
device
and
then
for
78
deleted
is
talking
about
in
this
composite
by
scenario.
So
it
does
match.
Okay,
then
I,
guess
I.
If
we
don't
take
the
NED
version,
then
I
think
that
this
text
needs
to
stay.
C
E
E
It's
one
of
the
earlier
ones
me
earlier
in
the
document,
something
where
I
said.
Let's
refer,
you
said
yeah
you
liked
the
other
one
better
to
you
agreed
and
then,
but
you'd
said
oh,
but
we
should
had
the
word
remote
and
I.
Remember
where
that
was
that's
before
it
was
before
that
comment.
So
it
was
one
of
the
ones
eternity
resolved.
Let
me
see
if
I
can
find
it.
I
noticed
your
comment.
E
Yep
that
one
scroll
down
a
little
bit
nope,
the
previous
it
sure
is
I
I
mean
I,
have
mall
yep.
That's
it
that's
the.
C
C
E
E
C
C
E
B
B
D
E
E
B
E
B
E
B
E
B
C
D
B
B
C
E
B
C
C
C
E
C
Same
as
with
the
thing
about
vouching
for
the
verifier
stuff,
it
is
not
each
specific
and
it
is
not
to
the
specific
and
it's
not
a
young
Chara
specific.
It
is
a
relatively
Universal
Veda.
There
are
very
finite
ways
to
talk
about,
freshness
and
I
think
go
into
some
detail.
If
it's
only
a
few
options
is
in
the
scope
of
the
architecture,
because
if
you
pull
it
into
each,
then
it
suddenly
it's
specific,
but
but
using
anons
and
cryptography
seriously
is
a
architectural
feature.
E
C
Therefore,
it's
an
eat
and
the
nonce
claim.
Isn't
it
it's
absolutely
okay,
but
there
are
effectively
uses
to
this
that.
Why
is
this
so
interesting,
and
that
is
this
unique
value?
That's
non-repeatable
thing
the
promise
actually
brought
and
I
know
everybody's
a
little
bit
annoyed,
especially
by
the
long
discussion.
I
know,
sorry,
sorry,
but
the
concept
I
think
provides
you
with
the
guidance
that
you
need
to
create
protocols.
I
think
that
is.
That
is
the
essential
thing.
C
C
C
C
C
One
of
the
two
things:
how
to
do
the
security
conservation,
which
are
motivated
here
because
of
no
replay
attacks,
evidence
has
to
be
attributable,
I
think
and
it
is
very
important
to
have
it
as
soon
as
possible
and
some
so
nervous.
That's
why
all
this
reason
the
stuff
is
in
there
now
and
one
of
the
very
common
things
receptors
normally
play
everything
and
in
Thomas's
comment
you
haven't
read
that
yet
Dave
I
think
maybe
maybe
you
have
actually
provides
some
answers
to
your
question.
Why
is
this
relevant?
C
E
C
F
C
So
that's
basically
the
reason
why
I
think
this
is
Thomas
got
it
like
like
entirely
so
I
think
we're
now
very
actually,
we
converged
somehow
I
totally
agree
with
this
and
I
think
that
is
essential
because
all
this
timing,
stuff
in
the
timing,
consideration
section,
show
us
there
is
a
relevance
to
all
of
this
when
this
happens
and
why
this
is
all
these
time,
steps
important
and
especially
with
the
conveyance
of
evidence
and,
of
course,
also
with
the
conveyance
of
other
conceptual
messages.
We
have
this
recentness
and
this
is-
and
is
it
still
valid?
C
So
we
have
two
things
here.
Is
it
is
it?
Is
it
very
recent,
so
that's
very
important
to
some
of
the
scenarios,
and
is
this
still
valid?
These
are
true
timing,
intense
at
least
and
then
elaborate
on
by
going
through
all
the
timestamps
later
on
again-
and
that's
also
why
I
edit
this,
because
there
is
no
transition
from
from
the
idea
of
remote
attestation
and
the
interactions
we
have
here
and
suddenly
timestamps
and
the
scenarios
which
is
correct.
C
But
there
is
this
intent
in
between
that
I
I
think
there
is
hard
to
understand
why-
and
this
is
the
why?
Because
it
is
important
to
have
some
evidence
very
recent
and
to
understand
some
evidence
expired.
It's
not
valid
anymore,
and
these
are
two
things
that
Thomas
elaborated
on
here
with
blocks
and
the
notion
of
expiry
and
such
and
I
think
that's
is
a
fundamental
principle:
that's
not
specific
to
a
single
solution,
and
that
is
the
answer
to
Dave,
not
specific.
D
E
Is
everything
you
just
said
is
already
in
the
master
branch
in
Section
10
right
now?
What's
the
problem
we're
trying
to
address
it's
not
already
addressed,
because
it
does
talk
about
freshness
it
talks
about
expiration.
It
talks
about
whether
you
have
a
use
of
the
word
nonce
or
to
use
synchronize
clocks.
All
that
discussion
is
in
there
right
now.
What's
the
gap.
C
E
C
I
was
talking
to
a
lot
of
stakeholders
who
could
call
it
I,
don't
know
people
who
do
remote
attestation
effectively
and
I
realize
the
freshness
means
different
things
to
a
conceptual
different
types
of
conceptual
messages.
The
freshness
to
attestation
resides
is
different,
the
freshness
of
evidence
in
such
a
way
that
if
you
apply
the
same
principles
of
freshness
to
offer
today's
results
to
evidence,
it's
broken
work
anymore,
it's
just
useless,
and
that
is
that
was
a
high.
C
E
C
Freshness
business
that's
completed,
a
lot
is
not
there,
because
I
did
not
write
it
up,
but,
as
I
already
said
by
accident,
basically,
it's
almost
wrote
up
like
80%
of
it.
These
are
the
cornerstones.
It
just
affects
the
problem,
and
it
is
that
you
can
use
expiry
for
some
things,
but
it's
not
usually
use
nonces,
for
example,
and
it
doesn't
help
you
at
all
and
also
time,
synchronization
doesn't
help
you
anymore.
C
A
It's
gonna
just
add
to
that.
One
of
the
things
I
like
about
the
the
text
of
Thomas
just
wrote
is
that
it
gets
away
from
the
idea
of
nonce,
as
it
relates
to
challenge
response,
there's
so
much
baggage
that
the
word
nonce
has
in
people's
minds
that
the
idea
of
showing
that
there
are
other
methods
for
freshness
I
think
is
a
useful
thing
to
add
that
I,
don't
think
is,
is
not
denied
by
section
10,
but
we're
not
articulating
other
methods
that
are
interesting.
A
I
know
that
I
care
a
lot
about
not
having
a
challenge
response
for
a
lot
of
the
work
in
the
in
the
network,
because
I
want
to
make
sure
that
we
can
do
broadcast
multicast
all
kind
of
ways
of
doing
validity
and
freshness
without
having
in
the
months
every
time
it's
out
there.
So
I
do
like
the
text
put
together
because
it
starts
to
highlight
alternatives
to
challenge
response
which
are
often
bound
to
the
idea
of
announce.
We.
A
I
think
that
this
gets
beyond,
what's
in
Section
ten,
for
why
architectures
care
about
some
of
this,
and
we
really
haven't,
talked
much
about
the
need
for
broadcast
or
multicast
proof
of
freshness
in
the
base
document
in
Section
ten.
This
starts
to
highlight
that
the
beyond
Ananse
and
beyond
challenge
response.
There
are
methods
of
doing
remote
at
the
station
without
the
challenge
response.
So
that's
why
I'd
like
about
what.
E
Section
already
talks
I
mean
I'm,
not
trying
to
necessarily
say
that
section
10
is
perfect,
I'm
trying
to
say
what's
the
problem,
we're
trying
to
solve
right
so
section
10
already
talks
about
you
can
do
it
without
a
nonce
right.
That
was
the
whole
time.
Synchronization
paragraph
that's
in
there
right
now,
so
that
part's
in
there
so
I'm
trying
to
figure
out
what's
the
problem
or
trying
to
resolve.
A
The
problem
I
see
here,
that's
not
intend
in
some
of
the
elements
of
how,
where
section
10,
is
that
we're
not
explicitly
saying
this
can't
be
done
so
I
think
that
10
is
at
least
I
granted
was
saying
that
the
elements
that
are
there
versus
any
of
them
any
of
wait
to
drift
break
halts,
but
it
doesn't
talk
about
I,
guess,
I
sort
of
read
it
I,
don't
it
doesn't
the
idea
that
this
is
not
challenge
response.
Only
challenge
response
doesn't
pop
that
me
for
sure.
E
F
Yes,
sorry,
any
going
off
of
what
Eric
said,
I
mean
we've
run
into
a
rerun,
is
a
recent
problem
with
our
BOE
products,
where
we
want
to
send
a
some
sort
of
security
assurance
of
the
myriad
channel,
which
is
one
way
it's
like
about.
It's
like
a
multicast,
but
the
problem
is:
is
that
no
devices
just
don't
have
an
absolute
time
reference
in
eat?
What
we
did
was
we
actually
divined
a
value
called
uptime
which
isn't
great?
F
It's
not
you
know,
but
it
just
says:
okay,
how
long
is
the
device
been
up
since
until
I
asked
a
spec
boot
cycle?
Is
that
going
to
be
a?
Would
we
allow
for
such
things
when
we
talk
about
freshness
in
these
one-way
connections?
You
know
like
what
Eric
toilet,
what
Erica
80?
You
know
the
nonchalant
response,
or
what
is
always
that,
would
we
say
every
time,
references
and
that's
it
progression.
This.
C
E
E
C
E
C
F
C
A
B
So
Hank
I
am
did
a
rebase
of
this
87
on
master
again
there
was
some
conflicts
that
I
think
were
trivial,
that
I
resolved
mostly
involving
the
Tuda
reference,
and
so
that's
on
the
branch
freshness
too,
but
I
could
push
it
as
freshness
if
you
prefer
I'm,
not
sure
what
that
does
to
all
the
conversation.
So
that's
why
I
recall
our
decline,
and
then
you
got
your
gonna
put
you're
gonna
put
some
text
in
from
Thomas.
On
top
of
that,
that's.
C
E
B
E
The
wall
of
green
text
is
stuff
that
I
would
be
happy
to
see
Thomas
you
if
you
choose
to
not
start
from
the
wall
of
green
text
and
start
from
something
else,
that's
what
I'm
suggesting
I
would
find
it
easier
to
review
because
I
just
don't
understand,
what's
broken,
but
I'm
hoping
you
can
make
it
clear
in
your
pull
request.
So,
okay.
D
C
C
C
E
Time
of
something
matters,
if
one
of
two
things
is
true
either
the
actual
time
has
passed
in
some
form
in
a
message
across
a
wire
Hey
or,
if
that's
an
example
right
because
time
eg
is
an
example
of
one
that
might
be
passed
inside
the
evidence
right,
you
put
the
timestamp
in
there.
That's
an
example.
I'm.
E
In
some
of
the
diagrams
is
the
the
message
is
actually
include
in
some
of
the
examples.
A
particular
time
stand
time.
So
I
I
think
it
belongs
in
the
document
if
the
sample
is
actually
patent.
One
of
two
cases
right.
The
first
case
is
if
you
actually
passed
the
timestamp
in
an
actual
message,
then
I
agree.
It
goes
in
here.
The
second
case
that
I
agree
that
it
goes
in
there
is,
if
you
remember
it,
and
prepare
it
in
some
way
against
something
that
gets
passed
in
a
message.
E
So,
for
example,
you
compare
the
value
that
you
get
in
a
message.
You
received
against
a
value
that
you'd
storage
from
before
and
compare
that
against
some
threshold
as
an
example
and
that's
a
way
of
using
it
and
then
it's
then
it's
important
to
keep
in
here.
I,
don't
know
if
a
third
state-
and
so
if.
E
One
of
the
time
so
CC
is
the
first
one
right
I
had
claimed
that
CC
is
never
passed
in
a
message,
nor
is
it
used
in
some
comparison
against
something
that
can
cross
wire,
and
so
that's
why
I
argued
that
CC
is
not
necessary
in
this
diagram.
It's
an
event
that
happens,
but
the
timestamp
of
it
is
not
relevant.
That
is
correct
at
the
timestamp.
E
There
are
some
that
don't
go
in
the
wire,
but
they're
compared
against
in
some
way.
Yeah
so
that's
say,
CC
is
not
necessary
in
this
document.
Was
the
first
point
because
of
the
things
so
then
we
can
go
on
to
the
next
one,
which
was
HD,
which
I'm
not
sure,
I
completely
understand
HD
you
guys
trying
to
figure
out.
Why
is
HD
relevant
is
HD
appear
on
the
wire
or
you're,
comparing
it
against.
Something
goes
on
the
wire
and
as
far
as
I
can
tell,
the
answer
is
no.
C
E
F
C
C
The
example
that
is
coming
below
for
time,
based
basically
it's
the
it's
the
it's
the
time
stamp
thingy,
that
is
not
the
nuns,
so
we
were
talking
about
broadcast
I
think
it
came
up.
That
is
a
very
good
example,
I
think
so
the
handy
distribution
could
be
a
broadcast.
So
what
I
did
not
do
is
to
input
it
put
into
this
diagram
the
source
of
the
broadcast.
Basically
time
HD
is
the
reception
of
the
handle
of.
F
C
E
C
Eg,
let
me
think
about
this
know
that
it
is
not
true,
so
the
tester
has
a
clock
that
drifts
all
the
time
into
a
master.
So
it
is,
there
is
a
maximum
time
time
spent
to
the
receiver
of
HD,
which
the
testers
were
keep
in
mind
when
creating
evidence,
because
if
it
has
no
new
HD
after
a
certain
threshold,
when
the
drift
is
too
high,
for
example,
which
is
sampling
beforehand,
then
HD
is
not
received.
Hd
is
not
at
the
point
of
time.
We
have
to
check
for
that.
C
E
C
B
C
B
This
diagram
would
be
clearer.
It
would
be
clear
if
there
was
an
arrow
somehow
that
pointed
in
right
at
this
point
from
somewhere
else,
because
that
would
distinguish
that
dot
point
right.
It
looks
arbitrary
to
me
because
there's
no
doesn't
this.
This
part
is
not
annotated
in
any
way,
but
there's
an
external
event.
That's
driving
where
the
time
of
HD
is
I.
C
A
F
Yeah
and
I
think
you
know
I
think
the
challenge
is
even
if
you
look
at
broadcast
multicast,
you
know
in
both
devices
you
can't
since
there's
no
connection,
you
don't
know
where
they
both
devices.
Are
you
even
if
they
have
reliable
time
references
you
don't
know,
and
they
say
if
they're,
using
the
same
reliable
time,
references
I
want
to
be
using
a
different
NTP
source
than
the
other.
So
I
still
think
that
you
can
get
an
adequate
security
assurance
with
some
relative
freshness.
F
E
C
B
C
C
E
E
C
What
we
do
here
is
create
evidence
specifically
created
for
the
proof
that
this
clock
actually
refers
to
a
attestation
vironment,
you
know,
so
we
create
evidence.
That
is
not
the
evidence
for
that.
The
ancestor
creates,
but
only
evidences
can
only
create
with
this
outside
handle
that
this
domain
here
of
the
three
parties
have
and
Trust
the
synchronization
is.
C
That
is
the
only
thing
we
are
doing
here
with
the
hand
resolution,
and
we
could
make
this
diagram
very
complex
to
make
it
correct,
or
we
have
to
abstract
it
somehow
and
maybe
revert
the
definition
of
HD
a
little
bit
to
make
this
work
with
only
the
three
parties
Illustrated.
Otherwise,
we
are
breaking
the
pattern
here
of
how
to
do
the
diagrams,
which
is
a
little
bit
confusing,
to
read.
I
assume
notice.
A
B
C
B
H
C
That's
good,
fine,
okay,
yes,
again,
I
know
that
editing
something
that,
as
we
based
three
times
as
hard
I,
think
it
was
by-
and
at
least
Thomas
now
frying
this
Wow
in
what
was
really
perfect.
By
how
cool
the
input
was.
This
might
actually
resolve
into
something
that
you
can
edit.
The
document
you're.