Minutes interim-2020-mls-18: Tue 12:00
minutes-interim-2020-mls-18-202008111200-00

# Issues/PRs

* PSK injection:
    - Richard: Do we want/need a proposal to inject a PSK? Currently the plan
    is using a commit extension. I feel like we don't need a proposal. An
    extension is enough. - Konrad: Proposals are handy because they
    authenticate a potential external source of the restart/re-add action. -
    Raphael: Since there is no one really advocating proposals based on a
    concrete use case, we should avoid overcomplicating the protocol. Vendor
    can do it in a proprietary way on the application level. - Brendan: We
    could make commits more extensible by keeping all proposals in a single
    array, which would give the committer a way to indicate ordering. -
    Richard: The application would still have to check that the ordering is
    sane. - Raphael: This might be worthwhile if it keeps commits extensible. -
    Richard: More work is needed to negotiate the availability of proposals
    throughout the group. - Brendan agrees to provide some pseudocode for his
    idea.

* PR #388
    - Richard: It turns out we need to refer to a raw hash function. Eric
    brought this up. - Eric: #388 solves the issue I raised.

* PR #387
    - Sean: IANA usually reserves the first enum version, but we don't have to
    do it. It might be sensible to change it from "invalid" to "reserved" so we
    have less trouble with reviews later.

* PR #369
    - Brendan: What instructions would one put in an extension would we that
    wouldn't work as a proposal? - Richard: Instructions that would not enter
    into the transcript. - Konrad: With extensible commits, we would have two
    ways of communicating instructions to the group. - Richard: That is true,
    if we have extensible proposals. Do we need to have communication about
    PSKs in the transcript? - Konrad: We do if we want the communication
    authenticated in the transcript. - Sean: We can wait with this PR until we
    agree on how to extend commits.

* PR #360
    - Richard (refers to his comment on the PR): We should go with option b) to
    save entropy. Option c) seems scary. - Brendan: b) doesn't change that
    much. If we want more efficiency we should go for c). - Britta: I believe
    that we can't just drop the auth tag and expect the same level of
    authentication. - Raphael: The lack of ordering requirement makes losing FS
    on authenticity more dangerous, although there is still a signature on the
    inside. - Britta: It might be a good idea to rely on both signatures and
    auth tags, because signature keys won't get rotated as much. - Sean: We
    should push this back one or two weeks.