[{"author": "Yoav Nir", "text": "I think with a hybrid meeting, not even a proxy proposal would pack the room.
", "time": "2022-03-23T09:00:02Z"}, {"author": "Yoav Nir", "text": "Can someone with a proper Jabber client fix the topic?
", "time": "2022-03-23T09:00:14Z"}, {"author": "Martin Thomson", "text": "did we sort out the ordering?
", "time": "2022-03-23T09:02:46Z"}, {"author": "Thom Wiggers", "text": "Slides died
", "time": "2022-03-23T09:03:26Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "MT: ordering of ... handshake messages? Or documents?
", "time": "2022-03-23T09:03:42Z"}, {"author": "Martin Thomson", "text": "the hybrid key exchange presentation was marked specially in the agenda
", "time": "2022-03-23T09:03:54Z"}, {"author": "dkg", "text": "slides are gone
", "time": "2022-03-23T09:03:55Z"}, {"author": "Martin Thomson", "text": "it's the \"document\" icon
", "time": "2022-03-23T09:05:17Z"}, {"author": "Martin Thomson", "text": "do you need the length AND the fragmentation pieces?
", "time": "2022-03-23T09:11:04Z"}, {"author": "Martin Thomson", "text": "SGTM
", "time": "2022-03-23T09:13:30Z"}, {"author": "Martin Thomson", "text": "these seem like clear examples of stuff that can be added as an extension
", "time": "2022-03-23T09:14:19Z"}, {"author": "jhoyla", "text": "I don't follow the logic of why you can drop the Finished? Because the record layer performs the same function?
", "time": "2022-03-23T09:16:29Z"}, {"author": "Martin Thomson", "text": "so would you take the on-the-wire transcript instead?
", "time": "2022-03-23T09:16:41Z"}, {"author": "Deb Cooley", "text": "Hannes, you are very tiny....
", "time": "2022-03-23T09:17:11Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "jhoyla: I think that's the idea, yeah, that the AEAD tag performs
key-confirmation for the final keys...but huh, what about the client's
final flight.
", "time": "2022-03-23T09:17:21Z"}, {"author": "Martin Thomson", "text": "the finished thing is probably the thingthat makes me most nervous
", "time": "2022-03-23T09:17:43Z"}, {"author": "Martin Thomson", "text": "what if one endpoint never sends application data?
", "time": "2022-03-23T09:17:59Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Indeed, there are many reasons to be nervous about the finished thing
", "time": "2022-03-23T09:18:19Z"}, {"author": "jhoyla", "text": "For example if you're in EAP-TLS
", "time": "2022-03-23T09:18:19Z"}, {"author": "Deb Cooley", "text": "@Martin: Is there actually a channel at all in that case?
", "time": "2022-03-23T09:18:30Z"}, {"author": "Richard Barnes", "text": "Hannes is also very yellow
", "time": "2022-03-23T09:18:34Z"}, {"author": "Deb Cooley", "text": "@rlb LOL
", "time": "2022-03-23T09:18:49Z"}, {"author": "Sean Turner", "text": "safety dance!
", "time": "2022-03-23T09:18:53Z"}, {"author": "Martin Thomson", "text": "deb: it might not be symmetric, so one side might want to send, but they haven't received Finished to confirm the keys of its peer.
", "time": "2022-03-23T09:19:03Z"}, {"author": "Benjamin Schwartz", "text": "To be clear, the draft currently supports reducing the Random and Finished size to a custom value, which can be zero.
", "time": "2022-03-23T09:19:07Z"}, {"author": "Martin Thomson", "text": "as stated, this needs careful analysis
", "time": "2022-03-23T09:19:13Z"}, {"author": "Robin Wilton", "text": "Hannes is closer to red shift than blue shift...
", "time": "2022-03-23T09:19:19Z"}, {"author": "jhoyla", "text": "@Thom, how much work do you think it would be to include the record layer into the Tamarin model?
", "time": "2022-03-23T09:19:44Z"}, {"author": "Martin Thomson", "text": "I think that you can make an information theoretic argument for use of the CTLS transcript on the basis that any negotiation is either embodied in the profile (via profile ID) or in the transcript
", "time": "2022-03-23T09:20:17Z"}, {"author": "Richard Barnes", "text": "To be clear, my clever ideas only only turn out to be actually clever about 60% of the time
", "time": "2022-03-23T09:20:38Z"}, {"author": "Richard Barnes", "text": "that may be an overestimate
", "time": "2022-03-23T09:20:50Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "\"authenticate the bits as they were on the wire\" does have something
going for it
", "time": "2022-03-23T09:20:52Z"}, {"author": "Martin Thomson", "text": "kaduk, precisely
", "time": "2022-03-23T09:21:04Z"}, {"author": "Benjamin Schwartz", "text": "I wonder if we need to worry about profile disagreements though
", "time": "2022-03-23T09:21:28Z"}, {"author": "Deb Cooley", "text": "@rlb more often than some
", "time": "2022-03-23T09:21:32Z"}, {"author": "Benjamin Schwartz", "text": "Consider an adversary who can swap out the profile contents...
", "time": "2022-03-23T09:21:41Z"}, {"author": "Thom Wiggers", "text": "@jhoyla: it\u2019s already somewhat included in the TLS13 model but doesn\u2019t cover the aead properties
", "time": "2022-03-23T09:21:46Z"}, {"author": "Martin Thomson", "text": "ben schwartz: yes, that bothers me a little, which we might do by hashing a profile, for example
", "time": "2022-03-23T09:21:56Z"}, {"author": "Benjamin Schwartz", "text": "Martin: Yep. But then we need a canonical representation of the profile...
", "time": "2022-03-23T09:22:18Z"}, {"author": "jhoyla", "text": "@kaduk From a symbolic proof perspective I don't think that the bits on the wire changes actually make a difference to the proof.
", "time": "2022-03-23T09:22:19Z"}, {"author": "Martin Thomson", "text": "though as JSON, it's not necessarily in a canonical form
", "time": "2022-03-23T09:22:19Z"}, {"author": "Martin Thomson", "text": "haha :)
", "time": "2022-03-23T09:22:28Z"}, {"author": "Thom Wiggers", "text": "If you want to model cTLS you might want to be able turn off/on all the options especially if you get rid of the reconstruction
", "time": "2022-03-23T09:22:43Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "jhoyla: I also think so...which is why the \"something\" that it has
going for it is rather under-specified :)
", "time": "2022-03-23T09:23:00Z"}, {"author": "jhoyla", "text": "@Thom I think we could add the AEAD properties pretty easily, because the functions are already defined in other models
", "time": "2022-03-23T09:23:02Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "MT: but JCS!
", "time": "2022-03-23T09:23:11Z"}, {"author": "Robin Wilton", "text": "@Richard The phrase \"I've had this *really clever* idea that will save us 4 bytes of storage\" has been striking fear into maintainers' hearts since the invention of the computer.
", "time": "2022-03-23T09:23:20Z"}, {"author": "Christopher Patton", "text": "\"PCS\"?
", "time": "2022-03-23T09:23:21Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "post-compromise security
", "time": "2022-03-23T09:23:29Z"}, {"author": "Thom Wiggers", "text": "jhoyla: agreed
", "time": "2022-03-23T09:23:31Z"}, {"author": "Sean Turner", "text": "post compromise
", "time": "2022-03-23T09:23:31Z"}, {"author": "Christopher Patton", "text": "thanks
", "time": "2022-03-23T09:23:41Z"}, {"author": "Martin Thomson", "text": "kaduk: nice try
", "time": "2022-03-23T09:23:54Z"}, {"author": "Martin Thomson", "text": "please, we don't need to do renegotiation in TLS 1.3, or if we do, someone can write an extension
", "time": "2022-03-23T09:24:24Z"}, {"author": "Martin Thomson", "text": "these granular alerts are a royal pain; definitely reduce it to one
", "time": "2022-03-23T09:25:14Z"}, {"author": "Thom Wiggers", "text": "jhoyla: implicit auth does basically mean that until a peer sends something you don\u2019t have confirmation on their choices for hello parameters (which cTLS presumably just hard codes)
", "time": "2022-03-23T09:25:25Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "certificate_rejected
", "time": "2022-03-23T09:25:29Z"}, {"author": "Martin Thomson", "text": "thom: not all choices will be hard coded
", "time": "2022-03-23T09:25:43Z"}, {"author": "jhoyla", "text": "Is having exactly one PSK error significantly different from having zero PSK errors?
", "time": "2022-03-23T09:25:45Z"}, {"author": "Christopher Patton", "text": "I like the proposal as well
", "time": "2022-03-23T09:26:28Z"}, {"author": "Christopher Patton", "text": "KISS
", "time": "2022-03-23T09:26:36Z"}, {"author": "Joseph Salowey", "text": "less is more
", "time": "2022-03-23T09:26:45Z"}, {"author": "Sean Turner", "text": "you can give the general \"error\" or provide info that you know it's about a PSK
", "time": "2022-03-23T09:26:51Z"}, {"author": "Rich Salz", "text": "\"wrong username\"/\"wrong password\" vs \"login failed\"
", "time": "2022-03-23T09:27:03Z"}, {"author": "Rich Salz", "text": "i have not found detailed alerts very usefl for debugging. most commonly, it gives Hubert Khario something to complain about ;)
", "time": "2022-03-23T09:27:47Z"}, {"author": "Martin Thomson", "text": "HRR contains the negotiated cipher suite, right? in which case, we are good
", "time": "2022-03-23T09:28:33Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "I agree that it should be the negotiated hash used for message_hash
reinjection. No comment on what the current text says.
", "time": "2022-03-23T09:28:35Z"}, {"author": "Martin Thomson", "text": "this is good, because that is what people implement in practice
", "time": "2022-03-23T09:28:58Z"}, {"author": "Martin Thomson", "text": "though it's not very well tested, I'm sure
", "time": "2022-03-23T09:29:12Z"}, {"author": "jhoyla", "text": "Given that there isn't downgrade protection on CH2 is there anything bad that can happen if you use the negotiated hash?
", "time": "2022-03-23T09:29:15Z"}, {"author": "jhoyla", "text": "I don't think so, but it makes me a bit nervous.
", "time": "2022-03-23T09:29:27Z"}, {"author": "jhoyla", "text": "(Or rather, there isn't downgrade protection of CH2 until the server Finished)
", "time": "2022-03-23T09:30:01Z"}, {"author": "Martin Thomson", "text": "davidben isn't here, so maybe we won't make progress
", "time": "2022-03-23T09:31:02Z"}, {"author": "sftcd-x-x", "text": "maybe not a minimum thing, but entirely ditching HRR seems like it should be attractive :-)
", "time": "2022-03-23T09:31:03Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "I don't see davidben in the participants list :(
", "time": "2022-03-23T09:31:05Z"}, {"author": "Martin Thomson", "text": "I think that his approach is dangerous, but he is right that it isn't absolute
", "time": "2022-03-23T09:31:23Z"}, {"author": "Sean Turner", "text": "that's a good way forward ekr
", "time": "2022-03-23T09:31:44Z"}, {"author": "Martin Thomson", "text": "wfm
", "time": "2022-03-23T09:31:50Z"}, {"author": "Sean Turner", "text": "on 1214 - that's fine it's why there's 8447bis
", "time": "2022-03-23T09:32:47Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "I think 1206 was passing an IESG ballot comment on DTLS 1.3 over to
8446bis as \"more appropriately handled\" here, but have no objection to
closing with no change
", "time": "2022-03-23T09:33:09Z"}, {"author": "Martin Thomson", "text": "multiple identities is an application issue; we just have to say that it can happen
", "time": "2022-03-23T09:33:24Z"}, {"author": "Richard Barnes", "text": "-ter
", "time": "2022-03-23T09:34:18Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "8446bisbis rather than 8446ter?
", "time": "2022-03-23T09:34:21Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "*high-five* Barnes :)
", "time": "2022-03-23T09:34:30Z"}, {"author": "Richard Barnes", "text": "\ud83d\ude4c\ud83c\udffb
", "time": "2022-03-23T09:34:44Z"}, {"author": "jhoyla", "text": "Could SNIP allow a client to abandon a TLS 1.3 connection attempt before it completes and move to a QUIC option?
", "time": "2022-03-23T09:36:42Z"}, {"author": "Sean Turner", "text": "Unless people start beating down the door - we are going to park it
", "time": "2022-03-23T09:36:46Z"}, {"author": "Benjamin Schwartz", "text": "It might be straightforward to implement in the context of an HTTP server that has built-in support for HTTP/3.
", "time": "2022-03-23T09:36:59Z"}, {"author": "Martin Thomson", "text": "jhoyla: basically, yes
", "time": "2022-03-23T09:37:06Z"}, {"author": "Christopher Wood", "text": "Douglas is not here.
", "time": "2022-03-23T09:37:41Z"}, {"author": "Eric Rescorla", "text": "It is very confusing to me that this is not the same as \"Hybrid Public Key Exchange\"
", "time": "2022-03-23T09:37:51Z"}, {"author": "Martin Thomson", "text": "the naming here is very unfortunate
", "time": "2022-03-23T09:38:05Z"}, {"author": "jhoyla", "text": "@MT Cool, it would mess with some of my experiments, but I like the idea.
", "time": "2022-03-23T09:38:18Z"}, {"author": "Christopher Patton", "text": "HPKE = hybrid PKE
", "time": "2022-03-23T09:38:27Z"}, {"author": "Florence D", "text": "There's been similar discussion about naming on the LAMPS mailing list
", "time": "2022-03-23T09:38:31Z"}, {"author": "Sean Turner", "text": "haha
", "time": "2022-03-23T09:38:34Z"}, {"author": "Dennis Jackson", "text": ":-P
", "time": "2022-03-23T09:38:37Z"}, {"author": "Christopher Patton", "text": "lol
", "time": "2022-03-23T09:38:37Z"}, {"author": "Thom Wiggers", "text": "Hyper pke
", "time": "2022-03-23T09:38:50Z"}, {"author": "Deb Cooley", "text": "just ban the word 'hybrid' altogether
", "time": "2022-03-23T09:38:51Z"}, {"author": "sftcd-x-x", "text": "+1 for spending a year or so talking about terminology before doing anything substantive on PQC in protocols :-)
", "time": "2022-03-23T09:38:54Z"}, {"author": "Eric Orth", "text": "They're still similar-sounding enough that it confused me in the same way at this early hour.
", "time": "2022-03-23T09:38:55Z"}, {"author": "Richard Barnes", "text": "+1 deb
", "time": "2022-03-23T09:38:56Z"}, {"author": "Eric Rescorla", "text": "Hilarious Public Key Exchange?
", "time": "2022-03-23T09:39:05Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "genetic hybridization only?
", "time": "2022-03-23T09:39:05Z"}, {"author": "Panos Kampanakis", "text": "PQ-hybrid is probably clearer
", "time": "2022-03-23T09:39:13Z"}, {"author": "Deb Cooley", "text": "no-GMO
", "time": "2022-03-23T09:39:19Z"}, {"author": "Sean Turner", "text": "@stfcd - aren't you missing another X?
", "time": "2022-03-23T09:39:21Z"}, {"author": "Britta Hale", "text": "Ekr is correct, that is different.
", "time": "2022-03-23T09:39:23Z"}, {"author": "Vincent Cheval", "text": "Problem with my mic apparently
", "time": "2022-03-23T09:39:24Z"}, {"author": "Martin Thomson", "text": "homomorphic private key exposure
", "time": "2022-03-23T09:39:26Z"}, {"author": "Martin Thomson", "text": "homomorphic private key exfiltration
", "time": "2022-03-23T09:39:44Z"}, {"author": "Vincent Cheval", "text": "Mic is not working
", "time": "2022-03-23T09:39:48Z"}, {"author": "sftcd-x-x", "text": "@turner: I can add another -x later
", "time": "2022-03-23T09:39:50Z"}, {"author": "Mike Ounsworth", "text": "Re naming of \"Hybrid key exchange\": the lamps thread is: https://mailarchive.ietf.org/arch/msg/spasm/P9kKu-3ToUvYwidY8fUGoiYu0Dg/
", "time": "2022-03-23T09:40:02Z"}, {"author": "Richard Barnes", "text": "@sftcd-x-x please save @sftcd-xxx for after the meeting
", "time": "2022-03-23T09:40:14Z"}, {"author": "Mike Ounsworth", "text": "I personally prefer \"multi-key KEM\" or \"multi-algorithm KEM\", of which \"composite\" is a specific multi-key scheme.
", "time": "2022-03-23T09:40:27Z"}, {"author": "Martin Thomson", "text": "Joe, try reloading
", "time": "2022-03-23T09:40:30Z"}, {"author": "Martin Thomson", "text": "wheee!
", "time": "2022-03-23T09:40:50Z"}, {"author": "Vincent Cheval", "text": "I have a permission problem
", "time": "2022-03-23T09:40:56Z"}, {"author": "Eric Rescorla", "text": "Which browser are you in?
", "time": "2022-03-23T09:41:15Z"}, {"author": "Deb Cooley", "text": "@ekr, LOL
", "time": "2022-03-23T09:41:29Z"}, {"author": "Martin Thomson", "text": "you don't need to restart
", "time": "2022-03-23T09:41:30Z"}, {"author": "Martin Thomson", "text": "but you need to know how to navigate the UI
", "time": "2022-03-23T09:41:37Z"}, {"author": "sofiaceli", "text": "Unfortunately, the \u2018hybrid\u2019 name is part of the NIST post-quantum competition and is referred now academically also as so: https://csrc.nist.gov/Projects/post-quantum-cryptography/faqs
", "time": "2022-03-23T09:41:43Z"}, {"author": "Eric Rescorla", "text": "@deb: well, I was going to walk him through the UI
", "time": "2022-03-23T09:41:43Z"}, {"author": "Martin Thomson", "text": "and it isn't exactly obvious
", "time": "2022-03-23T09:41:43Z"}, {"author": "Deb Cooley", "text": "Firefox for the win
", "time": "2022-03-23T09:41:43Z"}, {"author": "Mike Ounsworth", "text": "There was some discussion on LAMPS that maybe we need a draft to standardize language for talking about multi-key / hybrid / dual / composite PQ stuffs
", "time": "2022-03-23T09:41:51Z"}, {"author": "Rich Salz", "text": "yeah, clap clap
", "time": "2022-03-23T09:42:29Z"}, {"author": "jhoyla", "text": "Can we increase Vincent's gain?
", "time": "2022-03-23T09:42:31Z"}, {"author": "Florence D", "text": "@mike I think it's good to break down what's 'composite' further than the scheme. Because you could have a 'composite' signature using 'non-composite' keys for example.
", "time": "2022-03-23T09:42:38Z"}, {"author": "Eric Rescorla", "text": "In any browser, however, if you reload the page (?) or re-ask for media (?) it should re-prompt you for permissions
", "time": "2022-03-23T09:42:39Z"}, {"author": "Andrew Campling", "text": "Vincent is a little quiet in the room
", "time": "2022-03-23T09:42:46Z"}, {"author": "Florence D", "text": "Then I suppose there's also the \"dual signature\" language which might be clearer
", "time": "2022-03-23T09:43:00Z"}, {"author": "sofiaceli", "text": "Yes! @Mike that will be nice, as confusingly enough it is \u2018hybrid\u2019 for key exchange, and \u2018dual\u2019 for signatures, according to NIST
", "time": "2022-03-23T09:43:02Z"}, {"author": "Eric Rescorla", "text": "Are composite keys when they are non-prime?
", "time": "2022-03-23T09:43:24Z"}, {"author": "svaldez@jabber.hot-chilli.net/barnowl", "text": "Vincent is still kind of quiet.
", "time": "2022-03-23T09:43:43Z"}, {"author": "Andrew Campling", "text": "The in-room sound is still pretty quiet
", "time": "2022-03-23T09:43:59Z"}, {"author": "jhoyla", "text": "Yeah, I can't hear at all
", "time": "2022-03-23T09:44:04Z"}, {"author": "Eric Rescorla", "text": "I made him loader by jacking up my local gain
", "time": "2022-03-23T09:44:11Z"}, {"author": "Rich Salz", "text": "ditto
", "time": "2022-03-23T09:44:22Z"}, {"author": "Florence D", "text": "@ekr - I'm ashamed I've never thought of that joke before
", "time": "2022-03-23T09:44:22Z"}, {"author": "Eric Rescorla", "text": "loader, actually
", "time": "2022-03-23T09:44:35Z"}, {"author": "jhoyla", "text": "We can all go and cuddle the speaker I guess :P
", "time": "2022-03-23T09:44:44Z"}, {"author": "Mike Ounsworth", "text": "@ekr /facepalm
", "time": "2022-03-23T09:44:49Z"}, {"author": "Thom Wiggers", "text": "I don\u2019t think I can pick up the room speakers and put them in front of me
", "time": "2022-03-23T09:44:52Z"}, {"author": "jhoyla", "text": "That is not the list of properties in the document ...
", "time": "2022-03-23T09:45:50Z"}, {"author": "Sean Turner", "text": "yeah it would be good to have two for all
", "time": "2022-03-23T09:46:52Z"}, {"author": "Thom Wiggers", "text": "Should be trivial to extend the tamarin model for client identity privacy
", "time": "2022-03-23T09:48:29Z"}, {"author": "Sean Turner", "text": "@Thom have they automated the button pressing yet? :)
", "time": "2022-03-23T09:48:55Z"}, {"author": "Eric Rescorla", "text": "\"Should be trivial\" is usually the start of a paper called \"breaking and repairing....\"
", "time": "2022-03-23T09:49:11Z"}, {"author": "jhoyla", "text": "@SPT Thom managed to automate pretty much all the proofs, paper forthcoming!
", "time": "2022-03-23T09:49:23Z"}, {"author": "Thom Wiggers", "text": "My KEMTLS model variant has no button pressing o/
", "time": "2022-03-23T09:49:24Z"}, {"author": "Sean Turner", "text": "awesome sauce
", "time": "2022-03-23T09:49:37Z"}, {"author": "kaduk@jabber.org/barnowl", "text": ":celebrate:
", "time": "2022-03-23T09:49:47Z"}, {"author": "Sean Turner", "text": ":profit:
", "time": "2022-03-23T09:49:56Z"}, {"author": "Rich Salz", "text": ":tenure:
", "time": "2022-03-23T09:50:05Z"}, {"author": "jhoyla", "text": ":joy:
", "time": "2022-03-23T09:50:30Z"}, {"author": "Richard Barnes", "text": "is the \"hpke\" on the slide referring to the post-quantum stuff?
", "time": "2022-03-23T09:50:47Z"}, {"author": "Thom Wiggers", "text": "Rich: I\u2019ll tell Peter Schwabe to give me my PhD then
", "time": "2022-03-23T09:50:48Z"}, {"author": "Martin Thomson", "text": "looking at these diagrams I am reminded of just how deep this gets
", "time": "2022-03-23T09:51:08Z"}, {"author": "Christopher Wood", "text": "ECH is complicated.
", "time": "2022-03-23T09:51:16Z"}, {"author": "jhoyla", "text": "*cough* channel bindings *cough*
", "time": "2022-03-23T09:51:17Z"}, {"author": "Sean Turner", "text": "I like that the font keeps getting smaller and smaller and smaller ;)
", "time": "2022-03-23T09:51:35Z"}, {"author": "sftcd-x-x", "text": "ECH isn't so bad, ECH+HRR is an utter PITA
", "time": "2022-03-23T09:51:38Z"}, {"author": "Martin Thomson", "text": "this has got to be hugely intimidating
", "time": "2022-03-23T09:51:49Z"}, {"author": "jhoyla", "text": "(I guess that format is much scarier for the in person people ;P)
", "time": "2022-03-23T09:51:53Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "What was sftcd-x-x saying earlier? Get rid of HRR?
", "time": "2022-03-23T09:51:53Z"}, {"author": "David Schinazi", "text": "Can confirm this is hugely intimidating for enthusiasts
", "time": "2022-03-23T09:52:05Z"}, {"author": "Deb Cooley", "text": "I must be old - I can't hear, and I certainly can't read those slides...
", "time": "2022-03-23T09:52:06Z"}, {"author": "Martin Thomson", "text": "deb: not many people can, even if they weren't in ant font
", "time": "2022-03-23T09:52:32Z"}, {"author": "sftcd-x-x", "text": "I loaded the slides locally https://datatracker.ietf.org/meeting/113/materials/slides-113-tls-tls-security-analysis-00
", "time": "2022-03-23T09:52:45Z"}, {"author": "Deb Cooley", "text": "shew
", "time": "2022-03-23T09:52:50Z"}, {"author": "Christopher Patton", "text": "Implementing ECH is complicated, yes. But it's also a pretty major change to to the protocol. Not sure if it could have been simpler..
", "time": "2022-03-23T09:52:54Z"}, {"author": "Deb Cooley", "text": "LOL...
", "time": "2022-03-23T09:53:06Z"}, {"author": "Eric Rescorla", "text": "It's fine to just have TLS 1.3, b/c ECH doesn't work with TLS 1.2
", "time": "2022-03-23T09:53:09Z"}, {"author": "Benjamin Schwartz", "text": "We could have dropped support for HRR
", "time": "2022-03-23T09:53:11Z"}, {"author": "jhoyla", "text": "48H and 100GB are pretty low limits for a Tamarin proof ;P
", "time": "2022-03-23T09:53:14Z"}, {"author": "Eric Rescorla", "text": "I'll buy some more memory
", "time": "2022-03-23T09:53:26Z"}, {"author": "Rich Salz", "text": "just don't run chrome when doing proofs
", "time": "2022-03-23T09:53:37Z"}, {"author": "Eric Rescorla", "text": "@bemasc: yeah, but I think we're gonna really need it when we do PQ
", "time": "2022-03-23T09:53:48Z"}, {"author": "Martin Thomson", "text": "down took a fair while
", "time": "2022-03-23T09:54:05Z"}, {"author": "Dennis Jackson", "text": "@ekr - Doesn't exclude cross-version attacks
", "time": "2022-03-23T09:54:16Z"}, {"author": "Eric Rescorla", "text": "@Dennis: correct. But maybe there's some way to stylize that
", "time": "2022-03-23T09:54:35Z"}, {"author": "jhoyla", "text": "Tamarin stresses browsers pretty hard actually. You can max out the DOM tree and redrawing a 28MB page for each proof step makes both Chrome and FF choke.
", "time": "2022-03-23T09:54:43Z"}, {"author": "Eric Rescorla", "text": "Like model it as fall back to plaintext or something
", "time": "2022-03-23T09:54:45Z"}, {"author": "sftcd-x-x", "text": "is there also an assumption here that the same ech-config is used for BS1 & BS2? that might not always happen due to DNS caching
", "time": "2022-03-23T09:55:26Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "I can see the headlines now: \"TLS protocol author says TLS 1.2 is equivalent to plaintext\"
", "time": "2022-03-23T09:55:31Z"}, {"author": "jhoyla", "text": "Or as a bunch of oracles to simulate being able to extract info from TLS 1.2
", "time": "2022-03-23T09:55:38Z"}, {"author": "Christopher Wood", "text": "@sftcd yeah, that's correct
", "time": "2022-03-23T09:55:51Z"}, {"author": "Christopher Wood", "text": "(it assumes a consistent configuration across BS1 and BS2)
", "time": "2022-03-23T09:55:59Z"}, {"author": "sftcd-x-x", "text": "you'd hope if the same groups are used it should be fine but be nice if that were considered (ekr said he'd add more RAM:-)
", "time": "2022-03-23T09:56:22Z"}, {"author": "jhoyla", "text": "@kaduk LOL!
", "time": "2022-03-23T09:56:27Z"}, {"author": "Thom Wiggers", "text": "@jhoyla: that requires modeling tls12; seems easier to model it as a \u201cbad\u201d state
", "time": "2022-03-23T09:56:40Z"}, {"author": "Christopher Patton", "text": "yes, thank you for the work!
", "time": "2022-03-23T09:57:06Z"}, {"author": "Dan McArdle", "text": "Very very cool!
", "time": "2022-03-23T09:57:09Z"}, {"author": "Dan McArdle", "text": "Are slides available somewhere?
", "time": "2022-03-23T09:57:14Z"}, {"author": "sftcd-x-x", "text": "https://datatracker.ietf.org/meeting/113/materials/slides-113-tls-tls-security-analysis-00
", "time": "2022-03-23T09:57:18Z"}, {"author": "Dan McArdle", "text": "Awesome, thanks sftcd-xxx!
", "time": "2022-03-23T09:57:38Z"}, {"author": "jhoyla", "text": "@Thom, I don't think so, I think you could just have a few functions that leak some state, and say that they overapproximate the info you could possibly derive from 1.2
", "time": "2022-03-23T09:57:40Z"}, {"author": "Thom Wiggers", "text": "@ekr: the room here is a bit echoey, could you maybe slow down just the tiniest bit:innocent:
", "time": "2022-03-23T09:58:11Z"}, {"author": "Richard Barnes", "text": "if you don't have 1TB of memory, are you even using a computer?
", "time": "2022-03-23T09:58:30Z"}, {"author": "Thom Wiggers", "text": "Perfect
", "time": "2022-03-23T09:58:33Z"}, {"author": "Eric Rescorla", "text": "Again, fantastic work
", "time": "2022-03-23T09:58:40Z"}, {"author": "Eric Rescorla", "text": "I would just put check marks on some of the places where they have xs
", "time": "2022-03-23T09:58:59Z"}, {"author": "Martin Thomson", "text": "yeah, this is great. and what this says is that x means \"we don't know for sure that this is OK\" as opposed to \"this is broken\"
", "time": "2022-03-23T09:59:04Z"}, {"author": "Paul Wouters", "text": "who is speaking ?
", "time": "2022-03-23T09:59:28Z"}, {"author": "Mike Ounsworth", "text": "Oh the network inspection question again ...
", "time": "2022-03-23T09:59:31Z"}, {"author": "Christopher Wood", "text": "This is out of scope for the analysis.
", "time": "2022-03-23T09:59:40Z"}, {"author": "jhoyla", "text": "I used a little clock icon to indicate that the proof wasn't available yet
", "time": "2022-03-23T09:59:52Z"}, {"author": "sftcd-x-x", "text": "you'd guess if there's a deliberate MITM then all security properties are more or less lost
", "time": "2022-03-23T09:59:52Z"}, {"author": "Rich Salz", "text": "Agreed, he analyzed it, didn't write it.
", "time": "2022-03-23T09:59:57Z"}, {"author": "dkg", "text": "when you add network inspection to the model, then the privacy properties are gone, no?
", "time": "2022-03-23T10:00:10Z"}, {"author": "Andrew Campling", "text": "Arnaud Taddei is speaking
", "time": "2022-03-23T10:00:11Z"}, {"author": "Eric Rescorla", "text": "Indeed.
", "time": "2022-03-23T10:00:23Z"}, {"author": "dkg", "text": "that's the point of network inspection
", "time": "2022-03-23T10:00:26Z"}, {"author": "Paul Wouters", "text": "thanks
", "time": "2022-03-23T10:00:26Z"}, {"author": "svaldez@jabber.hot-chilli.net/barnowl", "text": "Yeah...
", "time": "2022-03-23T10:00:28Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "You need a protocol to exist before you can model it
", "time": "2022-03-23T10:00:35Z"}, {"author": "Eric Rescorla", "text": "You may find reading ProVerif scripts somewhat challenging
", "time": "2022-03-23T10:01:45Z"}, {"author": "Christopher Patton", "text": "lol
", "time": "2022-03-23T10:02:08Z"}, {"author": "jhoyla", "text": "@caw could you dump the link to the GH in chat?
", "time": "2022-03-23T10:02:10Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Is the COVID officer going to come crack down on the physical line? I
thought we were supposed to stay in our chair until it was time to
talk
", "time": "2022-03-23T10:02:24Z"}, {"author": "Robin Wilton", "text": "@Arnaud: Vincent's goal was a \"Symbolic Analysis of Privacy for TLS 1.3 with ECH\"... not to model configurations where ECH is intentionally undermined at the server end.
", "time": "2022-03-23T10:02:26Z"}, {"author": "Mike Ounsworth", "text": "Sounds like we need to definitively decide if network inspection is in-scope for IETF or not. Are we obliged to design protocols to facilitate it? Are we obliged to recommend configurations to facilitate it?
", "time": "2022-03-23T10:02:46Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Mike: isn't that covered in RFC 2804?
", "time": "2022-03-23T10:03:11Z"}, {"author": "Martin Thomson", "text": "if both back end servers have two valid configurations that can reach them, in theory they could still be indistinguishable
", "time": "2022-03-23T10:03:19Z"}, {"author": "Sean Turner", "text": "we are not obligated to design protocols that facilitate it. That is settled long ago.
", "time": "2022-03-23T10:03:23Z"}, {"author": "Martin Thomson", "text": "I think
", "time": "2022-03-23T10:03:23Z"}, {"author": "Christopher Wood", "text": "Technical report: https://hal.inria.fr/hal-03594482/document
", "time": "2022-03-23T10:03:32Z"}, {"author": "Richard Barnes", "text": "I don't think it's really even an RFC 2804 question. it's just a question of where the ends of the protocol are.
", "time": "2022-03-23T10:03:37Z"}, {"author": "Christopher Wood", "text": "Model: https://gitlab.inria.fr/chevalvi/echo_tls
", "time": "2022-03-23T10:03:37Z"}, {"author": "Michael Jenkins", "text": "@ben in my experience the in-room chairs aren't really managing the in-room mics. Either they haven't been trained to do so or I've been in rooms with so few people it's not been an issue.
", "time": "2022-03-23T10:03:44Z"}, {"author": "Sean Turner", "text": "And, we basically re-litigated that during the draft-green discussions.
", "time": "2022-03-23T10:03:45Z"}, {"author": "Paul Wouters", "text": "We fight for the (end)user ! -- Tron
", "time": "2022-03-23T10:04:16Z"}, {"author": "Mike Ounsworth", "text": "RFC 2804. Yup. Seems definitive. Now, why does this keep coming up at every WG session?
", "time": "2022-03-23T10:04:42Z"}, {"author": "Deb Cooley", "text": "hope springs eternal?
", "time": "2022-03-23T10:04:58Z"}, {"author": "Andrew Campling", "text": "@Sean \u201csettled long ago\u201d presumably doesn\u2019t prohibit an issue being re-examined given changing circumstances.
", "time": "2022-03-23T10:05:13Z"}, {"author": "Sean Turner", "text": "@Mike This is the battle ground
", "time": "2022-03-23T10:05:17Z"}, {"author": "Sean Turner", "text": "@Andrew - sure but we just redid it two years ago. Nothing new has really been added.
", "time": "2022-03-23T10:05:40Z"}, {"author": "sftcd-x-x", "text": "re-visiting the deliberate mitm issue so often gets a little tedious I have to say
", "time": "2022-03-23T10:05:48Z"}, {"author": "Martin Thomson", "text": "if someone had new information, that might be different, but claiming that information is new doesn't make it so
", "time": "2022-03-23T10:06:01Z"}, {"author": "Arnaud Taddei", "text": "@Robin I know what Vincent is trying to do and quite fascinating. I think there would be a lot of value to ask the same thing in a real environment
", "time": "2022-03-23T10:06:05Z"}, {"author": "Eric Rescorla", "text": "@Andrew: yes, if you want to reoepn the question of RFC 2804 in IETF as a whole, sure.
", "time": "2022-03-23T10:06:10Z"}, {"author": "Eric Rescorla", "text": "@Arnaud: well, I'm not sure what you mean by a \"real environment\". The vast majority of clients do not have MITM proxies
", "time": "2022-03-23T10:06:29Z"}, {"author": "sftcd-x-x", "text": "@arnaud: \"real! != MITM proxies
", "time": "2022-03-23T10:06:40Z"}, {"author": "Eric Rescorla", "text": "And this model *does* capture the rest of what you are asking, I believe
", "time": "2022-03-23T10:06:45Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "> hybrid means using multiple algorithms
(probably also describes HPKE, but I hope we have unconfused ourselves
on this point for the purpose of this session)
", "time": "2022-03-23T10:06:49Z"}, {"author": "Arnaud Taddei", "text": "@Eric, this is bizarre, I have all tier 1 500 fortune enterprises that disagree
", "time": "2022-03-23T10:07:01Z"}, {"author": "Rich Salz", "text": "STOP
", "time": "2022-03-23T10:07:11Z"}, {"author": "Eric Rescorla", "text": "@arnaud: I can show you our measurements
", "time": "2022-03-23T10:07:21Z"}, {"author": "sftcd-x-x", "text": "1500 web servers is a tiny numbers
", "time": "2022-03-23T10:07:26Z"}, {"author": "Rich Salz", "text": "This is not the place for restarting this discussion.
", "time": "2022-03-23T10:07:26Z"}, {"author": "Rich Salz", "text": "Please STOP everyone.
", "time": "2022-03-23T10:07:37Z"}, {"author": "Martin Thomson", "text": "+1 r$, this is the time we have for talking about hybrid key exchange
", "time": "2022-03-23T10:07:48Z"}, {"author": "Dennis Jackson", "text": "Thanks Rich.
", "time": "2022-03-23T10:07:49Z"}, {"author": "Arnaud Taddei", "text": "Well, it seems we have a problem then if you guys are not willing to listen.
", "time": "2022-03-23T10:07:50Z"}, {"author": "Mike Ounsworth", "text": "+1 @Rich
", "time": "2022-03-23T10:07:51Z"}, {"author": "David Schinazi", "text": "+1 Rich
", "time": "2022-03-23T10:07:56Z"}, {"author": "Sean Turner", "text": "Yep - we settled this.
", "time": "2022-03-23T10:08:04Z"}, {"author": "jhoyla", "text": "@Rich I don't know if you can restart a discussion that has never really stopped :P
", "time": "2022-03-23T10:08:13Z"}, {"author": "Rich Salz", "text": "Let's talk about how proverif uses (* broken comment indicators *)
", "time": "2022-03-23T10:08:41Z"}, {"author": "Mike Ounsworth", "text": "Clearly this needs to be discussed. So what is the right forum? TLS WG mailist?
", "time": "2022-03-23T10:08:44Z"}, {"author": "Sean Turner", "text": "ietf@ietf.org
", "time": "2022-03-23T10:08:56Z"}, {"author": "Eric Rescorla", "text": "ietf@
", "time": "2022-03-23T10:08:58Z"}, {"author": "Eric Rescorla", "text": "because it's a general question about IETF policy
", "time": "2022-03-23T10:09:09Z"}, {"author": "Thom Wiggers", "text": "jhoyla: this is the name I was failing to come up with again and again :-)
", "time": "2022-03-23T10:09:11Z"}, {"author": "Arnaud Taddei", "text": "I can accept not to make the discussion here but we need to have the discussion as it is not going to fly in the real world
", "time": "2022-03-23T10:09:14Z"}, {"author": "sftcd-x-x", "text": "@mikeO: this has all been discussed, endlessly, please GOTO mail archives
", "time": "2022-03-23T10:09:16Z"}, {"author": "Eric Rescorla", "text": "If you want to discuss the fraction of clients that have MITM proxies, then tls@ is appropriate. Happy to share our data on this
", "time": "2022-03-23T10:09:36Z"}, {"author": "Thom Wiggers", "text": "This draft is very mature afaict
", "time": "2022-03-23T10:11:02Z"}, {"author": "Mike Ounsworth", "text": "@Arnaud, there's your answer: if you want to challenge RFC 2804, you should do so on the ietf@ietf.org list.
", "time": "2022-03-23T10:11:18Z"}, {"author": "Richard Barnes", "text": "@Arnaud - I think your scenario is simply out of scope. A TLS inspection device terminates and re-initiates TLS. TLS works unmodified because the inspection agent is a back-to-back agent, and there is no attempt to assure cryptographic security properties across the break/reinitiate boundary.
", "time": "2022-03-23T10:11:20Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Is everyone or just me seeing Vincent in the queue but with no
requested permissions?
", "time": "2022-03-23T10:11:30Z"}, {"author": "Thom Wiggers", "text": "@kaduk: we see this in the room as well
", "time": "2022-03-23T10:11:54Z"}, {"author": "Arnaud Taddei", "text": "Ok so I will have to endure the mailing lists then
", "time": "2022-03-23T10:12:08Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Thom: thanks.
", "time": "2022-03-23T10:12:10Z"}, {"author": "Thom Wiggers", "text": "@meetecho Vincent seems stuck in the queue without a request
", "time": "2022-03-23T10:12:29Z"}, {"author": "Sean Turner", "text": "@arnaud: that's pretty much the IETF process.
", "time": "2022-03-23T10:12:31Z"}, {"author": "Meetecho", "text": "Kaduk: Vincent is in queue to present slides
", "time": "2022-03-23T10:12:33Z"}, {"author": "Meetecho", "text": "Maybe by accident?
", "time": "2022-03-23T10:12:38Z"}, {"author": "Meetecho", "text": "That's not the \"can I talk\" icon
", "time": "2022-03-23T10:12:46Z"}, {"author": "jhoyla", "text": "@Arnaud https://malcolm.cloudflare.com/
", "time": "2022-03-23T10:12:50Z"}, {"author": "Alexey Melnikov", "text": "+1 to Stephen
", "time": "2022-03-23T10:13:08Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "I think I still am confused about what Arnoud is asking for.
We can acknowledge that there are some companies that are using
in-network devices to attempt to inspect their TLS traffic, that's
easy. We have IETF consensus that we aren't obliged to design
technical mechansisms to enable that behavior.
", "time": "2022-03-23T10:13:11Z"}, {"author": "Christopher Wood", "text": "@sftcd -- WGLC does not mean \"publish as RFC.\" Parking is totally appropriate.
", "time": "2022-03-23T10:13:16Z"}, {"author": "Bas Westerbaan", "text": "I agree this is the right time. NIST is bound to announce any time now.
", "time": "2022-03-23T10:13:30Z"}, {"author": "Yoav Nir", "text": "Not sure. I don't think we've parked documents before.
", "time": "2022-03-23T10:13:40Z"}, {"author": "Martin Thomson", "text": "I'm not sure that I agree with sftcd. This is being used in anger.
", "time": "2022-03-23T10:14:08Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "@Meetech: right, I know what the \"request to share slides\" icon looks
like, and I saw it for Vincent when he first was trying to present. I
don't see it now. But I don't feel a need to worry about a single U/I
glitch right now :)
", "time": "2022-03-23T10:14:13Z"}, {"author": "jhoyla", "text": "By the end of the month.
", "time": "2022-03-23T10:14:54Z"}, {"author": "jhoyla", "text": "Or so they say.
", "time": "2022-03-23T10:14:59Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "@Meetecho: whoops, typo'd your name in the previous
", "time": "2022-03-23T10:15:00Z"}, {"author": "Richard Barnes", "text": "why do we care about NIST finishing? this seems like a generic combinator
", "time": "2022-03-23T10:15:00Z"}, {"author": "jhoyla", "text": "+1 @rlb
", "time": "2022-03-23T10:15:21Z"}, {"author": "jhoyla", "text": "(and ekr)
", "time": "2022-03-23T10:15:27Z"}, {"author": "Martin Thomson", "text": "does this even depend on having a PQ KEM?
", "time": "2022-03-23T10:15:30Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "It seems possible to publish the spec about how to do the thing in the
abstract and register actual codepoints for specific combinations of
values later, after the RFC is published
", "time": "2022-03-23T10:15:42Z"}, {"author": "Martin Thomson", "text": "I mean, we can glue RSA and ECDH together, right?
", "time": "2022-03-23T10:15:45Z"}, {"author": "Florence D", "text": "Sec Cons may depend on the algorithms (e.g. the impact of using the FO transform on the security properties).
", "time": "2022-03-23T10:16:03Z"}, {"author": "Deb Cooley", "text": "because you love complexity?
", "time": "2022-03-23T10:16:05Z"}, {"author": "Yoav Nir", "text": "There's a difference between a generic mechanism for 100-byte key/cert/signature and a 100KB key/cert/signature
", "time": "2022-03-23T10:16:08Z"}, {"author": "Sean Turner", "text": "@kaduk technically yes we could do that
", "time": "2022-03-23T10:16:10Z"}, {"author": "jhoyla", "text": "@MT no, it doesn't, but you only get the security of the most secure algorithm, so if they're both classical you don't have PQ resistance.
", "time": "2022-03-23T10:16:36Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Yoav: sure, but that's out of scope, since this is for key exchange
", "time": "2022-03-23T10:16:40Z"}, {"author": "Richard Barnes", "text": "it seems like you could also address length ambiguity by properly encoding the hash input?
", "time": "2022-03-23T10:16:44Z"}, {"author": "Richard Barnes", "text": "i am ending every sentence with ? bc i am not quite awake?
", "time": "2022-03-23T10:17:11Z"}, {"author": "Martin Thomson", "text": "jhoyla: not my point; my point was exactly yours: this is a way to combine algorithms in a way that ensures you get the strongest of the set.
", "time": "2022-03-23T10:17:13Z"}, {"author": "Martin Thomson", "text": "It doesn't help with PQ until we have a PQ-secure algorithm, but it does work with classic security if you had no faith in a classic algorithm
", "time": "2022-03-23T10:17:45Z"}, {"author": "Dennis Jackson", "text": "although you do get the memory-safety property of the weakest :-P
", "time": "2022-03-23T10:17:47Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Barnes: I don't think it's length ambiguity but rather controlling
hash state. But maybe I'm confused!
", "time": "2022-03-23T10:17:47Z"}, {"author": "Martin Thomson", "text": "not that you would want to do that, of course
", "time": "2022-03-23T10:17:52Z"}, {"author": "jhoyla", "text": "I think my Extended Key Schedule draft (sadly expired) would fix this issue by adding the necessary framing .
", "time": "2022-03-23T10:17:54Z"}, {"author": "Yoav Nir", "text": "@kaduk: I should have included \"key part\" instead of \"key\"
", "time": "2022-03-23T10:18:55Z"}, {"author": "Sean Turner", "text": "Let's keep the comment as brief as possible.
", "time": "2022-03-23T10:18:56Z"}, {"author": "jhoyla", "text": "Cryptanalysis on one foot / off the cuff is always hard.
", "time": "2022-03-23T10:19:35Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "But you have to simultaneously collide transcript and keys...
", "time": "2022-03-23T10:19:36Z"}, {"author": "Scott Fluhrer", "text": "I don't see how this 'downgrade attack' can work. With this draft, we consider only specific groups, for example, X25519+NTRU. The only issue if we were to define a 'named group' that included a variable length group
", "time": "2022-03-23T10:20:36Z"}, {"author": "David Benjamin", "text": "We don't need a filter in the negotiation, just to not define a bad code point.
", "time": "2022-03-23T10:20:45Z"}, {"author": "David Benjamin", "text": "Since each combo gets its own code point.
", "time": "2022-03-23T10:21:02Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Oh hey, davidben is here.
", "time": "2022-03-23T10:21:02Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Note that we gave you some action items earlier, while you were away
:)
", "time": "2022-03-23T10:21:16Z"}, {"author": "David Benjamin", "text": "Hi! Yeah, the meeting is 5am my time and I overslept. :(
", "time": "2022-03-23T10:21:22Z"}, {"author": "Martin Thomson", "text": "the combiner was too unpleasant to consider
", "time": "2022-03-23T10:21:23Z"}, {"author": "Bas Westerbaan", "text": "Is there an application for variable-length shared secrets? I think restricting to fixed-length ss is very reasonable.
", "time": "2022-03-23T10:21:33Z"}, {"author": "David Benjamin", "text": "Oh, good to know... what were the action items?
", "time": "2022-03-23T10:21:37Z"}, {"author": "dkg", "text": "MT: thanks, that was the critical bit of summary
", "time": "2022-03-23T10:21:48Z"}, {"author": "Mike Ounsworth", "text": "Is Aviram et al. a generic attack on NIST SP 800-56Cr2 with Z' = Z || T ?
", "time": "2022-03-23T10:22:16Z"}, {"author": "Rich Salz", "text": "Text for one of the issues you brought up on 8446bis
", "time": "2022-03-23T10:22:16Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "off the top of my head, propose text to clarify that the negotiated
hash is used for message_hash injection, hopefully as the \"smallest
change we can get away with\"
", "time": "2022-03-23T10:22:18Z"}, {"author": "Martin Thomson", "text": "davidben: you need to provide a fix for RFC 8446 that addresses the question of whether CH1 or CH2 determines connection parameters when there is HRR
", "time": "2022-03-23T10:22:31Z"}, {"author": "Arnaud Taddei", "text": "@jhoyla, thank you for the link
", "time": "2022-03-23T10:22:35Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "There may have been one more; hopefully the minutes will know.
", "time": "2022-03-23T10:22:36Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Yeah, MT got it, thanks
", "time": "2022-03-23T10:22:51Z"}, {"author": "Martin Thomson", "text": "the one that kaduk identified is, I think, on ekr's plate
", "time": "2022-03-23T10:22:52Z"}, {"author": "Eric Rescorla", "text": "@davidben: or, if you feel lazy, press \"close\" :)
", "time": "2022-03-23T10:22:59Z"}, {"author": "David Benjamin", "text": "Oh dear. So basically solve the disaster that is HRR. Piece of cake! :D
", "time": "2022-03-23T10:23:18Z"}, {"author": "Christopher Patton", "text": "lol
", "time": "2022-03-23T10:23:32Z"}, {"author": "Eric Rescorla", "text": "Correct, that is on my plate, but I plan to be explicit about which hash is used everywhere, which is what davidben and I discused
", "time": "2022-03-23T10:23:34Z"}, {"author": "Scott Fluhrer", "text": "How to upgrade the key combiner: when we define a new hybrid named group, include the combiner for that named group in the definition
", "time": "2022-03-23T10:23:36Z"}, {"author": "dkg", "text": "isn't each new algorithm codepoint basically KEX1+KEX2+combiner choice?
", "time": "2022-03-23T10:23:38Z"}, {"author": "Eric Rescorla", "text": "@dkg: I guess you're right
", "time": "2022-03-23T10:23:55Z"}, {"author": "dkg", "text": "what Scott said
", "time": "2022-03-23T10:24:13Z"}, {"author": "Martin Thomson", "text": "\"\"\" TLS 1.3 does not require that ephemeral public keys be used only in a
single key exchange session; some implementations may reuse them, at
the cost of limited forward secrecy. As a result, any KEM used in
the manner described in this document MUST explicitly be designed to
be secure in the event that the public key is reused, such as
achieving IND-CCA2 security or having a transform like the Fujisaki-
Okamoto transform [FO] [HHK] applied. While it is recommended that
implementations avoid reuse of KEM public keys, implementations that
do reuse KEM public keys MUST ensure that the number of reuses of a
KEM public key abides by any bounds in the specification of the KEM
or subsequent security analyses. Implementations MUST NOT reuse
randomness in the generation of KEM ciphertexts.\"\"\"
", "time": "2022-03-23T10:25:35Z"}, {"author": "Eric Rescorla", "text": "@DavidBen: the actual ask is \"propose whatever minimal HRR changes you think improve the situation without making things more confusing\"
", "time": "2022-03-23T10:25:36Z"}, {"author": "Martin Thomson", "text": "I thought that this was about clarifying the risks of either approach and identifying where there is no real choice
", "time": "2022-03-23T10:26:02Z"}, {"author": "Martin Thomson", "text": "(between CH1 and CH2
", "time": "2022-03-23T10:26:06Z"}, {"author": "Eric Rescorla", "text": "That's a better phrasing
", "time": "2022-03-23T10:26:20Z"}, {"author": "Eric Rescorla", "text": "and keep it to one paragraph :)
", "time": "2022-03-23T10:26:52Z"}, {"author": "Sean Turner", "text": "We are moving the kitten updates header to the mailing list. We ran over on the WG I-Ds.
", "time": "2022-03-23T10:26:52Z"}, {"author": "Richard Barnes", "text": "browser / server folks -- what are the stats looking like on KEX these days?
", "time": "2022-03-23T10:27:03Z"}, {"author": "Yoav Nir", "text": "I thought we had already deprecated them in 1.3, no?
", "time": "2022-03-23T10:27:17Z"}, {"author": "Rich Salz", "text": "X25519 dominates
", "time": "2022-03-23T10:27:20Z"}, {"author": "Martin Thomson", "text": "99.29% ECDH
", "time": "2022-03-23T10:28:02Z"}, {"author": "Martin Thomson", "text": "the rest is RSA
", "time": "2022-03-23T10:28:22Z"}, {"author": "David Benjamin", "text": "Or 100% if you didn't implement FFDH at all. :-)
", "time": "2022-03-23T10:28:24Z"}, {"author": "Richard Barnes", "text": "interesting, thansk
", "time": "2022-03-23T10:28:28Z"}, {"author": "David Benjamin", "text": "Oh you mean including 1.2. Sorry, misunderstood.
", "time": "2022-03-23T10:28:39Z"}, {"author": "dkg", "text": "when you say \"e-mail\" it would be useful to clarify that you're talking about SMTP and IMAP
", "time": "2022-03-23T10:28:45Z"}, {"author": "svaldez@jabber.hot-chilli.net/barnowl", "text": "Is this intended to deprecate in 1.2 and below?
", "time": "2022-03-23T10:28:54Z"}, {"author": "Eric Rescorla", "text": "I think so
", "time": "2022-03-23T10:28:59Z"}, {"author": "Yoav Nir", "text": "Not much point in deprecating them for 1.2 and lower, because if they're upgrading the software, them might as well upgrade to 1.3 rather than 1.2-with-this-new-RFC
", "time": "2022-03-23T10:28:59Z"}, {"author": "dkg", "text": "there are other forms of e-mail encryption
", "time": "2022-03-23T10:29:00Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "You can update your config without updating your software.
", "time": "2022-03-23T10:29:15Z"}, {"author": "sftcd-x-x", "text": "@dkg: its usually smtp stats IIUC
", "time": "2022-03-23T10:29:20Z"}, {"author": "Sean Turner", "text": "@Yoav yep this the regular debate about deprecation
", "time": "2022-03-23T10:29:32Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Are there other forms of email servers? (Don't answer that.)
", "time": "2022-03-23T10:29:34Z"}, {"author": "Yoav Nir", "text": "And I think UTA has had a configuration recommendation document about how to configure 1.2.
", "time": "2022-03-23T10:29:59Z"}, {"author": "Eric Rescorla", "text": "@kaduk: Gmail!
", "time": "2022-03-23T10:30:16Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "A certain 7525bis?
", "time": "2022-03-23T10:30:42Z"}, {"author": "Martin Thomson", "text": "For ECDH: X25519 78.84% P-256 19.65% P-384 1.44%
", "time": "2022-03-23T10:30:54Z"}, {"author": "Yoav Nir", "text": "Yeah, that's the one. In that case, they're in the wrong room
", "time": "2022-03-23T10:31:12Z"}, {"author": "Martin Thomson", "text": "stats are from our nightly builds
", "time": "2022-03-23T10:31:14Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "LEaving 0.07% \"other\"?
", "time": "2022-03-23T10:31:17Z"}, {"author": "sftcd-x-x", "text": "@mt: any clue who/what uses p384?
", "time": "2022-03-23T10:31:18Z"}, {"author": "svaldez@jabber.hot-chilli.net/barnowl", "text": "Clearly we need fully turing complete configurations so that updating
to more modern protocols is equivalent to updating the configuration.
", "time": "2022-03-23T10:31:24Z"}, {"author": "Martin Thomson", "text": "kaduk: we get some P-521
", "time": "2022-03-23T10:31:26Z"}, {"author": "Martin Thomson", "text": "sftcd: we don't collect stats on sites
", "time": "2022-03-23T10:31:38Z"}, {"author": "Eric Rescorla", "text": "@svaldex: isn't that called \"the web\"?
", "time": "2022-03-23T10:31:38Z"}, {"author": "Maarten Aertsen", "text": "Re: smtp is opportunistic, we have active use of starttls+dane in the Netherlands. And now Microsoft has actually turned it on for outbound email from O365, this may grow elsewhere too. I like this draft very much btw.
", "time": "2022-03-23T10:31:48Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Hmm, nightly builds are going to bias towards early adopters in
general, though.
", "time": "2022-03-23T10:31:53Z"}, {"author": "Richard Barnes", "text": "@sftcd Some Navy folks asked for 384 in MLS
", "time": "2022-03-23T10:32:00Z"}, {"author": "Martin Thomson", "text": "kaduk: you would be surprised; it's our Beta that biases toward the more modern TLS
", "time": "2022-03-23T10:32:13Z"}, {"author": "Rich Salz", "text": "@sftcd-x-x-x-x: you'd be surprised. government/hospitality
", "time": "2022-03-23T10:32:19Z"}, {"author": "Richard Barnes", "text": "(@Britta in particular :) )
", "time": "2022-03-23T10:32:28Z"}, {"author": "Christopher Patton", "text": "1.3 supports FFDHE
", "time": "2022-03-23T10:32:36Z"}, {"author": "Martin Thomson", "text": "Christopher Patton: but it's not widely used
", "time": "2022-03-23T10:32:56Z"}, {"author": "Thom Wiggers", "text": "OpenSSL e.g. does not implement it last time I checked
", "time": "2022-03-23T10:33:08Z"}, {"author": "Christopher Patton", "text": "does 8446 say anything about static FFDHE?
", "time": "2022-03-23T10:33:11Z"}, {"author": "Britta Hale", "text": "@sftcd-x-x: the NSA has it as a requirement for certain use classifications
", "time": "2022-03-23T10:33:18Z"}, {"author": "Deb Cooley", "text": "@sftcd-x-x: we do indeed.
", "time": "2022-03-23T10:33:35Z"}, {"author": "Eric Rescorla", "text": "Is the answer to take it to UTA?
", "time": "2022-03-23T10:33:42Z"}, {"author": "Martin Thomson", "text": "we implemented the ffdhe groups, but Firefox doesn't have them turned on
", "time": "2022-03-23T10:33:45Z"}, {"author": "Eric Rescorla", "text": "Could we just add this to 7525-bis?
", "time": "2022-03-23T10:33:51Z"}, {"author": "Richard Barnes", "text": "turning off TLS features seems appropriate to TLS
", "time": "2022-03-23T10:33:57Z"}, {"author": "Deb Cooley", "text": "static FFDHE is an oxymoron?
", "time": "2022-03-23T10:33:59Z"}, {"author": "Rich Salz", "text": "imagine a hotel that wants to keep \"who registered\" private from post-facto disclosure, because they're a favored hotel of us govt.
", "time": "2022-03-23T10:34:28Z"}, {"author": "Alexey Melnikov", "text": "I interpreted this as suggestion to have a single document with the one in UTA
", "time": "2022-03-23T10:34:32Z"}, {"author": "Carrick", "text": "@Deb Yes, but in practice apparently people still reuse key material when using FFDHE
", "time": "2022-03-23T10:34:33Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "OpenSSL implements FFDHE for TLS 1.3 only, IIRC
", "time": "2022-03-23T10:34:34Z"}, {"author": "Christopher Patton", "text": "@Deb sorry I meant static FFDH :)
", "time": "2022-03-23T10:34:42Z"}, {"author": "Martin Thomson", "text": "I'm OK with this being adopted and published. it's the right advice to be giving. I have no preference between a standalone thing and 7525-bis
", "time": "2022-03-23T10:34:48Z"}, {"author": "Richard Barnes", "text": "nothing as fun as a good jurisdictional fight
", "time": "2022-03-23T10:34:56Z"}, {"author": "Deb Cooley", "text": "@carrick - yeah people are dumb
", "time": "2022-03-23T10:34:59Z"}, {"author": "Yoav Nir", "text": "\"updates 7525\" is also good.
", "time": "2022-03-23T10:35:20Z"}, {"author": "Rich Salz", "text": "I think TLS makes sense to say that certain TLS algs should now be avoided.
", "time": "2022-03-23T10:35:42Z"}, {"author": "Yoav Nir", "text": "I think we said this by not including them in 1.3
", "time": "2022-03-23T10:36:03Z"}, {"author": "Rich Salz", "text": "But David's point: we did it for old versions and old protocols already. This is just one more.
", "time": "2022-03-23T10:36:55Z"}, {"author": "Eric Rescorla", "text": "Can I propose that the chairs sort out the WG?
", "time": "2022-03-23T10:36:57Z"}, {"author": "Eric Rescorla", "text": "With the other chairs
", "time": "2022-03-23T10:37:03Z"}, {"author": "Maarten Aertsen", "text": "Drafts like these have communication value to industry/operators.
", "time": "2022-03-23T10:37:07Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Yes, let the chairs talk about venue
", "time": "2022-03-23T10:37:09Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "https://github.com/openssl/openssl/pull/8178 is \"TLS1.3 FFDHE
support\", since we mentioned that previously
", "time": "2022-03-23T10:37:40Z"}, {"author": "David Benjamin", "text": "+1 to having the chairs deal with this. Though, as an implementor, I've definitely found these kinds of drafts helpful and support this work as-is.
", "time": "2022-03-23T10:37:43Z"}, {"author": "sftcd-x-x", "text": "+1 to letting chairs/ADs figure it out, but also +1 to doing the deprecations
", "time": "2022-03-23T10:37:53Z"}, {"author": "Yoav Nir", "text": "It's why we pay them the big bucks
", "time": "2022-03-23T10:38:19Z"}, {"author": "Roman Danyliw", "text": "Action caught. AD+Chairs will coordinate.
", "time": "2022-03-23T10:38:37Z"}, {"author": "jhoyla", "text": "https://blog.cloudflare.com/sizing-up-post-quantum-signatures/
", "time": "2022-03-23T10:42:21Z"}, {"author": "dkg", "text": "what does the / represent in these figures? does it separate two different PQ algos? or is it up/down ?
", "time": "2022-03-23T10:45:07Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "might have to ask at the mic
", "time": "2022-03-23T10:45:52Z"}, {"author": "Richard Barnes", "text": "just put a bloom filter in the ClientHello
", "time": "2022-03-23T10:46:47Z"}, {"author": "sftcd-x-x", "text": "just wondering: what's the rate of change of the WebPKI ICA list? (i.e. how often is any change made)
", "time": "2022-03-23T10:46:47Z"}, {"author": "Martin Thomson", "text": "sftcd: we asked the same question and the answer is that we get a new intermediate every day or so
", "time": "2022-03-23T10:47:06Z"}, {"author": "dkg", "text": "that's good data to publicize somewhere
", "time": "2022-03-23T10:47:24Z"}, {"author": "Richard Barnes", "text": "also kinda terrifying
", "time": "2022-03-23T10:47:33Z"}, {"author": "sftcd-x-x", "text": "interesting, that's faster than I'd have expected
", "time": "2022-03-23T10:47:35Z"}, {"author": "dkg", "text": "and do you remove ICAs at about the same rate?
", "time": "2022-03-23T10:47:43Z"}, {"author": "Martin Thomson", "text": "we don't have precise stats, so that's a sort of eyeballing of the log
", "time": "2022-03-23T10:47:43Z"}, {"author": "dkg", "text": "(assuming removals happen based on expiration mainly)
", "time": "2022-03-23T10:47:53Z"}, {"author": "Richard Barnes", "text": "@Martin shouldn't CCADB tell you?
", "time": "2022-03-23T10:47:55Z"}, {"author": "Martin Thomson", "text": "Richard: yes, we looked at a secondary source, but it is driven from CCADB
", "time": "2022-03-23T10:48:22Z"}, {"author": "dkg", "text": "if there are 1500 ICAs and ICA cert duration is 4 years and they're evenly distributed, that's ~~1 expiration per day
", "time": "2022-03-23T10:49:11Z"}, {"author": "sftcd-x-x", "text": "enough of that math magic dkg!
", "time": "2022-03-23T10:49:40Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Doesn't everyone want to be a mathemagician?
", "time": "2022-03-23T10:50:00Z"}, {"author": "Bas Westerbaan", "text": "Clients can know they have an old list.
", "time": "2022-03-23T10:50:45Z"}, {"author": "Benjamin Schwartz", "text": "Represent list as a URL :) Server can fetch it if unrecognized
", "time": "2022-03-23T10:50:56Z"}, {"author": "Christopher Patton", "text": "Good point David
", "time": "2022-03-23T10:51:08Z"}, {"author": "sftcd-x-x", "text": "@bas: aren't some of these lists in the OS rather than the application client?
", "time": "2022-03-23T10:51:12Z"}, {"author": "Martin Thomson", "text": "the webPKI case that is most tricky is technically constrained intermediaries.
", "time": "2022-03-23T10:51:13Z"}, {"author": "Christopher Patton", "text": "FWIW, I think this is something worth working on
", "time": "2022-03-23T10:51:19Z"}, {"author": "dkg", "text": "Ben: b/c URL contents never change?
", "time": "2022-03-23T10:51:20Z"}, {"author": "jhoyla", "text": "@Ben Schwartz that's fancy
", "time": "2022-03-23T10:51:38Z"}, {"author": "Eric Rescorla", "text": "of course, arguably we're sort of running this experiment, just w/o the extension :)
", "time": "2022-03-23T10:51:40Z"}, {"author": "Benjamin Schwartz", "text": "dkg: We can demand that it's immutable, or just use HTTP cache lifetimes
", "time": "2022-03-23T10:51:41Z"}, {"author": "Bas Westerbaan", "text": "@sftcd-x-x that doesn't prevent the OS from recording how up-to-date it is or updating it frequently
", "time": "2022-03-23T10:51:41Z"}, {"author": "jhoyla", "text": "@dkg You can ensure that they don't.
", "time": "2022-03-23T10:51:48Z"}, {"author": "Eric Rescorla", "text": "And our ICA preload is designed to work around it
", "time": "2022-03-23T10:52:02Z"}, {"author": "Massimiliano Pala", "text": "From what I can tell, the solution seems quite prone to issues, misalignment, and results can really vary on implementations, freshness, etc. Maybe there might be some more considerations that need to be taken in consideration...
", "time": "2022-03-23T10:52:08Z"}, {"author": "Eric Rescorla", "text": "It's just that servers inadvertantly do this!
", "time": "2022-03-23T10:52:13Z"}, {"author": "Martin Thomson", "text": "Ben Schwartz's idea is a privacy problem
", "time": "2022-03-23T10:52:20Z"}, {"author": "jhoyla", "text": "@MT isn't it the same as OCSP?
", "time": "2022-03-23T10:52:46Z"}, {"author": "Richard Barnes", "text": "who is presenting?
", "time": "2022-03-23T10:52:46Z"}, {"author": "dkg", "text": "it also means that clients get to force servers to load and parse arbitrary ASN.1
", "time": "2022-03-23T10:52:47Z"}, {"author": "Benjamin Schwartz", "text": "Martin: Among other things!
", "time": "2022-03-23T10:52:49Z"}, {"author": "Bas Westerbaan", "text": "@richard Thom Wiggers
", "time": "2022-03-23T10:52:54Z"}, {"author": "Martin Thomson", "text": "jhoyla: yes. staple OCSP please.
", "time": "2022-03-23T10:52:59Z"}, {"author": "jhoyla", "text": "And the solution would be to do staples if requested
", "time": "2022-03-23T10:53:06Z"}, {"author": "Eric Rescorla", "text": "We are trying to eliminate OCSP
", "time": "2022-03-23T10:53:07Z"}, {"author": "Christopher Wood", "text": "See CRLlite
", "time": "2022-03-23T10:53:18Z"}, {"author": "dkg", "text": "even when stapled?
", "time": "2022-03-23T10:53:18Z"}, {"author": "jhoyla", "text": "OCSP MUST-STAPLE is annoyingly hard.
", "time": "2022-03-23T10:53:23Z"}, {"author": "Martin Thomson", "text": "stapling is perfectly fine
", "time": "2022-03-23T10:53:25Z"}, {"author": "Richard Barnes", "text": "is this AuthKEM in the sense that HPKE uses that word?
", "time": "2022-03-23T10:53:29Z"}, {"author": "Eric Rescorla", "text": "but we're mostly just moving to a centralized thing
", "time": "2022-03-23T10:53:33Z"}, {"author": "Christopher Wood", "text": "@rlb no
", "time": "2022-03-23T10:53:38Z"}, {"author": "dkg", "text": "ekr: are you saing eliminate OCSP stapling?
", "time": "2022-03-23T10:53:39Z"}, {"author": "Martin Thomson", "text": "though you are right that MUST-STAPLE is rough
", "time": "2022-03-23T10:53:40Z"}, {"author": "Bas Westerbaan", "text": "Personal guess: Dilithium (1.3kB pk and 2.4kB signatures)
", "time": "2022-03-23T10:53:42Z"}, {"author": "Richard Barnes", "text": "@caw thanks
", "time": "2022-03-23T10:53:44Z"}, {"author": "Martin Thomson", "text": "dkg: just the extra query
", "time": "2022-03-23T10:53:49Z"}, {"author": "Eric Rescorla", "text": "@dkg: less saying \"eliminate\" than \"we're not going to assume it's there, and so we expect not to see too much\"
", "time": "2022-03-23T10:54:07Z"}, {"author": "Sean Turner", "text": "@Bas we should started a betting pool. Or is there one that I didn't know about ;)
", "time": "2022-03-23T10:54:17Z"}, {"author": "Eric Rescorla", "text": "Because there won't be any perf advantage
", "time": "2022-03-23T10:54:28Z"}, {"author": "dkg", "text": "i'm just asking you to be explicit about whether you're saying \"eliminate clients actively doing OCSP querying\" or \"eliminate clients and servers using OCSP-formatted data in any context\"
", "time": "2022-03-23T10:54:58Z"}, {"author": "Maarten Aertsen", "text": "Queue still closed?
", "time": "2022-03-23T10:55:05Z"}, {"author": "jhoyla", "text": "@ekr Is the plan to continue enforcing MUST-STAPLE?
", "time": "2022-03-23T10:55:07Z"}, {"author": "Sean Turner", "text": "I like the strike through of Rainbow ;)
", "time": "2022-03-23T10:55:40Z"}, {"author": "sftcd-x-x", "text": "yeah, nice rainbow tough
", "time": "2022-03-23T10:55:55Z"}, {"author": "Eric Rescorla", "text": "@jhoyla: I expect so. What fraction of certs have it
", "time": "2022-03-23T10:56:14Z"}, {"author": "jhoyla", "text": "Based on my research virtually none, although I have been experimenting with one.
", "time": "2022-03-23T10:57:00Z"}, {"author": "jhoyla", "text": "And keeping it up is _way_ harder than I anticipated.
", "time": "2022-03-23T10:57:21Z"}, {"author": "dkg", "text": "jhoyla: what failures are you seeing?
", "time": "2022-03-23T10:57:45Z"}, {"author": "sftcd-x-x", "text": "@jhoyla: why?
", "time": "2022-03-23T10:57:45Z"}, {"author": "jhoyla", "text": "Making sure that the staple is in place and making sure that it gets delivered.
", "time": "2022-03-23T10:58:08Z"}, {"author": "Mike Ounsworth", "text": "How does \"authKEM\" relate to \"KEMTLS\" ?
", "time": "2022-03-23T10:58:14Z"}, {"author": "Bas Westerbaan", "text": "Essentially the same
", "time": "2022-03-23T10:58:20Z"}, {"author": "jhoyla", "text": "Not sure why either of those things would fail, but apparently they both do.
", "time": "2022-03-23T10:58:21Z"}, {"author": "kaduk@jabber.org/barnowl", "text": "Thanks Thom!
", "time": "2022-03-23T10:58:47Z"}, {"author": "Christopher Patton", "text": "Thanks for the work Thom, this is an important problem to work on now.
", "time": "2022-03-23T10:58:47Z"}, {"author": "jhoyla", "text": "@Mike authKEM and KEMTLS are totally different
", "time": "2022-03-23T10:58:51Z"}, {"author": "Christopher Patton", "text": "*Thom and co-authors
", "time": "2022-03-23T10:58:58Z"}, {"author": "dkg", "text": "jhoyla: if you could write up a note that describes the failures you're seeing in more detail, that would be really useful
", "time": "2022-03-23T10:59:14Z"}, {"author": "jhoyla", "text": "KEMTLS replaces the ephemeral bit, AuthKEM replaces the signatures bit
", "time": "2022-03-23T10:59:16Z"}, {"author": "Sean Turner", "text": "Thanks everybody!
", "time": "2022-03-23T10:59:24Z"}, {"author": "jhoyla", "text": "@dkg That's a really good idea, will do.
", "time": "2022-03-23T10:59:27Z"}, {"author": "sofiaceli", "text": "@jhoyla not true.
", "time": "2022-03-23T10:59:38Z"}, {"author": "Rich Salz", "text": "thanks
", "time": "2022-03-23T10:59:39Z"}, {"author": "Massimiliano Pala", "text": "thanks everybody!
", "time": "2022-03-23T10:59:49Z"}, {"author": "sofiaceli", "text": "KMTLS is using both keys for auth and key exchange
", "time": "2022-03-23T10:59:49Z"}, {"author": "Douglas Stebila", "text": "No @joyla KEMTLS replaces the signatures bit too. AuthKEM is a renaming of KEMTLS (with some reformatting to use HPKE etc.)
", "time": "2022-03-23T10:59:51Z"}, {"author": "sofiaceli", "text": "Keys -> KEMs
", "time": "2022-03-23T11:00:21Z"}, {"author": "sofiaceli", "text": "AuthKEM is just the authentication part of KEMTLS, combined with a KEM in the KEX, you basically have KEMTLS
", "time": "2022-03-23T11:00:57Z"}]