SAAG met for a short 1 hour slot on Thursday. Thanks to Rich Salz for minute taking.

* Working Group summaries discussion was short.
  - Justin: web-bot-auth non-WG list created that might be of interest to SEC area
  - Note: If you haven't yet, please send your Working Group summary to the saag mailing list

* (sec)dispatch results
  - The dispatch session had two security related topics
    - Recommendations for Key Directories over HTTP
      draft-darling-key-directory-over-http
      To be discussed on secdispatch
    - Organization Trust Relationship Protocol
      draft-org-trust-relationship-protocol
      To be discussed in ART

* Damien Miller gave an overview presentation of the SSH protocol suite

* Open Mic
  - HPKE short lived WG proposal by Richard Barnes / Martin Thomson
    Not having a standard, being kicked around various groups, is affecting other groups that want it.
    ADs: Don’t need a BoF, need consensus to create group and a charter and the ADs can do it.
    Martin Thomson: HPKE is really engineering now, not in CFRG research charter, proposal was discussed with CFRG folks.
    ADs: please post feedback to SAAG for now, we’ll do it after the IETF week.
    Sean Turner: we need to put guardrails on this because we had concerns before about the security.
    David Schinazi: Like the charter, tightly constrained will avoid the pitfalls
    Tero Kivinen: This is like maintenance of HPKE, so makes sense to be IETF not CFRG
    Chris Woods: I support this, there is cruft we could/should remove
    Martin Thomson: everything we keep must be 100% compatible with current spec.
    Stephen Farrell: I like the idea that maintenance could drop things.
    Deb Cooley (AD): if you do disagree and don’t want to say publicly, you can write the ADs
    Sean Turner: how fast?
    Richard Barnes: Want to be mostly done by Madrid, we have a $600 ham riding on it (Barnes v Salz)
  - PHB: Been looking at shipping info in DNS. Looking at JSContact (vCard in JSON). Updating to make, e.g., clarify/specify adding and use of keys.
    This is being done in calext
  - Florence: UK PQ timeline and guidelines were published this morning. Looking for experiences in migration to PQC, etc. – really want to engage the industry.
  - David Venhoek: In NTP not doing PQ, but we use HMAC for its security model. Is there guidance on what algorithms we should use? If not, interest in creating one?
    Sean: there are already multiple hash registries, use one or take over an abandoned one. I will send you info.
  - Simone Onofri: W3C will be asking for review of web authentication.
    ADs will put it out to the SAAG list.