Thursday, July 24th at 14:30 local time (12:30 UTC)
Agenda:
Chairs
Valery: Ask for adoption of two drafts, the reliable TCP and big
payloads
Chairs: will do if no objection
Steffen Klassert
Valery: For clarification, EESP IKEv2 is a little bit behind.
Jun Hu: EESP is to replace ESP or not?
Steffen: No. Could replace in the future.
Jun Hu: don't want to replace ESP.
Liang Xia: EESP is bound to IKEv2 or not?
Steffen: Should use IKEv2, but can use other control protocols.
Liang Xia: Want to not use IKEv2 in some use cases.
Steffen: It's up to you to choose.
Wei PAN
Paul Wouters: Ask for adoption of draft-pfs-info after this meeting.
Need more implementations and interop tests before asking for WGLC of
this draft.
Anthony
No comments or questions raised.
Valery Smyslov, Chris Patton
Paul Wouters: Does the signing key here refer to auth payload signing
key?
Valery: Yes.
Paul Wouters: It's only for the initial exchange, not for rekey?
Valery: Yes.
Paul Wouters: Why doesn't the attacker just impersonate one IKE peer?
Valery: It's not the attacker's goal.
Paul Wouters: Wonder why to protect against the situation where the
attacker compromises the signing key?
Tiru: Similar question to Paul's.
Valery: The attacker only has one peer's signing key.
Chris Patton: The attacker compromises the initiator's signing key and
performs a downgrade attack to eavesdrop on the traffic.
Thom Wiggers: We can call this a key compromise impersonation attack;
many protocols need to address this.
Paul Wouters: Not only suitable for downgrade attacks; the generic
problem is the need to cryptographically ensure that both peers have
agreed to the same state.
Guilin Wang: Weak algorithms are not only an issue for the quantum era.
Scott Fluhrer: Attacker can impersonate the peer if it has the signing
key.
Valery: It's not the attacker's goal.
Scott: Just make sure your key is safe.
Jun Hu: If peers only support weak algorithms, then the problem can't be
solved. Nowadays, ensuring the configuration is right is a better choice
than changing the IKEv2 protocol, which has been deployed for a long
time.
Alicja Kario: (missed)
Chris Patton: our goal is to make sure peers know the conversation is
authentic. The threat model doesn't require key compromise. It's not
just about PQ.
Paul Wouters: Should hash all messages besides IKE_AUTH?
Chair: Have more discussion on the mailing list.
Tiru: Highlight that not requiring key compromise will help the draft
be accepted.
Chris Patton: Much support for adoption in the Zulip.
Ben Salter
Paul Wouters: Why would you want to do SHA3 with any AEAD algorithm?
Don't want to use SHA3 for the AES-CBC algorithm.
Uri Blumenthal: Removing HMAC with SHA3. Smaller library applies only to
software implementations.
Valery: Don't insist on context strings. Generic to all classes of
variable output. Generic draft not only suitable for SHA3.
Uri Blumenthal: Yes to domain separators.
Adam R: KMAC for ESP null.
Quynh Dang: Don't need to be FIPS compliant; use of SHAKE is fine.
Specify how to use SHAKE in IKE. If adopted, NIST will review and
consider whether to approve.
John Mattsson: Adopt the draft now and discuss whether to use context
later.
Uri Blumenthal: Would NIST adopt SHAKE?
Quynh Dang: Many algorithms are based on SHAKE. If there's one use case
and NIST is asked to review, we will review it. When the protocol is well
defined and vendors deploy it, NIST will review and make a decision
later.
Jun Hu
Scott Fluhrer: Type-2: each peer needs two certs.
Chris Patton: It's better to avoid key reuse.
Valery: TLS WG has a similar draft about two certs binding.
Jun Hu: No conclusion yet.
Tiru Reddy: Do we want to support both types or only choose one?
Jun Hu: we need to support both as the PKI may have both types.
Yuta Fukagawa
Chairs: Discuss on the mailing list due to time constraints.
Liang Xia
Chairs: Discuss on the mailing list due to time constraints.
Uri Blumenthal
Chairs: Discuss on the mailing list due to time constraints.