CFRG @ IETF 89 Minutes

Document Status
  Sean Turner: applicability; say why and what for
  Paul Hoffman: but CFRG produces many mechanisms
  Bob Moskowitz: applicability statement is preferred
  Joe Salowey, Paul Hoffman: catalog

Password Authenticated Key Exchange
  Presentation on AugPAKE (seonghan.shin@aist.go.jp)
  DragonFly quick status update
  Readers of COSE draft - not many, defer discussion
  Yoav Nir: dictionary attack against big-W?
  Hannes Tschofenig: what needs to get deployed?
  HTTP PAKE Protocol
  Paul: need to pay attention to licensing and IPR
  Kenny: what about the group membership test, and its impact on performance?
  PHB: nontangible (?)
  Bob Moskowitz: I might have a use case for this
  Hannes Tschofenig: I-D management: strong authentication, seamless authentication

New Authenticated Encryption Mechanisms
  Presentation and DISCUSSION on ChaCha+Poly1305 (ynir@checkpoint.com)
  Yoav Nir: please check test cases
  Kenny Paterson: what about parsing attacks? Need to carefully check that those are not possible against the AEAD construction.
  Kevin Igoe: when we are asking people to review this draft, let's also ask DJB
  Many people, including Hannes and PHB, asked for better clarity. Please don't say "stream cipher" when you mean "additive encryption" or something else.
  Joe Salowey: TLS should not be using stream cipher.
  Sean Turner: registries are not really for policy.
  David McGrew: what we really need is a ciphersuite reputation database.

  Presentation on Authenticated Encryption using Replay Protection (AERO), draft-mcgrew-srtp-aero-01 (mcgrew@cisco.com)
  Bob Moskowitz: AERO should work well on short plaintexts - that's an important design goal.
  Stephen Farrell: in the IPR statement, why does it say "standard" when the draft is "informational"?

New Elliptic Curve Crypto
  Status and DISCUSSION of non-standard curves (15 min)
  Edwards curves - 30% in favor, 60% need to learn more about it before coming to a decision
  Many: it would be a good idea to have an interim meeting.
  Kenny: invite DJB and Tanja Lange
  David: good idea
  Paul: *focus* in interim meeting (solve the important problems); allow prep and write statements/drafts

Consideration of new topics (15 min)
  Stephen: Post-Quantum (PQ) cryptography is good
  David: agreed.
  Paul: PQ crypto should not be a priority.
  Many people: invite experts in post-quantum security to participate in the RG, if/as we take on post-quantum algorithm definitions. Example: what is real security of algorithms relative to Grover's shake?