[{"author": "Paul Wouters", "text": "<p>hello hello :)</p>", "time": "2023-05-22T14:00:42Z"}, {"author": "Hannes Tschofenig", "text": "<p>I can take a few notes during the first hour.</p>", "time": "2023-05-22T14:02:34Z"}, {"author": "Hannes Tschofenig", "text": "<p>(Have to leave after one hour)</p>", "time": "2023-05-22T14:02:46Z"}, {"author": "Alan DeKok", "text": "<p>One option might be to just ignore / drop 6613, as it is being deprecated?</p>", "time": "2023-05-22T14:12:07Z"}, {"author": "Alan DeKok", "text": "<p>we may also want to merge 7360 (RADIUS/DTLS), but I haven't compared the docs in detail</p>", "time": "2023-05-22T14:12:36Z"}, {"author": "Hannes Tschofenig", "text": "<p>my view: downrefs are not a problem. Just needs to be indicated in the shepherd write-up.</p>", "time": "2023-05-22T14:15:54Z"}, {"author": "Hannes Tschofenig", "text": "<p>you can be compliant to a spec even if you only implement one part of it. Needs to be clear in the spec though</p>", "time": "2023-05-22T14:16:14Z"}, {"author": "Alan DeKok", "text": "<p>the only issue is the watchdog, etc. stuff in 6613 which is still needed in 6614, and also in 7360 (DTLS)</p>", "time": "2023-05-22T14:18:11Z"}, {"author": "Paul Wouters", "text": "<p>(I have no strong preference)</p>", "time": "2023-05-22T14:21:05Z"}, {"author": "Valery Smyslov", "text": "<p>Do you want me to speak this to the mic?</p>", "time": "2023-05-22T14:22:01Z"}, {"author": "Alan DeKok", "text": "<p>It's good to suggest that people do both, I'd argue we don't need to require that they implement both</p>", "time": "2023-05-22T14:27:06Z"}, {"author": "Matthew Newton", "text": "<p>Agreed</p>", "time": "2023-05-22T14:28:08Z"}, {"author": "Paul Wouters", "text": "<p>that client looks very serverly :)</p>", "time": "2023-05-22T14:32:10Z"}, {"author": "Heikki Vatiainen", "text": "<p>Regarding combined Radsec spec: My guess is servers would be more likely to implement the DTLS and TLS while clients may have more specific uses where just one variant is good enough</p>", "time": "2023-05-22T14:33:42Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>@heikki good point. I'll keep it as SHOULD do both, but MUST only do one of the two</p>", "time": "2023-05-22T14:34:25Z"}, {"author": "Matthew Newton", "text": "<p>sorry can't see how to get off mute!</p>", "time": "2023-05-22T14:45:45Z"}, {"author": "Hannes Tschofenig", "text": "<p>Matthew - microphone problems?</p>", "time": "2023-05-22T14:45:45Z"}, {"author": "Valery Smyslov", "text": "<p>THe mic sign above the list of participants</p>", "time": "2023-05-22T14:46:11Z"}, {"author": "Matthew Newton", "text": "<p>thanks found it</p>", "time": "2023-05-22T14:46:20Z"}, {"author": "Valery Smyslov", "text": "<p>Just click on it</p>", "time": "2023-05-22T14:46:20Z"}, {"author": "Paul Wouters", "text": "<p>I guess \"do the PQ in TLS, not in radius\"  ?</p>", "time": "2023-05-22T14:47:36Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>Basically the intention is: TLS people know their stuff, don't try to invent your own things.</p>", "time": "2023-05-22T14:48:25Z"}, {"author": "Hannes Tschofenig", "text": "<p>I unfortunately have to leave. Good meeting.</p>", "time": "2023-05-22T14:55:56Z"}, {"author": "Alexander Clouter", "text": "<p>\"SHIP IT!\"</p>", "time": "2023-05-22T14:55:57Z"}, {"author": "Alexander Clouter", "text": "<p>:)</p>", "time": "2023-05-22T14:55:59Z"}, {"author": "Matthew Newton", "text": "<p>I've been through it a few times, have a few more typos but otherwise all happy with it.</p>", "time": "2023-05-22T14:56:17Z"}, {"author": "Alexander Clouter", "text": "<p>Alan obviously does not love his spellchecker :)</p>", "time": "2023-05-22T14:56:29Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>Jan 2024    6614bis and 7360bis to IESG     draft-rieckers-radext-rfc6614bis<br>\nSep 2023    TLS-PSK Best Practices  draft-dekok-radext-tls-psk</p>", "time": "2023-05-22T15:01:21Z"}, {"author": "Alan DeKok", "text": "<p>It's really just documenting administration interfaces</p>", "time": "2023-05-22T15:02:37Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>+1</p>", "time": "2023-05-22T15:06:08Z"}, {"author": "Mark Donnelly", "text": "<p>+1</p>", "time": "2023-05-22T15:06:16Z"}, {"author": "Paul Wouters", "text": "<p>yes, this is not really Experimental anymore :)</p>", "time": "2023-05-22T15:14:14Z"}, {"author": "Valery Smyslov", "text": "<p>Standards track or BCP?</p>", "time": "2023-05-22T15:14:53Z"}, {"author": "Paul Wouters", "text": "<p>it is something \"new\", so i would argue it is not BCP ?</p>", "time": "2023-05-22T15:17:35Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>+100</p>", "time": "2023-05-22T15:21:31Z"}, {"author": "Paul Wouters", "text": "<p>(for IKEv1 and IKEv2, people were running both and we wanted to move them to IKEv2. that is more BCP like but we still decided to mark IKEv1 as Historic to push peope a bit harder to IKEv2.But here, as Alan points out, it is far worse. The current deployment without TLS is basically broken. It needs a very strong MUST for transport encryption.</p>", "time": "2023-05-22T15:22:47Z"}, {"author": "Paul Wouters", "text": "<p>i feel the RFC without transport security should be obsoleted</p>", "time": "2023-05-22T15:23:24Z"}, {"author": "Matthew Newton", "text": "<p>ALPN doc has good comments saying debugging is recommended.</p>", "time": "2023-05-22T15:25:09Z"}, {"author": "Alexander Clouter", "text": "<p>Michael: if you control the client or server, you can gain the plaintext of the TLS data and dig through it all in Wireshark</p>", "time": "2023-05-22T15:25:42Z"}, {"author": "Alan DeKok", "text": "<p>Matthew: good point... maybe I can use that in the deprecating doc.</p>", "time": "2023-05-22T15:28:18Z"}, {"author": "Michael Sym", "text": "<p>thanks, Alex: do you mean you can gain that at the application level, which can then log it?  running a pcap on the box would have that whole exchange encrypted.</p>", "time": "2023-05-22T15:29:18Z"}, {"author": "Matthew Newton", "text": "<p>Alan: Sounds good, I would put comments about debug output everywhere. Software that doesn't tell you what it's doing is infuriating.</p>", "time": "2023-05-22T15:29:56Z"}, {"author": "Alan DeKok", "text": "<p>OpenSSL can export the TLS session information in a key file.  Wireshark can read that information to decrypt the TLS session</p>\n<p>See <a href=\"https://everything.curl.dev/usingcurl/tls/sslkeylogfile\">https://everything.curl.dev/usingcurl/tls/sslkeylogfile</a> for an example.  FreeRADIUS does the same thing</p>", "time": "2023-05-22T15:33:18Z"}, {"author": "Michael Sym", "text": "<p>Got it, thanks for the link.  Agree this is helpful when controlling the client or server as an admin.  For debugging we often need both the client and server side.</p>", "time": "2023-05-22T15:39:41Z"}, {"author": "Michael Sym", "text": "<p>We see a lot more native RadSec support on equipment like APs these days, where full admin control may not be available.</p>", "time": "2023-05-22T15:40:09Z"}, {"author": "Alexander Clouter", "text": "<p><a href=\"https://gist.github.com/jimdigriz/327ef6afa808a1b291d12d68857dec05\">https://gist.github.com/jimdigriz/327ef6afa808a1b291d12d68857dec05</a></p>", "time": "2023-05-22T15:40:23Z"}, {"author": "Alexander Clouter", "text": "<p>for the TLS decoding</p>", "time": "2023-05-22T15:40:32Z"}, {"author": "Alexander Clouter", "text": "<p>I think Radiator supports something like dumping the keys and hostapd does (behind a compile flag)</p>", "time": "2023-05-22T15:41:01Z"}, {"author": "Heikki Vatiainen", "text": "<p>Radiator can also dump the keys in SSLKEYLOGFILE format. It's become really useful with TLSv1.3</p>", "time": "2023-05-22T15:47:21Z"}, {"author": "Michael Sym", "text": "<p>Thanks, Alex and Heikki!  Heikki, is that documented in the latest ref.pdf?</p>", "time": "2023-05-22T15:48:19Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>I won't be in San Francisco (and may not be able to join remotely)</p>", "time": "2023-05-22T15:48:21Z"}, {"author": "Paul Wouters", "text": "<p>there were thoughts on standardizing SSLKEYLOGFILE, but people got really nervous some will use it as backdoor mechanism on production units.</p>", "time": "2023-05-22T15:48:27Z"}, {"author": "Alexander Clouter", "text": "<p>I fixed up the EAP TLS decoding for RADIUS, so you can go all the way down</p>", "time": "2023-05-22T15:48:30Z"}, {"author": "Alexander Clouter", "text": "<p>I discovered EAPOL decoding is bust again, but EAP over RADIUS is fine; as RADIUS over TLS should be fine too</p>", "time": "2023-05-22T15:49:02Z"}, {"author": "Paul Wouters", "text": "<p>If meeting in july, remember you cannot meet within two weeks of IETF 117</p>", "time": "2023-05-22T15:49:12Z"}, {"author": "Alan DeKok", "text": "<p>so it would have to be June.  With 2 weeks advance notice needed, pretty much only last 2 weeks of June would be allowed</p>", "time": "2023-05-22T15:50:40Z"}, {"author": "Paul Wouters", "text": "<p>The list seems low key enough to actually get work done without interims</p>", "time": "2023-05-22T15:51:49Z"}, {"author": "Alan DeKok", "text": "<p>If we need another interim after July, we can always add one.</p>", "time": "2023-05-22T15:55:13Z"}, {"author": "Jan-Frederik Rieckers", "text": "<p>+1</p>", "time": "2023-05-22T15:55:29Z"}, {"author": "Paul Wouters", "text": "<p>I love pinball :)</p>", "time": "2023-05-22T15:55:38Z"}, {"author": "Heikki Vatiainen", "text": "<p>Michael search for SSLKEYLOGFILE in ref.pdf. It's available for EAPs and Radsec</p>", "time": "2023-05-22T15:55:50Z"}, {"author": "Alexander Clouter", "text": "<p>Michael, you need Wireshark 4.0 or later to decode EAP types too</p>", "time": "2023-05-22T15:57:24Z"}]