[06:50:04] Klaas Wierenga joins the room
[07:00:25] Melinda joins the room
[07:00:28] Klaas Wierenga leaves the room
[07:00:40] hartmans joins the room
[07:00:41] jimsch joins the room
[07:00:57] lef joins the room
[07:02:31] Gabriel Lopez joins the room
[07:02:39] lel joins the room
[07:02:43] Rhys joins the room
[07:03:32] Josh Howlett joins the room
[07:03:59] Linus Nordberg joins the room
[07:04:51] sftcd joins the room
[07:05:24] Wolfgang Beck joins the room
[07:06:02] barryleiba joins the room
[07:07:05] leifj joins the room
[07:10:17] alejandro.perez.mendez joins the room
[07:10:58] lhoward joins the room
[07:11:13] jhutz@jis.mit.edu/owl joins the room
[07:12:13] lhoward leaves the room
[07:12:27] lukeh joins the room
[07:13:18] <lukeh> I'm here, but I'm at my folks for dinner so participation may be limited.
[07:13:20] Rhys leaves the room
[07:13:45] <lukeh> I think we do WELLKNOWN:ANONYMOUS in the current implementation (but we do set GSS_C_ANON_FLAG, and that's probably more important)
[07:13:59] <Melinda> How's the audio?
[07:14:35] semery joins the room
[07:14:59] <lukeh> it's good and I'm over WiFi through several walls
[07:15:03] Rhys joins the room
[07:15:24] <alejandro.perez.mendez> yeah, it's good for me too
[07:16:28] <lukeh> OK, I'll shut up about Moonshot then :)
[07:16:36] <alejandro.perez.mendez> hhehe
[07:17:39] <Melinda> let me know if you've got questions/comments to relay
[07:17:59] <lukeh> thanks
[07:18:35] lef leaves the room
[07:19:02] lef.mutualauth joins the room
[07:28:19] stpeter joins the room
[07:29:07] <lukeh> slides link please?
[07:29:44] <Josh Howlett> http://tools.ietf.org/wg/abfab/agenda
[07:30:03] <lukeh> drafts I can see, slides not
[07:30:07] <lukeh> ah sorry
[07:30:15] <lukeh> I cna't read
[07:30:21] <Linus Nordberg> or write ;)
[07:30:29] <lukeh> correct
[07:30:34] <Melinda> http://www.ietf.org/proceedings/80/slides/abfab-8.pdf
[07:31:00] <Rhys> currently on slide 7
[07:31:20] <lukeh> got it
[07:33:31] Josh Howlett leaves the room
[07:33:44] Josh Howlett joins the room
[07:35:29] Hugh_Daniel joins the room
[07:37:43] <lukeh> You could put that state in the channel bindings.
[07:38:37] eburger joins the room
[07:40:14] rafa.marinlopez joins the room
[07:40:14] <lukeh> Option 5 would be to revise RFC 3961
[07:40:22] <lukeh> That demands a lot of implementors
[07:40:27] <lukeh> Please channel
[07:40:32] <Melinda> sure thing
[07:41:33] <lukeh> The stuff that needs to be confirmed, could be put in GSS channel bindings, could it not?
[07:42:41] <Hugh_Daniel> Remind speakers to speek clearly into the mic.
[07:43:09] <lukeh> Right
[07:43:16] <lukeh> Finalize is compatible
[07:43:33] <lukeh> I guess it mightn't work with CCM
[07:43:46] <lukeh> Yeah, good point.
[07:43:49] buckeyeskeeve joins the room
[07:44:31] <lukeh> Yeah, what Jeff said, I'm not adding anything.
[07:44:34] <Hugh_Daniel> We can hear Malinda better now.
[07:44:38] Satoru Kanno joins the room
[07:45:38] <jhutz@jis.mit.edu/owl> I can think of something evil; it basically involves the server
making up a key at the start of the exchange to use in computing
the finish hash, and then conveying that key to the client at
the end of the exchange.
[07:46:04] <jhutz@jis.mit.edu/owl> But I'm not sure I'm thrilled about the server choosing that key
unilaterally rather than involving the client in its selection.
[07:46:56] <Rhys> onto http://tools.ietf.org/agenda/80/slides/abfab-9.pptx
[07:47:21] <hartmans> jhutz: client contributes something.
[07:47:35] <hartmans> Server computes k, but uses k2 = prf(client_contribution)
[07:47:43] <hartmans> server discloses k client computse k2
[07:47:50] hartmans loves it
[07:48:28] <jhutz@jis.mit.edu/owl> Oh, yes, you could do that, if the client provides its contribution in
the first message.
[07:49:19] <lukeh> Josh: this is just a standard RADIUS AVP, not one with an embedded type/length/value?
[07:50:58] <lukeh> A question for Sam: sorry to backtrack, should GSS_C_NT_ANONYMOUS be set only for the completely empty name, or for @realm.
[07:51:17] <jhutz@jis.mit.edu/owl> I answered that already.
[07:51:23] <jhutz@jis.mit.edu/owl> You can set it only for fully anonymous names.
[07:51:28] <lukeh> Great.
[07:51:29] <lukeh> Thanks Jeff.
[07:51:44] <lukeh> sorry.
[07:51:45] <leifj> we'll come back to that in a minute
[07:51:47] <lukeh> thanks.
[07:51:56] <hartmans> lukeh: only completely anonymous
[07:52:11] <hartmans> RFC 6112 clarifies 2743 in this regard.
[07:52:37] <jhutz@jis.mit.edu/owl> See the first paragraph of section 6 of RFC-to-be 6112 (aka
draft-ietf-krb-wg-anon-12.txt) which describes how this
works for Kerberos
[07:52:53] <lukeh> Ditto for GSS_C_ANON_FLAG on acceptor or?
[07:52:58] <lukeh> Sorry I should read the RFC.
[07:53:09] <hartmans> Yes, the same.
[07:53:12] <lukeh> Thanks
[07:53:20] <jhutz@jis.mit.edu/owl> You should, preferably before it unblocks from AUTH48 :-)
[07:56:52] <Rhys> http://tools.ietf.org/agenda/80/slides/abfab-6.ppt now
[07:59:26] <lukeh> But it contains redundant information, does it not, because it could be understood from the XML?
[08:03:28] <lukeh> It seems to me that if we the binding requires a request and response, then we can still have one attribute, and then the direction determines the type of message.
[08:03:47] <lukeh> And why cannot it be extensible by virtue of the underlying XML? I don't know if there's a clear advantage for duplication of this information at the EAP layer.
[08:04:04] <lukeh> Unless it's for simplicity of parsing, I can understand that.
[08:05:03] <buckeyeskeeve> in SAML we generally didn't duplicate the message type at the binding layer
[08:05:09] <lukeh> Right.
[08:05:17] <buckeyeskeeve> in terms of directionality, though, some SAML bindings can actually flow "backwards"
[08:05:29] <buckeyeskeeve> relative to what one might expect anyway
[08:05:55] Wolfgang Beck leaves the room
[08:14:54] <leifj> that is XACML
[08:15:03] sftcd leaves the room
[08:23:06] <Rhys> http://tools.ietf.org/agenda/80/slides/abfab-7.pptx
[08:28:57] sftcd joins the room
[08:29:49] lef.mutualauth leaves the room
[08:29:50] lef.mutualauth joins the room
[08:34:03] sftcd leaves the room
[08:34:05] sftcd joins the room
[08:36:33] sftcd leaves the room
[08:36:35] sftcd joins the room
[08:37:38] sftcd leaves the room
[08:37:45] sftcd joins the room
[08:38:49] <hartmans> h
[08:43:06] lef.mutualauth leaves the room
[08:47:06] <sftcd> so was this presented to radext or raised on that wg's list?
[08:47:14] wolfgang.beck01 joins the room
[08:49:04] <Melinda> did you hear that?
[08:50:06] <lukeh> slide #? was at dinner
[08:50:33] <Linus Nordberg> lukeh: "A single PKI for ABFAB deployuments?"
[08:50:50] <Rhys> 13
[08:55:17] <hartmans> Not presented to radext, do you think it would be useful there?
[08:55:31] <hartmans> nato that radsec (radius over tls) definitely has been discussed there.
[08:57:08] <sftcd> I think if you're proposing to do key mgmt for radius (how I read this) then that needs to be discussed there, at minimum, before going anywhere
[08:57:38] <hartmans> The key mgmt for radius is clearly in abfab's charter provided that we don't need to change radius to do it.
[08:57:59] <hartmans> So, while I agree discussing it there would be fine if they are interested, I don't agree it's blocking.
[08:58:09] <hartmans> The trust router is not clearly in our charter.
[08:58:27] <sftcd> we may disagree on that, not saying we do at this point but needs clarification
[08:58:39] <hartmans> I can make an argument that it fits, but it's not as strong as the argument for AAA key management
[08:59:50] <leifj> for the record, the charter text that we're talking about here is this: 

Concerns have been raised that additional work is required in keying AAA
associations in a federated environment. The working group is chartered
to explore these concerns and if needed, specify protocols that use
existing AAA key management mechanisms to address these concerns.
[08:59:53] <hartmans> I think sending mail to radext and soliciting comments as we're deciding whether to adopt would be a really good idea
[09:15:06] <hartmans> I should not have read this mail from Josh during the meeting.
[09:15:29] <hartmans> I did mean to burst out in uncontrollable laughter, it is unrelated to the wg.
[09:18:03] sftcd leaves the room
[09:18:34] sftcd joins the room
[09:21:17] barryleiba leaves the room
[09:23:17] <eburger> ?
[09:23:18] semery leaves the room: Disconnected
[09:25:53] <lukeh> that won't be a problem, of course
[09:27:24] lel leaves the room
[09:27:25] jimsch leaves the room
[09:28:11] wolfgang.beck01 leaves the room
[09:28:41] Satoru Kanno leaves the room
[09:29:41] eburger leaves the room
[09:30:10] buckeyeskeeve leaves the room
[09:30:16] stpeter leaves the room: Disconnected: connection closed
[09:30:49] Klaas Wierenga joins the room
[09:33:11] Rhys leaves the room
[09:33:24] hartmans leaves the room
[09:34:56] alejandro.perez.mendez leaves the room
[09:35:34] lukeh leaves the room
[09:37:54] Josh Howlett leaves the room
[09:39:27] Josh Howlett joins the room
[09:39:31] Linus Nordberg leaves the room
[09:40:04] Gabriel Lopez leaves the room
[09:41:34] sftcd leaves the room
[09:43:47] Josh Howlett leaves the room
[09:44:52] rafa.marinlopez leaves the room
[09:45:34] Melinda leaves the room
[09:48:26] Klaas Wierenga leaves the room
[09:50:15] sftcd joins the room
[09:57:24] leifj leaves the room
[09:58:44] sftcd leaves the room: offline
[10:04:57] lukeh joins the room
[10:26:18] lukeh leaves the room
[10:58:45] semery joins the room
[10:59:00] semery leaves the room
[11:04:40] stpeter joins the room
[11:07:51] wolfgang.beck01 joins the room
[11:08:00] wolfgang.beck01 leaves the room
[11:13:33] leifj joins the room
[11:17:30] Josh Howlett joins the room
[11:31:43] Klaas Wierenga joins the room
[11:52:21] leifj leaves the room
[12:23:45] Josh Howlett leaves the room
[13:22:50] stpeter leaves the room
[13:36:25] Melinda joins the room
[14:01:52] Melinda leaves the room
[14:56:29] jhutz@jis.mit.edu/owl leaves the room
[15:34:33] Hugh_Daniel leaves the room
[16:45:02] Klaas Wierenga leaves the room