IETF
ace
ace@jabber.ietf.org
Monday, July 16, 2018< ^ >
kaduk@jabber.org/barnowl has set the subject to: ACE meeting - IETF 100 - https://datatracker.ietf.org/meeting/100/materials/agenda-100-ace/
Room Configuration
Room Occupants

GMT+0
[01:05:19] metricamerica joins the room
[05:40:22] metricamerica leaves the room
[05:40:28] metricamerica joins the room
[12:45:52] jimsch joins the room
[13:09:21] cw-ietf joins the room
[13:10:19] meetecho joins the room
[13:11:53] metricamerica leaves the room
[13:12:27] metricamerica joins the room
[13:13:00] jguP9pGD joins the room
[13:13:34] <jimsch> @meetecho - we are getting feedback in this room
[13:14:19] francesca joins the room
[13:15:43] <francesca> Jim Could is the link to the etherpad: http://etherpad.tools.ietf.org:9000/p/notes-ietf-102-ace ?
[13:16:15] Benjamin Damm joins the room
[13:17:12] <francesca> (minus Could)
[13:19:06] <meetecho> jimsch: do you mean in the speakers?
[13:20:53] <jimsch> @meetecho - yes we were getting ome high feedback but it is quite now
[13:21:51] metricamerica joins the room
[13:21:59] Benjamin Damm checks
[13:22:25] Benjamin Damm is jabber "scribe" and will speak to the mic any concerns voiced in the jabber room.
[13:23:23] metricamerica leaves the room
[13:25:09] Lorenzo Miniero joins the room
[13:25:10] Klaus Hartke joins the room
[13:25:11] Malisa Vucinic joins the room
[13:25:12] Christian Amsüss joins the room
[13:26:24] francesca has set the subject to: ACE meeting - IETF 100 - https://datatracker.ietf.org/meeting/102/materials/agenda-102-ace/
[13:26:35] francesca has set the subject to: ACE meeting - IETF 102 - https://datatracker.ietf.org/meeting/102/materials/agenda-102-ace/
[13:26:56] Marco Tiloca joins the room
[13:27:18] Anthony Kirby joins the room
[13:27:52] Anthony Kirby leaves the room
[13:27:53] Anthony Kirby joins the room
[13:28:05] <jimsch> @Marco have you checked you meetecho link?
[13:28:07] Anthony Kirby leaves the room
[13:28:25] <Marco Tiloca> Yes, I am in now
[13:28:54] Bjorn Hjelm joins the room
[13:29:38] Anthony Kirby joins the room
[13:31:47] <jimsch> @ meetecho we have no mics at the moment - they seem to have been shut off
[13:31:48] <Benjamin Damm> mics in the room are not working
[13:32:03] <meetecho> Will notify the AV team
[13:32:23] Benjamin Damm is acting jabber scribe. Please be patient as it is his first time doing it. Feel free to tell me what I ought to be doing.
[13:33:06] Anthony Kirby leaves the room
[13:33:34] Anthony Kirby joins the room
[13:34:32] Olaf Bergmann joins the room
[13:36:21] francesca leaves the room: Connection failed: connection closed
[13:36:25] francesca joins the room
[13:36:29] <francesca> can you guys on remote here Mike?
[13:36:43] <francesca> hear*
[13:36:44] Stefanie Gerdes joins the room
[13:36:44] <Marco Tiloca> I hear him
[13:36:50] Antti Kolehmainen joins the room
[13:36:58] kaduk@jabber.org/barnowl joins the room
[13:38:59] <Benjamin Damm> Hello, please put "mic:" in front of comments you would like taken to the mic.
[13:41:17] <meetecho> Looking into the bad audio for remotees
[13:43:27] <kaduk@jabber.org/barnowl> Even in-room the eq levels might be a bit funky; I couldn't see if
someone is still adjusting
[13:43:43] Shahid Raza joins the room
[13:43:48] <Benjamin Damm> Can remotes hear Tschofenig ok?
[13:44:00] <Olaf Bergmann> no, not really
[13:44:02] <Marco Tiloca> lot of background noise
[13:44:26] <meetecho> Yes, still looking into the muffled audio, sorry about that
[13:44:34] <Benjamin Damm> "KeyID debate we had, I think we definitely discussed it on th elist but not clear conclusion"
[13:45:04] <meetecho> Can you confirm the main speaker audio is mostly fine, and the issue is more with the mic line?
[13:45:08] <Benjamin Damm> Can you hear Jones ok?
[13:45:28] <Marco Tiloca> correct, speaker's and chairs' mics are fine
[13:46:38] <Benjamin Damm> Jim Schaad speaks:
[13:46:58] <Benjamin Damm> "I cannot say that I felt that the whole issue of reference by key ID was adequately addressed in the document"
[13:47:11] <Benjamin Damm> "whole lot of ussues that haven't been thought about, problematic, and need to be documented far clearer"
[13:47:25] <Benjamin Damm> "there may be a couple of other issues, one other, did not feel was directly dealt with"
[13:48:10] <Benjamin Damm> "I think the concept that you're going to end up with a single AS control aiuthorizes .. on an RS.. is probably not correct"
[13:48:20] <Benjamin Damm> and those AS's need to co-operate and is not covered
[13:48:27] <Benjamin Damm> far beyond classic oauth
[13:48:37] <Benjamin Damm> "oauth has a thin sec model and we need to expand in this world
[13:48:54] <Benjamin Damm> "the issue is not one of tricking you to iusing th wrong key, it's tricking you to giving me perms I don't have
[13:49:19] <Benjamin Damm> "we we have the time to expose that"
[13:49:25] <Benjamin Damm> Ludwig speaks
[13:49:34] <Benjamin Damm> Seitz
[13:49:43] <Benjamin Damm> The problem is you get an AS to isusue token bound to key with ID 1
[13:49:51] <Benjamin Damm> attacker uses another A with token bound to key ID also 1
[13:49:55] <Benjamin Damm> the attackers all using key B
[13:50:01] <Benjamin Damm> the clients using my token bound to key a
[13:50:07] <Benjamin Damm> submits to RS and it stores
[13:50:12] <Benjamin Damm> with key id 1 and id …..
[13:50:20] <Benjamin Damm> then comes attacker with another key linked to ID 1
[13:50:22] <Benjamin Damm> and somehow
[13:50:31] <Benjamin Damm> gets tricked to RS to accept token and key B, id 1
[13:50:38] <Benjamin Damm> thus gains access wrights of first token
[13:50:50] <Benjamin Damm> don't see how the last step is supposed to happen
[13:51:21] <Benjamin Damm> Michael Jones replies
[13:51:43] <Benjamin Damm> Regardless of that, I agree with Jim this is an issue we need to document, not 100% sure this needs to go in this document
[13:51:50] <kaduk@jabber.org/barnowl> The RS cannot use the keyid as an internal index or identifier for its
authorization cache or other data store
[13:51:58] <Benjamin Damm> Did you want that spoken
[13:52:01] <kaduk@jabber.org/barnowl> No
[13:52:06] <Benjamin Damm> Please put "mic:" if so
[13:52:07] <Benjamin Damm> ok
[13:52:18] <Benjamin Damm> Hannes… the key is limited in context
[13:52:24] <Benjamin Damm> "putting the key..."
[13:52:32] <Benjamin Damm> the described attack scenario should be documentd
[13:52:41] <Benjamin Damm> in oauth (?)
[13:52:48] <Benjamin Damm> there you have the AS server, RS server, multiple of them
[13:53:03] <Benjamin Damm> from what ludwig xplained, they KIDs
[13:53:13] <Benjamin Damm> … but sitll we've seen with simoler cases implementation can make mistakes
[13:53:16] <Benjamin Damm> worthwhile to highlight.
[13:53:21] Christian Amsüss leaves the room
[13:53:22] <Benjamin Damm> Russell Howsley
[13:53:28] <Benjamin Damm> I disagree with Hanns
[13:53:37] <Benjamin Damm> Because the keyID has different uses
[13:53:40] Abdur Rashid Sangi joins the room
[13:53:53] <Benjamin Damm> there should be a warning in this document, put warning, discuss key collision
[13:54:43] <Benjamin Damm> Sorry group, speakers are a bit faster than I can type
[13:55:04] <kaduk@jabber.org/barnowl> They are generally faster than anyone can type; you're doing a great
job, and thank you!
[13:57:42] <jimsch> @benjamin - you don't need to do the summary of what is being said in the room
[13:58:01] <Benjamin Damm> I was just running the commentor's mic because it seems folks on the line could not hear
[13:58:07] <Benjamin Damm> but if it is done now I will stop
[13:58:40] <Benjamin Damm> I'll continue the next time a commentor comes to the mic, and if folks on the line can hear fine then I'll stop. Someone volunteer to let me know?
[13:58:53] <kaduk@jabber.org/barnowl> It's still unclear to me whether the mic queue's mic is actually doing
much for the remote stream, yeah
[14:00:31] <francesca> guys on remote: if you cannot hear, I am taking notes in the etherpad http://etherpad.tools.ietf.org:9000/p/notes-ietf-102-ace so no need to report here as well (or you can help out there :) )
[14:01:04] <Olaf Bergmann> @francesca thx
[14:01:42] <francesca> no problem! let us know if you cannot hear the comments mic (next time there is a comment)
[14:02:03] <Olaf Bergmann> surel will do
[14:02:49] shinta joins the room
[14:03:29] Christian Amsüss joins the room
[14:04:01] <Olaf Bergmann> queue mic works fine
[14:04:31] <Benjamin Damm> Thx!
[14:14:11] <Olaf Bergmann> Hannes cannot be heard from remote
[14:14:44] <Benjamin Damm> Ok, I'm going to type here as before, and if they ends up in the etherpad, then that's great, I'm not sure both can b done
[14:14:52] <Benjamin Damm> Hannes: Fillow up on this one
[14:15:01] <Benjamin Damm> A topic will have discussion on JThursday in Oaiuth wG
[14:15:14] <Benjamin Damm> Poptalk useage overalap in ACE and oauth dedicated discusion slot
[14:15:21] <Benjamin Damm> anyone interested come to 1st day oauth
[14:15:22] <jimsch> Is that better or do I need to get him to change how he talks.  It seems fine in the room
[14:16:03] <Olaf Bergmann> maybe he just needs to talk more directly into the mic?
[14:16:22] <Benjamin Damm> Everyone seems to have this problem. Not being close enough is a systemic human issue
[14:18:48] <Benjamin Damm> I'll see what I can do
[14:20:59] <Benjamin Damm> cArsten: the shortest numers are -24 to +23
[14:22:08] <Benjamin Damm> Carsten: Waste a lot of time discussing this things tweaks to further order
[14:22:13] <Benjamin Damm> I think sombody should do that
[14:22:17] <Benjamin Damm> write up a good decision whould be
[14:22:23] <Benjamin Damm> then we just… steps away)
[14:22:26] <Benjamin Damm> Mike Jones MS
[14:22:32] <Benjamin Damm> My suggestion is that you work with
[14:22:35] shinta leaves the room
[14:22:38] <Benjamin Damm> the distinguished experts for
[14:22:42] <Benjamin Damm> CWT claim registration
[14:22:48] <Benjamin Damm> and ask them to make a proposal maybe
[14:22:58] <Benjamin Damm> these are the values we think are generaply purpsoe claims low, mid high rang
[14:23:01] <Benjamin Damm> and get feedback
[14:23:07] <Benjamin Damm> extent aling with cwt claims
[14:23:12] <Benjamin Damm> then you should b eplanning to register it
[14:23:18] <Benjamin Damm> ta;lk to the xperts now
[14:23:59] <Benjamin Damm> Carsten:
[14:24:18] <Benjamin Damm> Not sure we have a lot of discussion about this issue of how RS can point to client
[14:24:22] <Benjamin Damm> to info about how to gt authz
[14:24:29] <Benjamin Damm> gnerally preyty easy to get into RD
[14:24:32] <Benjamin Damm> define relation type
[14:24:33] shinta joins the room
[14:24:36] <Benjamin Damm> so if describes authz req
[14:24:40] shinta leaves the room
[14:24:46] <Benjamin Damm> then could dfine relation type
[14:24:50] <Benjamin Damm> and point elsewhere to get info about that
[14:24:57] <Benjamin Damm> that would b a goo activity
[14:25:03] <Benjamin Damm> for how this info would look like
[14:25:09] <Benjamin Damm> so take pressure off need to be comprehensive
[14:25:12] <Benjamin Damm> for how RS gets authz req
[14:25:26] <Benjamin Damm> (replies)
[14:25:33] <Benjamin Damm> its'a  relationtype
[14:25:41] <Benjamin Damm> I think it's a worthwhile indenp. effort
[14:25:47] <Benjamin Damm> not necessary synchronzi4d
[14:25:57] <Benjamin Damm> should be something basic about what a RS does for unauth req
[14:26:05] <Benjamin Damm> but we can always provide other channels for relationtype
[14:26:09] <Benjamin Damm> and putting into RS would be one
[14:26:13] <Benjamin Damm> (replies)
[14:26:47] <Benjamin Damm> The same mech could be used in …? not just resource dirs
[14:26:51] <Benjamin Damm> P:eter van der stok
[14:27:05] <Benjamin Damm> I agree this time with Carsten esp. about independent effort
[14:27:41] <Benjamin Damm> Carsten to mic:
[14:27:46] <Benjamin Damm> Did we identify versions
[14:27:49] <Benjamin Damm> of this document as impl, drafts
[14:27:56] <Benjamin Damm> Maybe we should do that
[14:28:00] <Benjamin Damm> explicity with the next rev e
[14:28:09] <Benjamin Damm> event though we are no starting a wg call next week
[14:29:29] <Shahid Raza> One from RISE for Contiki
[14:36:17] <Benjamin Damm> Carsten to mic
[14:36:20] <Benjamin Damm> Do you mean resourced?
[14:36:22] <Benjamin Damm> resource?
[14:36:30] <Benjamin Damm> Endpoint is a server
[14:36:42] <Benjamin Damm> Palombini using ACE terminology
[14:37:22] <Benjamin Damm> Jim Shaad
[14:37:30] <Benjamin Damm> Is the symmetric one here asking for
[14:37:35] <Benjamin Damm> a updated syummetric key?
[14:37:39] <Benjamin Damm> as upposed to when doing join?
[14:38:00] <Benjamin Damm> Palombini: yes (more)
[14:38:02] <Benjamin Damm> Jim:
[14:38:13] <Benjamin Damm> Ah, based purely on simplicity I would not be in favor
[14:38:20] <Benjamin Damm> of having multiple resources do this, prefe
[14:38:24] <Benjamin Damm> prefer doing in resource
[14:38:29] <Benjamin Damm> (request?)
[14:38:43] <Benjamin Damm> Palombini replies
[14:39:07] <Benjamin Damm> Jim: 'd have to think about it
[14:39:54] <Benjamin Damm> Peter to mic
[14:40:08] <Benjamin Damm> Peter vn der stok
[14:40:11] <Benjamin Damm> Q, two drafts now
[14:40:15] <Benjamin Damm> about group comms
[14:40:20] <Benjamin Damm> why two drafts insted of one draft?
[14:40:36] <Benjamin Damm> hopes to get more visibility
[14:40:41] <Benjamin Damm> on the issue (group comm)
[14:41:51] <Benjamin Damm> PEter
[14:42:02] <Benjamin Damm> I understand the purpose of argument to compare and use similar tech
[14:42:04] <Benjamin Damm> still worried
[14:42:47] <Benjamin Damm> Moving on…. pubsub profile now
[14:43:49] <Benjamin Damm> We can hear and see you
[14:44:01] <kaduk@jabber.org/barnowl> Marco's audio is great; better than several people in the room :)
[14:44:14] Simon Pietro Romano joins the room
[14:49:24] <Benjamin Damm> mic: Peter
[14:49:33] <Benjamin Damm> Peter: want to express my interest and ask we go forward
[14:56:31] Lorenzo Miniero leaves the room
[14:57:31] <Benjamin Damm> John n hamill CSC
[14:57:41] <Benjamin Damm> typically cert IDs use issuer and serial instead of cn
[14:57:50] <Benjamin Damm> for cert idents to align with CMS
[14:57:53] <Benjamin Damm> Mohit
[14:58:05] <Benjamin Damm> This seems way too cimplex for a problem we 've seen in many places
[14:58:13] <Benjamin Damm> a.g. IPv6 neighbor discovery
[14:58:21] <Benjamin Damm> and what you do is use random identity
[14:58:28] <Benjamin Damm> don't see why you can't use just random name
[14:58:34] <Benjamin Damm> what kind of limitations
[14:58:38] <Benjamin Damm> does it need to be human readabl
[14:58:50] <Benjamin Damm> way too complex
[14:58:53] <Benjamin Damm> Hannes
[14:59:05] <Benjamin Damm> initially the problem is … I tried to address
[14:59:13] <Benjamin Damm> is that we … I did it by uses we talked to it...
[14:59:20] <Benjamin Damm> provided endpoint name in two layers
[14:59:27] <Benjamin Damm> DTLS layer and again in CoAP layer
[14:59:28] <Benjamin Damm> with RD
[14:59:37] <Benjamin Damm> in DTLS/TLS layer use cryptographic authN
[14:59:47] <Benjamin Damm> so some may use serials , others may not, doesn't matter
[14:59:55] <Benjamin Damm> the problem is at higher lkayer identifier not authenticated
[15:00:05] <Benjamin Damm> get rid of duplicated application-layer ID that is not authN
[15:00:22] <Benjamin Damm> your idea is different, go back to authN server and bind what is being presented in cert with app layer
[15:00:33] <Benjamin Damm> … make sure id is equalt to cert ID then no problem
[15:00:43] <Benjamin Damm> on other hand why need to send both and then compare?
[15:00:55] <Benjamin Damm> Matthias
[15:01:06] <Benjamin Damm> To my understanding youpresent ace way but thereare otherw ays
[15:01:24] <Benjamin Damm> There is a certificate based way
[15:01:32] <Benjamin Damm> there is a field where the endpoint name comes from
[15:01:43] <Benjamin Damm> antoher way could be you hav ethis token, authority states you can use this
[15:01:50] <Benjamin Damm> authN for ...
[15:01:55] <Benjamin Damm> more simple ways as ...
[15:01:59] <Benjamin Damm> Hannes @ mic
[15:02:03] <Benjamin Damm> you raise interesting Q
[15:02:12] <Benjamin Damm> is registration… auth… (I can't keeo up)
[15:02:17] <Benjamin Damm> then llows you to get token
[15:02:19] Panos Kampanakis joins the room
[15:02:23] <Benjamin Damm> then allows you to do authZ
[15:02:34] <Benjamin Damm> another feature not in slide but in doc in third party reg
[15:02:35] <Olaf Bergmann> never mind, audio quality is not too bad
[15:02:41] <Benjamin Damm> thank goodness
[15:02:47] <Olaf Bergmann> at least large fragments arrive
[15:06:22] Abdur Rashid Sangi leaves the room
[15:08:18] <Benjamin Damm> Hannes @ mic
[15:12:55] Ned Freed joins the room
[15:14:42] Bjorn Hjelm leaves the room
[15:20:54] metricamerica leaves the room
[15:21:40] <Christian Amsüss> hannes(?), could you step closer to the mike? you're hard to understand on the stream.
[15:23:12] Abdur Rashid Sangi joins the room
[15:26:39] 99rst joins the room
[15:28:21] Bjorn Hjelm joins the room
[15:28:48] <Christian Amsüss> meetecho: can you do anything about the volume differences btwn presenter and floor?
[15:29:48] <meetecho> Christian Amsüss: is the mic line significanntly lower than the speaker volume? We checked before and the issue seemed to be people were not talking directly in the mic
[15:29:53] <meetecho> As mics are very directionaò
[15:30:22] <Benjamin Damm> From where I sit most folks are doing well enough at this, getting within at least 15-20 cm of the mic
[15:30:37] <Olaf Bergmann> @meetecho: yes, definitely lower
[15:31:23] <meetecho> Benjamin Damm: ack, we'll ckeck again later then, thx for the heads-up!
[15:31:50] <jimsch> @meetecho:  The gain on the line mic is much lower than the gain on the presenter and chair mics based on me talking into multiple of them
[15:33:46] <meetecho> Coming to check
[15:34:57] <Benjamin Damm> Oh yeah that helped
[15:35:02] <Benjamin Damm> Whatever you just did
[15:35:04] <Christian Amsüss> thanks!
[15:35:13] <Olaf Bergmann> indeed!
[15:36:20] <francesca> Guys who go to the mic, could you also check the etherpad and fill in your comments? I had a bit of a hard time catching the last comments (Kerry, Michael)
[15:37:58] <meetecho> (y)
[15:38:14] <Olaf Bergmann> Benjamin Damm: Thank you for doing a really good job as real-time TTS system earlier in this session!
[15:38:35] <Benjamin Damm> Yw!
[15:38:41] Olaf Bergmann leaves the room
[15:47:58] cw-ietf leaves the room
[15:48:07] Marco Tiloca leaves the room
[15:48:17] Anthony Kirby leaves the room
[15:48:24] Benjamin Damm leaves the room
[15:48:26] Klaus Hartke leaves the room
[15:49:40] Ned Freed leaves the room
[15:49:40] Panos Kampanakis leaves the room
[15:49:40] Malisa Vucinic leaves the room
[15:49:40] Antti Kolehmainen leaves the room
[15:49:40] Shahid Raza leaves the room
[15:49:40] Bjorn Hjelm leaves the room
[15:49:40] Stefanie Gerdes leaves the room
[15:49:40] Abdur Rashid Sangi leaves the room
[15:49:40] Christian Amsüss leaves the room
[15:49:40] Simon Pietro Romano leaves the room
[15:49:59] meetecho leaves the room
[15:54:39] jimsch1 joins the room
[15:54:54] jimsch leaves the room
[16:02:51] Benjamin Damm joins the room
[16:03:41] francesca leaves the room: unknown reason
[16:03:55] Benjamin Damm leaves the room
[16:17:19] jimsch1 leaves the room
[17:26:13] francesca joins the room
[17:26:25] francesca leaves the room