[01:19:28] chi.jiun.su leaves the room
[01:30:46] chi.jiun.su joins the room
[01:53:42] chi.jiun.su leaves the room
[02:09:50] tale leaves the room
[11:29:48] kivinen joins the room
[11:29:53] kivinen leaves the room
[12:31:04] jmagallanes joins the room
[13:49:06] andrew_campling joins the room
[13:51:25] Christian Huitema joins the room
[13:56:08] Cullen Jennings joins the room
[13:56:43] adam joins the room
[13:56:44] Yoshiro Yoneya / 米谷嘉朗 joins the room
[13:58:35] alex-meetecho joins the room
[14:00:01] Andrew McConachie joins the room
[14:00:01] Chris Lemmons joins the room
[14:00:01] Yuichi Takita joins the room
[14:00:01] Markus Zeilinger joins the room
[14:00:01] Markus joins the room
[14:00:01] Michael Gibbs joins the room
[14:00:01] Kazunori Fujiwara joins the room
[14:00:01] Zaid AlBanna joins the room
[14:00:01] Moritz Müller joins the room
[14:00:01] Daniel Migault joins the room
[14:00:01] Christopher Inacio joins the room
[14:00:01] Meetecho joins the room
[14:00:01] Mike Bishop joins the room
[14:00:01] Tommy Jensen joins the room
[14:00:01] Kohei Isobe joins the room
[14:00:01] Christian Huitema_452 joins the room
[14:00:02] Erik Kline joins the room
[14:00:02] Neil Cook joins the room
[14:00:02] Puneet Sood joins the room
[14:00:02] Pieter Lexis joins the room
[14:00:02] Tommy Pauly joins the room
[14:00:02] Jerome Vacek joins the room
[14:00:02] Francois Ortolan joins the room
[14:00:02] Glenn Deen joins the room
[14:00:02] Jason Weil joins the room
[14:00:02] Taiji Kimura joins the room
[14:00:02] Alessandro Ghedini joins the room
[14:00:02] PE joins the room
[14:00:02] Hannu Flinck joins the room
[14:00:02] Paul Adair joins the room
[14:00:02] Christopher Wood joins the room
[14:00:14] Scott Rose joins the room
[14:00:25] Markus Zeilinger leaves the room
[14:00:28] Markus Zeilinger joins the room
[14:00:52] Barry Leiba joins the room
[14:01:08] <Christian Huitema> Hello!
[14:01:13] Hugo Salgado (jabber) joins the room
[14:01:18] Adam Roach joins the room
[14:01:25] Yoshiro Yoneya joins the room
[14:01:26] Andrew Campling joins the room
[14:01:54] Tobia Castaldi joins the room
[14:01:55] Robert Story joins the room
[14:02:02] <Daniel Migault> Hi glenn, can we just make sure the audio works?
[14:02:03] Jorge Cano joins the room
[14:02:18] Ralf Weber joins the room
[14:02:34] Frode Kileng joins the room
[14:02:46] <Paul Adair> sound is good so far
[14:02:51] Chris Box joins the room
[14:03:01] Juliana Guerra joins the room
[14:03:02] Stephen Farrell joins the room
[14:03:11] Eric Orth joins the room
[14:03:26] dschinazi@jab.im joins the room
[14:03:31] Chi-Jiun Su joins the room
[14:03:37] Daniel Gillmor joins the room
[14:03:39] Eric Rescorla joins the room
[14:03:42] Simon Vera-Schockner joins the room
[14:03:44] David Schinazi joins the room
[14:03:45] Barry Leiba leaves the room
[14:03:50] Barry Leiba joins the room
[14:04:04] Tirumaleswar Reddy.K joins the room
[14:04:06] avezza joins the room
[14:04:15] Scott Rose leaves the room
[14:04:30] Alister Winfield joins the room
[14:04:34] Mohamed Boucadair joins the room
[14:04:45] Scott Rose joins the room
[14:04:45] Wes Hardaker joins the room
[14:04:48] Barbara Stark joins the room
[14:04:51] Carrick joins the room
[14:04:53] Samuel Weiler joins the room
[14:04:55] <Andrew Campling> Glenn's going for the sympathy vote early!
[14:04:56] Scott Rose leaves the room
[14:04:56] Scott Rose joins the room
[14:05:06] Farni Boten joins the room
[14:05:09] <Tommy Pauly> Looks good
[14:05:11] <Chris Lemmons> Works great.
[14:05:12] <dschinazi@jab.im> Working great!
[14:05:14] <Tommy Jensen> lgtm
[14:05:19] sftcd joins the room
[14:05:24] Dirk Hugo joins the room
[14:05:33] Eva Ignatuschtschenko joins the room
[14:05:36] Tero Kivinen joins the room
[14:05:36] Wes Hardaker clone joins the room
[14:05:39] Ralph Dolmans joins the room
[14:05:43] Mark Andrews joins the room
[14:05:50] Cullen Jennings_463 joins the room
[14:05:55] Barbara Stark-jabber joins the room
[14:06:05] Kirsty P joins the room
[14:06:06] Swapneel Sheth joins the room
[14:06:07] ko-isobe joins the room
[14:06:11] Joe Harvey joins the room
[14:06:11] Peter Koch joins the room
[14:06:28] Tadahiko Ito joins the room
[14:06:37] Steve Olshansky joins the room
[14:06:40] Valery Smyslov joins the room
[14:06:52] Martin Thomson joins the room
[14:07:01] Jim Reid joins the room
[14:07:03] Paul Hoffman joins the room
[14:07:17] Patrick McManus joins the room
[14:07:23] Jonathan Reed joins the room
[14:07:26] Dan Druta joins the room
[14:07:29] Kris Shrishak joins the room
[14:07:36] Duane Wessels joins the room
[14:07:38] Eva Ignatuschtschenko leaves the room
[14:07:46] Eva Ignatuschtschenko joins the room
[14:07:56] Kazuho Oku joins the room
[14:07:56] Jiankang Yao joins the room
[14:07:57] Stephan Emile joins the room
[14:08:04] Ray Bellis joins the room
[14:08:06] <Daniel Migault> I will have to jump to drip right after my presentation so I apologize for leaving the meeting.
[14:08:10] Stuart Cheshire joins the room
[14:08:10] Chris Inacio joins the room
[14:08:12] <Tommy Jensen> @glenn - for certain definitions of "fun"
[14:08:17] rickwilhelm-Verisign@jabb3r.org joins the room
[14:08:20] Paul Wouters joins the room
[14:08:35] Mohit Sethi joins the room
[14:08:39] Doug Stamper joins the room
[14:08:40] Takahiro Nemoto joins the room
[14:08:42] Monika Ermert joins the room
[14:08:44] John Border joins the room
[14:08:47] <Christian Huitema> Meat & Co.
[14:08:50] Richard Wilhelm joins the room
[14:08:53] Sam Weiler joins the room
[14:08:54] Nick Sullivan joins the room
[14:08:55] <Barbara Stark-jabber> https://codimd.ietf.org/notes-ietf-108-add?view
[14:08:56] <dschinazi@jab.im> @Christian Nice :)
[14:08:57] Doug Stamper leaves the room
[14:08:57] Doug Stamper joins the room
[14:09:06] Frode Kileng leaves the room
[14:09:10] Vittorio Bertola joins the room
[14:09:10] Jason Livingood joins the room
[14:09:11] Alissa Cooper joins the room
[14:09:14] Eliot Lear joins the room
[14:09:20] Petr Spacek joins the room
[14:09:21] tale joins the room
[14:09:23] Matthew Miller joins the room
[14:09:44] m&m joins the room
[14:09:52] Allison Mankin joins the room
[14:09:53] Warren Kumari joins the room
[14:10:03] moritz joins the room
[14:10:04] Diego Lopez joins the room
[14:10:08] Robert Stepanek joins the room
[14:10:11] Ulrich Wisser joins the room
[14:10:17] Frode Sorensen joins the room
[14:10:25] Ted Lemon joins the room
[14:10:36] Ulrich Wisser leaves the room
[14:10:40] tale joins the room
[14:10:51] Ulrich Wisser joins the room
[14:10:51] kivinen joins the room
[14:11:04] Mark Nottingham joins the room
[14:11:05] Joey Salazar joins the room
[14:11:05] Xavier de Foy joins the room
[14:11:05] Alister Winfield2 joins the room
[14:11:10] Burt Kaliski joins the room
[14:11:14] Alexander Mayrhofer joins the room
[14:11:15] chi.jiun.su joins the room
[14:11:21] Benjamin Schwartz joins the room
[14:11:23] Matt Green joins the room
[14:11:32] Michael Breuer joins the room
[14:11:34] <Martin Thomson> Glenn, you might want to try denying people time in future.
[14:11:35] Jari Arkko joins the room
[14:11:39] Bernie Innocenti joins the room
[14:11:44] Andrew S joins the room
[14:11:50] <Jim Reid> What is Labour day?
[14:12:00] Renjie Tang joins the room
[14:12:02] <sftcd> the one before birth day
[14:12:17] Warren Kumari leaves the room
[14:12:18] <Jim Reid> Thanks Dave
[14:12:36] Desiree Miloshevic joins the room
[14:12:37] Jonathan Lennox joins the room
[14:12:50] Sandeep Rao joins the room
[14:12:56] Shumon Huque joins the room
[14:13:09] Alexander Mayrhofer leaves the room
[14:13:10] Dan Wing joins the room
[14:13:12] Alexander Mayrhofer joins the room
[14:13:14] Jana Iyengar joins the room
[14:13:22] Simon Hicks joins the room
[14:13:28] Shumon Huque_ joins the room
[14:13:30] Willem Toorop joins the room
[14:13:37] Simon Hicks leaves the room
[14:14:04] Avri Doria joins the room
[14:14:07] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[14:14:11] <Martin Thomson> Datatracker only shows 3 presentations.  What is missing?
[14:14:16] Hugo Salgado (jabber) joins the room
[14:14:18] Simon Hicks joins the room
[14:14:23] Diego Lopez leaves the room
[14:14:26] Diego Lopez joins the room
[14:14:37] <Chris Box> I found links to all presentations at the bottom of the agenda
[14:14:53] <Martin Thomson> In the agenda, I will try that.
[14:15:12] Hitesh Kotian joins the room
[14:15:13] Erik Nygren joins the room
[14:15:14] Gianpaolo Scalone joins the room
[14:15:15] <andrew_campling> The list at the end of the agenda updated earlier today
[14:15:19] <Martin Thomson> I only see links to drafts.
[14:15:25] Willem Toorop (jabber) joins the room
[14:15:29] Melinda joins the room
[14:15:33] <andrew_campling> Scroll to the bottom for links to slides
[14:16:06] Chris Lemmons leaves the room
[14:16:09] Chris Lemmons joins the room
[14:16:22] <tale > We will be sure to update the meeting materials today as well
[14:16:22] vladimir.cunat joins the room
[14:16:23] Chris Seal joins the room
[14:16:27] <Martin Thomson> Nope, no dice.
[14:17:00] Francois Ortolan leaves the room
[14:17:04] <andrew_campling> Try at https://datatracker.ietf.org/meeting/108/session/add
[14:17:04] Frode Kileng joins the room
[14:17:06] Francois Ortolan joins the room
[14:17:19] Ralf Weber leaves the room
[14:17:21] Ralf Weber joins the room
[14:17:35] Mirja Kühlewind joins the room
[14:17:38] Chris Seal leaves the room
[14:17:40] Chris Seal joins the room
[14:17:41] Pete Resnick joins the room
[14:18:06] <Barbara Stark-jabber> I'm also posting link in codimd notes
[14:18:18] Oliver Borchert joins the room
[14:18:23] <tale > Thank you Barbara
[14:18:52] <Paul Wouters> all of these options are "trust what I am saying". I don't see that model working successfully on the internet :P
[14:19:06] Emmanuel Bretelle joins the room
[14:19:20] <Martin Thomson> OK, I got slides.  How Daniel thought that this would fit in 10min is beyond me.  That's a lot of material.
[14:19:26] Oliver Borchert leaves the room
[14:19:39] <Martin Thomson> Thanks Andrew.  Seems like a DT problem.
[14:19:45] Craig Taylor joins the room
[14:21:09] Dan Druta leaves the room
[14:21:12] Mallory Knodel joins the room
[14:21:22] Dan Druta joins the room
[14:21:48] Dan Druta leaves the room
[14:21:52] <Paul Wouters> CPE either is provisioned by ISP, or I do my own thing. I don't really see the value of this half-half method?
[14:21:52] Dan Druta joins the room
[14:22:17] Lucas Pardue joins the room
[14:22:19] Jason Weil leaves the room
[14:22:19] Jason Weil joins the room
[14:22:25] ekr@jabber.org joins the room
[14:22:45] <ekr@jabber.org> What's the point of going through the IP address rather than just a special use domain?
[14:22:47] Eliot Lear leaves the room
[14:22:50] Dan York joins the room
[14:22:55] John Woodworth joins the room
[14:23:06] Murray Kucherawy joins the room
[14:23:12] <Christian Huitema> Is that two or three levels of indirection, starting with STUN. What can possibly go wrong?
[14:23:18] <Tirumaleswar Reddy.K> ya, SUDN works for legacy routers
[14:23:38] Juliana Guerra leaves the room
[14:23:46] Juliana Guerra joins the room
[14:24:03] <Paul Wouters> why not just a new DOT/DOH dhcp option?
[14:24:05] <sftcd> homenet is not exactly the most active entity with which to work (a pity but true)
[14:24:06] <ekr@jabber.org> I don't get this, the SUDN thing will always work, so why not just do it
[14:24:20] <ekr@jabber.org> The problem with the DHCP thing is that it doesn't work with legacy CPE
[14:24:27] <Martin Thomson> a DHCP option won't propagate past a DNS proxy
[14:24:37] <Christian Huitema> Will STUN discover the local gateway or the CGNAT?
[14:24:44] m joins the room
[14:24:54] <Jana Iyengar> ekr: what's SUDN?
[14:24:55] <Martin Thomson> STUN will discover a reflexive address, based on where the STUN server is
[14:24:57] frodek joins the room
[14:25:01] <Martin Thomson> SUDN special use domain name
[14:25:12] <Tirumaleswar Reddy.K> special use domain name
[14:25:12] <Jana Iyengar> thanks
[14:25:13] <sftcd> like .gnu :-)
[14:25:17] <Barbara Stark-jabber> An ISP can make DHCP options propagate across their gateway.
[14:25:25] <Martin Thomson> time check
[14:25:28] <ekr@jabber.org> special use domainname
[14:25:29] <Christian Huitema> So the resolver ultimately depends on which STUN server you use?
[14:25:47] Simon Hicks leaves the room
[14:25:48] <ekr@jabber.org> @Barbara: yes, they can, but what happens when I have my own WiFi router attached to the gateway
[14:25:49] Michael Richardson joins the room
[14:26:04] Michael Richardson leaves the room
[14:26:06] Michael Richardson joins the room
[14:26:32] <tale > we're only a minute behind
[14:26:32] nygren joins the room
[14:26:35] <vladimir.cunat> I also don't get what is gained by the IP discovery.
[14:26:35] Tirumaleswar Reddy.K leaves the room
[14:26:37] Tirumaleswar Reddy.K joins the room
[14:26:37] <ekr@jabber.org> @MT: did he say "STUN" somewhere?
[14:26:47] Craig Taylor leaves the room
[14:26:52] Craig Taylor joins the room
[14:27:07] Simon Hicks joins the room
[14:27:14] <vladimir.cunat> @ekr: it's on slide 10
[14:27:24] Tirumaleswar Reddy.K leaves the room
[14:27:24] Simon Hicks leaves the room
[14:27:32] Simon Hicks joins the room
[14:27:43] <Christian Huitema> STUN to get the outside address of the gateway, then reverse DNS to get the name, then SVCB lookup
[14:27:46] mcr joins the room
[14:27:48] <Martin Thomson> huh, video finally started up
[14:27:50] Craig Taylor leaves the room
[14:28:01] Craig Taylor joins the room
[14:28:14] <mcr> @Glenn, @tale, I'm the backup presenter for Tiru, if his internet is not working.
[14:28:14] <ekr@jabber.org> @Christian: yeah, this doesn't seem to make any sense
[14:28:22] Tirumaleswar Reddy.K joins the room
[14:28:31] <tale > thank you, mcr
[14:28:33] Craig Taylor leaves the room
[14:28:38] Craig Taylor joins the room
[14:28:40] Francois Ortolan leaves the room
[14:28:42] Francois Ortolan joins the room
[14:28:47] Tobia Castaldi leaves the room
[14:29:00] Shwetha Bhandari joins the room
[14:29:10] Tobia Castaldi joins the room
[14:29:18] Willem Toorop leaves the room
[14:29:18] Willem Toorop joins the room
[14:29:28] <ekr@jabber.org> But you didn't get the identity of the Do53 resolver securely!
[14:29:29] Daniel Migault leaves the room
[14:29:32] <ekr@jabber.org> you got it from DHCP
[14:29:35] Tobia Castaldi leaves the room
[14:29:46] <Martin Thomson> so even if I configure 192.168.0.254, that can't be authenticated either
[14:29:56] <ekr@jabber.org> well, we could pretend that was true, with an IP cert :)
[14:29:59] <vladimir.cunat> DoT seems as much securable as DoH (same TLS)
[14:30:01] <Paul Wouters> if you trust the ISP, you trust the ISP ? :P
[14:30:25] <Martin Thomson> I want an IP cert for that, and 192.168.0.1 please
[14:30:30] <Martin Thomson> and 10.0.0.1
[14:30:32] <ekr@jabber.org> Oh, oops, yeah.
[14:30:32] <Tirumaleswar Reddy.K> DoT in strict privacy profile is as secure as DoH
[14:30:42] <ekr@jabber.org> Wasn't paying attention to the IP addr.
[14:30:56] Jay Daley joins the room
[14:30:56] <Tommy Jensen> @ekr - section 5 of the draft shows how to securely confirm the identity retrieved over plain text. It obviously can be blocked, but not hijacked. tl;dr: TLS cert declaring the recommending IP, hence it only works for public addresses
[14:30:57] mglt joins the room
[14:31:42] <Martin Thomson> Tommy, I don't parse
[14:31:43] <mcr> is IPv6 ULA public? No. Is it unique? probably.  Stop thinking about IPv4 :-)
[14:31:47] <Paul Wouters> why limit it to Foo ever? again, you either trust the ISP or not.
[14:31:48] <Martin Thomson> Do you mean ipAddr SAN?
[14:32:10] <Christian Huitema> Problem with Tommy Pauly's scheme is that it degenerates to one remote resolver per service, which is not great for privacy...
[14:32:17] Tobia Castaldi joins the room
[14:32:18] <mcr> Enterprise Private Names are good examples that "GNS" (hate the name) solves :-)
[14:32:26] <Benjamin Schwartz> Christian: That seems optimal for privacy.
[14:32:33] <Tommy Jensen> @christian - we have a privacy considerations section discussing this with deployment recommendations
[14:32:37] <mcr> +1 on Christian. I hate this resolver per service.
[14:32:39] <Martin Thomson> christian: agree.  intermediation is good for privacy
[14:32:54] <mcr> Might as well just run a properly DNSSEC local resolver.
[14:32:54] <Christian Huitema> Yes, I saw that, but it seems soft and fluffy...
[14:33:00] <Martin Thomson> but the next step is oblivious DNS
[14:33:09] <Christopher Wood> ^
[14:33:10] <Puneet Sood> +1 to Christian.
[14:33:45] <Christian Huitema> Resolver per bag of service makes sense, but the client needs a list of the bags that it finds OK
[14:33:46] <Puneet Sood> And it may require a browser to maintain a large list of resolvers which will then need lifecycle management
[14:33:48] <ekr@jabber.org> Tommy, I don't understand either. The problem isn't binding the identity of the DoH resolver to the Do53 resolver. It's that the Do53 resolver was not discovered securely
[14:34:01] <Martin Thomson> ISPs can provide odns servers to support resolver per domain
[14:34:04] Renjie Tang leaves the room
[14:34:16] <Vittorio Bertola> Unfortunately this depends on the definition of privacy. Some people think privacy = spreading my information as much as possible, some others think privacy = only putting my information into a carefully chosen single place.
[14:34:30] <Martin Thomson> why not both?
[14:34:34] Renjie Tang joins the room
[14:34:39] <Allison Mankin> why would you need resolver per domain if you have odns, Martin?
[14:34:45] <Paul Wouters> dns mixmaster :)
[14:35:10] Pete Resnick (the other one) joins the room
[14:35:13] <vladimir.cunat> I can't see why resolver per domain... when we have auth per domain.
[14:35:17] Stuart Cheshire leaves the room
[14:35:23] <Martin Thomson> Allison: good question, I think that it provides privacy against intermediaries
[14:35:36] Eric Kinnear joins the room
[14:35:36] <Tommy Jensen> @ekr - discovering the resolver insecurely is the reality of today. Until networks have a secure way to provision new clients, that's what we have to work with. The benefit of Adaptive is we bootstrap ourselves into DoH server we can confirm are owned by the domains we're connecting to
[14:35:38] Eva Ignatuschtschenko leaves the room
[14:35:46] <Paul Wouters> a resolver service per domain is called a recursive nameserver
[14:35:46] Eva Ignatuschtschenko joins the room
[14:35:50] Eva Ignatuschtschenko leaves the room
[14:35:53] Carrick leaves the room
[14:35:53] Carrick joins the room
[14:35:58] Willem Toorop (jabber) leaves the room: Disconnected: closed
[14:36:02] Stuart Cheshire joins the room
[14:36:04] Craig Taylor leaves the room
[14:36:09] <Mike Bishop> Resolver per domain offers a privacy improvement on the assumption that the service you're looking up will learn your identity when you connect anyway.
[14:36:10] Craig Taylor joins the room
[14:36:11] Robert Stepanek leaves the room
[14:36:13] <Allison Mankin> Hmm, I feel like a resolver service per domain is called the authoritative :-)
[14:36:14] Jiao Kang joins the room
[14:36:20] <ekr@jabber.org> I want to distinguish between two functions of this draft:  (1) The part where it lets the origin steer you somewhere for its resolution and (2) upgrading your local resolver
[14:36:23] <Christian Huitema> It does make sense to ask facebook to resolve (face, insta, messenger) or to ask Akamai to resolve (Site distributed by Akamai). This does NOT spread data around. But the degenerate case is worrisome.
[14:36:25] <ekr@jabber.org> The first part seems fine-ish
[14:36:29] <Alister Winfield> Except most services use a 3rd party for DNS ...
[14:36:32] <ekr@jabber.org> The second part seems like it's pushing on jello
[14:36:42] <Neil Cook> @ekr: +1
[14:36:43] Mohit Sethi leaves the room
[14:36:46] Mohit Sethi joins the room
[14:36:54] <vladimir.cunat> The main caveat I see is that auths don't have secure transports standardized yet.
[14:37:04] <Chris Box> Overall a good starting point for a design but it needs to work for home CPEs – are the authors expecting dynamic generation of a certificate for the public IP of the CPE, or tunnelling everything to the core network?
[14:37:05] Craig Taylor leaves the room
[14:37:13] Alissa Cooper leaves the room
[14:37:16] Alissa Cooper joins the room
[14:37:21] <Daniel Gillmor> vladimir ++  that hump of the camel does need work
[14:37:26] Francois Ortolan leaves the room
[14:37:28] Francois Ortolan joins the room
[14:37:30] <Tommy Jensen> @ekr - please start a thread on the list so we can talk about this in detail
[14:37:41] Alissa Cooper leaves the room
[14:37:42] <Tommy Jensen> Your poitns are good and this meeting is dense with content
[14:37:47] <Tommy Jensen> points*
[14:37:48] Alissa Cooper joins the room
[14:37:51] Oliver Borchert joins the room
[14:37:52] Willem Toorop (jabber) joins the room
[14:37:52] <mcr> @Chris, I have running code for public anchored certificate for home CPE.
[14:37:54] Jason Livingood leaves the room
[14:38:02] Jason Livingood joins the room
[14:38:07] <Chris Box> @mcr Great will take a look
[14:38:28] Jason Livingood leaves the room
[14:38:31] Desiree Miloshevic leaves the room
[14:38:32] <Martin Thomson> Chairs: this is not a useful way to spend my time.  I have read the drafts, and I have seen this presentation before.  How are we going to resolve the question of what to standardize?
[14:38:35] <Paul Wouters> inefficient is not my problem when i care about privacy.
[14:38:37] Desiree Miloshevic joins the room
[14:38:46] Vittorio Bertola leaves the room
[14:38:51] Vittorio Bertola joins the room
[14:39:04] Desiree Miloshevic leaves the room
[14:39:06] Desiree Miloshevic joins the room
[14:39:25] Jason Livingood joins the room
[14:39:26] <Christian Huitema> We could have summarized this and the two previous solutions in one slide...
[14:39:41] <ekr@jabber.org> Huitema: +1
[14:39:43] <tale > I understand, Martin, and think that's an apt criticism.  
[14:39:52] <Daniel Gillmor> "for this host" ?
[14:40:02] Jason Livingood leaves the room
[14:40:10] Randy Turner joins the room
[14:40:19] <Chris Box> I think it's for the hostname rather than the domain but could be wrong
[14:40:20] <ekr@jabber.org> @tale: we really need to figure out what we are trying to do here
[14:40:35] <ekr@jabber.org> It seems like there are two problem statements:
[14:40:37] <Mohit Sethi> what is the vetting procedure?
[14:40:43] Tirumaleswar Reddy.K leaves the room
[14:40:46] Tirumaleswar Reddy.K joins the room
[14:40:55] <Daniel Gillmor> that would be worth clarifying.  it's particularly weird if it's just about "how to look up the DNS records for this specific hostname, which you must have already done because you're talking to it"
[14:41:00] <Mohit Sethi> how do browsers decide who is on the list and who is not
[14:41:05] <mglt> @ekr: The IP used is the one used by the ISP not your system.
[14:41:05] <Christian Huitema> The one thing I don't see in any draft is the relation with ESNI
[14:41:06] <ekr@jabber.org> 1. Allow people to discover what DoH server is affiliated with their local network 2. Allow people to discover what resolver a given domain prefers
[14:41:07] <tale > Also agreed, ekr.
[14:41:18] <mcr> Mozilla has a vetting process, @Mohit. ekr has linked to it many times.
[14:41:19] <ekr@jabber.org> This is an answer to (2)
[14:41:39] <ekr@jabber.org> The previous did both but via somewhat different mechanisms
[14:41:40] Juliana Guerra leaves the room
[14:41:41] <ekr@jabber.org> RDP is (1)
[14:41:44] Juliana Guerra joins the room
[14:41:47] Blaine Mulugeta joins the room
[14:42:01] <Mohit Sethi> mcr: vetting process for doh servers?
[14:42:10] <mcr> pretty sure, yes.
[14:42:12] <Martin Thomson> this tracking thing is totally manageable
[14:42:33] <Tommy Jensen> @christian - Tommy Pauly's draft reuses the ECH (artist previously known as ESNI) requiring record so clients can request the same record per domain and get both sets of information
[14:42:38] <Mallory Knodel> trusted recursive resolver https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjYiJvymvXqAhVfhHIEHfDKCt0QFjAAegQIARAB&url=https%3A%2F%2Fwiki.mozilla.org%2FTrusted_Recursive_Resolver&usg=AOvVaw0ne1xZxnNl45AUA-Kkar2m
[14:42:39] <Christian Huitema> @mt sure, we have a stellar track record of managing tracking
[14:42:40] Al Morton joins the room
[14:42:45] <ekr@jabber.org> Additionally, I think we need to figure out what the constraints are. Specifically, does this need to work with unmodified local CPE
[14:42:57] <ekr@jabber.org> And if so, what are the properties that we assume those CPEs have
[14:43:05] <mcr> funny that your URL goes through google tracker :-)
[14:43:09] <Mallory Knodel> (i don't love that!)
[14:43:19] <Vittorio Bertola> Privacy by a restricted list of people that are given the opportunity to track you does not seem like a great idea
[14:43:19] <ekr@jabber.org> Nick Sullivan, nice way to get through your presentation efficiently.
[14:43:21] <ekr@jabber.org> Seriously
[14:43:28] <Paul Wouters> optimal unrelated to level of privacy
[14:43:48] <Barbara Stark-jabber> TRR is a Mozilla construct. What Mozilla choose to trust and their requirements for establishing trust are not my (end user) requirements.
[14:44:07] <Chris Box> Designation is intended to apply at the hostname level, i.e. for all paths within this hostname there is a recommended DoH server X. But where some paths within that are delegated to other back end servers, this runs the risk of conflicting recommendations arising. Seems better to store this information in the DNS where it’s guaranteed to apply to the entire name.
[14:44:14] <Vittorio Bertola> Also, any allow-list is exclusionary to smaller operators and self-hosted services that will never get onto it.
[14:44:26] Carrick leaves the room
[14:44:29] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[14:44:31] Carrick joins the room
[14:44:37] Hugo Salgado (jabber) joins the room
[14:44:44] <Daniel Gillmor> without an allow-list, tracking is significantly easier to do
[14:44:48] <Mohit Sethi> sure. i am aware of TRR and comcast being part of TRR. but if every domain starts running a doh server, how will mozilla do the vetting?
[14:44:56] <Paul Wouters> yeah. the next scary step can be "we only feed DNS to trusted resolvers - you must use it to resolve our network"
[14:45:23] <Paul Wouters> s/our network/our domain/
[14:45:53] <Christian Huitema> If not served by a trusted DoH/DoT/DoQ, it makes sense to fallback to local resolver, since local router will see traffic anyhow.
[14:46:16] Igor Lubashev joins the room
[14:46:17] <Christian Huitema> Unless ESNI/ECH of course
[14:46:29] <Tommy Jensen> +1 to the comments about having pre-approved lists not scaling nor serving privacy interests long term
[14:46:45] Jiao Kang leaves the room
[14:46:49] Jiao Kang joins the room
[14:46:52] <Paul Wouters> all of this is really becoming a CAB/forum for DNS. It's scary.
[14:46:59] Jiao Kang leaves the room
[14:46:59] <Tommy Jensen> It obviously works as a crawl, walk, run first step
[14:47:55] <Barbara Stark-jabber> Mozilla vets however Mozilla decides to vet. I think a more important point is how users and every other OS and app that wants to do DoH does its vetting and how the DoH servers have to try to satisfy every entity's requirements whose program they want to be a part of.
[14:47:55] Neil Cook leaves the room
[14:48:22] <Martin Thomson> Don't squander your lead Glenn
[14:48:24] <Daniel Gillmor> historically, how has the user chosen those preferences?
[14:48:27] <sftcd> would it be unfair of me to conclude that, so far, none of these work well enough despite piling in complexity?
[14:48:27] <Chris Seal> Is the idea that DoH hinted at for a domain name 'only' applies to queries to the same domain?  Or more generically i.e. to all ads / other content on the webpage even if from different domain.  If the browser / app uses the hinted at DoH, it opens the door for a domain to not serve / delay responses for DNS queries from non-favoured domains.  How do we ensure DoH remains a neutral service if domains can steer / give hints for domains they don't control
[14:48:29] <Sam Weiler> no, I want to ask about the hints draft…
[14:48:30] <ekr@jabber.org> MOVE ON
[14:48:34] <Chris Box> Bootstrap looks good to me; now I just need my smart TV to support it. What could be the incentive for an IoT manufacturer to implement this?
[14:48:39] <ekr@jabber.org> Maybe if we add more complexity
[14:48:46] <Daniel Gillmor> (hint: the user has not ever specified these preferences)
[14:49:01] <Mohit Sethi> +1 chris box
[14:49:06] Dominique Lazanski joins the room
[14:49:13] <Mohit Sethi> barbara: i can imagine other pieces of software using the trr.
[14:49:18] Hugo Salgado (jabber) leaves the room
[14:49:19] Erik Kline leaves the room
[14:49:27] <Martin Thomson> didn't Nick specifically address that point?
[14:49:29] <Daniel Gillmor> i agree with barbara that it's troubling to see the authority placed in the browsers here
[14:49:31] <Tommy Jensen> +1 ekr, we can do questions at the end, let's not risk missing presentations
[14:49:31] <Vittorio Bertola> Also having to meet 5-10-20 different requirement sets and procedures (potentially contradictory) just to be an allowed option in all the different OSes/browsers/whatever is a problem for smaller ISPs/DNS operators
[14:49:32] Neil Cook joins the room
[14:49:34] <Mohit Sethi> at least for trusted CA lists that is the case
[14:49:38] Jay Daley leaves the room
[14:49:50] Hugo Salgado (jabber) joins the room
[14:49:52] <Daniel Gillmor> but the authority has traditionally been placed in the network
[14:50:07] <Daniel Gillmor> which is an even more dubious proxy for user choice
[14:50:28] Chris Seal leaves the room
[14:50:34] Chris Seal joins the room
[14:50:42] <Mallory Knodel> trr makes a solid business case for privacy as a service. A+, more please.
[14:50:46] <Vittorio Bertola> @dkg again, whether the network or the browser is more trusted by the user really depends on each specific case
[14:50:56] Dan McArdle joins the room
[14:50:57] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[14:51:03] <Martin Thomson> MP_NOT_FOUND!
[14:51:05] <Daniel Gillmor> Vittorio, i agree
[14:51:07] <Benjamin Schwartz> No one is denying the user that choice.
[14:51:21] <Tommy Jensen> lol Martin, same
[14:51:23] <sftcd> @mallory: I like TRR but don't like that TRR too;-)
[14:51:25] Jason Livingood joins the room
[14:51:29] <Daniel Gillmor> Ben, we're talking here about defaults and things that happen automatically
[14:51:31] dmcardle joins the room
[14:51:31] <ekr@jabber.org> As @Ben says, I believe every browser allows the user to just fall back to Do53
[14:51:38] <Wes Hardaker clone> @mallory: I'd argue privacy should be a default and shouldn't need a business.  But I recognize that economics may prevent that ideology.
[14:51:39] <sftcd> in the end I setup my own DoH server
[14:51:40] Hugo Salgado (jabber) joins the room
[14:51:44] Ralf Weber leaves the room
[14:51:44] <Paul Wouters> mallory: see recent VPN providers with "no logs" exposed with full detail logs.
[14:51:54] Ralf Weber joins the room
[14:51:59] <Paul Wouters> you can't trust claims made by parties you cannot verify
[14:52:02] Stephan Emile leaves the room
[14:52:02] <Chris Lemmons> Vetted lists also tend to consolidate the power to the powerful. You can pretty easily imagine a situation where getting a new system available to the users requires satisfying a few very large industry players.
[14:52:11] <Paul Wouters> and if you start verifying claims, you get CAB/forum :/
[14:52:11] <Daniel Gillmor> by "no" we mean "lots of"
[14:52:16] Stephan Emile joins the room
[14:52:27] <Sam Weiler> Question to the chairs re: the interim poll: what TIME are you targeting on each of those dates?
[14:52:27] <Mallory Knodel> @wes when business cases conflict with privacy by default it's a useful reframe of the problem. obvs i'm more on the side of dkg and others wrt user choice. same conclusion/different argument
[14:52:42] <Allison Mankin> Ekr, falling back to Do53 only?
[14:52:57] Ralf Weber leaves the room
[14:52:58] <Martin Thomson> Sam: 4am AEST, I'll bet
[14:53:00] <Christian Huitema> Funny relation between privacy and centralization. Privacy by mixing in crowds, centralization by serving large crowds...
[14:53:01] <ekr@jabber.org> Just as a clarification point: CABF mostly just sets basic standards. The browsers select their own roots from CAs which are compliant with the BRs.
[14:53:04] Ralf Weber joins the room
[14:53:04] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[14:53:17] <Sam Weiler> mt, sympathies
[14:53:36] <Martin Thomson> it's OK, I get to miss the meeting without feeling guilty
[14:53:44] <ekr@jabber.org> @Allison: correct. Firefox in particular has three basic settings (1) let us select a DoH server for you automatically (2) use a specific DoH server, including your own (3) disable DoH
[14:53:49] Hugo Salgado (jabber) joins the room
[14:54:45] <ekr@jabber.org> I don't know what settings others have in detail
[14:54:47] Moritz Müller leaves the room
[14:54:52] moritz leaves the room
[14:54:53] <andrew_campling> @Christian Jari's paper on centralisation highlights some of the various downsides, and then of course there's all the antitrust aspects
[14:55:01] <Martin Thomson> I can see Barbara twitching sporadically as people keep saying "CPE"
[14:55:03] Tirumaleswar Reddy.K leaves the room
[14:55:06] Tirumaleswar Reddy.K joins the room
[14:55:16] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[14:55:48] <Chris Box> :-) (I'm guilty of that too)
[14:55:48] <Tommy Jensen> @mt - ah, good reminder. Are there good short terms for "CPE that are ISP provided" and "CPE that are customer provided"?
[14:55:56] John Levine joins the room
[14:55:58] Hugo Salgado (jabber) joins the room
[14:56:02] Paul Hoffman leaves the room
[14:56:03] <Neil Cook> managed CPE vs unmanaged CPE
[14:56:08] <ekr@jabber.org> Customer Premises Equipment (CPE) and Customer Provided Equipment (CPE)
[14:56:08] Peter Koch leaves the room
[14:56:10] <ekr@jabber.org> :)
[14:56:13] <Christian Huitema> There has to be an acronym for that
[14:56:22] <Martin Thomson> Barbara had a term in the mail.  I am sorry to say that I forgot what that was.
[14:56:28] <Daniel Gillmor> is my laptop a customer provided equipment?
[14:56:40] <Jana Iyengar> dkg: depends
[14:56:48] <Barry Leiba> SCGFA: Stuff the Customer Got From Amazon
[14:56:50] <ekr@jabber.org> @dkg: it was before I swapped it out in Singapore
[14:56:51] <Glenn Deen> @SAM - likely morning ET, early morning PT (6am or 7am?)
[14:56:51] <Martin Thomson> customer"
[14:56:55] <Tommy Jensen> @ekr :rofl:
[14:57:02] <Martin Thomson> "customer" is as dehumanizing as "consumer"
[14:57:08] <Glenn Deen> afternoon GMT
[14:57:10] <ekr@jabber.org> Now it's Attacker Provided Equipment
[14:57:18] <Daniel Gillmor> EPS: ekr provided equipment
[14:57:19] <Mohit Sethi> Not a fan of the term 'authentication domain name', but what mohammad is presenting seems fine.
[14:57:22] <Pete Resnick (the other one)> Meta-question: Is the agenda going to simply be presentations and very short comments? If so, I can read them offline and see the minutes, and for now I can run off and get other work done if there's not going to be any in-depth substantive discussion. (Not trying to be snarky; just trying to manage my time.)
[14:57:23] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[14:57:39] <Martin Thomson> Glenn: thanks, that's maximally hostile for me, but expected.
[14:57:57] <Barbara Stark-jabber> @Martin: :)
[14:58:02] Hugo Salgado (jabber) joins the room
[14:58:16] Francois Ortolan leaves the room
[14:58:32] <Martin Thomson> Abuse of minorities is a signature property of the IETF.
[14:58:39] Francois Ortolan joins the room
[14:58:46] <tale > We do have time at the end, Pete, but yes I agree,  This is something Glenn and I will be working on remedying, and working with Barry on
[14:58:46] Tirumaleswar Reddy.K leaves the room
[14:58:48] Tirumaleswar Reddy.K joins the room
[14:58:54] Igor Lubashev leaves the room
[14:58:54] Francois Ortolan leaves the room
[14:59:11] <Tirumaleswar Reddy.K> "authentication domain name" is defined in RFC8310
[14:59:26] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[14:59:27] Francois Ortolan joins the room
[14:59:27] Julien Maisonneuve joins the room
[14:59:32] Igor Lubashev joins the room
[14:59:51] Randy Turner leaves the room
[15:00:04] <Barry Leiba> The plan is that after this shotgun thing, the WG will trim the list of suitable candidates for adoption and discuss them in more detail.  I look forward to the interim.
[15:00:11] Hugo Salgado (jabber) joins the room
[15:00:13] <Christian Huitema> Isn't the CPE Cert problem a variation of delegated certificates?
[15:00:15] <Pete Resnick (the other one)> Thanks tale. Maybe I'll try and drop back in at the end. Thanks for looking into remedies.
[15:00:23] <Tommy Jensen> @barry - aren't there more drafts lined up for the interim?
[15:00:26] <Barry Leiba> We probably should have gone for two sessions here at 108, but many proposals didn't come in in time to plan that.
[15:00:44] Paul Adair leaves the room
[15:01:23] <ekr@jabber.org> I suggest we merge all of these
[15:01:37] Peter Feil joins the room
[15:01:38] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:01:41] <Glenn Deen> @Tommy - the link to the additional drafts that didn't make the agenda are at the bottom of the agenda
[15:01:55] <Christian Huitema> @ekr reviewing one 100pages draft is so much easier than 10 10 pages..
[15:02:00] <Mohit Sethi> @tiru: indeed. but that doesn't make it a good term. 'authentication domain name' makes me wonder:
[15:02:01] Markus leaves the room
[15:02:04] <ekr@jabber.org> We'll use STUN to look up an IP address which we then do a reverse query on and then look up HTTPSVCB and then check it against a certificate that is authenticated via BRSKI
[15:02:12] <Tommy Jensen> @glenn ah ok so the primary agenda is adoption discussion? That's great
[15:02:19] <sftcd> @ekr: what about CRLs?
[15:02:19] Hugo Salgado (jabber) joins the room
[15:02:26] Pete Resnick leaves the room
[15:02:36] <Martin Thomson> I suggest that we agree on which problems we want to solve, then agree on what principles apply to each, then have small, uncomplicated drafts that enact those choices.
[15:02:37] <ekr@jabber.org> sftcd: sorry, short-lived certs issued via EST
[15:02:44] Al Morton leaves the room
[15:02:59] Igor Lubashev leaves the room
[15:02:59] <ekr@jabber.org> @MT: that was my proposal before, but now I'm into the bad-attitude phase of the meeting
[15:03:00] <tale > ack mt.  
[15:03:11] Ralf Weber leaves the room
[15:03:12] Ralf Weber joins the room
[15:03:17] Melinda leaves the room
[15:03:27] Melinda Shore joins the room
[15:03:30] <Petr Spacek> +1 to mt
[15:03:43] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:03:49] <Daniel Gillmor> MT: if we do that, how will we make it complicated enough to be sure that there are no obvious mistakes?
[15:03:49] <nygren > Has the "how to usefully get TLS certs to CPE and bootstrap trust within the home" been tackled somewhere?  That's going to be a pre-req for anything trying to do DoH/DoT to a CPE.
[15:04:15] Jonathan Lennox leaves the room
[15:04:25] <mcr> nygren, I have running code for TLS cert to CPE.
[15:04:28] Hugo Salgado (jabber) joins the room
[15:04:38] <Martin Thomson> This draft and presentation are overcomplex, but there is a kernel in it that is reasonable.
[15:04:47] <Chris Box> Generally a very useful draft. I'd like to see it adopted, or at least agree this problem space, and then have the group work on that.
[15:04:54] <Tirumaleswar Reddy.K> we have running code available of DNSDist ported to OpenWRT and modified
[15:04:55] <mcr> there are some issues.  (I have dropped out of ADD to pay attention to DRIP)
[15:04:56] <sftcd> @nygren: same here wrt running code - if you have a namespace and a VPN server doing IPv6, it's not hard
[15:05:11] <Mohit Sethi> +1 for draft: there is something useful here
[15:05:17] <Martin Thomson> If you think that you can upgrade these devices.
[15:05:29] <Christian Huitema> Seems like the CPE needs a certificate delegated from the ISP. Just like delegated certs
[15:05:32] <tale > mcr are you up for tiru's next preso?
[15:05:33] Ted Hardie joins the room
[15:05:39] <Alister Winfield> Oh it's worse, protecting a cert on a CPE is hard and avoiding a Let's Encrypt cert being created for the same 'name' is somewhat unlikely to work out well...
[15:05:44] <Tirumaleswar Reddy.K> yes, ready
[15:05:48] <mcr> I think so. I was not briefed on those slides. which one is it?
[15:05:56] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:06:01] <sftcd> I'm behind in reading ADD drafts (unsurprisingly) but would argue to not adopt anything seen so far today simply as they're almost all over complex
[15:06:17] Tirumaleswar Reddy.K leaves the room
[15:06:17] Julien Maisonneuve leaves the room
[15:06:20] Tirumaleswar Reddy.K joins the room
[15:06:23] Julien Maisonneuve joins the room
[15:06:32] <mcr> @tale, I'm not clued into add-server-policy-selection, but I can wing it. But here's Tiru again.
[15:06:36] <Barbara Stark-jabber> What are you wanting the cert on the CE router to tell you about the CE router? Are you wanting it to say "The ISP trusts your router to do what the ISP wants?"
[15:06:37] Hugo Salgado (jabber) joins the room
[15:06:37] <Mohit Sethi> too early to adopt but useful blocks here
[15:06:56] Wei Pan joins the room
[15:07:27] <ekr@jabber.org> Any situation in which you and I are co-customers of ISP X and your CPE contains a certificate which lets you be my DoH server seems problematic
[15:08:06] <ekr@jabber.org> I mean, it kind of obviates the point of DoH
[15:08:07] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:08:13] <mcr> Barbara, good question. @ekr, that seems like it would indeed be a problem of authorization.
[15:08:16] <ekr@jabber.org> LOLOL. EV.
[15:08:22] <Barbara Stark-jabber> @ekr: We agree!
[15:08:30] <sftcd> primary use case for cert on CPE router is so that the password to control the thing isn't sent in clear over n/w
[15:08:38] Juliana Guerra leaves the room
[15:08:42] Alexander Mayrhofer leaves the room
[15:08:42] Paul Adair joins the room
[15:08:44] Alexander Mayrhofer joins the room
[15:08:45] Hugo Salgado (jabber) joins the room
[15:08:50] <Christian Huitema> How about TLS to ISP server, then redirect from there to selected CPE?
[15:09:00] Tim Chown joins the room
[15:09:01] <Paul Wouters> sftcd: but it is safe over its own VLAN :)
[15:09:08] <mcr> or, that there is no passwords required at all, because the client TLS keys are pinned.
[15:09:23] Kirsty P leaves the room
[15:09:26] <sftcd> TLS client auth to CPE router seems like fiction to me
[15:09:43] Alissa Cooper leaves the room
[15:09:47] <Tommy Jensen> ekr, Barbara... this all comes back to a bigger-than-DNS problem: local networks can't securely communicate with non-pre-configured clients. I'm not sure the WG can really adopt the mission of "secure connections to RFC1918 addresses" until that changes or until we scope to network-owned devices only (not helpful for home users)
[15:09:47] Alissa Cooper joins the room
[15:09:54] <mcr> sftcd, running code man.
[15:10:09] Shwetha Bhandari leaves the room
[15:10:11] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:10:12] Alissa Cooper leaves the room
[15:10:13] <Barbara Stark-jabber> @Tommy J: Yes
[15:10:13] <ekr@jabber.org> @Tommy: I agree with this. I just don't think there is consensus on it, so I was hoping to get agreement on a more limited thing
[15:10:13] <sftcd> sure, I could build it too, but don't see it being deployable
[15:10:14] Shwetha Bhandari joins the room
[15:10:16] <Tommy Jensen> @mcr, I owe your running code a look for sure
[15:10:23] Alissa Cooper joins the room
[15:10:47] <Alister Winfield> CPE 'could' run a service on its public IP allowing only the LAN network to talk to it... but it's trivial to attack from inside the LAN side of the network.
[15:10:49] <mcr> there is a PoC in 2019, and the alpha will go home with people as soon as lockdown is over.
[15:10:51] <ekr@jabber.org> This is Son of P3P
[15:10:54] Hugo Salgado (jabber) joins the room
[15:11:01] <nygren > Getting some sorts of certs / key pairs is "easy" (although far too often involve very unfortunate shipping of private keys on devices).  Establishing a meaningful trust model (especially in the face of a mixture of ISP-provided, purchased-from-Amazon, opensource, and user-tampered-with) CPEs is really hard.  
[15:11:02] <Christian Huitema> Great. Same trust to DoH as to various VPN servers...
[15:11:34] <mcr> @nygren, you are certainly right, that it can be difficult to get the authorization.
[15:11:52] Frode Sorensen leaves the room
[15:11:56] Frode Sorensen joins the room
[15:12:12] <ekr@jabber.org> who is going to consume this information?
[15:12:15] <Chris Seal> The biggest benefit of ISP resolving is proximity - lower RTT to resolve.  In 5G especially the radio latency to edge servers is significantly lower than latency to near data center.  So I'm looking for solutions that allow ISP to be the primary / default DNS resolver but of course individuals should be free to select any other of their choice and/or domains express their preference.
[15:12:16] Benjamin Kaduk joins the room
[15:12:20] Shwetha Bhandari leaves the room
[15:12:20] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:12:41] Shwetha Bhandari joins the room
[15:12:44] <Tommy Jensen> @ekr - scoping is good. Unfortunately, I see no path to success within our charter for the scope "secure to RFC1918 when a non-technical device owner connecting to home ISP" which is an important scope for many of us. If we can limit to "enterprise or similar who own all devices allowed to connect" then we could make progress.
[15:12:51] <ekr@jabber.org> Tommy: +1
[15:13:02] Hugo Salgado (jabber) joins the room
[15:13:06] Francois Ortolan leaves the room
[15:13:08] Shwetha Bhandari leaves the room
[15:13:16] Shwetha Bhandari joins the room
[15:13:16] Wei Pan leaves the room
[15:13:17] Francois Ortolan joins the room
[15:13:27] Peter Feil leaves the room
[15:13:40] Jiankang Yao leaves the room
[15:13:43] Jiankang Yao joins the room
[15:13:53] <mcr> when I was little, I thought "Anne with an E" (as in Gables), meant, "EANN"
[15:13:59] Jiankang Yao leaves the room
[15:14:04] Jiankang Yao joins the room
[15:14:17] Peter Feil joins the room
[15:14:18] <nygren > Tommy: +1, but this may be an important topic for another WG or forum to pick up since I think this is going to come up increasingly.   (eg, for secure communications to printers at home, etc).
[15:14:19] Yuichi Takita leaves the room
[15:14:21] Yuichi Takita joins the room
[15:14:27] <Benjamin Schwartz> What's a printer?
[15:14:28] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:14:44] m leaves the room
[15:14:46] <sftcd> @ben: a mechanical device that breaks
[15:14:47] m joins the room
[15:14:48] <mcr> a printer is a thing you use to communicate with lawyers and doctors.
[15:14:56] <Tommy Jensen> @nygren - +1. I will happily join that conversation wherever it is appropriate, as this isn't deflection but a recognition of the problem's true scope
[15:14:56] Stephan Emile leaves the room
[15:14:58] Stephan Emile joins the room
[15:14:59] <mcr> and tax collectors.
[15:14:59] Francois Ortolan leaves the room
[15:14:59] Francois Ortolan joins the room
[15:15:00] <nygren > But without an AuthN+AuthZ model that works within home networks and non-technical device owners we're going to keep getting stuck here.
[15:15:10] Hugo Salgado (jabber) joins the room
[15:15:10] m leaves the room
[15:15:10] m joins the room
[15:15:11] <ekr@jabber.org> @mcr: that's a fax machine
[15:15:11] <Carrick> I just printed out some drafts the other day. Am I doing it wrong?
[15:15:12] <Christian Huitema> Something so HP can export your documents to whoever they choose.
[15:15:30] Jiankang Yao leaves the room
[15:15:33] Jiankang Yao joins the room
[15:15:35] <mcr> @ekr, shows up in the printer dialogue, right?
[15:15:43] <Tommy Jensen> @carrick - unless you printed to PDF, yes
[15:15:57] Chris Seal leaves the room
[15:16:00] <Carrick> Tommy: D:
[15:16:05] Chris Seal joins the room
[15:16:05] <nygren > printer: a device for turning trees and plastic powder into drafts
[15:16:20] Chris Seal leaves the room
[15:16:24] Chris Seal joins the room
[15:16:26] <Jana Iyengar> Oh, so that's what the RPC does?
[15:16:38] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:16:51] <mcr> @nygren: now that our drafts are XML+SVG, can we include 3D-printing instructions?
[15:17:00] <Martin Thomson> nygren: you seem to be doing it wrong
[15:17:19] Hugo Salgado (jabber) joins the room
[15:17:21] <sftcd> @mcr: you mean we should 3D print the next RSE?
[15:17:48] <mcr> I like the slide background with the tunnel of binary data.  
[15:18:05] <Tommy Jensen> @andrew, @chris, I would love to know if you agree with those of us saying the secure negotiation with networks is bigger than DNS. I see the value in solving the problem, I just don't think the ADD charter will cover it and we'll hack something together we can't reuse and we'll all hate for the next five decades
[15:18:09] <mcr> @sftcd, I actually believe that Eliot Lear might have been 3D printed.
[15:18:52] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:19:03] <Chris Box> @Tommy as I said on the list, I do accept the problem space is larger than DNS. But I have no idea what the correct scope and working group home for this would be.
[15:19:16] Cullen Jennings leaves the room
[15:19:24] Stephan Emile leaves the room
[15:19:27] Francois Ortolan leaves the room
[15:19:28] Hugo Salgado (jabber) joins the room
[15:19:30] Francois Ortolan joins the room
[15:19:41] Stephan Emile joins the room
[15:19:43] <Tommy Jensen> @chris - sorry, I'm losing track of that now very large thread. Cool. My IETF experience is insufficient to answer that question
[15:19:46] m leaves the room
[15:19:46] <nygren > +lots to Tommy
[15:19:50] m joins the room
[15:19:52] <sftcd> @Chris: If someone came up with a usable useful well-supported mechanism for that larger space, I doubt finding a venue would be hard
[15:19:56] <Martin Thomson> pedantic nitpick: many people use this, therefore it is clearly valid is a logical error
[15:20:03] <Tommy Jensen> I'll hit the list with a fresh thread to gather wisdom on that point
[15:20:04] <Vittorio Bertola> Also I think deferring to a broader work is fine if we also have a way to deal with the interim situation. Not if it means no discovery of local DoH resolvers for the next 3 years.
[15:20:14] <Mike Bishop> Secdispatch?
[15:20:16] <Barbara Stark-jabber> Homenet tried to consider a security framework in the context of homenet. Everyone wants it. Nobody has figured out how to do it.
[15:20:54] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:21:06] <Tommy Jensen> @barbara - see, this scares me because if we want to block draft adoption on not solving a known hard problem, we're doomed to leave encrypted DNS deployment unattended even longer
[15:21:30] <Tommy Jensen> @mike - I'm certainly open, would emailing that list and asking be appropriate?
[15:21:37] Hugo Salgado (jabber) joins the room
[15:21:47] <ekr@jabber.org> It's worth noting that this doesn't meet the reqt that Andrew mentioned earlier
[15:22:15] <Tommy Jensen> @vittorio - this surprises me. Why must you have DoH to CPE (of either kind) immediately? If what you have currently works, what's the rush to not take the time to do it right?
[15:22:37] <Vittorio Bertola> Well, this current presentation (or something like that) is meant to provide a reasonable interim solution while we work on something bigger and better, but that depends on what one considers acceptable as an interim solution
[15:22:45] Paul Hoffman joins the room
[15:23:02] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:23:03] <Vittorio Bertola> This draft doesn't do DoH to CPE
[15:23:04] <Chris Seal> Latency to CPE <1ms,  Latency to edge servers 1-5ms.  Latency to Cloud 10-100ms.
[15:23:15] <Mike Bishop> I think secdispatch would be the right place to take a proposal and get it spun up to a working group / directed to one.  However, the bigger issue is having ideas on how to solve that big problem.
[15:23:17] <Vittorio Bertola> Only discovery of ISP DoH resolver via CPE
[15:23:32] <Desiree Miloshevic> we can go to gather
[15:23:46] Hugo Salgado (jabber) joins the room
[15:23:50] <Martin Thomson> we don't need proposals, we need consolidation of drafts
[15:23:55] <Martin Thomson> not all consolidation is bad
[15:24:00] <Tommy Jensen> @vittorio - so our draft's position is there's no need for a draft to address opportunistic because we could do that today just by DoT knocking (RFC7858 says auth isn't required)
[15:24:03] <Tommy Jensen> Do you agree?
[15:24:11] <nygren > There may be value in a BOF or mailing list to have a focused discussion here?   A closely related use-case is authentication to localhost services.
[15:24:20] <andrew_campling> @Tommy J - in addition to providing access to DNS encryption for the majority of European users, you may also need DoH in order to access other privacy options (eg ECH as currently drafted)
[15:24:21] <Doug Stamper> +1 to Martin
[15:24:30] <Tirumaleswar Reddy.K> opportunistic is specific to DoT, no such mode for DoH
[15:24:36] <Neil Cook> Saying DoT solves it ignores the fact that all browsers are doing DoH and not DoT
[15:24:43] <Benjamin Schwartz> Note that Android is already doing DoT knocking.  If you deploy that on your managed CPE, Android will encrypt DNS.
[15:25:12] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:25:19] <mcr> https://doodle.com/poll/zyppxqte8pcwex3p <- cause it took me more than a minute to find that link.
[15:25:22] <mcr> in the agenda.
[15:25:32] <vladimir.cunat> not sure why there are so many claims that implementing DoT is harder than DoH
[15:25:33] <Vittorio Bertola> If browsers only do DoH, offering DoT is not very useful
[15:25:47] <mcr> IoT devices are better off doing DoT :-)
[15:25:49] <Tommy Jensen> Saying browsers aren't trying opportunistic sounds like a feature request and not a standards request :)
[15:25:51] <mcr> why do DoH?
[15:25:55] Hugo Salgado (jabber) joins the room
[15:26:18] <mcr> (DoH wins, because it's hidden from hostile regimes. The use cases are not the same)
[15:26:28] <sftcd> +1 to de-cruft
[15:26:30] Kirsty P joins the room
[15:26:38] <Mohit Sethi> +1 to martin
[15:26:44] <Vittorio Bertola> But how could browsers try opportunistic DoH to the local DoH resolver if there is no standard way to discover the local DoH resolver?
[15:26:45] <Tommy Jensen> +1 to mcr: DoH and DoT need not compete
[15:26:50] <andrew_campling> @Martin at least two of teh proposals do solve the same provider auto upgrade problem for current network operator architecture  
[15:27:09] <andrew_campling> *the
[15:27:17] <nygren > I also suspect that DoQ may end up being a good solution for many things in the longer-term.  (Although probably more as a good solution for recursive to authoritative.)
[15:27:19] <Ted Lemon> I can't find what Martin said in the log
[15:27:19] <Martin Thomson> Andrew, yes, but you have to dig for that.
[15:27:19] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:27:28] <Martin Thomson> Ted, it was at the very beginning.
[15:27:33] <Tommy Jensen> @vittorio - I'm saying ask browsers to implement DoT if you need opportunistic ASAP. DoH isn't a good solution for connecting to RFC1918 addresses.
[15:27:35] <Neil Cook> @tommy why is only no-encryption or fully authenticated. Why not opportunistic as a stepping stone from no-encryption?
[15:27:43] Jason Livingood leaves the room
[15:27:45] Jason Livingood joins the room
[15:28:04] Hugo Salgado (jabber) joins the room
[15:28:07] <Tommy Jensen> @neil - I am suggesting opportunistic, I'm just saying it requires no additional standard work
[15:28:18] <Daniel Gillmor> @Neil opportunistic is a reasonable stepping stone
[15:28:19] <nygren > The use-cases are important as they also define what level of authorization is needed.
[15:28:23] <Neil Cook> @tommy by saying use DoT if I understand
[15:28:36] Jiankang Yao leaves the room
[15:28:37] <Vittorio Bertola> @Tommy then browsers will reply that they already implemented DoH so why should they also spend energy in implementing DoT. But happy to be proven wrong
[15:28:41] Jiankang Yao joins the room
[15:28:43] <Daniel Gillmor> @Tommy -- it can be useful to have guidance for implementers about how to do opportunistic
[15:28:50] m leaves the room
[15:28:51] <Benjamin Schwartz> Browsers don't need to implement opportunistic DoT if the OS does it.
[15:28:52] sftcd is generally a fan of opportunistic if there is a path to authenticated for later
[15:28:54] m joins the room
[15:29:09] m leaves the room
[15:29:14] <Daniel Gillmor> just because i've seen *lots* of engineers do opportunistic in really odd ways
[15:29:29] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:29:45] Andrew S leaves the room
[15:29:54] <Ted Lemon> got it
[15:29:58] <Joey Salazar> I would also like DNSSEC to be required in most drafts, like in pauly's, instead of recommended, but this is a topic for the ml/interim I think
[15:30:13] Jason Weil leaves the room
[15:30:13] Hugo Salgado (jabber) joins the room
[15:30:21] Roman Danyliw joins the room
[15:30:59] <Vittorio Bertola> I also think that an agreed requirements draft would be useful
[15:31:02] Jason Weil joins the room
[15:31:05] <Neil Cook> +1 to requirements
[15:31:07] <Tommy Jensen> @daneil and others ... hmm, fair enough. I'll talk to the other Tommy when he's free about that
[15:31:09] <andrew_campling> @Ekr it's worth bearing in mind that bypassing the CPE will have consequences for the user
[15:31:20] <Martin Thomson> I wrote a long email about 18 months ago that outlined principles and threat model and other things.  Nothing has changed as far as I can tell.
[15:31:26] <Tommy Jensen> @daniel * sorry
[15:31:34] <Chris Seal> +1 requirements
[15:31:38] Renjie Tang leaves the room
[15:31:39] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:32:11] <andrew_campling> Permission problem on Apple device for Ralf?  
[15:32:16] <ekr@jabber.org> @Andrew: I do have opinions but right now I'm not espousing anything in particular other than that we need to agree on what we are trying to do
[15:32:21] m joins the room
[15:32:23] Hugo Salgado (jabber) joins the room
[15:32:31] <andrew_campling> @ekr agreed
[15:32:31] <tale > I can jabber for you, ralf
[15:32:32] Hannu Flinck leaves the room
[15:32:34] <mcr> no mic icon for Ralf, I think that he didn't get hand-mic vs play-mic
[15:32:35] <Paul Wouters> selecting the video camera does NOT enable your audio feed. you need to enable BOTH
[15:32:38] <dschinazi@jab.im> You need to click both "join video" and "join audio" to get audio, I think Ralph only clicked "join video"
[15:32:47] Hannu Flinck joins the room
[15:33:06] Hannu Flinck leaves the room
[15:33:06] Hannu Flinck joins the room
[15:33:14] Hannu Flinck leaves the room
[15:33:20] Hannu Flinck joins the room
[15:33:26] Dragana Damjanovic joins the room
[15:33:26] <Daniel Gillmor> @tommy, it's possible that the "opportunistic privacy profile" in RFC 7858 is sufficient guidance though (at least for DoT -- but it probably wouldn't take much to translate it to DoH if folks are serious about wanting opportunistic "DoH knocking")
[15:33:30] <Ralf Weber> Mic: Agree with a lot of the comments before - we should do the easy one resolver upgrade first. We do have a solution for designating domains. It is regular resolving. If people want that they should work with dprive on securing recursing to authoritative.
[15:33:32] <mcr> https://doodle.com/poll/zyppxqte8pcwex3p poll for interim in september.
[15:33:34] Peter Feil leaves the room
[15:33:36] Roland van Rijswijk-Deij joins the room
[15:33:39] <andrew_campling> Agreed on GDPR (and Californian and poss other equivalents)
[15:33:42] <tale > got it ralf
[15:33:45] Greg Wood joins the room
[15:33:51] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:34:00] <nygren > @mt: would that email be good for a start for a draft?   (I also had a similar blog post about 18 months ago…)
[15:34:07] Greg Wood (IETF LLC) joins the room
[15:34:12] <Tirumaleswar Reddy.K> @Martin - agree on the threat model; we tried to cover several possible attacks in https://tools.ietf.org/html/draft-btw-add-home-07#section-9
[15:34:33] Hugo Salgado (jabber) joins the room
[15:34:35] <Martin Thomson> nygren: possibly, I also note that I sent another 4 months ago, maybe I needed to write a draft
[15:34:39] Lucas Pardue leaves the room
[15:34:46] John (Clone) Levine joins the room
[15:34:54] <Carrick> +1 to all comments given so far
[15:34:56] <Tommy Jensen> @ralf - I disagree on the designation work because it's so integral to discovering DoH resolvers
[15:35:04] <Tommy Jensen> possibly a fuzzy overlap between the WGs
[15:35:07] Barbara Stark leaves the room
[15:35:11] Tirumaleswar Reddy.K leaves the room
[15:35:11] Barbara Stark joins the room
[15:35:13] Tirumaleswar Reddy.K joins the room
[15:35:44] <Tommy Jensen> @daniel - I'm opposed to opportunistic DoH as it means opportunistic HTTPS which I'm not ok with
[15:35:48] Francois Ortolan leaves the room
[15:35:49] Francois Ortolan joins the room
[15:35:57] <Ralf Weber> There are lot of overlaps at the moment - ns2 was e.g presented in dnsop
[15:35:57] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:36:01] <Jari Arkko> FWIW, I agree with Eric Orth that better breakdown. However, I would argue that priority should be solving the origin server problem, because that would have the biggest chance of affecting improper concentration of queries to too few hands by the well known actors.
[15:36:06] <Chris Seal> The fact that RFC8484 allows HTTP Cookies to be used (says SHOULD NOT, not MUST NOT) is part of the problem for GDPR.  GDPR includes the requirement to do 'Privacy by Design' and criteria for minimising what's shared to essential only etc
[15:36:14] <Chris Box> +1 to Ben that we needed to explore ideas first. Now can do the requirements properly.
[15:36:21] <Daniel Gillmor> @tommy that makes sense to me, but it does mean asking the DoH implementers to roll out DoT for opportunistic work.
[15:36:23] <Daniel Gillmor> that's probably fine
[15:36:26] m leaves the room
[15:36:37] <Daniel Gillmor> DoT is pretty simple by comparison to DoH
[15:36:41] Hugo Salgado (jabber) joins the room
[15:36:46] m joins the room
[15:36:53] <Daniel Gillmor> ( because TLS is simple compared to HTTPS )
[15:37:15] m leaves the room
[15:37:15] <Tommy Pauly> Yeah, DoT is trivial to implement. If you can do DoH, you can do DoT. We added support for both at the same time, for example.
[15:37:23] Ulrich Wisser leaves the room
[15:37:28] m joins the room
[15:37:41] <Tommy Jensen> @daniel - as a DNS client who will have to do additional work, I agree. If browsers don't want to support it, they can defer to the OS instead ;)
[15:37:43] m leaves the room
[15:37:48] <Chris Seal> If you can do Do53 then you can do DoT :-)
[15:37:52] m joins the room
[15:37:57] <Benjamin Schwartz> After writing a multithreaded DoT resolver thread pool in C++ I wouldn't say it's trivial.
[15:38:05] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:38:07] Christopher Wood leaves the room
[15:38:17] <Chris Box> @TommyP do you mean iOS 14 beta is probing port 853? I missed that.
[15:38:27] <sftcd> nice to end on optimism (though I wonder how long it'll last:-)
[15:38:50] Hugo Salgado (jabber) joins the room
[15:38:51] <Christian Huitema> DoQ is even simpler -- I have a single threaded implementation
[15:38:54] <Tommy Pauly> @Chris, no, not doing any opportunistic right now. But we have the protocol support for DoT and DoH in general.
[15:38:59] <andrew_campling> @tale worth putting the doodle poll URL in the chat / jabber?
[15:38:59] <Chris Box> ok
[15:39:01] <Neil Cook> DoT still doesn't solve the problem for CPEs doing forwarding
[15:39:03] Frode Sorensen leaves the room
[15:39:04] Taiji Kimura leaves the room
[15:39:09] <tale > sure one se
[15:39:12] Matthew Miller leaves the room
[15:39:14] <Paul Hoffman> Early for West Coast is OK. Heck, we had to do 4AM yesterday.
[15:39:16] <Neil Cook> You need a DNS lookup for that
[15:39:18] <mcr> flat earth.
[15:39:24] <Alissa Cooper> Rotate your meeting times
[15:39:25] Mohamed Boucadair leaves the room
[15:39:27] <Puneet Sood> If the default position is that the OS provides DoT, we need a common API for apps to discover the OS DNS state
[15:39:28] Tirumaleswar Reddy.K leaves the room
[15:39:30] <tale > https://doodle.com/poll/zyppxqte8pcwex3p    target time is probably around 14h UTC
[15:39:31] Tadahiko Ito leaves the room
[15:39:31] Tirumaleswar Reddy.K joins the room
[15:39:37] <mcr> move to discworld.
[15:39:38] <tale > give or take
[15:39:40] <Carrick> Choose a time that's inconvenient for everyone to make it fair
[15:39:49] m leaves the room
[15:39:53] <Alissa Cooper> If you always follow a poll, the same people will be time zone disadvantaged over and over
[15:39:53] m joins the room
[15:39:54] <Tommy Jensen> @neil - wait, why? The client (OS, browser) doing DoT to the CPE allows the CPE to then forward wherever it wants. What am I missing?
[15:39:55] <Mark Nottingham> Distribute the pain; it's not acceptable to make it always easier for some people.
[15:39:57] <Benjamin Schwartz> Puneet: Android has such an API.  (The Android APIs are in Java so they're typically not shared with other platforms.)
[15:40:08] m leaves the room
[15:40:14] <Neil Cook> @tommy the point is that the CPE doesn't support DoT
[15:40:15] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:40:22] m joins the room
[15:40:23] m&m leaves the room: Disconnected: closed
[15:40:25] Andrew S joins the room
[15:40:29] chi.jiun.su leaves the room
[15:40:45] Christian Huitema_452 leaves the room
[15:40:48] <tale > agree mnot, it's a challenging problem.   unfortunately the bulk of people working here seem to be western hemisphere.   i personally (no hat?) am open to other times though; i don't mind middle of the night for me
[15:40:49] Christian Huitema_214 joins the room
[15:40:53] <Neil Cook> @tommy hence why you need to do a DNS lookup to find the DoH/DoT resolver "behind" the forwarder
[15:40:58] Hugo Salgado (jabber) joins the room
[15:41:06] Mark Nottingham leaves the room
[15:41:07] Samuel Weiler leaves the room
[15:41:07] Greg Wood leaves the room
[15:41:08] Jari Arkko leaves the room
[15:41:09] Ray Bellis leaves the room
[15:41:09] Adam Roach leaves the room
[15:41:09] Paul Wouters leaves the room
[15:41:10] <Mallory Knodel> 1- ask for preferred times, 2- cluster them into 3 options, 3- rotate amongst them.
[15:41:10] Stephen Farrell leaves the room
[15:41:12] John Levine leaves the room
[15:41:12] Kris Shrishak leaves the room
[15:41:12] Jonathan Reed leaves the room
[15:41:13] m leaves the room
[15:41:13] Zaid AlBanna leaves the room
[15:41:14] Jim Reid leaves the room
[15:41:14] PE leaves the room
[15:41:15] Chi-Jiun Su leaves the room
[15:41:15] Wes Hardaker leaves the room
[15:41:15] Steve Olshansky leaves the room
[15:41:15] Patrick McManus leaves the room
[15:41:15] John Border leaves the room
[15:41:16] Dan McArdle leaves the room
[15:41:16] John (Clone) Levine leaves the room
[15:41:16] Carrick leaves the room
[15:41:16] m joins the room
[15:41:16] Jerome Vacek leaves the room
[15:41:16] Ted Hardie leaves the room
[15:41:16] Shumon Huque leaves the room
[15:41:17] Matt Green leaves the room
[15:41:17] Jorge Cano leaves the room
[15:41:17] Kirsty P leaves the room
[15:41:17] Emmanuel Bretelle leaves the room
[15:41:17] Eric Orth leaves the room
[15:41:18] Hitesh Kotian leaves the room
[15:41:18] Dan Wing leaves the room
[15:41:18] Christian Huitema_214 leaves the room
[15:41:18] Richard Wilhelm leaves the room
[15:41:19] Eric Kinnear leaves the room
[15:41:19] Barry Leiba leaves the room
[15:41:19] Valery Smyslov leaves the room
[15:41:20] Hannu Flinck leaves the room
[15:41:20] Paul Hoffman leaves the room
[15:41:20] dmcardle leaves the room
[15:41:20] Benjamin Kaduk leaves the room
[15:41:20] Alissa Cooper leaves the room
[15:41:20] Roland van Rijswijk-Deij leaves the room
[15:41:20] Dan York leaves the room
[15:41:21] Dan Druta leaves the room
[15:41:21] Monika Ermert leaves the room
[15:41:21] Duane Wessels leaves the room
[15:41:21] Shumon Huque_ leaves the room
[15:41:21] Dragana Damjanovic leaves the room
[15:41:21] Pieter Lexis leaves the room
[15:41:22] Murray Kucherawy leaves the room
[15:41:22] Mike Bishop leaves the room
[15:41:22] Julien Maisonneuve leaves the room
[15:41:23] Alexander Mayrhofer leaves the room
[15:41:23] Simon Hicks leaves the room
[15:41:23] Tim Chown leaves the room
[15:41:24] Joe Harvey leaves the room
[15:41:24] Michael Gibbs leaves the room
[15:41:24] Paul Adair leaves the room
[15:41:25] Jason Weil leaves the room
[15:41:25] rickwilhelm-Verisign@jabb3r.org leaves the room
[15:41:25] <Puneet Sood> Looks like iOS will provide this in the next version.
[15:41:26] Mark Andrews leaves the room
[15:41:26] Kazuho Oku leaves the room
[15:41:26] Stephan Emile leaves the room
[15:41:26] Eric Rescorla leaves the room
[15:41:27] Allison Mankin leaves the room
[15:41:27] Tommy Pauly leaves the room
[15:41:27] Robert Story leaves the room
[15:41:27] Sandeep Rao leaves the room
[15:41:27] Francois Ortolan leaves the room
[15:41:27] Frode Kileng leaves the room
[15:41:29] Mallory Knodel leaves the room
[15:41:30] Roman Danyliw leaves the room
[15:41:30] Andrew Campling leaves the room
[15:41:31] Chris Lemmons leaves the room
[15:41:31] Desiree Miloshevic leaves the room
[15:41:31] m leaves the room
[15:41:31] Simon Vera-Schockner leaves the room
[15:41:31] Andrew McConachie leaves the room
[15:41:32] Bernie Innocenti leaves the room
[15:41:34] Vittorio Bertola leaves the room
[15:41:37] Alister Winfield leaves the room
[15:41:37] Andrew S leaves the room
[15:41:37] Chris Box leaves the room
[15:41:38] Swapneel Sheth leaves the room
[15:41:39] Ralf Weber leaves the room
[15:41:41] Wes Hardaker clone leaves the room
[15:41:41] Ted Lemon leaves the room
[15:41:42] m joins the room
[15:41:43] Avri Doria leaves the room
[15:41:49] tale leaves the room
[15:41:49] Ralph Dolmans leaves the room
[15:41:59] <mcr> I agree with rotating the time. I'm willing to spread the pain.
[15:42:03] mcr leaves the room
[15:42:04] Christopher Inacio leaves the room
[15:42:07] Mirja Kühlewind leaves the room
[15:42:11] Michael Richardson leaves the room
[15:42:11] Barbara Stark-jabber leaves the room
[15:42:14] Yoshiro Yoneya / 米谷嘉朗 leaves the room
[15:42:14] Barbara Stark leaves the room
[15:42:18] Chris Seal leaves the room
[15:42:18] Tirumaleswar Reddy.K leaves the room
[15:42:20] Yuichi Takita leaves the room
[15:42:20] m leaves the room
[15:42:22] Diego Lopez leaves the room
[15:42:22] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:42:23] Joey Salazar leaves the room
[15:42:24] Tero Kivinen leaves the room
[15:42:26] dschinazi@jab.im leaves the room
[15:42:28] ChrisBox joins the room
[15:42:32] Tadahiko Ito joins the room
[15:42:33] <Tommy Jensen> +1 to rotating
[15:42:36] frodek leaves the room
[15:42:44] Dominique Lazanski leaves the room
[15:42:44] Tadahiko Ito leaves the room
[15:42:45] Jiankang Yao leaves the room
[15:42:52] <Daniel Gillmor> if all three clusters are close to each other, that's bad
[15:43:05] Doug Stamper leaves the room
[15:43:06] Xavier de Foy leaves the room
[15:43:07] Hugo Salgado (jabber) joins the room
[15:43:08] <Tommy Jensen> @neil - but presenters were saying there's value in fwding to the CPE...? Agree with others we need stronger requirements for this case
[15:43:09] Dirk Hugo leaves the room
[15:43:10] David Schinazi leaves the room
[15:43:20] <Daniel Gillmor> if what we're saying is choose 3 points that are 8hrs rotated, then we don't even really need to ask for preferences
[15:43:26] Melinda Shore leaves the room
[15:43:26] <tale > I dunno about Glenn, but I'm open to restarting the poll.
[15:43:35] Stuart Cheshire leaves the room
[15:43:37] <Daniel Gillmor> 8=(24/3)
[15:43:39] Petr Spacek leaves the room
[15:43:41] Puneet Sood leaves the room
[15:43:42] Willem Toorop leaves the room
[15:43:42] Glenn Deen leaves the room
[15:43:45] <tale > ... with guidance on how people would like to see it constructed
[15:43:48] Yoshiro Yoneya leaves the room
[15:43:49] Kazunori Fujiwara leaves the room
[15:43:50] Mohit Sethi leaves the room
[15:43:52] Kohei Isobe leaves the room
[15:44:00] <Neil Cook> @tommy yes for some use-cases. I'm just trying to solve the use-case of doing any kind of discovery when a forwarder is in the way
[15:44:07] Jason Livingood leaves the room
[15:44:08] <Tommy Jensen> going back to gather.town, see y'all
[15:44:11] Erik Nygren leaves the room
[15:44:13] Jana Iyengar leaves the room
[15:44:17] Sam Weiler leaves the room
[15:44:24] Burt Kaliski leaves the room
[15:44:26] John Woodworth leaves the room
[15:44:26] <Neil Cook> .
[15:44:31] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[15:44:31] Neil Cook leaves the room
[15:44:34] vladimir.cunat leaves the room
[15:44:35] Nick Sullivan leaves the room
[15:44:37] Tommy Jensen leaves the room
[15:44:38] Cullen Jennings_463 leaves the room
[15:44:38] Markus Zeilinger leaves the room
[15:44:38] Michael Breuer leaves the room
[15:44:38] Farni Boten leaves the room
[15:44:38] Tobia Castaldi leaves the room
[15:44:38] Oliver Borchert leaves the room
[15:44:38] Blaine Mulugeta leaves the room
[15:44:39] Martin Thomson leaves the room
[15:44:39] Takahiro Nemoto leaves the room
[15:44:39] Benjamin Schwartz leaves the room
[15:44:39] Alessandro Ghedini leaves the room
[15:44:39] Daniel Gillmor leaves the room
[15:44:39] Gianpaolo Scalone leaves the room
[15:44:39] Shwetha Bhandari leaves the room
[15:44:43] adam leaves the room
[15:45:32] ko-isobe leaves the room
[15:45:48] Willem Toorop (jabber) leaves the room
[15:46:11] <nygren > BTW, people with opinions on the CPE topic should also look at and comment on draft-ietf-v6ops-464xlat-optimization-03 if you haven't as it uses the CPE resolver to do special things (i.e., effectively injecting IP NAT46 rules into the CPE routing table)
[15:49:49] ChrisBox leaves the room
[15:52:07] nygren leaves the room: Disconnected: closed
[15:52:38] m&m joins the room
[15:53:59] Greg Wood (IETF LLC) leaves the room
[15:54:22] ekr@jabber.org leaves the room
[15:56:29] Meetecho leaves the room
[15:58:04] kivinen leaves the room
[16:02:08] m&m leaves the room
[16:03:04] sftcd leaves the room
[16:11:56] avezza leaves the room
[16:43:13] alex-meetecho leaves the room
[16:46:19] jmagallanes leaves the room
[17:12:25] tale leaves the room
[17:20:33] ChrisBox joins the room
[17:27:29] ChrisBox leaves the room
[17:29:02] neednnelg@sure.im joins the room
[17:34:10] Christian Huitema leaves the room: Disconnected: closed
[17:38:47] nygren joins the room
[17:42:56] nygren leaves the room
[17:45:00] andrew_campling leaves the room
[17:56:11] Scott Rose leaves the room
[18:15:59] Chris Inacio leaves the room: Disconnected: Replaced by new connection
[18:15:59] Chris Inacio joins the room
[18:20:31] ChrisBox joins the room
[18:20:55] ChrisBox leaves the room
[18:31:40] mglt leaves the room
[19:02:53] Alister Winfield2 leaves the room
[19:04:53] tale joins the room
[19:19:32] Alister Winfield2 joins the room
[19:30:57] tale leaves the room
[20:04:21] Hugo Salgado (jabber) joins the room
[20:05:46] neednnelg@sure.im leaves the room: Away
[20:08:52] Hugo Salgado (jabber) leaves the room: Connection failed: connection closed
[20:35:04] tale joins the room
[20:40:20] neednnelg@sure.im joins the room
[20:40:29] neednnelg@sure.im leaves the room: Away
[20:57:14] tale leaves the room: Disconnected: closed
[21:04:55] nygren joins the room
[21:10:18] andrew_campling joins the room
[21:11:46] andrew_campling joins the room
[21:17:38] tale joins the room
[21:18:35] neednnelg@sure.im joins the room
[21:18:53] neednnelg@sure.im leaves the room: Away
[21:27:13] Chris Inacio leaves the room: Disconnected: Replaced by new connection
[21:27:13] Chris Inacio joins the room
[21:28:12] andrew_campling leaves the room
[21:40:15] Alister Winfield2 leaves the room
[21:53:26] andrew_campling leaves the room
[22:20:22] neednnelg@sure.im joins the room
[22:20:31] neednnelg@sure.im leaves the room: Away
[22:24:25] neednnelg@sure.im joins the room