Friday, November 12, 2021

[11:30:13] Meetecho joins the room
[11:35:00] alexamirante joins the room
[11:44:05] Ash Wilson joins the room
[11:44:37] Yoshiro Yoneya joins the room
[11:45:07] Ash Wilson_web_501 joins the room
[11:45:07] Tim Wicinski_web_680 joins the room
[11:45:07] Shigeya Suzuki_web_729 joins the room
[11:45:07] Michael Jenkins_web_564 joins the room
[11:45:07] Roman Danyliw_web_182 joins the room
[11:45:07] Lorenzo Miniero_web_974 joins the room
[11:45:49] Alessandro Toppi_web_467 joins the room
[11:46:25] Yoshiro Yoneya_web_374 joins the room
[11:47:53] Paul Wouters_web_914 joins the room
[11:49:28] Bill Woodcock_web_521 joins the room
[11:49:48] Wes Hardaker_web_964 joins the room
[11:51:01] Tim Wicinski_web_680 leaves the room
[11:51:05] Tim Wicinski_web_651 joins the room
[11:51:41] Chi-Yuan Chen_web_533 joins the room
[11:51:47] <Lorenzo Miniero_web_974> I already imported the slides
[11:51:48] Chi-Yuan Chen_web_533 leaves the room
[11:51:48] Sandoche Balakrichenan_web_510 joins the room
[11:51:51] Kazunori Fujiwara_web_110 joins the room
[11:51:52] Chi-Yuan Chen_web_110 joins the room
[11:52:06] <Lorenzo Miniero_web_974> They should already be available
[11:52:57] <Roman Danyliw_web_182> Thanks Lorenzo
[11:53:24] <Lorenzo Miniero_web_974> There's just 5 decks, though, no chair slides and no agenda slides
[11:54:01] Peter van Dijk_web_343 joins the room
[11:54:21] <Peter van Dijk_web_343> "dance chair" I chuckled
[11:54:55] Mark McFadden_web_718 joins the room
[11:54:55] Jonathan Hammell_web_557 joins the room
[11:55:23] Suzanne Woolf_web_790 joins the room
[11:55:50] <Lorenzo Miniero_web_974> I refreshed the materials page, and imported the chair slides
[11:56:11] Michael Richardson_web_529 joins the room
[11:56:36] <Roman Danyliw_web_182> Again, much appreciated, Lorenzo
[11:57:04] Suzanne Woolf_web_790 leaves the room
[11:57:05] Yoshiro Yoneya has set the subject to: IETF112
[11:57:08] Suzanne Woolf_web_215 joins the room
[11:57:18] Todd Herr_web_174 joins the room
[11:57:21] <Tim Wicinski_web_651> thx lorenzo
[11:57:34] James Galvin_web_682 joins the room
[11:57:45] Tero Kivinen_web_434 joins the room
[11:57:48] Benjamin Schwartz_web_806 joins the room
[11:57:50] Ken Renard_web_605 joins the room
[11:57:54] Dirk Kutscher_web_391 joins the room
[11:57:57] Michael Hollyman_web_214 joins the room
[11:58:12] Andrew S_web_193 joins the room
[11:58:24] Göran Selander_web_363 joins the room
[11:58:28] Andrew Fregly_web_118 joins the room
[11:58:32] Robin Wilton_web_579 joins the room
[11:58:51] mcr joins the room
[11:58:55] Gustavo Lozano_web_813 joins the room
[11:59:05] Yuji Koyama_web_123 joins the room
[11:59:07] Peter Yee_web_584 joins the room
[11:59:11] Yuji Suga_web_743 joins the room
[11:59:13] Brett Carr_web_707 joins the room
[11:59:22] Natalie Ennis_web_543 joins the room
[11:59:53] Shumon Huque_web_694 joins the room
[11:59:59] <Tim Wicinski_web_651> Lorenzo - can anyone hit the reload button under meeting materials to reload from the datatracker?
[12:00:16] Wei Pan_web_477 joins the room
[12:00:52] <Tim Wicinski_web_651> All Presenters have arrived
[12:00:57] <Suzanne Woolf_web_215> Love the preloaded slides too :-)
[12:01:00] Alyssa Thompson_web_437 joins the room
[12:01:08] Tommy Jensen_web_318 joins the room
[12:01:10] Allison Mankin_web_350 joins the room
[12:01:19] Korry Luke_web_122 joins the room
[12:01:25] Trent Adams_web_764 joins the room
[12:01:32] <Shumon Huque_web_694> "DANCE = DANE Authentication for Network Clients Everywhere" :)
[12:01:38] Prapanch Ramamoorthy_web_564 joins the room
[12:01:49] <Shumon Huque_web_694> (Credit: Scott Rose)
[12:01:52] Samuel Weiler_web_137 joins the room
[12:02:03] David Oliver_web_736 joins the room
[12:02:12] Deb Cooley_web_193 joins the room
[12:02:13] Daniel Gillmor_web_954 joins the room
[12:02:30] Richard Wilhelm_web_486 joins the room
[12:02:30] Jim Reid_web_813 joins the room
[12:02:41] Olle Johansson_web_113 joins the room
[12:02:52] dkg joins the room
[12:02:55] Samuel Weiler joins the room
[12:02:58] Göran Selander_web_363 leaves the room
[12:03:02] Göran Selander_web_374 joins the room
[12:03:03] Steffen Fries_web_391 joins the room
[12:03:28] David Lawrence_web_727 joins the room
[12:03:34] Shigeya Suzuki_web_729 leaves the room
[12:03:36] <Olle Johansson_web_113> Yes, let's start DANCING!
[12:03:37] David Blacka_web_359 joins the room
[12:03:38] Shigeya Suzuki_web_562 joins the room
[12:03:41] Shigeya Suzuki_web_562 leaves the room
[12:03:45] Shigeya Suzuki_web_542 joins the room
[12:04:23] Karen Staley_web_862 joins the room
[12:04:27] Jean-Michel Combes_web_391 joins the room
[12:05:03] <Tim Wicinski_web_651> say what Mr Tale?!?
[12:05:07] Shigeya Suzuki_web_542 leaves the room
[12:05:15] <David Lawrence_web_727> shhhh it's okay nothing to see here
[12:05:19] Shigeya Suzuki_web_533 joins the room
[12:05:41] <Tim Wicinski_web_651> I must put down this kitten now.
[12:05:44] David Goldstein_web_146 joins the room
[12:05:47] Peter van Dijk_web_343 leaves the room
[12:05:51] Peter van Dijk_web_270 joins the room
[12:05:54] Gustavo Lozano_web_813 leaves the room
[12:05:58] Gustavo Lozano_web_468 joins the room
[12:06:03] Paul Muchene_web_709 joins the room
[12:06:31] <Tim Wicinski_web_651> I plan on capturing most comments, but also Action Items for the chairs
[12:06:40] Benno Overeinder_web_208 joins the room
[12:07:04] <Paul Muchene_web_709> Happy to dance today
[12:07:29] Viktor Dukhovni_web_476 joins the room
[12:07:40] Peter Koch_web_172 joins the room
[12:08:11] Christopher Inacio_web_677 joins the room
[12:08:41] Chen Li_web_451 joins the room
[12:08:57] <Olle Johansson_web_113> Validation should happen in the resolver first
[12:09:01] <Olle Johansson_web_113> or?
[12:09:06] Antoin Verschuren_web_838 joins the room
[12:09:40] Valery Smyslov_web_575 joins the room
[12:09:53] Patrick Tarpey_web_714 joins the room
[12:10:18] <Olle Johansson_web_113> "awful hacka ways" - agree :-)
[12:10:29] John Preuß Mattsson_web_686 joins the room
[12:11:33] Xavier de Foy_web_127 joins the room
[12:13:09] <dkg> "we need client auth" seems like an assumption that isn't necessarily warranted.  why don't we need anonymous tokens that grant access instead?
[12:13:45] Paul Wouters_web_914 leaves the room
[12:14:04] Wei Pan_web_477 leaves the room
[12:14:08] Wei Pan_web_620 joins the room
[12:14:10] <David Lawrence_web_727> David Bowie is going to be stuck in my head all day now, isn't he?
[12:14:21] <Samuel Weiler> and how does this help with DoS attacks?  
[12:14:40] <dkg> weren't we just talking yesterday about needing theme music for each WG?
[12:15:05] <David Oliver_web_736> @dkg where would the anonymous token come from?
[12:15:08] <Samuel Weiler> @dkg, which WG gets meatloaf?  ("I won't do that")
[12:15:12] <dkg> Sam: it seems like it might increase load, thereby exacerbating DoS attacks
[12:15:36] <Olle Johansson_web_113> So we need a vote on "Dancing queen" - ABBA or "Let's Dance" - Bowie. It's going to be hard.
[12:15:44] <Peter van Dijk_web_270> Samuel, that's DONT - DNS Over New Transports
[12:15:48] <dkg> David: good question, but definitely not a dealbreaker (e.g. privacypass or related work)
[12:15:49] <Ash Wilson> DANCE me to the end of the Internet
[12:15:58] Gustavo Lozano_web_468 leaves the room
[12:16:01] <Samuel Weiler> @Olle, "Shut up and dance with me"?
[12:16:02] Gustavo Lozano_web_711 joins the room
[12:16:10] <David Oliver_web_736> @dkg agreed, but folks get queasy about that, no??
[12:16:12] <dkg> come on, no one is mentioning Zappa's "Dancing Fool" ?
[12:16:49] <dkg> folks get queasy about authenticated clients too -- DNS queries that are tied tightly to client identity are a serious privacy concern
[12:16:54] <Olle Johansson_web_113> With all these options, we will certainly need an interim for wg theme music
[12:16:55] <Tim Wicinski_web_651> +1 Peter
[12:17:47] <David Oliver_web_736> @dkg agreed of course (just pushing on this point)
[12:17:56] James Galvin_web_682 leaves the room
[12:18:00] James Galvin_web_840 joins the room
[12:19:07] <dkg> Viktor: can you say more about what you mean by maintenance?
[12:19:50] <Bill Woodcock_web_521> Doctor, it hurts when I do this.
[12:20:10] <Bill Woodcock_web_521> That makes sense to me.
[12:21:06] <Bill Woodcock_web_521> My ears are open...  Do you have some other solution to the problems I have?
[12:21:35] <Bill Woodcock_web_521> Isn't that what blinded certs are for?
[12:21:39] Valery Smyslov_web_575 leaves the room
[12:21:43] Valery Smyslov_web_641 joins the room
[12:22:27] <Bill Woodcock_web_521> And role authentication?
[12:23:14] <dkg> Will this work dig into those approaches?
[12:23:41] <dkg> is it a design goal here to include role authentication and blinded certs?
[12:24:11] <Bill Woodcock_web_521> The stuff I've been working with people on assumes that authentication is at least as much a role issue as an individual issue.  Knowing whether someone is in the class of people who paid their bill last month is often much more important than knowing who they are individually.
[12:24:41] Wei Pan_web_620 leaves the room
[12:24:45] Wei Pan_web_349 joins the room
[12:24:54] <dkg> agreed :)  but the default is often to tie authorization to identity (e.g. for extra billing, anti-abuse, etc)
[12:24:56] <Wes Hardaker_web_964> it's a design goal to build a flexible framework that can enable multiple future forward paths with the resulting technology.  It's not within scope to select individual ones and DANCE outputs would map to them now.
[12:25:04] Wei Pan_web_349 leaves the room
[12:25:08] Wei Pan_web_290 joins the room
[12:25:09] <Jonathan Hammell_web_557> "A screen share is being started..."  I'm not seeing the slides.
[12:25:34] Paul Wouters_web_343 joins the room
[12:25:40] <Deb Cooley_web_193> can he just open the slide deck?  instead?
[12:25:59] <dkg> slide deck is definitely preferable from a bandwidth and CPU consumption perspective
[12:26:01] <Robin Wilton_web_579> I love the adrenaline hit of waiting for Meetecho to load the slides...
[12:26:15] Gustavo Lozano_web_711 leaves the room
[12:26:19] Gustavo Lozano_web_159 joins the room
[12:26:31] Wei Pan_web_290 leaves the room
[12:26:35] Wei Pan_web_131 joins the room
[12:26:39] <Wes Hardaker_web_964> @dkg - thanks, will try to follow that in the future
[12:26:39] Wei Pan_web_131 leaves the room
[12:26:43] Wei Pan_web_586 joins the room
[12:26:48] <Jim Reid_web_813> I prefer the caffeine hit Robin: go for coffee while the slides load. :-)
[12:26:56] <Robin Wilton_web_579> lol
[12:27:39] <dkg> @wes, my ancient hardware and clunky American ISP thanks you ☺
[12:27:58] John Preuß Mattsson_web_686 leaves the room
[12:28:02] John Preuß Mattsson_web_100 joins the room
[12:29:14] <Wes Hardaker_web_964> @dkg I miss the days when the terminal room actually had terminals in it.
[12:29:20] Burt Kaliski_web_169 joins the room
[12:30:28] Antoin Verschuren_web_838 leaves the room
[12:30:32] Antoin Verschuren_web_555 joins the room
[12:34:21] <dkg> i tend to agree with Ben here
[12:34:43] Hugo Salgado_web_265 joins the room
[12:34:47] <dkg> this means that revocation isn't possible, unless there's an OCSP-stapling-style thing
[12:35:12] <Peter van Dijk_web_270> hmm, OCSP from what oracle?
[12:35:20] <Benjamin Schwartz_web_806> Revocation is not really a thing in DNSSEC.
[12:35:25] <Peter van Dijk_web_270> might make more sense to have short signature lifetimes then
[12:35:30] <Peter van Dijk_web_270> unlike the days or weeks that are common now
[12:35:39] <dkg> i'm aware :)  revocation doesn't really work anywhere
[12:35:48] Gustavo Lozano_web_159 leaves the room
[12:35:52] Gustavo Lozano_web_240 joins the room
[12:37:19] <dkg> shipping the full chain also helps a bit with privacy concerns: the person claiming the identity doesn't have to alert anyone else in the DNS that they're interested in authenticating to the given endpoint.
[12:37:45] <Shumon Huque_web_694> My comment was referring to possible use of RFC 9102 (TLS DNSSEC chain extension).
[12:37:47] <Peter van Dijk_web_270> +1 nice one dkg
[12:37:52] <dkg> this use case makes it harder for a client with short-lived DANE records to ship a full chain (if they're not on the network already)
[12:38:09] <Shumon Huque_web_694> Yes, that's true dkg ..
[12:38:21] Paul Wouters_web_343 leaves the room
[12:38:25] Paul Wouters_web_528 joins the room
[12:39:55] <Olle Johansson_web_113> Now we have another issue - Delegation from a user to a device...
[12:39:58] <Peter van Dijk_web_270> "revocation at the speed of TTL", well RRSIG expiry
[12:39:58] <Benjamin Schwartz_web_806> I think "revocation" would work by marking the name as "no longer authorized" in the database, rather than trying to deassociate the client from its name.
[12:40:22] <dkg> Ben: right, that's actually "de-authorization", not revocation
[12:40:29] <Benjamin Schwartz_web_806> Yeah
[12:40:45] <dkg> subtle and tricky :/
[12:41:13] <dkg> b/c the administrator needs to know where the given principal has been authorized
[12:41:40] <dkg> (not always possible in the distributed use case Ash is describing here)
[12:41:43] Paul Muchene_web_709 leaves the room
[12:41:47] Paul Muchene_web_894 joins the room
[12:42:35] Yuji Suga_web_743 leaves the room
[12:42:36] <Shumon Huque_web_694> On the list of use cases in the agenda, I notice the SMTP Transport Security use case is not mentioned. @Viktor - you could probably try to speak to that a bit at some point.
[12:42:38] <Benjamin Schwartz_web_806> Separating identification from authorization seems easier to manage to me.  The DANE validator can be fully disentangled from the deauthorization step.
[12:42:39] Yuji Suga_web_636 joins the room
[12:43:08] Benjamin Kaduk_web_603 joins the room
[12:43:18] Todd Herr_web_174 leaves the room
[12:43:38] <dkg> right: but revocation handles the case where we no longer think that a given key is securely held by the expected principal.  that's not addressed directly by tweaking authorization databases.
[12:43:54] Benjamin Kaduk_web_603 leaves the room
[12:44:13] <Olle Johansson_web_113> That is a good question
[12:44:24] Michael Breuer_web_376 joins the room
[12:44:32] <Olle Johansson_web_113> Like the "realm" in http digest challenge
[12:45:32] <Olle Johansson_web_113> There's a lot of use cases not tying to "person", but selection of credential is still a good question
[12:45:52] Gustavo Lozano_web_240 leaves the room
[12:45:56] Gustavo Lozano_web_741 joins the room
[12:46:31] <Roman Danyliw_web_182> Multiple identities seems good, but knowing which of the ones I have I should use seems like the tricky part.
[12:46:45] <dkg> Roman: i agree
[12:47:09] <dkg> Ash: thanks for emphasizing the iot/constrained use case
[12:47:34] <Robin Wilton_web_579> @Roman +1; that's the line between "persona separation" (with user agency) and "consentless tracking" (without user agency).
[12:47:41] <Benjamin Schwartz_web_806> +1 Viktor
[12:48:03] <dkg> +1 Viktor
[12:48:04] <Benjamin Schwartz_web_806> I think IoT is not a good use case for DANCE until we have a "re-provisioning" system so the owner can change the name of the device.
[12:48:44] <dkg> Ben: you don't want to move from "planned obsolescence" to "enforced obsolescence" ?
[12:48:45] <Roman Danyliw_web_182> I
[12:48:48] <Benjamin Schwartz_web_806> Sounds OK here
[12:48:49] <Roman Danyliw_web_182> I'm hearing ok
[12:48:50] <Olle Johansson_web_113> I have good audio
[12:49:03] <mcr> @ben, we can do that right now with EST.  The problem is that we can't do this quickly, it depends upon the device to poll.
[12:49:29] <Benjamin Schwartz_web_806> @mcr What's EST?
[12:49:39] <Robin Wilton_web_579> @Ben - I agree w your point about "reprovisioning" (looking at the DHCP client list on my router, and seeing a bunch of devices I can't rename...) 🙄
[12:49:45] <dkg> EST: pre-ACME provisioning system
[12:49:53] <dkg> cert provisioning system
[12:50:10] Bob Moskowitz joins the room
[12:50:15] Paul Wouters_web_528 leaves the room
[12:50:22] <mcr> @Ben, RFC7030. Enrollment over Secure Transport.
[12:50:51] <mcr> @dkg, I wouldn't call it pre-ACME.  It can operate *with* ACME, as demonstrated by drafts acme-integrations.
[12:50:56] Robert Moskowitz_web_495 joins the room
[12:51:05] Paul Wouters_web_174 joins the room
[12:51:26] Alyssa Thompson_web_437 leaves the room
[12:51:30] Alyssa Thompson_web_371 joins the room
[12:51:33] <dkg> mcr: i just meant that it predates ACME.   wasn't trying to mark it "historic"
[12:52:02] Wes Hardaker_web_964 leaves the room
[12:52:05] <mcr> @dkg cool.
[12:52:06] Wes Hardaker_web_654 joins the room
[12:54:36] Doug Montgomery_web_117 joins the room
[12:54:57] Yoshiro Yoneya_web_374 leaves the room
[12:55:01] Yoshiro Yoneya_web_175 joins the room
[12:55:03] David Oliver_web_736 leaves the room
[12:55:11] Doug Montgomery_web_117 leaves the room
[12:55:15] Doug Montgomery_web_726 joins the room
[12:55:53] Gustavo Lozano_web_741 leaves the room
[12:55:56] <Deb Cooley_web_193> thanks for clarifying....
[12:55:57] Gustavo Lozano_web_433 joins the room
[12:56:02] <Deb Cooley_web_193> disturbing otherwise
[12:56:15] Doug Montgomery_web_726 leaves the room
[12:56:22] <dkg> we're sticking DNS names into the SSID now?  is that standardized someplace?
[12:57:50] <Shumon Huque_web_694> I don't think it is. But some places already do it.
[12:57:58] <dkg> does the AP prove its identity via DANE too?
[12:58:19] Dirk Kutscher_web_391 leaves the room
[12:58:24] <dkg> i mean, i can stick "isp.example" in my own AP's SSID too, despite not controlling isp.example
[12:58:38] <Bob Moskowitz> FQDN as SSID makes sense for many public WiFi networks.
[12:58:50] <dkg> (my home wifi network is called "")
[12:59:05] <Shumon Huque_web_694> Ha! :)
[12:59:26] <Bob Moskowitz> There never was authentication of SSIDs.   That is why we have so many attacks against networks with rogue APs.
[12:59:27] <Shumon Huque_web_694> The AP isn't the TLS server though.
[12:59:31] <dkg> Bob: "makes sense" is different from "is well-specified and cryptographically secure"
[13:00:23] <Bob Moskowitz> Never was cryptographically secure.  There was a presentation decades ago about using PK sigs on SSIDs, but it never survived its first presentation.
[13:00:42] <Bob Moskowitz> Oh, that was in an 802.11 plenary session.
[13:00:51] John Preuß Mattsson_web_100 leaves the room
[13:01:02] Sean Donelan_web_410 joins the room
[13:01:07] <Bob Moskowitz> 802.11 HATES BEACON bloat.  :)
[13:01:14] Xavier de Foy_web_127 leaves the room
[13:02:38] Scott Rose_web_353 joins the room
[13:02:56] Doug Montgomery_web_177 joins the room
[13:03:47] Florence D_web_796 joins the room
[13:04:42] <dkg> seems like if we're saying this is intended for wifi access, we'd need to have a clear understanding on the client side about what EAP identity to expect/require from a TLS server given the ESSID
[13:05:36] Prapanch Ramamoorthy_web_564 leaves the room
[13:05:40] Prapanch Ramamoorthy_web_756 joins the room
[13:05:50] <Roman Danyliw_web_182> A gentle reminder: we are chartered to document about all sorts of use cases so let's continue the discussion.  As to deliverables though, we made a conscious choice to be narrow on what protocol work we would initially specify.
[13:05:53] Gustavo Lozano_web_433 leaves the room
[13:05:57] Gustavo Lozano_web_880 joins the room
[13:06:11] <Wes Hardaker_web_654> ack; thanks Roman
[13:06:14] <Roman Danyliw_web_182> @Viktor: Yes, the charter excluded that on purpose.
[13:06:18] <Bob Moskowitz> BTW, I am looking at this approach for DRIP's unmanned aircraft certs that are behind the whole HHIT methodology.  Aviation is/has built a bridged PKI (on my bridge PKI model from back in '98), but I have gotten their CP to include federated PKI.  So by putting UA certs in DANCE/DANE format and federating this to the IATF I meet the ICAO goals and mine.
[13:06:38] Prapanch Ramamoorthy_web_756 leaves the room
[13:06:42] Prapanch Ramamoorthy_web_721 joins the room
[13:07:17] <Wes Hardaker_web_654> Thanks Bob.  That might be helpful to write up a short description to send to the mailing list?
[13:07:39] Jen Hufford_web_782 joins the room
[13:07:41] <Shumon Huque_web_694> Viktor - have you seen: ?
[13:07:42] Prapanch Ramamoorthy_web_721 leaves the room
[13:07:44] <Bob Moskowitz> BTW, IATA is moving to DANE certs for aviation servers and we worked together for expanding the CP for federation PKI.
[13:07:46] Prapanch Ramamoorthy_web_820 joins the room
[13:07:54] <Robin Wilton_web_579> @Bob - excellent; please disregard my DM in the chat ;^)
[13:08:36] <Bob Moskowitz> @Wes.  First I have to join the list!  Then I will write it up.  I really have to get this knitted out before year's end.
[13:09:42] Paul Wouters_web_174 leaves the room
[13:09:46] Paul Wouters_web_525 joins the room
[13:10:48] Andrew S_web_193 leaves the room
[13:11:28] <Paul Wouters_web_525> (sorry for lack of my chairing ability - my ISP went down and limping over LTE)
[13:12:59] <Wes Hardaker_web_654> @Bob: you can't DANCE if you don't join the conga line
[13:15:52] Gustavo Lozano_web_880 leaves the room
[13:15:56] Gustavo Lozano_web_922 joins the room
[13:16:34] <Paul Wouters_web_525> 7250 is implemented in IoT
[13:17:09] <Bob Moskowitz> I really should have joined after IETF 111.  My bad.  Will join the line.
[13:17:12] Paul Wouters_web_525 leaves the room
[13:17:16] Paul Wouters_web_958 joins the room
[13:17:23] Eric Orth_web_843 joins the room
[13:17:56] <dkg> can we make this TLS 1.3-only?  broadcasting client identity in the clear isn't a great look in 2021
[13:18:55] <Roman Danyliw_web_182> +1 on @dkg.  Especially since this is "green field".
[13:19:00] <Tim Wicinski_web_651> +1
[13:19:05] <Olle Johansson_web_113> I think we need to discuss naming convention from a DNS standpoint - depending on the amount of identities of course.
[13:19:08] <Bob Moskowitz> For use of raw public keys in DTLS, look at draft-moskowitz-secure-nrid-c2.  For DTLS securing the link, particularly directly from the UA, raw public keys is pretty much the only way to go.
[13:19:09] <Wes Hardaker_web_654> remember that this isn't client == person though.
[13:19:26] Paul Wouters_web_958 leaves the room
[13:19:30] Paul Wouters_web_736 joins the room
[13:19:33] <Wes Hardaker_web_654> EG, MTAs are potentially mostly public already
[13:19:36] <dkg> if it's "client == phone" that's bad enough
[13:19:39] John Preuß Mattsson_web_162 joins the room
[13:19:49] <Olle Johansson_web_113> Hey! SIP use SRV a lot :-)
[13:20:16] <dkg> or "client == smartwatch", etc
[13:20:26] John Preuß Mattsson_web_162 leaves the room
[13:20:52] <dkg> just saying, some IoT objects are more "personal" than others, so claiming IoT doesn't let us ignore privacy concerns
[13:20:57] <Bob Moskowitz> DRIP has its own client DNS naming convention.
[13:21:50] <Deb Cooley_web_193> TLS servers are on Cray XMPs?
[13:22:00] <Bob Moskowitz> though Adam and I are not quite in line of the DNS hierarchy comparing draft-ietf-drip-rid and draft-ietf-drip-auth
[13:22:01] <Deb Cooley_web_193> that was definitely a blast from the past
[13:23:52] Carl Mehner_web_244 joins the room
[13:24:54] <Bob Moskowitz> @Deb, I never made the jump from the CDC 6500 to Cray.  Lucky you.
[13:25:23] <Deb Cooley_web_193> There is one in the National Cryptologic Museum too!
[13:25:24] Andrew S_web_167 joins the room
[13:25:55] Gustavo Lozano_web_922 leaves the room
[13:25:58] <Olle Johansson_web_113> The TLS WG is rather tough on not modifying 1.2
[13:25:59] Gustavo Lozano_web_975 joins the room
[13:26:14] Gustavo Lozano_web_975 leaves the room
[13:26:18] Gustavo Lozano_web_394 joins the room
[13:26:41] Benjamin Schwartz_web_806 leaves the room
[13:26:45] Benjamin Schwartz_web_795 joins the room
[13:27:19] Benjamin Schwartz_web_795 leaves the room
[13:27:23] Benjamin Schwartz_web_816 joins the room
[13:27:50] Benjamin Schwartz_web_816 leaves the room
[13:27:54] Benjamin Schwartz_web_573 joins the room
[13:28:06] <Benjamin Schwartz_web_573> RFC 8446: "Extensions in the Certificate message from the client MUST correspond to extensions in the CertificateRequest message from the server."
[13:28:20] <Benjamin Schwartz_web_573> So it's request-response, but in the opposite direction.
[13:28:38] Gustavo Lozano_web_394 leaves the room
[13:28:42] Gustavo Lozano_web_160 joins the room
[13:29:00] <Robin Wilton_web_579> @dkg +1 to that question; it seems relevant also to ?Viktor's previous comment about scalability: if you want to use DANE for the enrolment request/reply but not for every subsequent connection request, don't you need this kind of "bootstrapping" step in the protocol?
[13:29:21] <Olle Johansson_web_113> Isn't that a property of the certificate  - "validate me via DANE"
[13:29:40] <Bob Moskowitz> I had to run NASTRAN on an IBM 390J and the 5000 node model of the 1st Jeep Wrangler ran 40 hours.  It was nice when engineering snuck in an SGI and ran the same model in 30s!
[13:30:28] <Olle Johansson_web_113> The server extension could solve the part about "selection of client ID" by including a "realm"
[13:30:33] <Doug Montgomery_web_177> @Bob can you provide a link to the IATA work you reference?
[13:30:44] <Tim Wicinski_web_651> AD fail
[13:31:38] <Bob Moskowitz> @Doug.  I will see what is publicly available.  Problem is aviation plays in a private sandbox.  I will talk to my IATA colleague.
[13:31:49] <Bob Moskowitz> It will be included in my use case!
[13:32:06] <Roman Danyliw_web_182> @Shumon.  Thanks.
[13:32:52] <dkg> Ben: it might need to assemble it to ship it, though
[13:32:54] <Shigeya Suzuki_web_533> e
[13:32:55] <Shigeya Suzuki_web_533> x
[13:32:55] <Shigeya Suzuki_web_533> p
[13:32:55] <Shigeya Suzuki_web_533> i
[13:32:55] <Shigeya Suzuki_web_533> re
[13:33:04] <dkg> esp. for short-lived RRSIGs
[13:33:43] <Shigeya Suzuki_web_533> sorry, keyboard was not working well..
What happens when certs expire
[13:34:34] Prapanch Ramamoorthy_web_820 leaves the room
[13:34:38] Prapanch Ramamoorthy_web_288 joins the room
[13:34:45] <dkg> Ben: the end device could also get help from a clever resolver that could assemble the "current" chain
[13:35:02] <Bob Moskowitz> TTL = cert expiry?
[13:35:57] Gustavo Lozano_web_160 leaves the room
[13:35:58] Lixia Zhang_web_564 joins the room
[13:36:01] Gustavo Lozano_web_288 joins the room
[13:36:23] <dkg> Bob: it's not the TTL, it's the RRSIG validity window
[13:36:51] <dkg> (the assembled, shipped-in-band chain is "DNS off the back of a truck", so TTL isn't particularly meaningful)
[13:37:18] <Bob Moskowitz> Ah!
[13:37:25] <Ash Wilson> Flash storage on constrained devices is typically limited by the number of writes before media failure
[13:38:20] <dkg> Ash: that's an issue for any type of rotating certificate: DANE or otherwise, right?
[13:38:29] Craig Pearce_web_866 joins the room
[13:38:45] <Benjamin Schwartz_web_573> You can keep it in RAM :)
[13:38:52] <Olle Johansson_web_113> Viktor: +1 That's very clever!
[13:38:58] Alexey Melnikov_web_180 joins the room
[13:39:27] <Ash Wilson> @dkg, I'm thinking about updating the local DNSSEC chain on constrained devices
[13:39:38] Craig Pearce_web_866 leaves the room
[13:39:43] <dkg> Ash: right, that's effectively a "certificate"
[13:40:06] <dkg> and it needs to be rotated when any of the RRSIG validity windows is due to expire
[13:40:23] <dkg> if you shipped a short-lived X.509 certificate, you'd have the same issue
[13:40:33] <Deb Cooley_web_193> KDC = key distribution center?
[13:40:39] <Benjamin Schwartz_web_573> Specifically a short-lived X.509 intermediate
[13:40:52] <Wes Hardaker_web_654> @deb: yes, from kerberos
[13:40:57] <dkg> or an X.509 cert with a must-staple OCSP extension (you have to refresh the OCSP response)
[13:40:59] <Deb Cooley_web_193> oh got it
[13:41:09] Prapanch Ramamoorthy_web_288 leaves the room
[13:41:13] Prapanch Ramamoorthy_web_458 joins the room
[13:41:18] <Shigeya Suzuki_web_533> (I wrote a paper on keeping local DNSSEC chain 10yrs ago with bmanning.)
[13:41:32] Hugo Salgado_web_265 leaves the room
[13:41:53] <Olle Johansson_web_113> Sorry, coming back soon
[13:42:11] Tommy Jensen_web_318 leaves the room
[13:42:26] <dkg> very very quiet
[13:42:43] <Paul Muchene_web_894> Still quiet
[13:42:53] <Shigeya Suzuki_web_533> same..
[13:42:55] Tommy Jensen_web_764 joins the room
[13:42:57] <dkg> Olle says: namespace needs to be discussed with the DNS folks
[13:43:01] <Roman Danyliw_web_182> I'm hearing Olle say that "namespace needs to be discussed"
[13:43:30] <Olle Johansson_web_113> Sorry for that mess - The DNS namespace needs to be discussed so that we build a tree
[13:43:36] <Olle Johansson_web_113> instead of a flat name space
[13:43:56] <Olle Johansson_web_113> We have a potential for very large amount of clients, especially in the IOT space
[13:44:22] <Bill Woodcock_web_521> I advocate for the adoption of both of Shumon's documents.
[13:46:01] <Olle Johansson_web_113> read
[13:46:01] <Tim Wicinski_web_651> red
[13:46:01] Gustavo Lozano_web_288 leaves the room
[13:46:02] <Paul Muchene_web_894> Read
[13:46:03] <Bill Woodcock_web_521> Read.
[13:46:03] <Ash Wilson> Read
[13:46:03] Paul Wouters_web_736 leaves the room
[13:46:05] Gustavo Lozano_web_553 joins the room
[13:46:07] Paul Wouters_web_629 joins the room
[13:46:09] <Sandoche Balakrichenan_web_510> Read
[13:46:09] <dkg> ha ha "red"
[13:46:15] <Andrew Fregly_web_118> read
[13:46:22] <Jim Reid_web_813> read
[13:46:27] <Shumon Huque_web_694> read (and written :)
[13:46:32] <Bob Moskowitz> Reason why I am not responding.  I have NOT read them.  :(
[13:46:36] <Bill Woodcock_web_521> Reed.
[13:46:40] <Ash Wilson> to too two
[13:46:41] <Andrew Fregly_web_118> How about fire
[13:46:47] <Bill Woodcock_web_521> Reid?
[13:46:47] <Peter van Dijk_web_270> I did some reading in Reading where I read about reading.
[13:47:04] <Jim Reid_web_813> read and reid are spelled differently. Wes. 😀
[13:47:12] <Roman Danyliw_web_182> About 21 to adopt and about half that in chat saying they read them.
[13:47:17] <Ash Wilson> raise rays
[13:47:21] <Bob Moskowitz> Too many sources of English.
[13:47:30] <dkg> does the person who said "not ready"  want to explain?
[13:47:46] Patrick Tarpey_web_714 leaves the room
[13:48:25] <dkg> ok, they had a chance
[13:48:33] Jonathan Hammell_web_557 leaves the room
[13:48:44] <Ash Wilson> To DANCE
[13:48:45] <Olle Johansson_web_113> Thank you all!
[13:48:48] Benjamin Schwartz_web_573 leaves the room
[13:48:50] Florence D_web_796 leaves the room
[13:48:51] <Bill Woodcock_web_521> Thanks!
[13:48:51] <Ash Wilson> Thanks!
[13:48:53] <Paul Muchene_web_894> Bye!
[13:48:53] <Tim Wicinski_web_651> thanks
[13:48:54] Deb Cooley_web_193 leaves the room
[13:48:55] Christopher Inacio_web_677 leaves the room
[13:48:56] Andrew S_web_167 leaves the room
[13:48:56] Tommy Jensen_web_764 leaves the room
[13:48:56] Ken Renard_web_605 leaves the room
[13:48:56] Roman Danyliw_web_182 leaves the room
[13:48:58] <Bob Moskowitz> bye
[13:48:58] Gustavo Lozano_web_553 leaves the room
[13:48:58] Peter Yee_web_584 leaves the room
[13:48:58] Scott Rose_web_353 leaves the room
[13:48:59] Tim Wicinski_web_651 leaves the room
[13:48:59] Yuji Suga_web_636 leaves the room
[13:49:00] David Blacka_web_359 leaves the room
[13:49:00] Daniel Gillmor_web_954 leaves the room
[13:49:00] Michael Jenkins_web_564 leaves the room
[13:49:01] Göran Selander_web_374 leaves the room
[13:49:01] Richard Wilhelm_web_486 leaves the room
[13:49:01] Michael Hollyman_web_214 leaves the room
[13:49:01] Bob Moskowitz leaves the room
[13:49:01] Wes Hardaker_web_654 leaves the room
[13:49:02] Olle Johansson_web_113 leaves the room
[13:49:03] Ash Wilson leaves the room
[13:49:03] Alexey Melnikov_web_180 leaves the room
[13:49:04] Paul Muchene_web_894 leaves the room
[13:49:06] Viktor Dukhovni_web_476 leaves the room
[13:49:10] Yoshiro Yoneya_web_175 leaves the room
[13:49:14] James Galvin_web_840 leaves the room
[13:49:21] Meetecho leaves the room
[13:49:22] Yuji Koyama_web_123 leaves the room
[13:49:23] Yoshiro Yoneya leaves the room
[13:49:31] Jim Reid_web_813 leaves the room
[13:49:31] Sandoche Balakrichenan_web_510 leaves the room
[13:49:33] Suzanne Woolf_web_215 leaves the room
[13:49:34] Steffen Fries_web_391 leaves the room
[13:49:34] Lorenzo Miniero_web_974 leaves the room
[13:49:34] Ash Wilson_web_501 leaves the room
[13:49:34] Alessandro Toppi_web_467 leaves the room
[13:49:34] Andrew Fregly_web_118 leaves the room
[13:49:34] Mark McFadden_web_718 leaves the room
[13:49:34] Kazunori Fujiwara_web_110 leaves the room
[13:49:34] Michael Richardson_web_529 leaves the room
[13:49:34] Robin Wilton_web_579 leaves the room
[13:49:34] Chi-Yuan Chen_web_110 leaves the room
[13:49:34] Natalie Ennis_web_543 leaves the room
[13:49:34] Korry Luke_web_122 leaves the room
[13:49:34] Peter van Dijk_web_270 leaves the room
[13:49:34] David Lawrence_web_727 leaves the room
[13:49:34] Chen Li_web_451 leaves the room
[13:49:34] Shigeya Suzuki_web_533 leaves the room
[13:49:34] Trent Adams_web_764 leaves the room
[13:49:34] Allison Mankin_web_350 leaves the room
[13:49:34] Jean-Michel Combes_web_391 leaves the room
[13:49:34] Shumon Huque_web_694 leaves the room
[13:49:34] Peter Koch_web_172 leaves the room
[13:49:34] David Goldstein_web_146 leaves the room
[13:49:34] Tero Kivinen_web_434 leaves the room
[13:49:34] Bill Woodcock_web_521 leaves the room
[13:49:34] Prapanch Ramamoorthy_web_458 leaves the room
[13:49:34] Samuel Weiler_web_137 leaves the room
[13:49:34] Brett Carr_web_707 leaves the room
[13:49:34] Karen Staley_web_862 leaves the room
[13:49:34] Valery Smyslov_web_641 leaves the room
[13:49:34] Lixia Zhang_web_564 leaves the room
[13:49:34] Sean Donelan_web_410 leaves the room
[13:49:34] Eric Orth_web_843 leaves the room
[13:49:34] Carl Mehner_web_244 leaves the room
[13:49:34] Alyssa Thompson_web_371 leaves the room
[13:49:34] Robert Moskowitz_web_495 leaves the room
[13:49:34] Wei Pan_web_586 leaves the room
[13:49:34] Michael Breuer_web_376 leaves the room
[13:49:35] Benno Overeinder_web_208 leaves the room
[13:49:35] Paul Wouters_web_629 leaves the room
[13:49:35] Doug Montgomery_web_177 leaves the room
[13:49:35] Jen Hufford_web_782 leaves the room
[13:49:35] Burt Kaliski_web_169 leaves the room
[13:49:35] Antoin Verschuren_web_555 leaves the room
[13:51:42] mcr leaves the room
[14:06:38] alexamirante leaves the room
[15:40:51] Ash Wilson joins the room
[15:41:01] Ash Wilson leaves the room
[16:00:38] dkg leaves the room: leaving
[19:23:29] Samuel Weiler leaves the room
[19:34:41] Samuel Weiler joins the room
[19:36:06] Samuel Weiler leaves the room
[19:45:36] Samuel Weiler joins the room
[19:45:44] Samuel Weiler leaves the room
[19:46:42] Samuel Weiler joins the room
[20:23:55] Samuel Weiler leaves the room
[20:28:08] Samuel Weiler joins the room
[20:28:25] Samuel Weiler leaves the room
[20:42:17] Samuel Weiler joins the room
[21:01:53] Samuel Weiler leaves the room
[21:08:53] Samuel Weiler joins the room
[21:45:14] Samuel Weiler leaves the room
[21:46:39] Samuel Weiler joins the room
[21:48:48] Samuel Weiler leaves the room
[22:59:08] Samuel Weiler joins the room
[23:00:30] Samuel Weiler leaves the room