Monday, September 13, 2021< ^ >
Meetecho-alex has set the subject to: LAMPS at IETF 111
Room Configuration
Room Occupants

[13:50:08] Scott Fluhrer_web_944 joins the room
[13:50:08] Michael Jenkins_web_211 joins the room
[13:50:08] Deb Cooley_web_685 joins the room
[13:50:08] Mike Ounsworth_web_189 joins the room
[13:50:08] Kris Kwiatkowski_web_935 joins the room
[13:50:08] Leonie Bruckert_web_596 joins the room
[13:51:01] Leonie Bruckert_web_596 leaves the room
[13:51:52] Deb Cooley_web_685 leaves the room
[13:51:56] Deb Cooley_web_456 joins the room
[13:52:35] Deb Cooley_web_456 leaves the room
[13:52:46] Quynh Dang_web_442 joins the room
[13:52:51] Kris Kwiatkowski_web_935 leaves the room
[13:52:56] Kris Kwiatkowski_web_848 joins the room
[13:53:29] Deb Cooley_web_113 joins the room
[13:54:44] Russ Housley_web_210 joins the room
[13:54:50] Leonie Bruckert_web_141 joins the room
[13:55:03] Quynh Dang_web_442 leaves the room
[13:55:09] Quynh Dang_web_148 joins the room
[13:55:27] <Scott Fluhrer_web_944> Does anyone else have problems connecting to the media feed?
[13:55:45] <Deb Cooley_web_113> yes
[13:55:48] <Quynh Dang_web_148> Yes I do
[13:56:09] Alison Becker_web_227 joins the room
[13:56:09] <Kris Kwiatkowski_web_848> yup
[13:56:30] Alison Becker_web_227 leaves the room
[13:56:48] <Russ Housley_web_210> I am unable to connect to the media feed or load the slides
[13:56:52] Alison Becker_web_217 joins the room
[13:56:53] Kris Kwiatkowski_web_848 leaves the room
[13:56:57] Kris Kwiatkowski_web_691 joins the room
[13:57:01] Nicholas Gajcowski_web_623 joins the room
[13:57:19] Jonathan Hammell_web_170 joins the room
[13:57:23] Yoav Nir_web_441 joins the room
[13:57:25] Antonio Vaira_web_860 joins the room
[13:57:31] Kris Kwiatkowski_web_691 leaves the room
[13:57:37] <Michael Jenkins_web_211> short meeting?
[13:57:40] Kris Kwiatkowski_web_649 joins the room
[13:57:47] Nicholas Gajcowski_web_623 leaves the room
[13:57:53] Yoav Nir_web_441 leaves the room
[13:58:08] Markku-Juhani Saarinen_web_879 joins the room
[13:58:14] David Cooper_web_363 joins the room
[13:58:22] Nicholas Gajcowski_web_889 joins the room
[13:58:31] Daniel Van Geest_web_785 joins the room
[13:59:31] Elena Lang_web_401 joins the room
[14:00:15] Sean Turner_web_264 joins the room
[14:00:17] Roman Danyliw_web_795 joins the room
[14:00:34] Yoav Nir_web_191 joins the room
[14:00:40] John Gray_web_800 joins the room
[14:00:46] PRAT Julien_web_552 joins the room
[14:00:50] <Sean Turner_web_264> I am having the same issue BTW
[14:00:51] Roman Danyliw_web_795 leaves the room
[14:00:55] Roman Danyliw_web_730 joins the room
[14:00:58] <Russ Housley_web_210> I have sent an email to the meetecho support team, and they are looking into the problem.  Please stand by
[14:01:02] Rebecca Guthrie_web_328 joins the room
[14:01:06] Tim Hollebeek_web_284 joins the room
[14:01:10] Serge Mister_web_223 joins the room
[14:01:19] PRAT Julien_web_552 leaves the room
[14:01:22] Alessandro Amirante_web_538 joins the room
[14:01:23] PRAT Julien_web_966 joins the room
[14:01:35] <Sean Turner_web_264> restored!
[14:01:45] <Sean Turner_web_264> it's working now
[14:01:48] <Tim Hollebeek_web_284> i can hear you
[14:01:49] <Roman Danyliw_web_730> for me too
[14:01:50] <Quynh Dang_web_148> yes, hearing you
[14:01:56] <Deb Cooley_web_113> yay
[14:02:01] Ludovic Perret_web_621 joins the room
[14:02:47] Jonathan Hammell_web_170 leaves the room
[14:03:03] Roman Danyliw_web_730 leaves the room
[14:03:04] Paolo Saviano_web_100 joins the room
[14:03:09] Roman Danyliw_web_758 joins the room
[14:03:10] Jonathan Hammell_web_931 joins the room
[14:03:13] Andrew S_web_990 joins the room
[14:03:41] Eliot Lear_web_706 joins the room
[14:04:07] Deb Cooley_web_113 leaves the room
[14:04:08] Jonathan Hammell_web_931 leaves the room
[14:04:08] Mike Ounsworth_web_189 leaves the room
[14:04:17] Deb Cooley_web_889 joins the room
[14:04:23] Mike Ounsworth_web_467 joins the room
[14:04:43] Hendrik Brockhaus_web_360 joins the room
[14:05:01] Ludovic Perret_web_621 leaves the room
[14:05:16] <Roman Danyliw_web_758> Reschedule; or send around a link to the slides again and everyone can walk through them on the local copy?
[14:05:30] Paolo Saviano_web_100 leaves the room
[14:05:31] Elena Lang_web_401 leaves the room
[14:05:32] <Roman Danyliw_web_758> I see the slides
[14:05:37] Elena Lang_web_333 joins the room
[14:05:37] Jonathan Hammell_web_491 joins the room
[14:06:26] Ludovic Perret_web_786 joins the room
[14:06:30] Ludovic Perret_web_786 leaves the room
[14:06:31] Ludovic Perret_web_539 joins the room
[14:06:44] Sean Turner_web_264 leaves the room
[14:06:57] Sean Turner_web_954 joins the room
[14:06:59] Uri Blumenthal_web_208 joins the room
[14:07:05] Ali Noman_web_583 joins the room
[14:07:51] Eliot Lear_web_706 leaves the room
[14:07:54] Uri Blumenthal_web_208 leaves the room
[14:08:04] Eliot Lear_web_178 joins the room
[14:08:26] Uri Blumenthal_web_391 joins the room
[14:08:51] Uri Blumenthal_web_391 leaves the room
[14:08:55] Uri Blumenthal_web_814 joins the room
[14:08:58] <Yoav Nir_web_191> Do we expect every one of a-h to end up as a separate RFC?
[14:10:15] <Tim Hollebeek_web_284> I have not heard that expectation
[14:10:33] <Tim Hollebeek_web_284> and it seems like an unhelpful restriction to me
[14:12:02] <Russ Housley_web_210> @Yoav: Maybe.  Depends on the way that thing actually progress
[14:14:52] <Jonathan Hammell_web_491> RFC 5990 (RSA KEM) uses KeyTransRecipientInfo.
[14:17:27] <Scott Fluhrer_web_944> I don't expect the parameters sets will be fully defined at the end of this year
[14:17:32] <Michael Jenkins_web_211> why all the fretting about algs? Isn't this task to design a framework for whatever the algs end up being?
[14:18:04] <Yoav Nir_web_191> It's not like *our* process doesn't take 1-2 years.
[14:18:37] <Roman Danyliw_web_758> The milestone is a marker we needed for chartering.  We can easily slip it.  We should not rush into even a -00 because the charter says "Oct 2021".
[14:29:04] <Roman Danyliw_web_758> Concur with Russ.  We should down-select on the approach and then ask CFRG.
[14:30:31] <Uri Blumenthal_web_814> Contrary to Scott, I do expect *some* parameter sets to be fully defined by the end of January. Maybe there'd be *new* sets later on, but they aren't supposed to invalidate or replace what will be published in Jan.
[14:32:12] <Roman Danyliw_web_758> I recommend that the WG at least agree on the broad strokes of the approach before adopting.
[14:33:54] <Markku-Juhani Saarinen_web_879> NSA has explicitly said no hybrid :)
[14:34:00] <Yoav Nir_web_191> @Uri: IETF documents typically don't describe algorithms or parameters in any great detail. It's mostly "use the foo algorithm with the bar parameter set as described in [some-external-document]"
We do define encoding, but for the most part, if we reference a NIST draft document and the document later changes, we should not need to change our draft.
[14:34:31] <Markku-Juhani Saarinen_web_879> So French certifications will require Hybrid perhaps, but NIAP explicitly no hybrid.
[14:35:31] <Yoav Nir_web_191> It takes a long time to get confident that a new algorithm is not vulnerable to classic attacks.
[14:38:18] <Uri Blumenthal_web_814> @Markku-Juhani, on Hybrid KE I have to reason to disagree with NSA - my analysis seems to concur with whatever they used to arrive at their conclusion.
[14:39:00] <Uri Blumenthal_web_814> @Yoav, NTRU KEM has been around for two decades, right? No classic attacks so far?
[14:39:04] <Markku-Juhani Saarinen_web_879> To clarify for wider public since there was a private question about this: The info on "PQ-CNSA" is from William Layton, tech director at a public talk in ICMC '21 two weeks agoi.
[14:40:14] <Sean Turner_web_954> Let's call it FRED :)
[14:40:15] <Markku-Juhani Saarinen_web_879> @yoav, there has been a ton of attacks on NTRU parameters from 2 decades ago.
[14:40:44] <Uri Blumenthal_web_814> @Markku-Juhani, do you have a reference (URL?) for that PQ-CNSA document? I'd like to see it, if possible.
[14:40:44] <Markku-Juhani Saarinen_web_879> sorry that was not to yoav but you know what I mean :)
[14:41:03] <Scott Fluhrer_web_944> There were a ton of attacks on the padding of NTRU (which they have addressed); I don't know if there were many parameter-set-specific attacks.
[14:41:20] <Uri Blumenthal_web_814> @Markku-Juhani :-)
[14:41:56] <Markku-Juhani Saarinen_web_879> scott, well they had things like power-of-two n for ntru, not anymore..
[14:43:15] <Uri Blumenthal_web_814> @Scott, if I understand correctly - the NTRU *algorithm* has been found solid, parameters were adjusted as experience grew, padding problem was discovered and remedied; currently NTRU with its published parameter sets is considered secure.
[14:43:30] <Markku-Juhani Saarinen_web_879> uri, icmc is a public conference but had a registration fee but I did live tweet it
[14:45:32] <Uri Blumenthal_web_814> @Markku-Juhani, thanks! I think I can get to it via MIT Libraries.
[14:46:00] <Markku-Juhani Saarinen_web_879> they said it takes 2 weeks to put the recorded talks online, so that should be pretty soon
[14:47:10] <Roman Danyliw_web_758> Sounds like we need to tee up a conversation again to compare and contrast
[14:47:15] <Uri Blumenthal_web_814> :thumbsup:
[14:48:24] <Jonathan Hammell_web_491> The certificate extensions were put in ITU-T X.509:2019.  X.510 defines an overarching protocol.
[14:49:00] Paolo Saviano_web_470 joins the room
[14:49:04] <Mike Ounsworth_web_467> Russ, can you mute yourself when not talking?
[14:49:51] Paolo Saviano_web_470 leaves the room
[14:50:44] <Uri Blumenthal_web_814> I just browsed through the slides @Markku-Juhani posted on Twitter. Overall, I concur - except for the hash-based signatures (IMHO, they may be more trouble management-wise than they're worth).
[14:53:19] <Jonathan Hammell_web_491> +1 Russ re separate documents
[14:57:16] <Eliot Lear_web_178> Are there specific applications driving all of these code paths that we can test?
[14:57:49] <Markku-Juhani Saarinen_web_879> On explicit parameter is the SHA-3 pre-padding used by signature algorithms (which are not hash-and-sign).
[14:59:00] <Markku-Juhani Saarinen_web_879> For example no has really discussed how one would perhaps use SHA-2 with post-quantum signatures.
[14:59:08] <Mike Ounsworth_web_467> LAMPS _does_ need to define algs for CMP, no?
[15:00:03] <Scott Fluhrer_web_944> @Markku Actually, Sphincs+ does specify SHA-256-based parameter sets
[15:00:08] Eliot Lear_web_178 leaves the room
[15:00:18] <Michael Jenkins_web_211> what was decided?
[15:00:32] <Michael Jenkins_web_211> oh. okay.
[15:00:58] <Hendrik Brockhaus_web_360> CMP should be capable to reuse the PKIX alg definitions
[15:01:00] <Markku-Juhani Saarinen_web_879> @scott  well yeah. I was thinking of the finalists. well, Rainbow uses SHA-2 in all kinds of weird and wonderful ways too :)
[15:01:30] <Roman Danyliw_web_758> This is a significant decision.  We're at time and should take this a list.
[15:02:32] <Yoav Nir_web_191> Flexibility is usually not a good thing for security. We (or someone else) should specify the pairs. Whether the format is one way or the other is less important.
[15:02:33] Deb Cooley_web_889 leaves the room
[15:02:43] Deb Cooley_web_379 joins the room
[15:03:16] <Mike Ounsworth_web_467> There are two different questions here:1. Do we want multi pub key format to be generic (algIDs specified at runtime) or Explicit (algIDs specified by OID).2. Should LAMPS specify pairs?
[15:03:29] <Yoav Nir_web_191> I can volunteer
[15:03:49] <Kris Kwiatkowski_web_649> With generic approach - who is going to decide if algorithm A must NOT be mixed with algorithm B. For example - ECDSA/512 shouldn't be mixed  with Falcon/512 to provide same security level
[15:04:18] <Mike Ounsworth_web_467> @Kris -- "not LAMPS" ;)
[15:04:24] <Scott Fluhrer_web_944> What does "security level" between classical and postquantum algorthms mean?
[15:06:01] <Scott Fluhrer_web_944> I personally can see ECDSA/512 (which is still fairly cheap, in terms of bandwidth) with Falcon/512 (which is considerably more expensive, and hence it makes sense to design considerably closer)
[15:06:22] Hendrik Brockhaus_web_360 leaves the room
[15:07:00] <Kris Kwiatkowski_web_649> well, yeah - ECDSA/256 is even better
[15:07:13] <Yoav Nir_web_191> If you spend $1,000,000 on your classical computer and $1,000,000 on your quantum computer, they should break the respective algorithms in a similar amount of time.
[15:07:42] <Markku-Juhani Saarinen_web_879> in 2089 dollars
[15:07:51] <Uri Blumenthal_web_814> @Yoav ???
[15:07:59] <Markku-Juhani Saarinen_web_879> joking sorry!
[15:08:07] <Yoav Nir_web_191> As am I
[15:08:23] <Kris Kwiatkowski_web_649> I think, my point is - I'm not sure allowing to freely choose pairs makes things easier.
[15:08:24] <Uri Blumenthal_web_814> @Markku-Juhani there's a lot of truth in your joke! ;)
[15:08:26] <Yoav Nir_web_191> Most "equivalent strength" definitions look something like that.
[15:09:34] Ludovic Perret_web_539 leaves the room
[15:09:38] Ludovic Perret_web_345 joins the room
[15:10:05] <Tim Hollebeek_web_284> avoiding pairs that have unnecessary common failure modes is not a bad idea
[15:10:21] <Sean Turner_web_954> Getting rid of a choice would be welcomed ;)
[15:10:27] <Tim Hollebeek_web_284> that too
[15:11:01] Sean Turner_web_954 leaves the room
[15:11:01] Roman Danyliw_web_758 leaves the room
[15:11:01] Tim Hollebeek_web_284 leaves the room
[15:11:02] <Quynh Dang_web_148> Thank you all.
[15:11:05] Jonathan Hammell_web_491 leaves the room
[15:11:07] Ludovic Perret_web_345 leaves the room
[15:11:16] Alison Becker_web_217 leaves the room
[15:11:16] Scott Fluhrer_web_944 leaves the room
[15:11:18] <Yoav Nir_web_191> Yeah.  Define two pairs, and then define a third one only if there's a deficiency in the two you already have.
[15:11:18] Kris Kwiatkowski_web_649 leaves the room
[15:11:21] PRAT Julien_web_966 leaves the room
[15:11:21] Serge Mister_web_223 leaves the room
[15:11:22] Leonie Bruckert_web_141 leaves the room
[15:11:22] Deb Cooley_web_379 leaves the room
[15:11:23] Mike Ounsworth_web_467 leaves the room
[15:11:24] Daniel Van Geest_web_785 leaves the room
[15:11:24] Ali Noman_web_583 leaves the room
[15:11:25] <Markku-Juhani Saarinen_web_879> thx! :wave:
[15:11:25] Andrew S_web_990 leaves the room
[15:11:25] Elena Lang_web_333 leaves the room
[15:11:29] Uri Blumenthal_web_814 leaves the room
[15:11:30] John Gray_web_800 leaves the room
[15:11:30] Antonio Vaira_web_860 leaves the room
[15:11:33] Markku-Juhani Saarinen_web_879 leaves the room
[15:11:34] Nicholas Gajcowski_web_889 leaves the room
[15:11:35] Russ Housley_web_210 leaves the room
[15:11:42] Quynh Dang_web_148 leaves the room
[15:11:42] Rebecca Guthrie_web_328 leaves the room
[15:11:45] Michael Jenkins_web_211 leaves the room
[15:11:49] David Cooper_web_363 leaves the room
[15:11:52] Yoav Nir_web_191 leaves the room
[15:29:22] Alessandro Amirante_web_538 leaves the room