[02:21:32] Daoquan joins the room
[02:36:18] Daoquan leaves the room
[03:35:47] sideshowbarker joins the room
[03:36:33] sideshowbarker leaves the room
[03:36:51] sideshowbarker joins the room
[04:27:26] sideshowbarker leaves the room
[04:33:52] Raman joins the room
[04:33:57] Raman leaves the room
[04:37:19] PHB joins the room
[04:37:47] Hello, anything happening?
[04:40:51] Raman joins the room
[04:41:56] tlyu joins the room
[04:42:33] Hey, is this local time?
[04:43:29] of coz
[04:43:49] Google thinks that it is 12:43 in Beijing,
[04:44:05] The Jabber log seems to be reporting 11:43
[04:44:11] There is a difference
[04:44:43] Of course it could just be that PSI or the Jabber server is set wrong
[04:45:35] Raman leaves the room
[04:49:22] Cullen joins the room
[04:51:18] Is anyone there in the room?
[04:59:15] I'm remote
[04:59:31] You hearing anything on the audio?
[05:01:38] yoav.nir joins the room
[05:02:16] i hear nothing on audio, just some background hiss.
[05:02:39] I'm not even hearing the background hiss
[05:02:51] I am not even hearing that, but I may have mucked up my audio
[05:03:10] I had the dalek voice synthesizer hooked up earlier
[05:03:25] i hear audio on some other streams
[05:04:27] Raman joins the room
[05:04:54] Same here.
[05:04:55] OK, tried Valley A and heard something, but nothing on Valley B
[05:05:20] audio is working for the codec meeting
[05:05:27] I just IM Joel
[05:05:57] Well audio SHOULD work for the codec meeting,
[05:06:07] If they can't work it...
[05:06:19] it's codec, not codec.dogfood...
[05:06:46] I don't know - they have not finished a codec yet so hard to imagine how they got it to work
[05:07:13] Min Huang joins the room
[05:09:24] I sent Joel IM but not sure if he got it or not
[05:09:38] Kepeng Li joins the room
[05:09:52] Ohhh hearing voices
[05:09:54] I also sent email to the NOC
[05:10:31] Geonung Kim joins the room
[05:10:36] You are?
[05:10:53] some more noise, with quiet random tones.
[05:11:02] They are only coming through in waves
[05:11:02] some noise
[05:11:14] Distant voices on the horizon
[05:11:23] I can't hear what they are saying
[05:11:32] I stopped and restarted and then I could hear
[05:11:35] Ah that is better
[05:11:36] ok now
[05:11:39] now i hear actual voices
[05:11:41] OK now
[05:11:51] Hyong-Jong Paik joins the room
[05:11:55] Andrew joins the room
[05:12:08] tanizawa joins the room
[05:12:18] bhoeneis joins the room
[05:12:24] Linyi Tian joins the room
[05:12:33] Paul Hoffman joins the room
[05:12:36] I am here!
[05:12:38] mlepinski joins the room
[05:12:40] =JeffH joins the room
[05:12:42] Barry Leiba joins the room
[05:12:45] Simon Perreault joins the room
[05:13:00] If you prefix comments with "mic:", I'll channel them in the room.
[05:13:07] Thanks Barry,
[05:13:26] sftcd joins the room
[05:13:37] Yes, thanks Barry. :-)
[05:13:37] Simon Perreault leaves the room
[05:13:42] simon.perreault joins the room
[05:13:53] yoiwa joins the room
[05:14:02] beautyminded joins the room
[05:14:03] Just as FYI, the jabber servers do not seem to be letting some people into the room
[05:14:03] beautyminded leaves the room
[05:14:08] jhildebr@cisco.com joins the room
[05:14:14] Dave Thaler joins the room
[05:14:23] stpeter joins the room
[05:14:52] beautyminded joins the room
[05:15:05] stpeter has set the subject to: WebSec WG | http://tools.ietf.org/wg/websec/
[05:17:41] Alissa Cooper joins the room
[05:17:59] richard joins the room
[05:18:14] tanizawa leaves the room
[05:18:47] Geonung Kim leaves the room
[05:19:42] tanizawa joins the room
[05:20:49] jhildebr@cisco.com is now known as hildjj
[05:25:57] =JeffH leaves the room
[05:26:04] g.e.montenegro joins the room
[05:26:31] audio is getting faint
[05:27:58] Can y'all hear the floor mikes?
[05:28:04] tlyu: did you hear Joe from the floor?
[05:28:12] hear Joe somewhat faintly
[05:28:21] not very clear
[05:28:23] kind of low SNR
[05:28:52] g.e.montenegro leaves the room
[05:29:12] julio joins the room
[05:29:26] Switching laptops.......
[05:29:59] Moving on.
[05:32:31] Did people hear Richard, or only Jeff's repeating?
[05:32:54] I heard Richard, somewhat less loud than Jeff
[05:33:16] One of the A/V guys went and told the secretariat.
[05:33:46] simon.perreault leaves the room
[05:33:47] unfortunately for me and everyone else, i think i'm proxying for ekr, since he can't join the chat room either.
[05:33:52] simon.perreault joins the room
[05:34:02] Ooh, loud!
[05:34:39] What if you have multiple keys per service?
[05:34:52] What if you are doing ECC and RSA in parallel?
[05:35:09] PHB: don't know, just doing this off the top of my head
[05:35:16] Please prefix with "mic:" if you want me to take it to the microphone.
[05:35:38] yoav: apparently the secret is to be really close to the mic
[05:35:48] Joe is clipping; not sure if that's better. would be more impressive at EKR speed.
[05:36:49] mlepinski leaves the room
[05:37:27] LimingWang joins the room
[05:38:54] mic: There are two ways to meet this requirement,
[05:39:07] mic: One is to tell clients only to trust certain certs
[05:39:26] mic: another is to tell CAs who is actually authorized to issue for a domain
[05:39:50] [I read the drafts, I have comments]
[05:39:59] PHB: Latter is useless, since CAs can do what they want
[05:40:34] Richard, they can do what they want, but if they are violating the audit standards we can dump their roots out of the browser for cause
[05:40:34] tanizawa leaves the room
[05:41:18] Ted joins the room
[05:41:36] PHB: I would rather rely on layer 4 than layer 9 for these sorts of things
[05:41:55] I would rather have both
[05:42:18] But I can deploy the CA version in the next 6 months and have some effect across every browser immediately
[05:42:31] =JeffH joins the room
[05:42:37] Which is what I am proposing in CABForum at the moment
[05:43:11] PHB: Why do you need a standard for that? Can't the CAs just have a "do not issue" registry where sites can list themselves in?
[05:43:31] g.e.montenegro joins the room
[05:43:32] richard: sure, it is called the DNS
[05:43:32] tanizawa joins the room
[05:44:16] PHB: Why futz with the DNS when you can just have, like a web form that a domain admin can fill out
[05:44:20] tanizawa leaves the room: Logged out
[05:44:30] tanizawa joins the room
[05:44:31] you don't need to authenticate ownership
[05:46:36] +1
[05:46:48] (That was to Paul's comment)
[05:46:50] spturner joins the room
[05:49:48] resnick joins the room
[05:50:43] sukmoonlee joins the room
[05:51:16] (Richard, because nobody would maintain them, and we would need a whole rack of practices to manage the system)
[05:51:51] hildjj leaves the room: Replaced by new connection.
[05:52:52] If you manage to get bad information into the DNS, you can have the DNS say that www.cnn.com is STS, whereas www.cnn.com has only HTTP, not HTTPS. Compliant clients will not be able to connect.
[05:53:16] Of course, if you can inject anything you want into the DNS, you can break CNN in other ways as well.
[05:53:23] jhildebr@cisco.com joins the room
[05:53:30] YATSUGATAKE joins the room
[05:53:46] YATSUGATAKE leaves the room
[05:53:52] jhildebr@cisco.com is now known as hildjj
[05:54:03] Martin J. Dürst joins the room
[05:54:08] tlyu leaves the room: Disconnected
[05:54:52] Andrew leaves the room
[05:54:55] tlyu joins the room
[05:55:13] mic: worse! I tell them you do only HTTPS, and make them unable to connect to your HTTP-only server
[05:55:35] Paul Hoffman leaves the room
[05:57:36] never mind. the context has expired
[05:58:00] I've sat and never minded.
[05:58:28] mic: HSTS gains you the ability to deploy right now and with a well defined set of security tools. DNS is going to depend on DNSSEC and in particular issues to do with the practices of DNS.
[05:59:08] mic: So I see a value in HSTS even though I have been working on using DNS for over a year.
[05:59:22] Alissa Cooper leaves the room
[05:59:48] PHB: some of us have been using DNS for more than a year! :)
[06:00:25] Linyi Tian leaves the room
[06:00:33] Andrew joins the room
[06:00:37] I just use a 4 GB /etc/hosts file
[06:00:42] since the mic line is closed: HSTS still offers value if not all users are being MITM'd - some will get the right stuff
[06:01:05] Richard: True, but I am a security guy and I am really cautious and risk averse
[06:01:24] PBH has been hand-coding hosts files for a loooong time.
[06:01:29] PHB has
[06:01:56] Linyi Tian joins the room
[06:02:39] I left the line, because we need to move on, but I'm worried that people are forgetting that DNSSEC _by design_ allows end clients to get DNSSEC from a recursive resolver.
[06:02:56] PHB has a 15GB hosts.txt
[06:02:57] Paul, please speak up (or get closer to the mic)!
[06:03:09] That might be a bad idea for this, but the current proposals seem to depend on validation on end clients
[06:03:13] and there is pressure against that.
[06:03:24] Not any more, I am no longer with VRSN
[06:03:27] martin: he's holding the lav mic. that seems to be the best that can be done
[06:03:40] Andrew: remind us what the rationale is for offloading validation to the resolver?
[06:04:01] Everybody was much less low-value
[06:04:10] Hyong-Jong Paik leaves the room
[06:04:10] ... and can't the host see the validation result in the AD flag?
[06:04:16] Having never registered my own domain, I don't know the answer to this. But with the cheap packages you get from ISPs, do they let you put anything you want in a DNS record? If we standardize some DNS record that says this server has STS, can I get it registered in DNS, if I'm not as big or as rich as paypal.com ? I can configure Apache to hand out any headers I want.
[06:04:21] (given that the resolver is already trusted)
[06:04:26] Martin J. Dürst: Paul is plenty loud in the room
[06:04:27] it's threefold: 1. easy deployment 2. caching efficiencies 3. put the expensive work up in the high-powered server and not on (say) your phone
[06:05:32] @yoav: I believe it varies by provider
[06:05:37] Many DNSSEC geeks think the AD bit is actually really for debugging. But anyway, you need to have a secure channel in the last hop or the AD bit doesn't help you. (This is a complication in the watch sense, but it needs to be remembered)
[06:05:56] I don't think anything is as bad as email as far as fuzzy semantics are concerned
[06:06:02] <=JeffH> or run a resolver locally
[06:07:25] I'll also remind people that if you were trying to use DNSSEC on your host in this hotel's network, it would always break
[06:07:26] Min Huang leaves the room
[06:07:31] it would be nice to have a solution for non-HTTP protocols as well.
[06:07:51] Paul Hoffman joins the room
[06:08:02] (None of this is a criticism of the DNS-based stuff. I like it. I just want people to be realistic about what work is involved.)
[06:08:07] hildjj: that might be a little unrealistic, given the variability in security mechanisms among applications
[06:08:14] what's the issue in this hotel's network?
[06:08:22] it lies to you
[06:08:36] how?
[06:08:56] richard: stamping those variations out is a good goal, when they vary for unimportant reasons.
[06:09:00] (someone reported needing their own DNS server when using their VPN, for instance. This is the classic DNS-interception-and-gives-wrong-answers)
[06:10:10] @richard: was that how for me?
[06:10:19] Min Huang joins the room
[06:10:30] Andrew: yes, but never mind
[06:10:39] https://datatracker.ietf.org/doc/draft-hallambaker-esrv/
[06:11:01] ok. Would it help if I sent an outline of how that kind of failure works to the list? We have some RFCs about this, but a quick outline is easy
[06:11:34] mic: Agree that we need both. Ubiquitous DNSSEC and support in all browsers is years away. No opinion about ESRV vs some new record, although ESRV might be easier to get your registrar to add.
[06:11:47] It was a security AD suggested that to me!
[06:11:49] Andrew: we can talk offline. don't know if other folks are interested
[06:11:53] ok
[06:12:08] <=JeffH> Andrew: wrt getting dnssec info to client over "last hop" -- Adam Langley (of chrome team) has some thoughts/code -- http://www.ietf.org/mail-archive/web/keyassure/current/msg00374.html
[06:12:26] <=JeffH> fyi
[06:12:57] Oh, right! Thanks for the reminder
[06:12:58] =JeffH: There's also this: https://addons.mozilla.org/en-US/firefox/addon/64247/
[06:13:13] (firefox add-on that does DNSSEC validation)
[06:13:21] <=JeffH> cool
[06:13:44] richard: but it doesn't do the validation itself :(
[06:13:45] but they had to build a whole DNS library into the extension to do it :/
[06:14:07] simon: now that you mention it, i remember that's right; i forgot :/
[06:14:15] never mind
[06:14:22] Richard, I once wrote an ASN.1 parser in javascript, DNS is easy in comparison
[06:14:25] Is it going into the regular FF or regular Chrome any time soon?
[06:14:40] yoav.nir: no, it's a dirty hack
[06:14:54] i've had some initial chats with the mozilla folks, but there's not any momentum in that direction
[06:15:17] So realistically, we need to wait for the OS to support DNSSEC
[06:15:27] beautyminded leaves the room
[06:17:01] Geonung Kim joins the room
[06:19:34] simon.perreault leaves the room
[06:23:05] simon.perreault joins the room
[06:27:34] Value suddenly much better, thanks!
[06:27:54] tidty joins the room
[06:28:43] tidty leaves the room
[06:29:00] These are actually Attributes that describe the Protocol Security Policy, they are not a Security Policy in themselves. The reason I raise this issue being that a lot of people have been impressing on me the undesirability of attempting to tackle the AI-complete problem of machine decidable security policy. We are not attempting anything difficult
[06:30:11] I am willing to write
[06:30:31] In fact I probably have much text written already.
[06:31:23] tidty joins the room
[06:31:52] Geonung Kim leaves the room
[06:32:36] tidty leaves the room
[06:36:21] glad to know i'm in so cool with Paul :)
[06:37:59] mic: I think the main difference between me and Paul is simply the specific plumbing we are embedded in.
[06:39:01] mic: I am heavily in DNS at the moment, I have a very good idea about the HTTP layer but that is not what I am focused on right now.
[06:39:46] Ted leaves the room
[06:39:56] Bye, all. Adjourned.
[06:40:00] Barry Leiba leaves the room
[06:40:39] Raman leaves the room
[06:40:53] tlyu leaves the room
[06:41:04] hildjj leaves the room: Disconnected.
[06:41:16] stpeter leaves the room: Disconnected: connection closed
[06:41:35] simon.perreault leaves the room
[06:42:02] Min Huang leaves the room
[06:42:15] LimingWang leaves the room
[06:42:25] bhoeneis leaves the room
[06:42:55] yoiwa leaves the room
[06:43:03] g.e.montenegro leaves the room
[06:43:05] sftcd leaves the room
[06:43:24] Paul Hoffman leaves the room
[06:43:38] tanizawa leaves the room
[06:43:45] Kepeng Li leaves the room
[06:44:08] richard leaves the room
[06:44:17] PHB leaves the room
[06:44:27] Cullen leaves the room
[06:44:54] Cullen joins the room
[06:44:56] julio leaves the room
[06:48:10] yoav.nir leaves the room
[06:49:26] Andrew leaves the room
[06:50:50] tidty joins the room
[06:50:54] tidty leaves the room
[06:51:36] =JeffH leaves the room
[06:57:14] exit
[06:57:19] spturner leaves the room
[06:58:02] sukmoonlee leaves the room
[06:59:33] resnick leaves the room
[07:03:21] Linyi Tian leaves the room
[07:07:02] Cullen leaves the room
[07:14:08] richard joins the room
[07:15:36] richard leaves the room
[07:18:56] Dave Thaler leaves the room
[07:19:27] Dave Thaler joins the room
[07:21:35] Paul Hoffman joins the room
[07:22:16] Dave Thaler leaves the room
[07:29:04] Linyi Tian joins the room
[07:34:46] stpeter joins the room
[07:37:18] jhildebr@cisco.com joins the room
[08:10:50] jhildebr@cisco.com leaves the room: Disconnected.
[08:25:07] bhoeneis joins the room
[08:36:58] Andrew joins the room
[08:37:10] Andrew leaves the room
[08:44:58] Paul Hoffman leaves the room
[09:27:42] stpeter leaves the room: Logged out
[09:32:42] Linyi Tian leaves the room
[09:32:57] bhoeneis leaves the room
[09:38:38] Linyi Tian joins the room
[09:42:38] Linyi Tian leaves the room
[10:22:17] Martin J. Dürst leaves the room
[13:44:19] bhoeneis joins the room
[13:44:58] bhoeneis leaves the room
[13:45:04] bhoeneis joins the room
[14:15:28] bhoeneis leaves the room
[14:17:29] bhoeneis joins the room
[14:18:28] bhoeneis leaves the room
[14:27:41] bhoeneis joins the room
[14:28:58] bhoeneis leaves the room
[14:30:11] bhoeneis joins the room
[14:30:58] bhoeneis leaves the room
[15:53:55] bhoeneis joins the room
[16:04:29] bhoeneis leaves the room
[16:04:49] bhoeneis joins the room