Re: [Crypto-panel] Request for review: OPAQUE
Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com> Tue, 12 September 2023 07:47 UTC
Return-Path: <jeanphilippe.aumasson@gmail.com>
X-Original-To: crypto-panel@ietfa.amsl.com
Delivered-To: crypto-panel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 01448C16B5C7 for <crypto-panel@ietfa.amsl.com>; Tue, 12 Sep 2023 00:47:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DOHBo8i3LVH9 for <crypto-panel@ietfa.amsl.com>; Tue, 12 Sep 2023 00:47:03 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F2C0C16B5CA for <crypto-panel@irtf.org>; Tue, 12 Sep 2023 00:47:03 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id 2adb3069b0e04-502a4f33440so5562122e87.1 for <crypto-panel@irtf.org>; Tue, 12 Sep 2023 00:47:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1694504822; x=1695109622; darn=irtf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=QBnDqYTjyzZl1hmB62WUEeZA4vmsYyL4NW55h3Y6ftQ=; b=szxY7d6UvHUAC4EHT9si5vPtb10cti4dVeQuN74bBw6lYauqYE7gU7z93PV8heXJ8i ps97GlF7bSVZ26YE8wCLGtd2XiIVmOxQ996KIFoQu4dIlZJAm8jNSJxt1gWskYbFNzC4 wvnbFEHgu9bisx2JwL4QZ1U2ns0SkjPITayto51G6LHPwgYI+Fsk6cdGDh5BQGR/XLTn o1dK9Sq/RDxsKcz1BSyfv0rVpTYlRn9+tj984mNoQZhPyC/RB/QS1foy8IIxeivudAUO QT6sp2zi9/OSGqGDiWdV19LCsrFBCOs3twOqNiezlfwUf4btiZVCiKSeu+XlqSE4XqzP SCfw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694504822; x=1695109622; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=QBnDqYTjyzZl1hmB62WUEeZA4vmsYyL4NW55h3Y6ftQ=; b=T2hV/Rv9C5r9tYzqqGVXx2a8FKBV1lblkQ4zNk34Eg7dmLNGtThOHRM1ODhFK42Iek InpFoWy6vAa4W9B3G5odc5ry3aBW1DTF2uG/SOBywVWvurrRuJ60fmcblK6SnU8rzqQy Oaz1qALH5Rs5C8ju8tEi6rPD4BBnGUuqzk9TfUggmKZine50rh1pi9yNOxt0ebj+PzIl TKxmQ5HrPdy0Tz3tOKfOv3LaqrpBZgMWJtmTSEH+px8CtcetVLar7IMz1ULBelOWAUGH B5qcx8nPBJW/bqW3VrX3Nz1svwsSSf9t1Ak9YS1TTU3XkkH0RnPbAQA3t3IwWsJ+Z3ge pDpg==
X-Gm-Message-State: AOJu0YxUcin05WwTWNyVDP3ABH09yII+IGk6gw39UWot2JJW2mIxmIRs LREu+TE1ATOGhUBauBG97GGHaxJts+Nmlwge66Y=
X-Google-Smtp-Source: AGHT+IGTIe3aqo88vR3ltIwAQitpmX5sIYC9i3khvRX8Fo0LM4HChC7mKQguE5wzjB5+VkahtmujLQkaUCdOn/p0d/U=
X-Received: by 2002:ac2:4c48:0:b0:500:c765:bbe with SMTP id o8-20020ac24c48000000b00500c7650bbemr11677470lfk.0.1694504821274; Tue, 12 Sep 2023 00:47:01 -0700 (PDT)
MIME-Version: 1.0
References: <CAMr0u6mQXUk+DiJpKg1vLYMrPw_eMMH_Y0ohLLZU_gGEo7A-jA@mail.gmail.com> <CAGiyFdfsgzd8S4X+ZcnuF0+=A77oQ5iTM33uwb8Qj3v9eHaSzw@mail.gmail.com> <CAMr0u6kxifRMmKHykb+ucGCL1vnOU+6jvdM+-SU_ChRM4Cmq8A@mail.gmail.com> <CAL+7JtQdThQtL99OVqBGHAwPvJaJruTs4tQf+x=buwf4xetNXA@mail.gmail.com> <CAMr0u6=zB_B83x8+RRQERwbmYnTY-6guBYS9T7Hm8FS2umVrfQ@mail.gmail.com> <CAMr0u6kUwP4FQmoFY=grVzpSaKuoKCRG=NWTxSSBFV-V52SeGg@mail.gmail.com> <CH0PR11MB54442C12AA045EA05CDE1D29C11EA@CH0PR11MB5444.namprd11.prod.outlook.com> <CH0PR11MB5444D78CB5932C783941D2ADC1E8A@CH0PR11MB5444.namprd11.prod.outlook.com> <CACitvs86GmqxudApcwCc=XLRfgAm_Tu0BB2u9-UtGZ6OvA5kfg@mail.gmail.com> <CAGiyFdf=jM9Nah1KHN1vQ0T3b+uF0Ddv5YycLJFqGDgMnCWNxw@mail.gmail.com> <CACitvs9nxMwu6XHyWOM_NsaAC_2TVmbKmx3VT2dwWmjn_sW8jw@mail.gmail.com>
In-Reply-To: <CACitvs9nxMwu6XHyWOM_NsaAC_2TVmbKmx3VT2dwWmjn_sW8jw@mail.gmail.com>
From: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
Date: Tue, 12 Sep 2023 09:46:43 +0200
Message-ID: <CAGiyFdfMvZOx4+g-+28y8M1oZV5NXMLu7d+xZ-X1gRjdTW4q-w@mail.gmail.com>
To: Kevin Lewi <klewi@cs.stanford.edu>
Cc: Bjoern Tackmann <bjoern.tackmann@ieee.org>, Chloe Martindale <chloemartindale@gmail.com>, Christopher Wood <caw@heapingbits.net>, Julia Hesse <juliahesse2@gmail.com>, Julia Hesse <jhs@zurich.ibm.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer@cisco.com>, "Scott Fluhrer (sfluhrer)" <sfluhrer=40cisco.com@dmarc.ietf.org>, "Stanislav V. Smyshlyaev" <smyshsv@gmail.com>, cfrg@ietf.org, "cfrg-chairs@ietf.org" <cfrg-chairs@ietf.org>, "crypto-panel@irtf.org" <crypto-panel@irtf.org>, "draft-irtf-cfrg-opaque@ietf.org" <draft-irtf-cfrg-opaque@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f13d53060524a5d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/crypto-panel/ncXqkf40cifQrjRbbSMyzOIsIZE>
X-Mailman-Approved-At: Tue, 12 Sep 2023 08:49:34 -0700
Subject: Re: [Crypto-panel] Request for review: OPAQUE
X-BeenThere: crypto-panel@irtf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Crypto Review Panel review coordination <crypto-panel.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/crypto-panel/>
List-Post: <mailto:crypto-panel@irtf.org>
List-Help: <mailto:crypto-panel-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/crypto-panel>, <mailto:crypto-panel-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Sep 2023 07:47:06 -0000
Thanks Kevin for taking the time to respond to my comments, I reviewed the PR and the changes look good to me. On Mon 11 Sep 2023 at 23:55 Kevin Lewi <klewi@cs.stanford.edu> wrote: > Thanks JP for the review! I went through with the edits you suggested, > and they are incorporated in this PR: > https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/422 > > Here are my responses, inline: > > On Sun, Sep 10, 2023 at 1:27 AM Jean-Philippe Aumasson < > jeanphilippe.aumasson@gmail.com> wrote: > >> Please find my comments below. I could not spend as much time as I >> probably should have for a comprehensive, detailed review (approx. 2 >> hours), but I hope this will be helpful nonetheless. I apologize in advance >> if some of these points have already been discussed and resolved. >> >> # 2.1 >> >> "SerializeElement(element): Map input element to a fixed-length byte >> array buf." >> >> Is it necessary and IETF-standard to name the output value variable? >> This function's output is later assigned to other variables such as >> "blinded_message = SerializeElement(blinded_element)" (5.2.1) >> > > Thanks, good catch, removed the "buf" from the sentence. > > >> >> >> # 2.2 >> >> Not really expecting this to be revised, but mentioning it FTR: >> >> The Expand()/Extract() API is specific to HKDF, and not a standard >> crypto primitive API. This precludes the (direct) use of other KDFs than >> HKDF. It might have been more "inclusive" to use standard KDF or XOF >> APIs. >> > >> > >> >> "a collision-resistant Message Authentication Code (MAC)" >> This is not a cryptographically standard security notion, as a MAC's >> security goal is unforgeability. If some collision resistance is >> additionally required, it should be specified that we're talking (I >> suppose) of collisions with a same secret key. >> Also, these combined requirements will imply in practice the use of a >> PRF, so it might be simpler to require a PRF and restrict its output >> size to greater than some security bound. >> > > Thanks for bringing this up as well. Actually, after some comments from > Hugo Krawczyk, we are changing this to require: "random key robust" instead > of "collision-resistant" MAC. Additionally, we are adding the following > definition for a random key robust MAC, under the Security Considerations > section: > > "The random-key robustness property is only needed for the MAC function: > the > property being that, given two random keys k1 and k2, it is infeasible > to find a > message m such that MAC(k1, m) = MAC(k2, m)." > > Changes are on github here (search for "random key robust"): > https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/419 > > >> # 3 >> >> nit: the "authenticated key exchange" is mentioned, and then 3.1 refers >> to it as the "AKE", but it may not be obvious to all readers that it's >> the "authenticated key exchange". Suggested change: "authenticated key >> exchange (AKE)" in 3. >> > > 👍 > > >> >> # 3.1 >> >> "chooses a seed (oprf_seed) of Nh bytes for the OPRF": >> Is this consistent with earlier statement "all random nonces and seeds >> used in these dependencies and the rest of the OPAQUE protocol are of >> length Nn and Nseed bytes, respectively, where Nn = Nseed = 32."? >> >> Maybe mention earlier that Nn = Nseed = Nh = 32? >> >> > For SHA512 outputs, Nh = 64, whereas for SHA256, Nh = 32. So, Nh would be > an instance of the exception "*Unless said otherwise*, all random nonces > and seeds..." > > >> >> # 3.2 >> >> For the avoidance of doubt, it may be added that "export_key" is a >> symmetric key, not a public key or a private key. >> > > Added this text: "The client output of this stage is a single value > `export_key` that the client may use for application-specific purposes, > e.g., *as a symmetric key* used to encrypt..." > > >> # 4 >> >> This section was not clear to me: >> it starts by introducing the concept of Envelope structured, then says >> "The following types of application credential information are >> considered", from which a reader might understand "are part of the >> Envelope" or "may be part of the Envelope". >> Right after that, the text says "These credential values are used in the >> CleartextCredentials", when in fact it's only 3 out of the 5 values. >> > > I see 👍. To help make things clearer, I changed the text to say, "*A > subset of* these credential values are used in ..." > > >> >> # 4.1.1 >> >> "nonce: A unique nonce" >> It may be specified that it is unique with respect to the set of users >> of a given application (and set of parameters thereof) >> >> Wouldn't it be safer to "bind" values derived from the nonce to the >> server's identity/publickey? In that case, the nonce should be unique >> only per server, rather than per application parameters. >> But maybe that's on purpose, to allow the use of the same nonce with >> multiple servers? >> > > Hmm. This nonce is meant to be sampled randomly upon each envelope > creation (based on the line `envelope_nonce = random(Nn)`). So actually, we > do not want this nonce to ever be reused. Perhaps it would help to clarify > that this nonce is "randomly-sampled" instead of just saying "unique > nonce"? I amended the text to read: "nonce: A randomly-sampled nonce ..." > in hopes of clearing up this confusion. > > >> >> >> # 4.1.3 >> >> " If !ct_equal(envelope.auth_tag, expected_tag) >> raise EnvelopeRecoveryError" >> >> We may add that, in such a case, all the previously computed >> values/key/credentials must be discarded/deleted. >> > > Added the text: "In the case of `EnvelopeRecoveryError` being raised, all > previously-computed intermediary values in this function MUST be deleted." > > >> >> # 5.2.1 >> >> "password, an opaque byte string" >> >> The definition of an opaque string in this context seems necessary, as >> it may confuse readers (e.g., as related to opaque types). >> >> > Indeed what we mean here by "opaque byte string" is: a string of bytes of > unspecified format. Perhaps @Christopher Wood <caw@heapingbits.net> can > chime in on this for suggestions on how we can clarify, as I was assuming > it is the unambiguous terminology for these sorts of things :) > > >> # 6.3.2.2 >> >> "It is RECOMMENDED that a fake client record is created once (e.g. as >> the first user record of the application) and stored alongside >> legitimate client records. This allows servers to locate the record in >> a time comparable to that of a legitimate client record." >> >> This part wasn't clear to me first (regarding the purpose "to locate"). >> It may be clarified that storing such fake record (or, even better, many >> such records and pick a random one) saves the cost/time of computing >> one, thus avoiding potential timing side channels. >> > > I clarified by rephrasing the words "to locate" to "to retrieve". > > >> >> # 7 >> >> "is 128-bits" -> "is 128 bits" (or "is 128-bit"). >> >> It may be added that the recommended configurations target 128-bit >> security. >> > > Thanks, also added after the configurations, the sentence: "The above > recommended configurations target 128-bit security." > > >> # 10 >> >> Totally trivial and obvious, but shouldn't the security considerations >> mention somewhere the risk of weak/short passwords? >> Here of maybe in section 5 (Offline Registation) >> > > > Added a sentence at the end of the "## Password Salt and Storage > Implications" section: > > "In general, passwords should be selected with sufficient entropy to avoid > being susceptible to recovery through dictionary attacks, both online and > offline." > > >> >> >> On Fri, Sep 8, 2023 at 1:22 AM Kevin Lewi <klewi@cs.stanford.edu> wrote: >> >>> Hi Scott, >>> >>> Replies inline: >>> >>> >>>> >>>> >>>> - The draft mentions that it supports multiple AKE and OPRF >>>> algorithms, and that the server may want to select between them (based on >>>> hardware support). However, the client initiates the transaction, and the >>>> generation of the KE1 message would appear to require knowledge of the OPRF >>>> used; how does the client know this? Is it communicated out-of-band (say, >>>> in the DNS record)? Is there expected to be a preliminary (outside the >>>> protocol) phase where the client asks the server? Or, does the client take >>>> a guess and if the server doesn’t support that, it informs the client of >>>> the one it does expect (and if so, from the KE1 message, how does the >>>> server know which one the client guessed)? I couldn’t find any discussion >>>> of such issue in the draft, and I don’t believe it would serve the >>>> implementors right by having them try to figure this out for themselves. >>>> - This question comes up because one scenario I envision for >>>> Opaque is “the user has a PC (or tablet or phone) which might not be the PC >>>> he registered with, and wants to log into the server using his password. >>>> The PC has no stored information about the server” – how does this work? >>>> >>>> >>> IMO this is outside of the scope of the protocol and the draft. In the >>> Protocol Overview section, under Setup, we say "Prior to both stages, the >>> client and server agree on a configuration that fully specifies the >>> cryptographic algorithm dependencies necessary to run the protocol; see >>> {{configurations}} for details." In the past we discussed this and decided >>> to leave it up to the implementers, primarily because there are many ways >>> this negotiation could happen in practice, and if we pick one format, it >>> may be suitable for some but not for others. >>> >>> >>>> >>>> - The draft includes support for Ristretto, which is itself >>>> currently a CFRG draft. Is it expected that Ristretto will become an RFC >>>> before this does? >>>> >>>> >>> Yes. We also have a dependency on voprf, which itself has a dependency >>> on Ristretto anyways. >>> >>> >>>> >>>> - At one point, the draft uses “RFCXXXX” as a protocol identifier >>>> in the preamble; is that expected to be replaced by the assigned RFC >>>> number? If so, I would suggest you add instructions to the RFC editors to >>>> that effect. >>>> >>>> >>> Done! Put up a PR for this change: >>> https://github.com/cfrg/draft-irtf-cfrg-opaque/pull/420 >>> >>> >>>> >>>> - >>>> - Question about 4.1.2: if the DeriveDiffieHellmanKeyPair has a >>>> nonzero (but low) failure rate, why doesn’t the Store functionality retry >>>> it internally, rather than asking for the server application to perform >>>> that logic? Of course, this would need to include some sanity limit (to >>>> prevent a bogus input from causing an infinite loop); IMHO, this is >>>> something that the application shouldn’t be tasked with. >>>> >>>> >>> The failure scenario for DeriveDiffieHellmanKeyPair comes from voprf's >>> "DeriveKeyPair" function: >>> https://www.ietf.org/archive/id/draft-irtf-cfrg-voprf-21.html#section-3.2.1 >>> which already does the retry logic that you are describing before raising >>> the error. Presumably it would be unnecessary for us to introduce yet >>> another layer of a retry loop in DeriveDiffieHellmanKeyPair, no? >>> >>> Thanks for the comments! >>> >>> On Tue, Sep 5, 2023 at 10:59 AM Scott Fluhrer (sfluhrer) < >>> sfluhrer@cisco.com> wrote: >>> >>>> Here is my review of the latest Opaque draft: >>>> >>>> >>>> >>>> It looks pretty good; I do have a few questions and nits: >>>> >>>> >>>> >>>> - The draft mentions that it supports multiple AKE and OPRF >>>> algorithms, and that the server may want to select between them (based on >>>> hardware support). However, the client initiates the transaction, and the >>>> generation of the KE1 message would appear to require knowledge of the OPRF >>>> used; how does the client know this? Is it communicated out-of-band (say, >>>> in the DNS record)? Is there expected to be a preliminary (outside the >>>> protocol) phase where the client asks the server? Or, does the client take >>>> a guess and if the server doesn’t support that, it informs the client of >>>> the one it does expect (and if so, from the KE1 message, how does the >>>> server know which one the client guessed)? I couldn’t find any discussion >>>> of such issue in the draft, and I don’t believe it would serve the >>>> implementors right by having them try to figure this out for themselves. >>>> - This question comes up because one scenario I envision for >>>> Opaque is “the user has a PC (or tablet or phone) which might not be the PC >>>> he registered with, and wants to log into the server using his password. >>>> The PC has no stored information about the server” – how does this work? >>>> - The draft includes support for Ristretto, which is itself >>>> currently a CFRG draft. Is it expected that Ristretto will become an RFC >>>> before this does? >>>> - At one point, the draft uses “RFCXXXX” as a protocol identifier >>>> in the preamble; is that expected to be replaced by the assigned RFC >>>> number? If so, I would suggest you add instructions to the RFC editors to >>>> that effect. >>>> - Question about 4.1.2: if the DeriveDiffieHellmanKeyPair has a >>>> nonzero (but low) failure rate, why doesn’t the Store functionality retry >>>> it internally, rather than asking for the server application to perform >>>> that logic? Of course, this would need to include some sanity limit (to >>>> prevent a bogus input from causing an infinite loop); IMHO, this is >>>> something that the application shouldn’t be tasked with. >>>> >>>> >>>> >>>> >>>> >>>>
- [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Jean-Philippe Aumasson
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Chloe Martindale
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Jean-Philippe Aumasson
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Julia Hesse
- Re: [Crypto-panel] Request for review: OPAQUE Scott Fluhrer (sfluhrer)
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Jean-Philippe Aumasson
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Scott Fluhrer (sfluhrer)
- Re: [Crypto-panel] Request for review: OPAQUE Kevin Lewi
- Re: [Crypto-panel] Request for review: OPAQUE Jean-Philippe Aumasson
- Re: [Crypto-panel] Request for review: OPAQUE Kevin Lewi
- Re: [Crypto-panel] Request for review: OPAQUE Jean-Philippe Aumasson
- Re: [Crypto-panel] Request for review: OPAQUE Julia Hesse
- Re: [Crypto-panel] Request for review: OPAQUE Kevin Lewi
- Re: [Crypto-panel] [CFRG] Request for review: OPA… stef
- Re: [Crypto-panel] [CFRG] Request for review: OPA… Scott Fluhrer (sfluhrer)
- Re: [Crypto-panel] [CFRG] Request for review: OPA… stef
- Re: [Crypto-panel] [CFRG] Request for review: OPA… Chloe Martindale
- Re: [Crypto-panel] [CFRG] Request for review: OPA… Kevin Lewi
- Re: [Crypto-panel] [CFRG] Request for review: OPA… Hugo Krawczyk
- Re: [Crypto-panel] [CFRG] Request for review: OPA… Eric Rescorla
- Re: [Crypto-panel] Request for review: OPAQUE Julia Hesse
- Re: [Crypto-panel] [CFRG] Request for review: OPA… Hugo Krawczyk
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Julia Hesse
- Re: [Crypto-panel] Request for review: OPAQUE Stanislav V. Smyshlyaev
- Re: [Crypto-panel] Request for review: OPAQUE Kevin Lewi
- Re: [Crypto-panel] Request for review: OPAQUE Julia Hesse
- Re: [Crypto-panel] Request for review: OPAQUE Russ Housley
- Re: [Crypto-panel] [CFRG] Request for review: OPA… Björn Haase
- Re: [Crypto-panel] Request for review: OPAQUE Kevin Lewi
- Re: [Crypto-panel] Request for review: OPAQUE Chloe Martindale
- Re: [Crypto-panel] Request for review: OPAQUE Kevin Lewi
- Re: [Crypto-panel] Request for review: OPAQUE Chloe Martindale