IETF Logo Mail Archive

Re: [Lake] January lake wg virtual interim webex details

Göran Selander <goran.selander@ericsson.com> Thu, 09 January 2020 14:20 UTC

Return-Path: <goran.selander@ericsson.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 94E111200B9 for <lake@ietfa.amsl.com>; Thu, 9 Jan 2020 06:20:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bPpRYaHCOLMq for <lake@ietfa.amsl.com>; Thu, 9 Jan 2020 06:20:06 -0800 (PST)
Received: from EUR05-VI1-obe.outbound.protection.outlook.com (mail-vi1eur05on2060b.outbound.protection.outlook.com [IPv6:2a01:111:f400:7d00::60b]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DB080120824 for <lake@ietf.org>; Thu, 9 Jan 2020 06:20:05 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eqvsFkM7DIDAjv5CGQAjguL2+XboEIh+tM/Ebl2QUL+cVqPbMzahe/LKfOFDOT7ftiRxq2IzedfN2fBnc4tSu2WTdY4ooUq19VVywIVIfqNvx7vqiZ/HmbgJi/dloCNFGYA6uKu24JH3JHKtzkMTDAydns2xEzwssCE9RECgm1w47QN8a12UpRCuqBhq2oimMUj0aZqR6+moOZ4ntHH0uLLCsRH7Oma1IyZFFPwxpgRmigFqLxUXy9+PqXVG4V2BpcmX60JQ0/RX3jDO4hKyyjfKODuZToFTV/XmPKghpDqQJi+Tp+vwWmMhuE4vsjWXuqkgYsfNhjxf0A2GoyHllA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CoIOLj8wUlNteB3tlhrvM4GxTLK3DxJL4pDyMD2VzPs=; b=cCrkhrpUTgOxRizWJZzIRezDGY0uNgO+hcAjpF0trBhszObS4m0pLge3SZPzQ2jPiNV7LT7lUGwYy/pjF5U+tzF26JxIaagJevJnH0yDomqZU/X+QhEUzvKt7FSkDowxxwbHvJg17tuHIZDW82bnY/0aTviCqYcEuKzYxCwf8lL0EPo1RPlweC+IQsn7XCTH9XNr1lkFULRm+BMzkhgArJL+/E5lNqi6ZvhX4SzMJGKUukgyUnBe+5QBEivhxFMPIZWuI6d+zpVd0iTeVS2fCfFIMxjt41FKk68vjeTUCW6MJmmYmEHXbuAXzA5XVXAADgSWvGNyW4MmRBrvmpD3hg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=CoIOLj8wUlNteB3tlhrvM4GxTLK3DxJL4pDyMD2VzPs=; b=UXDzdfJcRA/SPhAZQJA12aiskdZXPhpNFwCUlvnp5uufIl+S/+pKz1FjjPViFDo+DIU2yV0UVRZ+iGw4Sq+whLR8kE3VFggg2vay0/Q/yqPyooxSZll8YTuP2JkTKLzHB+n1yGfYxQTW75M50Xzx3yEY6qiAjh+9p/XPko9h93Q=
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com (20.176.163.140) by HE1PR07MB3353.eurprd07.prod.outlook.com (10.170.244.29) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.6; Thu, 9 Jan 2020 14:20:03 +0000
Received: from HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::538:4bc2:5936:6252]) by HE1PR07MB4172.eurprd07.prod.outlook.com ([fe80::538:4bc2:5936:6252%3]) with mapi id 15.20.2644.006; Thu, 9 Jan 2020 14:20:02 +0000
From: Göran Selander <goran.selander@ericsson.com>
To: Eric Rescorla <ekr@rtfm.com>
CC: "lake@ietf.org" <lake@ietf.org>, Stephen Farrell <stephen.farrell@cs.tcd.ie>
Thread-Topic: [Lake] January lake wg virtual interim webex details
Thread-Index: AQHVtRn8YVwfhvlN10qeZvLsfFU506fDLTMAgAyyFQCAErcKAA==
Date: Thu, 09 Jan 2020 14:20:02 +0000
Message-ID: <4DF53144-9195-42F1-8BB1-2F968A0894A2@ericsson.com>
References: <4cb9f698-d7b6-2f5d-c853-1679ea6ddd8f@cs.tcd.ie> <3d77de35-8a6a-82ee-bb05-4de0e716d731@cs.tcd.ie> <34e0d061-e826-6c9d-6fee-3ea81915fedb@cs.tcd.ie> <D0083AF6-A7E4-4E00-90A2-E4E38C269C12@ericsson.com> <CABcZeBNBGLFt8ns1chCiKuYH_4CYJj+32hSH2wu1PrFS1iPcww@mail.gmail.com>
In-Reply-To: <CABcZeBNBGLFt8ns1chCiKuYH_4CYJj+32hSH2wu1PrFS1iPcww@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.20.0.191208
authentication-results: spf=none (sender IP is ) smtp.mailfrom=goran.selander@ericsson.com;
x-originating-ip: [192.176.1.87]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 0462b84f-245c-44fd-74af-08d7950f048b
x-ms-traffictypediagnostic: HE1PR07MB3353:
x-microsoft-antispam-prvs: <HE1PR07MB3353F3772EEDC6929EBA1034F4390@HE1PR07MB3353.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 02778BF158
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(39860400002)(396003)(376002)(346002)(199004)(189003)(71200400001)(66946007)(45080400002)(66446008)(4326008)(64756008)(4001150100001)(5660300002)(6486002)(81166006)(81156014)(8936002)(6512007)(8676002)(91956017)(66476007)(66556008)(76116006)(66574012)(26005)(186003)(33656002)(2906002)(54906003)(85182001)(316002)(2616005)(30864003)(6506007)(53546011)(86362001)(478600001)(6916009)(36756003)(16799955002)(85202003)(966005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR07MB3353; H:HE1PR07MB4172.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9T92K1CnIErgGNx6jR0fkNlN0O/C07VT6GXCNcbg/IetvhJgZBezWXA7rurNBYo5yGAlDzhaIJPNVOnjf+vV28Xv2I291wPgaQwkCN0D8c6ojapFQLuUiTaujUS90h/1PeuMGzAhUhM/n30xJHBmwrdEcm0dOtOtNUrf4/N+elOv/WnA1u7lT7XQVaZNTotMuM2MubykOwEsuus2lDSdJ5BQL1N+W/XLXSVWRpCfpXZ8sX+zyoNifV3pbxnMCIZ8WaOv4IzY/wwSUgtDQ6IwNdgS1Wiah51+xJvDRcnzSzrSaueLo+f59WFe4OfIuj4MPxwIV+StgiYDW7pSBvkfreLEKigY8T/tS/pskxFd0qwrtEmfVQC6m5G+TXQA8Br5dtE/MAKcPnMJLFnQdKwzsbPNKQyexqL7tzA2CxL9XxU8UmABpu/mSsRu5rMvgv/8SB9SAo/TsQbYr346pqbfdwrX/9NMVHi4u6WSTa7mZ1FwEsUMyxC1reMrUBMLQ0qPaSIt35/AWdeW0/l4KutzIQ==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_4DF53144919542F18BB12F968A0894A2ericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0462b84f-245c-44fd-74af-08d7950f048b
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jan 2020 14:20:02.8051 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: qrX/fiM9qVHcEa3K2wDXoi//LwdSKjGz6UoJefyO2zqB5SnTIrpwFrNjuT+oNjWW1G+pteW+V0vXOLxgh3HidD/vbuu0SkselfJJ/4wBlqs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3353
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/3vdbLt0uSqZMxHN_JNI6vDqksPc>
Subject: Re: [Lake] January lake wg virtual interim webex details
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Jan 2020 14:20:11 -0000

Ekr,

Thanks, comments inline.

From: Eric Rescorla <ekr@rtfm.com>
Date: Saturday, 28 December 2019 at 18:33
To: Göran Selander <goran.selander@ericsson.com>
Cc: Stephen Farrell <stephen.farrell@cs.tcd.ie>, "lake@ietf.org" <lake@ietf.org>
Subject: Re: [Lake] January lake wg virtual interim webex details

Goran

Thanks for posting this. Some thoughts below.

> 1. Public key credentials
>
> Both public key certificates and raw public keys need to be
> supported. Certificates are needed for generic zero-touch
> deployment. Raw public key is a significant message size optimization
> if the public key is already trusted. Two different public key types
> have been discussed: public signature keys and static Diffie-Hellmann
> keys. In the latter case signatures are replaced with MACs leading to
> a significant reduction of message size. Hence static DH keys are
> desirable to support.
>
> Working assumption: support for signature based and static DH based
> authentication.

Yes, I think I agree with this, but as soon as you introduce
this much flexibility, we have to ask whether it's negotiable
or whether you just assume that the RP will support whatever
the AP wants to offer. My sense is that negotiable is actually
required in at least some cases, but maybe others feel
differently.


GS: Agree about negotiation. Responder needs to be able to verify which method is being used.


> 2. Mixed credentials
>
> Mixed credentials, one party certificate and the other RPK, are
> motivated by a use case. Because of 1 we also need to support mixed
> types of public key credentials.
>
> Working assumption: support for mixed signature and static DH based
> authentication.

Agreed.



> 3. PFS against compromise of which key material?
>
> Examples:
>     - protection against the loss of long-term keys at the initiator
>     - protection against the loss of long-term keys at the responder
>     - protection against the loss of ephemeral keys
>     - protection against a bad RNG at initiator or responder
>
> Working assumptions:
>     - Protection against loss of long-term keys at initiator and responder.
>     - Protection against bad RNG using randomness improvements such as
>       draft-irtf-cfrg-randomness-improvements and analogously for
>       symmetric keys

Agreed.


> 4. Number of round trips/messages and frame sizes
>
> Mutual authentication requires at least 3 AKE messages. In radio
> technologies such as 6TiSCH and LoRaWAN performance is affected by AKE
> messages fitting into radio frames. The amount of data available for
> AKE messages is not fixed but depend on radio configuration such as
> scattering factors, data rates, number of hops etc.
>
>     - The AKE could be spread out over 4 messages of smaller size
>       (compare SIGMA-I and SIGMA-R). In principle, for certain AKE
>       message sizes and radio configuration, the number of radio
>       frames could be smaller with 4 AKE messages instead of 3. In
>       practice, the number of radio frames may be either smaller or
>       larger with 4 AKE messages instead of 3.
>
>     - With 3 AKE messages, the OSCORE request may be sent together
>       with AKE message 3 resulting in 1 round trip before sending
>       encrypted traffic data. If the AKE has 4 messages, then the
>       protocol is never 1 RTT before traffic data, which increases the
>       time for completing the protocol.
>
>     - Experience from IKE shows that 4 messages are preferred for
>       unreliable transport such as UDP. For LAKE, however, we assume
>       transport over CoAP or other reliable transport.
>
> Working assumption: The AKE shall have 3 messages.

It's probably useful to distinguish *messages* from *flights*. I agree
that we want three flights, but it seems clear that for some radio
technologies, it's not possible to get a full signature-based
exchange in three frames, so there needs to be fragmentation
somewhere. The question then becomes where that fragmentation
should happen and whether the AKE should be aware of it. That
seems like a more complicated question, especially with very
small frame sizes.

GS: I didn’t understand the difference. Current terminology is in terms of “messages” (AKE units) and “frames”/”packets” (radio layer units). We want to minimize the number of radio layer units needed, but technology, regulations, configuration, etc. affect the size of the radio layer units. As you say, the AKE message may be fragmented by lower layers, but I don’t think we can require that the AKE layer to be aware or have any control of that. What we can do in design time is to keep the AKE units small and few so that the number of frames/packets are in general few, and optimal when the radio layer so permits. We can use “flight” instead of “message” to describe the AKE unit but I don’t see how that makes a difference. Perhaps I misunderstood?


> 5. Number of round trips/messages and identity protection
>
> What identifying information shall be protected against what
> adversaries? As much as possible of the identifying information should
> be protected, but protecting all identifying information has impact on
> the properties, in particular number of messages/round trips.
>
>     - Encrypting PSK identity with DH shared secret protects against
>       passive network adversaries, but does not allow authentication
>       of responder within 3 messages
>
>     - Encrypting crypto algorithms does not allow negotiation of
>       cipher suite within 3 messages
>
>    - Encryption of connection identifier only works in asymmetric case
>      and does not results in arbitrarily short identifiers
>
>  Working assumption: The following data need not be encrypted:
>     - PSK identifier
>     - cipher suite
>     - connection identifier

Agreed.


> 6. Application data
>
> Applications may want to transport application data within the AKE to
> reduce round trips and number of messages.
>
> Working assumptions:
>    - The protection properties of the application data provided by the
>      AKE depends on which protocol message (see Section 2.6 of [00])
>
>    - The application data must not violate the AKE security
>      properties. The assumptions on the application data needs to be
>      detailed by the specification.

Hmm.. Maybe. I think this gets back to the question of messages
versus flights. I agree that you want to be able to send application
messages in the same flight as AKE messages, but "within the AKE"
seems too strong, and would violate key separation.

GS: Right, the formulation “within the AKE” is not optimal, we should change that. What is meant is in the same message/flight as the AKE message, i.e. together with the AKE message. Now key separation impacts the message size, so there is a tradeoff to make here. It would be good to list what kind of key separation is actually important. Separation between flights/messages, separation between traffic data and session resumption, they both seems relevant. But it was not clear to us that the attack surface is expanded in any significant way with using a separate key for one flight and the kind of application data we expect to be used in this flight like an access token, authorization voucher, etc.  One interesting comparison is with certificates, would you require a separate key to encrypt the authentication certificate in the AKE?


> 7. PAKE support
>
> LAKE is focused on the setting of low latency, large number of
> devices, automated deployment, e.g. industrial IoT. The use of
> passwords has not been requested in this context.
>
> Working assumption: PAKEs are out of scope for this version

Agreed.


> 8. PQC support
>
> There are currently no standardized PQC key exchange algorithms.
>
> Working assumption: PQC is out of scope for this version

Well, sort of. It would be bad if we couldn't easily add PQC,
but I agree we don't need to standardize it now.

GS: I think we agree on this. PQC signatures should be straightforward to add, but less clear what change a PQC key exchange would require. Also, that would probably not be suitable for the most constrained setting.


> 9. Selfie attack
>
> The protocol is assumed to be two-party PSK, i.e. need not protect
> against attacks when more than two parties share keys.
>
> Working assumption: The AKE need to protect against reflection attacks
> but need not protect against attacks when more than two parties
> legitimately share keys.

Agreed on the second point. I'm not yet sure if we need internal
anti-reflection mechanisms or just key role sepatation.

GS: The intention with “the AKE need to protect against reflection attacks” was as a high level requirement without go into the solution space. Key role separation is one solution. Can we formulate the requirement better?



> 10. Extensibility
>
> By supporting COSE, the AKE supports new algorithms, new certificate
> formats, ways to identify credentials, etc. The AKE may need to
> support new AKE methods, e.g. to later add PAKE support. Since
> simplicity is one objective with this work, care needs to be taken to
> avoid extensions working against this.

I'm not sure I understand what this means in practice.

GS: This was an attempt to say that there is a trade-off between extensibility and complexity. Future extensions may have different objectives, but the current version of the protocol must not become heavy just to incorporate a generic extension mechanism. Other formulations are welcome.


> 11. Support for different MACs in AKE and OSCORE
>
> Longer MAC length for AKE than OSCORE may give better security
> properties.
>
> Working assumption: The AKE shall support different AEAD/MAC
> algorithms for OSCORE and AKE

This seems unnecessarily concrete. I tend to think we want to uplevel
the question and ask what the security requirements for the AKE are as
compared to the transport (OSCORE). This pulls in questions of key
separation, strength of the handshake integrity check, etc., but
it's not limited to OSCORE MAC.

GS: This is a good discussion point for the interim. OSCORE needs AEAD, HKDF, Master Secret, Master Salt and Connection IDs. The potential relationship/independence between these and those of the AKE are relevant to document. Was this what you were thinking of?

Göran




On Fri, Dec 20, 2019 at 6:39 AM Göran Selander <goran.selander=40ericsson.com@dmarc.ietf.org<mailto:40ericsson.com@dmarc.ietf.org>> wrote:
Hi,

To stimulate further discussion, here are some things that have been discussed and are addressed in latest version of the requirements draft [00].


1. Public key credentials

Both public key certificates and raw public keys need to be supported. Certificates are needed for generic zero-touch deployment. Raw public key is a significant message size optimization if the public key is already trusted. Two different public key types have been discussed: public signature keys and static Diffie-Hellmann keys. In the latter case signatures are replaced with MACs leading to a significant reduction of message size. Hence static DH keys are desirable to support.

Working assumption: support for signature based and static DH based authentication.


2. Mixed credentials

Mixed credentials, one party certificate and the other RPK, are motivated by a use case. Because of 1 we also need to support mixed types of public key credentials.

Working assumption: support for mixed signature and static DH based authentication.



3. PFS against compromise of which key material?

Examples:
    - protection against the loss of long-term keys at the initiator
    - protection against the loss of long-term keys at the responder
    - protection against the loss of ephemeral keys
    - protection against a bad RNG at initiator or responder

Working assumptions:
    - Protection against loss of long-term keys at initiator and responder.
    - Protection against bad RNG using randomness improvements such as draft-irtf-cfrg-randomness-improvements and analogously for symmetric keys


4. Number of round trips/messages and frame sizes

Mutual authentication requires at least 3 AKE messages. In radio technologies such as 6TiSCH and LoRaWAN performance is affected by AKE messages fitting into radio frames. The amount of data available for AKE messages is not fixed but depend on radio configuration such as scattering factors, data rates, number of hops etc.

    - The AKE could be spread out over 4 messages of smaller size (compare SIGMA-I and SIGMA-R). In principle, for certain AKE message sizes and radio configuration, the number of radio frames could be smaller with 4 AKE messages instead of 3. In practice, the number of radio frames may be either smaller or larger with 4 AKE messages instead of 3.

    - With 3 AKE messages, the OSCORE request may be sent together with AKE message 3 resulting in 1 round trip before sending encrypted traffic data. If the AKE has 4 messages, then the protocol is never 1 RTT before traffic data, which increases the time for completing the protocol.

    - Experience from IKE shows that 4 messages are preferred for unreliable transport such as UDP. For LAKE, however, we assume transport over CoAP or other reliable transport.

Working assumption: The AKE shall have 3 messages.


5. Number of round trips/messages and identity protection

What identifying information shall be protected against what adversaries? As much as possible of the identifying information should be protected, but protecting all identifying information has impact on the properties, in particular number of messages/round trips.

    - Encrypting PSK identity with DH shared secret protects against passive network adversaries, but does not allow authentication of responder within 3 messages

    - Encrypting crypto algorithms does not allow negotiation of cipher suite within 3 messages

   - Encryption of connection identifier only works in asymmetric case and does not results in arbitrarily short identifiers

 Working assumption: The following data need not be encrypted:
    - PSK identifier
    - cipher suite
    - connection identifier


6. Application data

Applications may want to transport application data within the AKE to reduce round trips and number of messages.

Working assumptions:
   - The protection properties of the application data provided by the AKE depends on which protocol message (see Section 2.6 of [00])
   - The application data must not violate the AKE security properties. The assumptions on the application data needs to be detailed by the specification.



7. PAKE support

LAKE is focused on the setting of low latency, large number of devices, automated deployment, e.g. industrial IoT. The use of passwords has not been requested in this context.

Working assumption: PAKEs are out of scope for this version


8. PQC support

There are currently no standardized PQC key exchange algorithms.

Working assumption: PQC is out of scope for this version



9. Selfie attack

The protocol is assumed to be two-party PSK, i.e. need not protect against attacks when more than two parties share keys.

Working assumption: The AKE need to protect against reflection attacks but need not protect against attacks when more than two parties legitimately share keys.



10. Extensibility

By supporting COSE, the AKE supports new algorithms, new certificate formats, ways to identify credentials, etc. The AKE may need to support new AKE methods, e.g. to later add PAKE support. Since simplicity is one objective with this work, care needs to be taken to avoid extensions working against this.


11. Support for different MACs in AKE and OSCORE

Longer MAC length for AKE than OSCORE may give better security properties.

Working assumption: The AKE shall support different AEAD/MAC algorithms for OSCORE and AKE



[00] https://tools.ietf.org/html/draft-ietf-lake-reqs-00




On 2019-12-17, 21:38, "Lake on behalf of Stephen Farrell" <lake-bounces@ietf.org<mailto:lake-bounces@ietf.org> on behalf of stephen.farrell@cs.tcd.ie<mailto:stephen.farrell@cs.tcd.ie>> wrote:


    Hiya,

    Thanks all, I've scheduled meetings for:

    - Jan 16th 1600 UTC, and
    - Jan 23rd 1600 UTC.

    I've requested 2 hour slots for both but we might
    not need that long, we'll see closer to time.

    Webex stuff below.

    We can sort out agenda early in Jan and also figure
    out if we only need one of those two meetings as
    well, and which to keep if one's enough. It'd be
    great if people can raise issues on the list (or
    in github and then the list) between now and the
    new year to help with agendising and figuring out
    who really needs to be on the call.

    Cheers,
    S.

    PS: In case someone wonders: The 23rd has one more
    person who can attend, (10 vs. 11) but I figure it's
    better to schedule both for the moment as chances are
    someone's availability will change between now and
    then in any case;-)


    LAKE WG invites you to join this Webex meeting.


    Lake virtual interim
    Occurs every Thursday effective Thursday, January 16, 2020 until
    Thursday, January 23, 2020 from 4:00 PM to 6:00 PM, (UTC+00:00) Dublin,
    Edinburgh, Lisbon, London
    4:00 pm  |  (UTC+00:00) Dublin, Edinburgh, Lisbon, London  |  2 hrs
    Meeting number (access code): 645 835 024
    Meeting password: C4j4PgDJ



    When it's time, join the meeting.
    https://ietf..webex.com/ietf/j.php?MTID=ma39f9f8ea114844f79e2c962c6efdd52<https://ietf.webex.com/ietf/j.php?MTID=ma39f9f8ea114844f79e2c962c6efdd52>

    Add to Calendar
    https://ietf..webex.com/ietf/j.php?MTID=m31715fa29e54db30d0d7ce118716a7c0<https://ietf.webex.com/ietf/j.php?MTID=m31715fa29e54db30d0d7ce118716a7c0>




    JOIN BY PHONE
    1-650-479-3208 Call-in toll number (US/Canada)
    Tap here to call (mobile phones only, hosts not supported):
    tel:%2B1-650-479-3208,,*01*645835024%23%23*01*
    1-877-668-4493 Call-in toll free number (US/Canada)
    Tap here to call (mobile phones only, hosts not supported):
    tel:1-877-668-4493,,*01*645835024%23%23*01*

    Global call-in numbers
    https://ietf.webex.com/ietf/globalcallin.php?MTID=mb28c544358b89779e001306dfd4fb04e

    Toll-free calling restrictions
    https://www.webex.com/pdf/tollfree_restrictions.pdf


    JOIN FROM A VIDEO SYSTEM OR APPLICATION
    Dial sip:645835024@ietf.webex.com<mailto:sip%3A645835024@ietf.webex.com>
    You can also dial 173.243.2.68 and enter your meeting number.


    Join using Microsoft Lync or Microsoft Skype for Business
    Dial sip:645835024.ietf@lync.webex.com<mailto:sip%3A645835024.ietf@lync.webex.com>


    Can't join the meeting?
    https://collaborationhelp.cisco.com/article/WBX000029055




    On 16/12/2019 11:46, Stephen Farrell wrote:
    >
    > Reminder:
    >
    > On 10/12/2019 21:17, Stephen Farrell wrote:
    >> Please fill in the poll before the end of Dec 16th so we can pick a
    >> time before the holidays.
    >
    > As of now, [1] it's looking like Thu Jan 16 1600 UTC is winning. If
    > that doesn't change by tomorrow I'll setup a webex thing for then,
    > and maybe a backup one for the same time the following week, in case
    > we run out of time or just like chatting a lot:-)
    >
    > Cheers, S.
    >
    > [1] https://dudle.inf.tu-dresden.de/dip-in-the-lake/
    >
    >


--
Lake mailing list
Lake@ietf.org<mailto:Lake@ietf.org>
https://www.ietf.org/mailman/listinfo/lake

v2.23.0 | Report a Bug | By Email