Re: [Tigress] Sketching a simple design
Eric Rescorla <ekr@rtfm.com> Tue, 15 August 2023 12:24 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tigress@ietfa.amsl.com
Delivered-To: tigress@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9370DC151548 for <tigress@ietfa.amsl.com>; Tue, 15 Aug 2023 05:24:21 -0700 (PDT)
X-Quarantine-ID: <K2GRuYJVTTjg>
X-Virus-Scanned: amavisd-new at amsl.com
X-Amavis-Alert: BANNED, message contains application/octet-stream,.dat,favicon.ico
X-Spam-Flag: NO
X-Spam-Score: -5.894
X-Spam-Level:
X-Spam-Status: No, score=-5.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DOTGOV_IMAGE=1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20221208.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K2GRuYJVTTjg for <tigress@ietfa.amsl.com>; Tue, 15 Aug 2023 05:24:17 -0700 (PDT)
Received: from mail-yb1-xb2e.google.com (mail-yb1-xb2e.google.com [IPv6:2607:f8b0:4864:20::b2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17F02C14CF18 for <tigress@ietf.org>; Tue, 15 Aug 2023 05:24:17 -0700 (PDT)
Received: by mail-yb1-xb2e.google.com with SMTP id 3f1490d57ef6-d659ad4af70so4644814276.1 for <tigress@ietf.org>; Tue, 15 Aug 2023 05:24:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20221208.gappssmtp.com; s=20221208; t=1692102256; x=1692707056; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HBztr3tycDvcuwRt4hV4+pptfT+66z+1x8USO72ajQo=; b=32YWUdgKEf32SJdYAU19+I7y83wbzMdE+zeSj5OFozIMZfGpxhMr450tz7aIQ9dTRa Day/2/0asUXbrM3+7xnXtCr5jZynp9amC3cuBkQESr6arSEQmG5pOZfyha+5PrwbIjOV Tmd06A1KrLfXonDOObbF6aqqsX/gZqOmHXIyLCadJOkRaBzMr1BSUQ3BnMUUUv8qX5BY j2sQbSBnO9Vhsgy8Jo3SWGDOyDKAfnAK9aSNkrPpoXlTCR+Ow/s11eRGmpivJr4vyWLx s/nc4mgJuZ67ms7Y4ys8P0a1/y9GtNj+Qe9b+dACXKlp4njU+YGDCsfWb8QuN7OSu/NN YADw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692102256; x=1692707056; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HBztr3tycDvcuwRt4hV4+pptfT+66z+1x8USO72ajQo=; b=a8X2Zs7PJI7dHRrseSSFKEi38Yc5tnwh48aRYqFm5MD8v5t9H7egJiB1tHkuzYpelQ JCljDSE8qOjxpm/zLNQZTVS+gIGPDFRDufYK6Temy6J0EgUaTzQAmPJhaviYsL9VARLS xD6DrZvypKn5aiGEVWrVDj5ZJnn09gCmW7oKi9vd5AZBnLlfV9MASX3gFjxsvnblZobZ rAIccPc8qVejthajb1gtRH7Avip+kWjGpGXrxmlrFFNXcOSoSEp0uaQXVvHPJbbdG50D ZNfFvyri00e8uv0l0UewAVIQVrMqmRDONdaXg7yI9zbPK6R2vzJXdgERVr9dAljbhHvQ XLfw==
X-Gm-Message-State: AOJu0Yy9EDqkaeiTVnPD4hhbijZRWlT9DHBPkUaJw6WPFeFeTempP8H4 aBU8n5J5kEjrsrUw+s9cGnubr6uTe/KgGb6+PHZ+/ETXYkype897
X-Google-Smtp-Source: AGHT+IEhGQF1IYelAIIHJzju/Iv64EyTtYZECHVdtrnp3aMMpXz6pU4wulW9Pt5qJadywwuRrxPiU15gjjLpGSA4D7s=
X-Received: by 2002:a25:ad65:0:b0:d0c:110b:2f1a with SMTP id l37-20020a25ad65000000b00d0c110b2f1amr16125609ybe.54.1692102255839; Tue, 15 Aug 2023 05:24:15 -0700 (PDT)
MIME-Version: 1.0
References: <43DADE5A-4557-462F-AB68-F8B1761AAB31@apple.com> <0A5DC1A2-EEEF-4C93-9AC5-C1BBC84C36B8@heapingbits.net> <BF7DB124-C231-48E0-8345-2FC44954A927@apple.com>
In-Reply-To: <BF7DB124-C231-48E0-8345-2FC44954A927@apple.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 15 Aug 2023 05:23:38 -0700
Message-ID: <CABcZeBNVAE5nHrqHAnwyEavsa+rjExKLqbC6pb6V7-DA8s=ewA@mail.gmail.com>
To: Yogesh Karandikar <ykarandikar@apple.com>
Cc: Christopher Wood <caw@heapingbits.net>, tigress@ietf.org
Content-Type: multipart/related; boundary="000000000000e2d4b90602f5419c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tigress/QFyXDwOF1oEeyWn3P-8B3HbtDWA>
Subject: Re: [Tigress] Sketching a simple design
X-BeenThere: tigress@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Transfer dIGital cREdentialS Securely <tigress.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tigress>, <mailto:tigress-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tigress/>
List-Post: <mailto:tigress@ietf.org>
List-Help: <mailto:tigress-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tigress>, <mailto:tigress-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Aug 2023 12:24:21 -0000
On Mon, Aug 14, 2023 at 11:19 PM Yogesh Karandikar <ykarandikar@apple.com> wrote: > Hi Chris, > > > On Aug 14, 2023, at 3:02 PM, Christopher Wood <caw@heapingbits.net> wrote: > > Hi Yogesh, > > On Aug 14, 2023, at 4:35 PM, Yogesh Karandikar <ykarandikar= > 40apple.com@dmarc.ietf.org> wrote: > > Hi Eric, > > Please see replies inline. > > Thanks, > Yogesh > > > On Aug 11, 2023, at 7:04 PM, Eric Rescorla <ekr@rtfm.com> wrote: > > Yogesh, > > I attempted to address a number of these points in the message you are > responding to, but perhaps not clearly enough, so let me try again. > > > > Hi Eric, Dmitry and Brad, > > > > Thanks for kicking off this conversation. > > > > The solution that Eric (ekr) has proposed is elegant and simple. It > > relies on the assumption that R is secret. > > > > If R is not secret, then an attacker can easily modify or delete R.1, > > R.2 etc. > > > > Unfortunately secrecy of R can not be assumed. > > > > The extra layer that Brad discussed in his side conversation seems > > like a variant of Device Claim from draft-art-tigress. > > > > As Brad pointed out, it’s good that various potential solutions are > > headed in same direction. > > > > Coming back to the secrecy of R in invitation, we have tried to > > capture that requirement in the text ekr quoted. > > > > > An invitation for a shared credential transfer, sent to the > Receiver > > > device shall be a self-contained and self-sufficient data > (e.g. token, > > > URL, or QR code) allowing a user of the Receiver device to > start a > > > process of transferring and adding a new credential. Such > invitation > > > should be allowed to be sent over any generic communication > channel > > > (e.g. sms, email, NFC). > > > > Example of sms implicitly hints that the invitation is sent over > > non-secure channel. But it does not explicitly spell it out. > > Indeed it does not. We routinely treat SMS and email as secure > channels (e.g., for 2FA or account recovery). Of course, their > security properties are far from ideal, but they're also fairly > far from just posting the message publicly. > > > > Perhaps it might be worth discussing the requirement in detail. > > Yes, I think the WG should discuss this requirement, as it seems clear > that there's not agreement on this point and at least I didn't even > understand that some people thought this text had this implication. > > > > Thanks for pointing it out. We’ll certainly address this with a PR to the > requirements document. > > > > I’ll try to describe the requirements in a use case format. > > > > - PersonA has a credential for AccessPointA. > > - PersonA should be able to share that credential to anyone. > > - They should be able to post an invitation at a town square to share > > it. That invitation can look like this: > > "Invitation to get credential for AccessPointA. It’s present at > > mailbox address R. First person to act will get the shared > > credential.” > > - If PersonY is the first person to reach the mailbox R, only PersonY > > gets that credential. Also nobody else is able to thwart the sharing > > process by modifying or deleting any messages in the exchange. > > > > Thoughts? Suggestion? Questions? > > I would make several points. First, ignoring how this is implemented, > this seems like an extremely bad set of properties, in that they > create a race condition between the receiver of the credential and the > attacker. We should expect the attacker to win a significant number of > those races, with the result that not only is he able to disrupt the > transfer of the credential, he actually ends up with it. That doesn't > > seem like a secure system and I don't think the IETF should > standardize that. > > > Being able to deliver the invitation to intended recipient securely is the > ideal property. > > But we can *not* make assumptions about identity of the recipient or > security of OutOfBand channel that carries the invitation. (From Tigress > perspective the channel that carries the invitation is the OOB channel). > E.g. Email is one such OOB channel. I can hope that this email lands in > the mailbox of intended recipients and no-one else has access to its > contents. But I can’t be sure of that. > > We are just trying to acknowledge the limitations of the current methods > to deliver the invitation. > > I’m not sure if the probability that the invitation gets securely > delivered to intended recipient will ever reach 100%. > > We still need a Tigress channel to complete the exchange after the > invitation is delivered and acted upon by the recipient. > > > I can’t speak for Eric, but I think what he’s saying is that these > non-secure channels are consistently used for second factor authentication > mechanisms all the time. For example, they deliver one-time codes or > password reset secrets fairly regularly. I just used a password reset email > today, in fact! > > > Just trying to establish a baseline here. > > We have some consensus that certain channels like SMS are not considered > secure. Right? > > There is plenty of research about vulnerabilities where an attacker can > easily get SMS intended for someone else. > > I found couple of interesting articles in a few minutes of searching : > > > Security Analysis of SMS as a Second Factor of Authentication - ACM Queue > <https://queue.acm.org/detail.cfm?id=3425909> > queue.acm.org <https://queue.acm.org/detail.cfm?id=3425909> > [image: favicon.ico] <https://queue.acm.org/detail.cfm?id=3425909> > <https://queue.acm.org/detail.cfm?id=3425909> > > Bolstering Data Privacy and Mobile Security: An Assessment of IMSI Catcher > Threats > <https://www.nist.gov/speech-testimony/bolstering-data-privacy-and-mobile-security-assessment-imsi-catcher-threats> > nist.gov > <https://www.nist.gov/speech-testimony/bolstering-data-privacy-and-mobile-security-assessment-imsi-catcher-threats> > [image: favicon.ico] > <https://www.nist.gov/speech-testimony/bolstering-data-privacy-and-mobile-security-assessment-imsi-catcher-threats> > <https://www.nist.gov/speech-testimony/bolstering-data-privacy-and-mobile-security-assessment-imsi-catcher-threats> > > > > > I don’t see a technical reason as to why the Tigress use case is unique > and these channels cannot work for similarly sensitive secrets, such as > those proposed in Eric’s solution sketch. And given that it greatly > simplifies the design space here, I’d like to see us pursue that option. > > > The non-secure channels are used for delivering a second factor. Also > typically the OTP is only valid for a few seconds (enough time for > legitimate user to enter it but not enough for attacker to use it). > > Can we safely assume that the 2FA over non-secure channels is considered > acceptable for a few seconds? > > For Tigress, we want to acknowledge that the channels are non-secure. Yet, > we want to let people use those channels. Because what happens after using > those channels is expected to be secure. Also note that the after is the > Tigress domain. > > > The solution that Eric has proposed is simple and elegant. But it relies > on the assumption that the mailbox address (R) is secret. > > That solution does not work when the channel used to deliver the R can not > keep the R secret. > Yogesh, Putting aside the security properties of SMS for a second, I've already explained twice, first in my original message, and then in my response to you yesterday, how my design can provide the at-most-once semantics you are asking for. I would appreciate it if you would address that (perhaps by explaining why I'm wrong) rather than just continuing to assert that it doesn't. -Ekr > > Thanks, > Yogesh > > > Best, > Chris > > > > > > > > > > > > Second, as I indicated in my response to Dmitry, although the basic > scheme I described does not provide these "at-most-once" properties, > later in my message I do describe an enhancement which is intended to > provide them, under the heading "Restricting the exchange to two > participants". Briefly, the idea is that the Sender's initial message > contains an additional secret X1 which is used along with R to > generate the address of the receiver's response. The receiver deletes > the sender's message after reading it, with the result that any > subsequent participant is unable to generate the appropriate return > address. It's of course possible I've missed something and this > doesn't work. The cookie system designed in Brad's message also seems > like it would address this issue, and IMO it's a lot simpler than > adopting all of the machinery in draft-art-tigress. > > > Both of those approaches can work but they essentially shift the work of > Req-ConnectionIntegrity into the protocol that is going to use the Tigress > channel. > > Those protocols are defined out of scope of IETF and could chose whatever > X1 and PseudoRandom functions. They could even define a completely > different approach if they wish. > > That increases the complexity of clients trying to implement the > credential transfer solutions. The client has to implement n different > methods for Req-connectionIntegrity to support n different verticals. > > Whereas draft-art-tigress handles that complexity and provides a simple > channel interface for clients. > > As an implementer, I would prefer the Tigress channel to handle the > complexity and provide Req-ConnectionIntegrity. > > > > Note that AFAIK none of these approaches prevents the race condition I > alluded to above, which is why I still think it's necessary to assume > R is secret or to have some other piece of secret material shared > between sender and receiver. However, it does provide security againt > subsequent leaks of R. > > -Ekr > > P.S. Whatever you are doing when you respond seems to be be breaking > threading, at least in gmail. Are other recipients having this issue? > > > > > > > > > > > > > > > On Fri, Aug 11, 2023 at 9:03 PM Yogesh Karandikar <ykarandikar= > 40apple.com@dmarc.ietf.org> wrote: > >> Hi Eric, Dmitry and Brad, >> >> Thanks for kicking off this conversation. >> >> >> The solution that Eric (ekr) has proposed is elegant and simple. It >> relies on the assumption that R is secret. >> >> If R is not secret, then an attacker can easily modify or delete R.1, R.2 >> etc. >> >> Unfortunately secrecy of R can not be assumed. >> >> The extra layer that Brad discussed in his side conversation seems like a >> variant of Device Claim from draft-art-tigress. >> >> As Brad pointed out, it’s good that various potential solutions are >> headed in same direction. >> >> Coming back to the secrecy of R in invitation, we have tried to capture >> that requirement in the text ekr quoted. >> >> An invitation for a shared credential transfer, sent to the Receiver >>> device shall be a self-contained and self-sufficient data (e.g. >>> token, >>> URL, or QR code) allowing a user of the Receiver device to start a >>> process of transferring and adding a new credential. Such invitation >>> should be allowed to be sent over any generic communication channel >>> (e.g. sms, email, NFC). >>> >> >> Example of sms implicitly hints that the invitation is sent over >> non-secure channel. But it does not explicitly spell it out. >> >> Perhaps it might be worth discussing the requirement in detail. >> >> I’ll try to describe the requirements in a use case format. >> >> - PersonA has a credential for AccessPointA. >> - PersonA should be able to share that credential to anyone. >> - They should be able to post an invitation at a town square to share it. >> That invitation can look like this: >> "Invitation to get credential for AccessPointA. It’s present at >> mailbox address R. First person to act will get the shared credential.” >> - If PersonY is the first person to reach the mailbox R, only PersonY >> gets that credential. Also nobody else is able to thwart the sharing >> process by modifying or deleting any messages in the exchange. >> >> >> Thoughts? Suggestion? Questions? >> >> Thanks, >> Yogesh >> >> >> >> >> >> >> >> >> *From: *Brad Lassey <lassey@google.com> >> *Subject: **Re: [Tigress] Sketching a simple design* >> *Date: *August 8, 2023 at 2:33:25 PM PDT >> *To: *Eric Rescorla <ekr@rtfm.com> >> *Cc: *Dmitry Vinokurov <dvinokurov=40apple.com@dmarc.ietf.org>, >> tigress@ietf.org >> >> >> On Tue, Aug 8, 2023 at 8:52 AM Eric Rescorla <ekr@rtfm.com> wrote: >> >>> > Hi Erik, >>> >>> Eric. >>> >>> >>> > One potential but rather low risk is that R generated by a client >>> > (collision risk) vs R generated by server - if implemented properly on >>> > server, there is less chance of collision. >>> >>> R obviously has to be of sufficient size, but assuming it is (say 256 >>> bits) then the chance of collision is vanishingly small. >>> >>> We routinely assume that randomly generated values of sufficient size >>> do not have collisions in situations where the results will be far >>> more serious if they do, so I don't think this is a realistic >>> objection. >>> >>> >>> > Tigress requirements document doesn't mandate that the invitation URL >>> > be sent over secure channel. Therefore we have to operate under >>> > assumption that the channel may be insecure - such as SMS/ email; >>> > hence, the invitition URL - e.g. https://<server>/R can be intercepted >>> > (or mistakenly sent to a wrong receiver) - which is accepted and known >>> > risk. >>> > >>> > This is identified as a high risk in the Threat model >>> > document. Tigress proposes to mitigate this risk with the secret sent >>> > out of band and additional second factor (verification code). >>> >>> It's unfortunate that the requirements are so unclear on this topic, >>> as I had understood from previous conversations that we *were* >>> assuming the integrity of the channel. I would note that the document >>> tend to support this and are at best ambiguous. >>> >>> From Section 9 of the Requirements Document: >>> >>> An invitation for a shared credential transfer, sent to the Receiver >>> device shall be a self-contained and self-sufficient data (e.g. >>> token, >>> URL, or QR code) allowing a user of the Receiver device to start a >>> process of transferring and adding a new credential. Such invitation >>> should be allowed to be sent over any generic communication channel >>> (e.g. sms, email, NFC). >>> >>> >>> And S 5.2.2 of the threat model: >>> >>> Solution should require an end-to-end encrypted messaging channel >>> or otherwise specify a way to send a secret out of band. >>> >>> Moreover, if your concern is that the URL will be compromised and >>> everything is protected by some short code, then we have other >>> problems. So, I think we probably should discuss the threat model >>> some more. >>> >>> >>> > Therefore, we assume that we can not guarantee that the communication >>> > via intermediate server is completely secure, but we want the protocol >>> > to guarantee that once the first receiving device starts the transfer >>> > flow, it can successfully complete it (first come first served >>> > approach that I mentioned in IETF 117 Tigress session). The content >>> > of the data stored in the shared resource (aka mailbox) should't be >>> > spoiled or deleted before the transfer completion >>> > (Req-ConnectionIntegrity). >>> > >>> > Going back to the proposed protocol - knowing the R, malicious actor >>> > can overwrite R, R.1, R.2 with harmful code (e.g. cat pictures, virus, >>> > spam information, ads) or just delete R, R.1, R.2 etc. There is a >>> > chance that this might happen just by mistake, not with harmful >>> > intent. In any case, this breaks the (Req-ConnectionIntegrity). >>> >>> This is correct for the basic protocol but I believe not for the one I >>> describe later in the message under the heading "Restricting the >>> exchange to two participants". >>> >>> >>> > If we say that we want to delegate this responsibility to the client >>> > protocol, we also need to define an additional protocol for the >>> > communication between sender and receiver clients. I don't really see >>> > any benefits in adding a second protocol for the clients if this can >>> > be addressed in a single server protocol with resource locking between >>> > just 2 clients. I think that the fact that a off-the-shelf webserver, >>> > supporting WebDav can work for resource sharing, can't meet our >>> > security requirements (and hence we need to implement an additional >>> > protocol on the client level), is not a valid justification for using >>> > such web-server. >>> >>> I'm not sure I follow you here. I would make several points. >>> >>> 1. I believe that this does meet the security requirements, without >>> any additional protocol other than what I've sketched above. Can >>> you share your concerns about why that's not the case? >>> >>> 2. I'm not sure why you are mentioning WebDAV here. This is just >>> straight HTTP. I did at one point suggest WebDAV, but having >>> thought through the problem more, I do not believe it is necessary. >>> >>> As far as "valid justification" goes, this design has several >>> advantages over the REST API design in draft-art-tigress. First, it >>> doesn't require modifications to the Web server, as this is a >>> conventional configuration. Second, because the correctness and >>> security properties are largely enforced at the endpoints it largely >>> doesn't depend on the server behaving correctly beyond some simple >>> access control mechanisms (not allowing clients to enumerate files). >>> >>> -Ekr >>> >>> >>> -- >>> Tigress mailing list >>> Tigress@ietf.org >>> https://www.ietf.org/mailman/listinfo/tigress >> >> >> >> Thanks Eric, >> I think you made an important point at the mic during the meeting and >> that was that a lot of the complexity of the original Tigress proposal >> falls out of the fact that it is trying to have the sender and receiver >> "co-edit" the same resource. That functionality is the sort of thing that >> WebDAV set out to solve years ago, and hence why I think many of us jumped >> to that solution space. >> >> If we instead read/write separate resources sequentially, it >> simplifies things greatly. In fact, Eric Kinnear and I effectively sketched >> out the same solution you describe here in a side conversation after the >> working group meeting. It is probably a good sign that two different sets >> of people arrived at roughly the same rough conclusion independently. >> >> There were two additional ideas that we discussed that could layer on top >> of this. The first was aimed at reinforcing the "only two" property that >> Dmitry and Yogesh brought up during their presentation and that was to have >> the server set a session cookie for both the sender and receiver and >> restrict the access to /R* to only two unique session cookies. >> >> The second was to have a convention that the sender and receiver can PUT >> a file at /R.sender and /R.receiver respectively that contains a webhook >> URL and the server can ping that webhook whenever any new file is PUT to >> /R*. >> >> I think both of these things could be optional enhancements, which would >> preserve the property that you can use an off the shelf HTTP server and be >> spec compliant. >> >> -Brad >> >> >> >> >> -- >> Tigress mailing list >> Tigress@ietf.org >> https://www.ietf.org/mailman/listinfo/tigress >> > > -- > Tigress mailing list > Tigress@ietf.org > https://www.ietf.org/mailman/listinfo/tigress > > >
- [Tigress] Sketching a simple design Eric Rescorla
- Re: [Tigress] Sketching a simple design Dmitry Vinokurov
- Re: [Tigress] Sketching a simple design Eric Rescorla
- Re: [Tigress] Sketching a simple design Brad Lassey
- Re: [Tigress] Sketching a simple design Yogesh Karandikar
- Re: [Tigress] Sketching a simple design Eric Rescorla
- Re: [Tigress] Sketching a simple design Yogesh Karandikar
- Re: [Tigress] Sketching a simple design Christopher Wood
- Re: [Tigress] Sketching a simple design Eric Rescorla
- Re: [Tigress] Sketching a simple design Yogesh Karandikar
- Re: [Tigress] Sketching a simple design Yogesh Karandikar
- Re: [Tigress] Sketching a simple design Eric Rescorla
- Re: [Tigress] Sketching a simple design Yogesh Karandikar
- Re: [Tigress] Sketching a simple design Eric Rescorla