2017-11-13 15:52:03+0800
------------------------

IETF 100 trans WG

dkg taking notes
rsalz jabber scribing

----------

Question to room: are there objections in the room to Melinda and Paul knocking out text to clear AD review for threat analysis draft?

No objections in the room.

----------

Linus Nordberg presents about Gossip

open question about whether we should refactor it.

Not many people have read the gossip draft.

----------

6962bis has no editors in the room.

ekr went through the revised document. the issues he found should be resolvable relatively quickly.

----------

Diego Lopez presents short-lived certs

first proposal seems to mix the idea about short-lived certs with privacy-focused cert redaction.

STAR proposal has one long metacertificate which covers a range of short-lived certificates.

This appears to be the moral equivalent of OCSP-must-staple

ekr+david+rsalz say that it's unsafe to issue certs with less than 1 day because client clocks are sloppy

Without this STAR "collapsed cert series" proposal, log size will grow, increasing cost to log operators (storage + bandwidth) and log monitors (bandwidth).

Yoav Nir announces discussion about short-term certs Thursday evening.

------------------

Tadahiko Ito (Secom) presents Name Redaction

draft-strad-trans-redaction-01

motivates the need for this based on IoT devices that do not need full web visibility.

some discussion around whether redaction is hash-based or just entirely scrubbed.

open question about whether geo-information in certificate signed by public CA is even possible.

Symantec has issued 2 billion device certificates, to external devices.

some dispute over whether the use case described actually makes sense -- if these are public devices, they should be on the public infrastructure. if they're not, they can use private CAs.

Ben Schwartz: raises DoS attack on the basis of domain name publication.

Melinda Shore suggests returning to the CAB Forum

Hum: should IETF work on name redaction?

some hums for yes, silence for no.

What's going on with the Client Behavior draft?

we need browser vendors to supply a draft, but none are volunteering. Chrome CT folks aren't present at all.

ekr says we should shut down the group if there are no active drafts.