Thank you to Yoav Nir for taking notes. Session began on time at 15:23. Only Alexey chairing this time.

Alexey reviewed document status:
* Dragonfly in AUTH48
* EC-Curves in RFC Editor's queue
* EdDSA by Simon and Ilari adopted
* PAKE:
  * requirements updated
  * spake2 (ladd) updated
  * augpake (-04) no update
* Extended hash-based signatures - draft-irtf-cfrg-xmss-hash-based-signatures-01 - not updated
* rfc6090bis - possible work item
* hash-sigs (expired earlier, but now updated) - possible work item?

EdDSA draft has Ed25519, Ed25519ph, Ed448, Ed448ph. Hash choice for Ed448 pending. Ed25519 done. Need test vectors. Plenty of on-list discussion on hash for Ed448. Some concern that SHA3-512 is not performant enough. Will poll on the mailing list.

Rich presented (no slides) about MTI crypto (starting at 3:33). Rich says we should not adopt crypto without public review as an MTI algorithm.

EKR talked about key lifetime (starting 3:35): how long can we use a symmetric key before the need to renegotiate. TLS allows 2^64 records for the likes of AES-GCM. There was some discussion on the list. DKG says that there was a concern that all-zero padding in TLS might cause an issue with allowing to identify the zero-padding, but we don't know exactly what that was about. So EKR is asking the advice of CFRG on how much we can encrypt with a single key.

Next (3:42): Akuhiro Kato from NTT about identity-based authenticated key exchange. Credentials for IoT: typically raw key, PSK, or certificate. 2-3 billion devices by 2020; credential management will be a problem. Hannes says there are a lot of proposals for identifiers on chips. What are the benefits over existing schemes? There are concerns about security with ID-based. Hannes: for what devices is this applicable? IoT? STB? Alexey: what do you want from CFRG? Review? Adopt? Will discuss later.

What should CFRG work on next?
* Bryan Ford: Standardize Merkle tree
* Bryan Ford: Protocols to not leak so much metadata (what kind of file is going through, what protocol is this?)
* Stephen Farrell: not sure how protocols use fields is cryptography
* Stephen Farrell: how to do padding right
* Bryan: agree
* DKG: important for traffic analysis (or rather combating it)
* DKG: With EC out the door, post-quantum
* EKR: Could be useful. Perhaps a survey of the state-of-the-art
* EKR: Guidance on compression (maybe just "don't")
* DKG: combining post-quantum and regular algorithms, because post-quantum algorithms are not yet proven.
* Robert: Perhaps anonymization techniques.
* RSalz: +1 for Merkle tree. ctrans and now some more.
* MThomson: encourage those who got up to the mic to actually do the work.

Stephen Farrell: people should propose what they want to do.

EKR: some way to get people who do formal protocol verification involved. Somewhat of a black art, but getting less so.

WebCrypto API has a set of algorithms being added. Would want guidance on what purposes each algorithm is appropriate for. They're adding stuff for EC and need guidance. Alexey: chair would like to adopt. One reply on the list.