jonasw, SamWhited - Just running through the Council Agenda for tomorrow - is it only my two ProtoXEPs come in since last time?
SamWhited
Nothing new from me, just a few old things that have been festering
daniel
Dave: there is the Avatar conversion
jonasw
Dave, three, what daniel said
Dave
The state of isr-sasl2 seems confused - Council voted, that vote has presumably timed out, but no votes at all are recorded in Trello?
Kev
It wasn't clear to me which of the several versions of ISR we were voting on from the minutes. So I sent out a vote based on what I thought we were voting on, and a -1 otherwise.
Dave
Looks like Daniel, Kev and I all voted for.
Dave
Kev, I think his latest advertised is what's in the inbox. I was assuming we were voting for the isr-sasl2.html in the inbox anyway.
Ge0rG
I think the general idea is to accept something that looks generally implementable and to finish the spec afterwards?
Kev
Ah, ok. I thought his latest wasn't in the inbox yet.
Kev
Ge0rG: As long as it doesn't look harmfully the wrong approach for some reason, I accept generally, yes.
Ge0rG
So the exact version in the inbox doesn't matter too much?
Kev
There is an argument to be made for that, yes.
Dave
Ge0rG, Yes, although ironically I thought I'd implement this afternoon and found I can't because he's tied it into the SASL mechanism, which I hadn't really appreciated.
Ge0rG
Dave: I'd really love to scale back the SASL thing and just let ISR be an additional token that immediately gives you your old 0198 session
Dave
Ge0rG, Why? The immediacy can be achieved simply enough without tying it into a SASL mechanism, and gives us flexibility over authentication.
Kev
And I'm interested in using 'instant re-auth with this key' without involving 198, FWIW.
Kev
Because I think fast resync is a worthwhile problem to solve, without 198.
Dave
Kev, CLIENT-KEY can do that, longer-term. But it does mandate an atomic counter at both ends, which might be painful in a cluster.
Dave
Kev, Flow's HT-* mechanism family should manage it, but it's tied into 198 quite heavily.
Ge0rG
Kev: I'd say that an instant re-auth that's tied to a short-lived 0198 after-session is technically not a new authentication, as opposed to something like CLIENT-KEY
Dave
Ge0rG, Well, you connect, do *magic* and then the server knows who you are.
Dave
Ge0rG, Which makes me suspect that *magic* includes an authentication.
Ge0rG
Dave: so I have a TCP session with TLS on top of it that I didn't send any data over for half an hour, and then I send another packet, and the other side knows it's from me - is that authentication as well?
Ge0rG
How often do I need to enter an OTP code?
Zash
With every TCP segment!
Ge0rG
Zash: TCP is a stream of bytes. So I think you mean with every byte.
Ge0rG
But then again, there is TLS overhead.
Zash
TLS uses blocks somewhat larger than single bytes IIRC
Ge0rG
Now you made me wonder how TLS operates. Does it fill up its data up to the MSS? Is it playing weird games with Nagle?
Ge0rG
Do I really want to know?
Zash
You probably don't want to know.
Ge0rG
So back to my original question. When does it stop being the continuation of an ongoing authenticated session and begin to be a new authentication?
Ge0rG
Does it need to run in the same TLS session? Same TCP session? Same pair of entities? What if I export the TLS state from one entity to another?
Zash
There's some framing, padding to the cipher block size and a MAC.