Dave: jonasw, SamWhited - Just running through the Council Agenda for tomorrow - is it only my two ProtoXEPs that have come in since last time?
SamWhited: Nothing new from me, just a few old things that have been festering
daniel: Dave: there is the Avatar conversion
jonasw: Dave, three, what daniel said
Dave: The state of isr-sasl2 seems confused - Council voted, that vote has presumably timed out, but no votes at all are recorded in Trello?
Kev: It wasn't clear to me which of the several versions of ISR we were voting on from the minutes. So I sent out a vote based on what I thought we were voting on, and a -1 otherwise.
Dave: Looks like Daniel, Kev and I all voted for.
Dave: Kev, I think his latest advertised is what's in the inbox. I was assuming we were voting for the isr-sasl2.html in the inbox anyway.
Ge0rG: I think the general idea is to accept something that looks generally implementable and to finish the spec afterwards?
Kev: Ah, ok. I thought his latest wasn't in the inbox yet.
Kev: Ge0rG: As long as it doesn't look harmfully the wrong approach for some reason, I accept generally, yes.
Ge0rG: So the exact version in the inbox doesn't matter too much?
Kev: There is an argument to be made for that, yes.
Dave: Ge0rG, Yes, although ironically I thought I'd implement this afternoon and found I can't because he's tied it into the SASL mechanism, which I hadn't really appreciated.
Ge0rG: Dave: I'd really love to scale back the SASL thing and just let ISR be an additional token that immediately gives you your old 0198 session
Dave: Ge0rG, Why? The immediacy can be achieved simply enough without tying it into a SASL mechanism, and gives us flexibility over authentication.
Kev: And I'm interested in using 'instant re-auth with this key' without involving 198, FWIW.
Kev: Because I think fast resync is a worthwhile problem to solve, without 198.
Dave: Kev, CLIENT-KEY can do that, longer-term. But it does mandate an atomic counter at both ends, which might be painful in a cluster.
Dave: Kev, Flow's HT-* mechanism family should manage it, but it's tied into 198 quite heavily.
Ge0rG: Kev: I'd say that an instant re-auth that's tied to a short-lived 0198 after-session is technically not a new authentication, as opposed to something like CLIENT-KEY
Dave: Ge0rG, Well, you connect, do *magic* and then the server knows who you are.
Dave: Ge0rG, Which makes me suspect that *magic* includes an authentication.
Ge0rG: Dave: so I have a TCP session with TLS on top of it that I didn't send any data over for half an hour, and then I send another packet, and the other side knows it's from me - is that authentication as well?
Ge0rG: How often do I need to enter an OTP code?
Zash: With every TCP segment!
Ge0rG: Zash: TCP is a stream of bytes. So I think you mean with every byte.
Ge0rG: But then again, there is TLS overhead.
Zash: TLS uses blocks somewhat larger than single bytes IIRC
Ge0rG: Now you made me wonder how TLS operates. Does it fill up its data up to the MSS? Is it playing weird games with Nagle?
Ge0rG: Do I really want to know?
Zash: You probably don't want to know.
Ge0rG: So back to my original question. When does it stop being the continuation of an ongoing authenticated session and begin to be a new authentication?
Ge0rG: Does it need to run in the same TLS session? Same TCP session? Same pair of entities? What if I export the TLS state from one entity to another?
Zash: There's some framing, padding to the cipher block size and a MAC.
Ge0rG: Zash: that totally doesn't answer my question.
Zash: I was just telling you what you don't wanna know.