**Session Date/Time:** 16 Mar 2026 06:00

# [LAKE](../wg/lake.html) - IETF 125 Meeting Minutes

**Date:** Monday, March 2025 (IETF 125, Brisbane)
**Chairs:** Mališa Vučinić, Renzo Navas
**AD:** Paul Wouters (Outgoing), Roman Danyliw (Incoming context mentioned)
**Note Takers:** Marco Tiloca, Giosuè Fedrecheski

---

## Summary

The LAKE working group met to discuss the progress of its active drafts, focusing heavily on formal analysis results for Pre-Shared Key (PSK) authentication and Remote Attestation (RA). The group is transitioning into its newly approved charter, which includes maintenance of the EDHOC protocol (RFC 9528) and the standardization of new authentication methods, particularly those based on Key Encapsulation Mechanisms (KEMs) for post-quantum security. Significant updates were presented for authorization and application profiles, with several documents now entering the queue for Working Group Last Call (WGLC).

---

## Key Discussion Points

### 1. Working Group Status and Recap

**Presenter:** Mališa Vučinić

* **Slide Title:** [00-Chairs' slides](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-00-chairs-slides-01)
* EDHOC (RFC 9528) is deployed and stable.
* The new charter allows for KEM-based authentication methods and protocol maintenance (new cipher suites, transport overhead reduction).
* `draft-ietf-lake-edhoc-grease` will move to WGLC immediately after the meeting.

### 2. EDHOC-PSK: Formal Analysis and Status

**Presenters:** Dekra Mahmoud, Elsa Lopez

* **Slide Titles:** [01-Mahmoud-Formal Analysis of EDHOC-PSK](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-formal-analysis-of-edhoc-psk-01) | [02-Lopez-EDHOC Authenticated with Pre-Shared Keys](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-edhoc-authenticated-with-pre-shared-keys-00)
* **Discussion:** Dekra Mahmoud presented findings using Tamarin and Proverif. Forward secrecy is not achieved if an attacker has a discrete logarithm oracle. A potential vulnerability regarding the unlinkability of the initiator was identified if a responder's error handling reveals information about the `ID_CRED_PSK`.
* **Technical Point:** Jonathan Hoyland and John Mattsson discussed the binding of `ID_CRED_PSK` to the PSK. Current draft assumes secure provisioning, but formal analysis suggests explicit cryptographic binding might be needed, though John Mattsson noted that every byte counts in constrained environments.
* **Updates:** Elsa Lopez noted that `draft-ietf-lake-edhoc-psk` test vectors have been updated and verified across Rust and C implementations.

### 3. Remote Attestation (RA) over EDHOC

**Presenters:** Elsa Lopez, Usama Sardar, Yuxuan Song

* **Slide Titles:** [03-Lopez-Formal Analysis of Remote attestation over EDHOC](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-formal-analysis-of-remote-attestation-over-edhoc-00) | [04-Sardar-From formal analysis of attested TLS to attested EDHOC](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-formal-analysis-of-attested-edhoc-00) | [05-Song-Remote Attestation over EDHOC](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-remote-attestation-over-edhoc-01)
* **Formal Analysis:** Elsa Lopez's analysis found that channel binding did not hold in version -03 (evidence could be replayed across sessions if authentication keys were leaked). Usama Sardar argued that attacks found in attested TLS apply to attested EDHOC due to structural analogies.
* **Mitigation:** Yuxuan Song presented updates in `draft-ietf-lake-ra-04`, introducing an "attestation binder" (a hash of M1 and M2 or an exporter-derived value) included in the evidence to cryptographically bind the attestation to the EDHOC session.
* **Dispute:** Yuxuan Song and Usama Sardar disagreed on the applicability of certain TLS-derived attacks to EDHOC. Mališa Vučinić requested Usama Sardar publish the specific EDHOC model/traces for WG review.

### 4. Lightweight Authorization (ELA)

**Presenter:** Giosuè Fedrecheski

* **Slide Title:** [06-Fedrecheski-Lightweight Authorization using Ephemeral Diffie-Hellman Over COSE](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-lightweight-authorization-using-ephemeral-diffie-hellman-over-cose-ela-01)
* **Draft:** `draft-ietf-lake-authz-07`
* **Major Change:** The protocol was updated to move authorization requests from EDHOC messages 1 & 2 to messages 3 & 4. This ensures authentication happens before authorization, preventing an identity leak where an attacker could learn if a device is authorized before proving their own identity.
* **Concerns:** Christian Amsüss expressed that moving to M3/M4 might be premature and could hinder use cases like Constrained Join Protocol (CoJP) that benefit from earlier exchanges.

### 5. Implementation Considerations and Application Profiles

**Presenter:** Marco Tiloca

* **Slide Titles:** [07-Tiloca-Implementation Considerations for Ephemeral Diffie-Hellman Over COSE (EDHOC)](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-implementation-considerations-for-ephemeral-diffie-hellman-over-cose-edhoc-00) | [08-Tiloca-Coordinating the Use of Application Profiles for Ephemeral Diffie-Hellman Over COSE (EDHOC)](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-coordinating-the-use-of-application-profiles-for-edhoc-00)
* **Drafts:** `draft-ietf-lake-edhoc-impl-cons` and `draft-ietf-lake-app-profiles`.
* **Updates:** `draft-ietf-lake-edhoc-impl-cons` now includes considerations for peers learning credentials on-the-fly (e.g., in ELA). `draft-ietf-lake-app-profiles` added support for advertising EDHOC capabilities via DNS SVCB records.
* **Status:** Both drafts are considered functionally complete by the authors.

### 6. Post-Quantum (PQ) and KEM-based Authentication

**Presenters:** Lydia Pocero, Clément Papu

* **Slide Titles:** [09-10-Pocero-Updates on KEM-based Authentication methods for EDHOC](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-updates-on-kem-based-authentication-methods-for-edhoc-00) | [11-Papon-Post-Quantum EDHOC - Initiator and Responder using signature and/or KEM](https://datatracker.ietf.org/meeting/125/materials/slides-125-lake-post-quantum-edhoc-initiator-and-responder-using-signature-andor-kem-00)
* **Discussion:** Proposals for new EDHOC methods (4, 5, and 6) using KEMs for authentication to avoid the overhead of PQ signatures. Clément Papu proposed 3-message handshakes combining signatures and KEMs for efficiency when the responder's identity is known.
* **Next Steps:** John Mattsson suggested forming a design team. The chairs agreed to a dedicated interim meeting on PQ/KEM-based EDHOC.

---

## Decisions and Action Items

1. **WGLC Queue:** The chairs will launch Working Group Last Calls sequentially for:
   * `draft-ietf-lake-edhoc-grease` (Immediate)
   * `draft-ietf-lake-edhoc-impl-cons`
   * `draft-ietf-lake-app-profiles`
2. **EDHOC-PSK:** Authors of `draft-ietf-lake-edhoc-psk` to work with the formal analysis team to clarify `ID_CRED_PSK` binding/error handling.
3. **Remote Attestation:** Usama Sardar to publish formal model/attack traces for `draft-ietf-lake-ra`. Authors and researchers to hold an off-list meeting to reconcile findings.
4. **Authorization:** Giosuè Fedrecheski and Christian Amsüss to hold an off-list meeting regarding the message flow (M1/M2 vs M3/M4) in `draft-ietf-lake-authz`.
5. **Formal Analysis Call:** Chairs to launch an official call for formal analysis on `draft-ietf-lake-ra` to assist researchers in justifying their work.

---

## Next Steps

* **PQC Design Team:** A design team will be formed to consolidate proposals for KEM-based authentication and PQ-resistant EDHOC.
* **Interim Meeting:** An interim meeting is planned for May 2025 focusing on Post-Quantum/KEM authentication methods.
* **WGLC Sequence:** Proceed with the identified documents as they reach stability.