Informal Minutes of the IEEE P1363 Teleconference.
15 July 1997, 10 am PDT.

In attendance: Lily Chen, David Jablon, Burt Kaliski, David Kravitz, Mike Markowitz, Leo Reyzin, Roger Schlafly.

Issues discussed:

1. Leo detailed the changes that he had made to the editorial contribution since the June meeting. He added the full EC section, and combined EC and DL schemes into one separate section. He changed IF private keys to be abstract, as discussed in June. The auxiliary functions section has been improved, OAEP in particular. The primitives have been changed to clearly state that they are defined only on the appropriate inputs, as discussed at the June meeting. Other changes, mostly editorial, have been made as well.

2. There were some comments and suggestions for further changes. In particular, David K. reported that he believed the term "forward secrecy" had never been used before, and that our usage of it was rather different from the common usage of "perfect forward secrecy." We agreed to eliminate "perfect forward secrecy" from the document (it is currently used only once, in the definitions section, defined as synonymous to "forward secrecy"). Other editorial comments were recorded by Leo.

3. Burt reported that the IEEE New Standard Committee (NesCom) did not approve our PAR for the supplement to the standard. He is planning to discuss with NesCom members the reasons for this and report in detail at a later date. The reasons are currently not entirely clear.

4. We decided that we cannot approve this document as a draft (as authorized at the June meeting) until more information is available on the NesCom decision about our supplement, since the decision to split off the supplement was based on the presumption that it could be worked on in parallel and did not require a revision of the base standard. Many felt that we may want to reconsider that decision depending on NesCom's position.

   However, we did agree to authorize Leo to post the current document, amended according to the comments during the teleconference, onto our web site (under password protection) in order to get wider exposure before the August Crypto meeting.

5. There was some discussion of issues relating to the small subgroup test for EC Diffie-Hellman. Some people felt that mandating a check that may not be necessary in some cases is unwise. Roger suggested that if we were to mandate the check, we should make the cofactor k a part of the EC parameters rather than part of the computation in the primitive. He also felt that the restriction on when k is to be computed is arbitrary and too tied to the particular algorithm for computing k. We agreed that we need to revisit these issues when Jerry Solinas is present, hopefully in August. Leo suggested that an email discussion prior to the August meeting would be of value.

6. We discussed the issue of the special restrictions on the MQV keys. The discussion was inconclusive, and, as with the previous item, we decided to defer it to email and the August meeting.

7. Burt requested suggestions for naming techniques in the standard while avoiding attributions (such as Diffie-Hellman or Bellare-Rogaway), as we had earlier discussed. We will address this issue further in August.

8. Burt reported that PKCS #5 was moving ahead and he hoped to have a proposal for P1363 key derivation and mask generation functions based on that work. He said that the hope was to reconcile the efforts of many groups that are working on the problem of deriving long random sequences from secret and/or public information. David J. pointed out that this issue has some potential overlap with key establishment using low-entropy passwords, which we had earlier deferred to the addendum. We agreed that we need to be aware of that as we work on the key derivation and mask generation.

We adjourned at about 11 am PDT.