Re: [art] Artart early review of draft-ietf-tls-wkech-04
Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 02 April 2024 12:25 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: art@ietfa.amsl.com
Delivered-To: art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BCCFAC14F6AD; Tue, 2 Apr 2024 05:25:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y1mVdeG41MiX; Tue, 2 Apr 2024 05:24:59 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-he1eur04on2130.outbound.protection.outlook.com [40.107.7.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DF073C14F697; Tue, 2 Apr 2024 05:24:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eaT9jcx2+KemFHJQZEsx1hiPzPFxd6YXIKCW1zy27EAqqe+av4gyVJHi6+6ek54i5uIzE3hhaZMof6xw3P912gYcPOSzq57NfZGJg4ovba8M6li1h99o6RWCu6I/G/seyfRIRzvWw8O4r1VGc0Oi7NkAhmwu5QmB9fr3NzYj7wgHggv1B+jMGHozM/c8BivOmNgM9Zen0Ny79o63BheBYBsYHlVKLqEc7ncerJRPrTSteqKJ2fLEtSN/1+wZ7OKHcyx/PIPGpf7vj76aMtqtsAPXdwhXI57W2t4A9T6ZZzpdGL0ZY15SDXUJP0c7hYxWNibhyfyjSVFpuKrjyGpBLw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=nMmq4yZ6N3aaSxSpNLClenlRHgtlKW2iWNocOmq3pHA=; b=aKytMPRnWIJEseOXb+stWJwWIF7J4s4Oepe+7ghE4WS3MkXpxWd9buOtmbNRePJ5ON7o34FBTbiJ3w8IPEz/Eg0uuewGtlqK8lyDfARDBAuQGYlRmlHdBHntbZUD5T3rgFkxc3yhKU5dRuu96mpTMUV637dXj9BE0QxZ8jr9cB9FIi/m31PBQM1yRaKNC0aumXu47ifZEHWXYYPCO2sTcQTubV4qOz+fx99rqimTItBD1kkHs55PYk9P56zzVZR7PdYx8ohrAx29ULCaCp12UprOXuTZiMa1Voxf86NBLWsJKUhGPMr+1S5OV5wVIpo3LP+jzpngSzfkSSpSXAFVLQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nMmq4yZ6N3aaSxSpNLClenlRHgtlKW2iWNocOmq3pHA=; b=bHHyibFhsHwiLWfYM9eQ3wHl/5L4cHLN62kwf5J4YmOhxc2BSyTNliTXszvkeq2R7IE/yEqqUYyower+WJb81Ts7W0xycjwgw87vQBt6MRS5tgFHENcVq6fae9Wz3bKMauoiTOJttXqYD63cs2qDaXTBeAmXhew8IGrcNKJV3neCguKJ5WE1sdhN2H8q2Uu6goycMu0ZGtZc1JYiL6IoqPOi4aTdLMGZF5Y36DcI7z/YLL4sxtW79eH0XnbO4qO8u2U0G4Pnppd7LiZLxsDsyTif53IObXkbfPsk4iGE4PmJvbKmyCepTFJgDO7Sj3fEQ/guqQ+ppli6wMzDYfsAig==
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DU0PR02MB9586.eurprd02.prod.outlook.com (2603:10a6:10:41e::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7409.46; Tue, 2 Apr 2024 12:24:50 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4421:1ca6:59b4:20c9]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4421:1ca6:59b4:20c9%7]) with mapi id 15.20.7409.042; Tue, 2 Apr 2024 12:24:50 +0000
Message-ID: <67f31aff-e4ef-48aa-8b88-11d92bd733ec@cs.tcd.ie>
Date: Tue, 02 Apr 2024 13:24:45 +0100
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: Martin Thomson <mt@lowentropy.net>, art@ietf.org
Cc: draft-ietf-tls-wkech.all@ietf.org, tls@ietf.org
References: <171201483192.38704.16487013536788858054@ietfa.amsl.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; keydata= xjMEY9GzphYJKwYBBAHaRw8BAQdAo6JvjmSbxHdQWPZdvciQYsHhM1NxQBU398Mmimoy4p7N M1N0ZXBoZW4gRmFycmVsbCAoMjU1MTkpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPsKQ BBMWCAA4FiEEMG54R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwMFCwkIBwIGFQoJCAsCBBYC AwECHgECF4AACgkQ5Njp+ZeoM93bogEA25ElRyX0wwg+kGEN1AoL60MoZfvQZ/VtmXY6IC5j +csBAIBpkL5ySuzJK2zLNZn9qQGht8IaUcA7cvDcLvS2uHUEzjgEY9GzphIKKwYBBAGXVQEF AQEHQILCPWOwW36e8D3pY8GmvvtItIT+A5uV80ist+WokVsQAwEIB8J4BBgWCAAgFiEEMG54 R8tZDyZFrDOn5Njp+ZeoM90FAmPRs6YCGwwACgkQ5Njp+ZeoM92bcAEA8R+8cpqRUIS+SoAN iO05xE6O/wEx8/e88BqzAYki3SoBAOQdwiPX+MQrAxkWD8xxOsdMOAtxYKpkD1n8aPJUw6QJ
In-Reply-To: <171201483192.38704.16487013536788858054@ietfa.amsl.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------a6MHe7wfCv0iIhdrJa1wAWCG"
X-ClientProxiedBy: DU6P191CA0007.EURP191.PROD.OUTLOOK.COM (2603:10a6:10:540::22) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: DB7PR02MB5113:EE_|DU0PR02MB9586:EE_
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: 5b5N1PvzQHNCKTMQMRfo8Gv1gLeUmE961GCYDStZscZv/dKbh0FI2mcdtqEaVbm2SQHf+7VJrudJXjdsD471v2ENiM7RMh0eELJLGE7MKfuvoRS4Wrv8EC514x412J6FgVBiqM0oO/Z9p5mEfGORazNvWM/2DXzdgZkNus4FVwUJa5rNfy/MK5GplguMu3Hut+et8Xi7no4fg0hfVVRLUkpUGENWztImTZuxskhKHgQCEkL7u10egqbwuZ4tUWLWDgJjewEv559RbnnAdbci4S0B2zrNEoyJ71qMV5dMOqN0pDVYqvBp0ZsZDUBVhwyd71VL7bApg15tNgHr5YoR1b6IohhfJ7SVJDH9Pck+hILTfwhuStAU65HjKw//mks5rote9LvrSe+Nr+B1bB3c4AkUsNKppNWa+f7hqtBjOvbuW90D0xjHGyLfx5ITNi0eYOj66S0HhHM+bc7Nul5CV5yy+K/g6/enD0fkU/ew/yJzsH2A0hHmv7NR3PRdAPlWTLG0hQleyGeXYeS14UUYX9R9mVmIQub2nps9GiXvVCYKucJBRxDOzlb86HtlYL0ApSo5xpoYBL+BQmaojqqJnNIPxeuW/QShqHowOenDeZ9NidGJaJSIqlSy3Lg4U1RYaYO1sSEsfjAPLjwT2I2icyvYaViokRmdKoAFZ4Ykigo=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(376005)(1800799015)(366007); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: DQEus/8f621Nxf+ZFAhFB21sYIwREA/3HNFnIqydphPJ/0UxqhtoUaGwNWDG5V2u3yKUwyYFd0hMCL/GKlbH4qq2W4p3lhtOwmhqf0J/lWrwMd/2FTOzvnP0PetAo+6dJ/f0z26aB/rq1TrZhU1RWSHGdiQKsddB6NyL5A+5ZXok2EaCInufT7eOJMyHsWVO8t7N/8cBi30wMIRY6mCF8xWQWYcJQ8cTR6Aye1HWlE0LzsvHuhAHeZEzRKRmUKQBFrLqBJqX+6u99IkUxio3qo+OCMbwYznj+wqDqmATOgJjGV0a31KAxVAddl+BjzFfcz+sELjW0lihPo5k5Oal/xLZS7LdvQ87SlxrrsJy4gNoV90FCZt+bup7whH1RX3fpRvF/7T4DgPETFCpUVYfQJGHFpocPeWmIm2V2t58+/f5cJ97/kELR5dT68tuJyqoIOyYSvayon+dsNuPXK1VANikAj4FFbpbDfujNYM/cbJUI2bTqta7Xa6S2RyZKRmKcZQ3Hw9rpeg/xZjZPbED9s5fLvmjSiLcJ5OEGm4VkJ2CIXH+OTlSXk+mQgBJEn3zzGUErYVRNqx+hnwVumnYECqLOSKN2LyoXUXgFaRdDJhyo0cF3OSkOv39KkCSK87IJnBC9YqKvcGFXPzYnM5T95o7EtuA8YuL8AeeH86y9FUoD2LQOjX9MZe2Av5LV5khbtGHwoTc8oRERH9sWQGkgCoV3K3IV+YiH5Z8/5N17KottWwRpguHy085IfW4EONQJj/6leKEVloTstJEJgpUGV5M60KtHh1e2aUPjjA7miXCeKWhCmaYcPIXtDz7G8LzL1ni726wG78zxNp3ObydZe58yesH+olayoDXr5L+yC0OjwvlVluDnl5VVFyXs1xy/q3XIbTQo4R32jw1/7bi7nmPb4xS/e0j5m35U6Q49oB5EMdjmzL+BnLYxWuF3jEfhAJ/Qsf2oZJf7FqCnZGB5DsFm4UzV6KEOHpgk/XKjBEGVBqAgDi0HHJ+kMAAhGoTTmAEXmnLotY6DOpQnvEtBn2v2vkH/l/n9qfkxkZ7a/TIO4sFFvyJM9Z/nGttYc6Eg17VnGAcpTeGWbzDTwTj3SXDup0zchLDjj3GbMpg5TzLOzGVaRfTsDR4W9Bo4XBOvmlmE6x+jycvqlkY+DkjoagJfkYT9UO8CTvqDE+jph3MYVjTOvFN6R0x6+zmKMZPhr0/W/O8xaHPXDsH4YGn581bw2doAWN+m2mM3pVBiORFNWYM5duKpDuX0+79JY/MOkau42QSJ8V7JtrliN+sq7AdlMxyC/LrstGF+JPY0TaT26FeVVzCwAcbIuugs7R2KAHxan1qLsKS5HBMYXhEBDFMIVM9OfL56ICpRUcXxmEx/Lyv0AT/3rBqjosuMK6qVtWksQEBA/BF3e74/vXJwtk0YnMy1+Fo6VOuDC8TcO6GI8Z2C8JhzvtqXZW20VkeaQh/JcWX6/E3+VyVyBz2cv/suvHxOthfQtNeDOo7RyemRtLQT95Vi9VMVSzXgEw0yu0E5hQVNreaoO8uzGLtZ21wzjel/56274snPsrrCHs5ttpsiMrVP75TL2FJxGQ7
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: fb59f600-09ee-43b0-0ef3-08dc530fe2c4
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Apr 2024 12:24:49.9371 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: XL6pc5Za6mocNqp9XqDRCflxGbQ/enPDUe/7UOm/B4WVlYntLOMkSTJUHnGujvY0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DU0PR02MB9586
Archived-At: <https://mailarchive.ietf.org/arch/msg/art/upIFrsr3lsfRb7Fmtdli1DrCqv8>
Subject: Re: [art] Artart early review of draft-ietf-tls-wkech-04
X-BeenThere: art@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Applications and Real-Time Area Discussion <art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/art>, <mailto:art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/art/>
List-Post: <mailto:art@ietf.org>
List-Help: <mailto:art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/art>, <mailto:art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Apr 2024 12:25:03 -0000
Hi Martin, Thanks for the review. (More such are v. welcome esp as ECH is now past WGLC.) On 02/04/2024 00:40, Martin Thomson via Datatracker wrote: > Reviewer: Martin Thomson > Review result: Not Ready > > This document describes how an HTTP origin can publish information about its > ECH configuration so that other nodes can aid it in setting up the DNS records > necessary to run DNS. > > Issues: > > Most of the document talks about having the back-end servers produce content > for the well-known resource, but there is mention of other servers being > involved as well. ECH depends on having shared configuration at the > client-facing side for servers, so any configuration process should probably > involve something different. That is, having each server produce information > about its own (perceived) configuration, with the zone factory being > responsible for synthesizing the information from each into a coherent whole. > > In that design, a back-end server would indicate that they are using a shared > client-facing server, and point to it. The client-facing server would supply > its ECH configuration (which might be different for different back-end > servers). There are cases where a client-facing server might be able to > produce the content for a back-end server, so that a single resource could make > sense. That might lead to the design we see, but that is not obviously correct > for all aspects of the design. I'm not really sure how to interpret the above tbh. Was that intended as a summary of the draft or as a synopsis of the problem space? > The current design involves publishing information for a multitude of Well, s/involves/allows/ is maybe more accurate but that's a nit-pick... > ECHConfigList values and multiple target names (and ports). It is not obvious > that it is safe to have one origin speak for multiple others in this way or > what conditions might be necessary to have that happen safely. If there is a > validation process involved, that might work. The process in S6 is too loose > for me to be confident in that being sufficient. That's fair. What's defined now supports (hourly) ECH key rotation for the set of test servers I have on different ports of the same VM. In that case, there's a different http server implementation listening on each port, which I guess would be an extremely unlikely production configuration, but OTOH, it seems right to be able to support that odd case. And I think if we can support that odd case, then we'll also be ok for more likely production cases. > The design for publishing alias records is something I cannot decipher at all. > There's a description of the field, but no real supporting material for that. Also fair. Will add more description of that and we can see if it makes more sense then. I'm a bit unsure what to add right now though given it's been hard to test aliasMode - does anyone know if browsers now support that (with ECH)? (Been a while since I tried that, but will do some more testing as we produce a -05 draft.) > The different deployment options need to be more clearly articulated in support > of different modes of use, along with any validation that is needed. Happy to document the validation more, but the basic idea is that the ZF checks ECH works, and if it does, then the ZF is ok to re-publish. If anyone has ideas on other kinds of checks that'd be sensible, be happy to consider incorporating those. > > It might be the case that the design is fundamentally sound, but it isn't clear > to me that this is true. I'm happy to try convince you over time:-) More concretely, I can try add text to the security considerations that argues that the design meets some security goal(s) and we can discuss that text as we go forward. > > Nits: > > Titles are not sentences. Lose the period. Where? (Sorry, not sure, but the RFC editor will fix anyway so no worries.) > > S1, typo: ECHConflgList Fixed. > Use of the term "front-end" and "back-end" is likely confusing for some > consumers of this specification. Front-end overwhelmingly refers to the > development of web-facing content, whereas back-end refers to the development > of servers and services. Why not use client-facing as the ECH specification > does? I'll give it a shot, but have always found that terminology a bit confusing. I could also add a diagram too I guess, which may help the reader a bit. > > S3, please avoid using things like "cronjob". Periodic is fine and doesn't > presume the use of a particular tool. It's an example, but a fairly well known one. Will look at the wording though. > > S3, typo: regularaly Fixed. > > S4: > >> The well-known URI defined here MUST be an https URL and therefore the ZF > verifies the correct BE is being accessed. If no new ECH value resulting > "works," then the zone factory SHOULD NOT modify the zone. > > This is two very different concepts in the one paragraph. The first is about > authenticating the content at the .w-k resource. The second is about > validating it. There is no segue between the two. Maybe you could say "The ZF > MUST validate any ECHConfig that it obtains before publishing information to > the DNS zone." > > Also, avoid "scare quotes" and say what you mean by "works". Ack. Will split/re-word. >> Note that a consequence of the URL above is that back-ends that wish to use > different ECH settings are very likely to have to use different "DocRoot" > settings. > > What is DocRoot? (Really. I don't know what this means.) The directory where a web server stores static resources on disk. E.g. if the DocRoot is "/www/" then there'd likely be a file like "/www/index.html" that'd be what you get when you access the web site. I think that's an apache term, but dunno if there's a good generic term for it. (We could maybe just delete the sentence as it was just noting a change in -04 compared to earlier versions.) > More generally, I would prefer a use case or goal-motivated structure to the > document than a format-based one. That is, consider answering some questions: > what information would a back-end server produce? what would a front-end > produce? what would you include (and validate) if you wanted to have aliases? That's also fair. The draft as of now is v. terse, but I'll work on some text for the above. Given all the above, it's probably fine if you wait 'till there's a -05 done before we chat more, (assuming you have time), but happy to discuss via email in the meantime too of course. Cheers and thanks again, S. > >
- [art] Artart early review of draft-ietf-tls-wkech… Martin Thomson via Datatracker
- Re: [art] Artart early review of draft-ietf-tls-w… Stephen Farrell
- Re: [art] Artart early review of draft-ietf-tls-w… Martin Thomson