Re: [dispatch] dispatching draft-farrell-tls-wkesni

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 05 April 2022 15:22 UTC

Message-ID: <b3694d71-8acb-d914-c307-01663becfcb1@cs.tcd.ie>
Date: Tue, 05 Apr 2022 16:22:31 +0100
To: Ben Schwartz <bemasc@google.com>
Cc: DISPATCH list <dispatch@ietf.org>
References: <0bea9330-4c05-05e8-323a-a5474be6c515@cs.tcd.ie> <CAHbrMsBibu9XiGjax6+bRJGt+TxpRQO0z6nXu6m+Bwa4QdX6sg@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <CAHbrMsBibu9XiGjax6+bRJGt+TxpRQO0z6nXu6m+Bwa4QdX6sg@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/JRBYNNxTwbyJI8uqr86cqlzDm6Q>
Subject: Re: [dispatch] dispatching draft-farrell-tls-wkesni

Hi Ben,

On 05/04/2022 15:18, Ben Schwartz wrote:
> I support dispatch to the TLS WG.
> 
> On Mon, Apr 4, 2022 at 7:07 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> ...
> 
>> I figure though that there's a useful guideline we can use
>> here. The relevant HTTP server for this spec is the ECH
>> private key holder. The ECH private key holder processes
>> the outer ClientHello so whatever they wish to ask be used
>> there by eventual TLS clients, in the outer ClientHello,
>> seems like it should be supported here. And that's the
>> ECHConfigList which is already an extensible structure
>> and is the meat of the HTTP response defined here.
>>
> 
> This is an interesting observation, and I agree that it supports dispatch
> to TLS, because both the client and server of this protocol are TLS servers
> in this view.

At the risk of diving too deep for dispatch (but no harm
to have in the archive for later...)

> I also think this raises some questions about whether HTTP is the
> appropriate transport for this information.  If we assume, as you propose,
> that (1) client and server are both TLS servers and (2) origin->DNS sync is
> handled through some other means, then there are many other possible ways
> to convey this information.  Two that come to mind are (1) reading the
> ECHConfigList out of the fallback ServerHello 

That's possible, however, at least for my implementation,
only one (the most recent) ECHConfig will be returned to
clients that way, whereas I publish 3 in the DNS (current,
previous, and one-before). I'm not sure what others do in
the fallback case, but to depend on that, more text would
be needed in the ECH draft.

> and (2) publishing the
> ECHConfigList in a SVCB record.

I guess that could work if that SVCB were somewhere below
the public_name, but it might get onerous if one frontend
serves many backends. (It also smells a bit of turtles
all the way down:-)

>> What ought to be in the inner ClientHello is up to the
>> eventual/backend web origin (the "publisher" of the
>> HTTPS/SVCB RR)
> 
> Note that this is true only in true "split mode" deployments. 

That's fair, yes.

> In ordinary
> shared hosting, the origin should normally publish a CNAME or AliasMode
> HTTPS/SVCB record, in order to avoid this entire synchronization problem.

Sure - as the draft says, the proposed mechanism doesn't
aim to be the one-true way, but addresses a use-case that
matches my existing trial deployment. I'd be v. happy for
the content to evolve to better handle others, as needed.

> To me, this suggests that what is really needed here is an "ECH Deployment
> Architectures" draft or similar.  

Yeah, that'd make sense perhaps. I'd be happy to contribute
text or co-author such if some others wanted to play along.
(If someone wants to get started on that, and would like me
to help, just ping me.)

> Regardless, that would happen in the TLS
> WG.

Right.

Cheers,
S.
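Editor's added example (not code from the thread, from Stephen's trial deployment, or from any ECH implementation): the exchange above turns on the difference between an ECHConfigList published in the DNS, which can carry several ECHConfig entries (current, previous, one-before), and the single ECHConfig a client gets back on the fallback path. The encoder and parser below follow the ECHConfigList wire format from draft-ietf-tls-esni (version 0xfe0d) and are written to show what a client learns from each source. The 32-byte "public keys", the config_ids 3/2/1, the name `cover.example`, and the helper names `encode_ech_config`, `parse_ech_config_list`, `config_ids` and `fallback_gap` are all constructed for this example; the keys are not real X25519 keys.

```python
import struct
from dataclasses import dataclass

ECH_VERSION_0XFE0D = 0xFE0D      # ECHConfig.version defined in draft-ietf-tls-esni
KEM_X25519_HKDF_SHA256 = 0x0020  # HPKE KEM identifier
KDF_HKDF_SHA256 = 0x0001         # HPKE KDF identifier
AEAD_AES_128_GCM = 0x0001        # HPKE AEAD identifier


@dataclass
class ECHConfig:
    version: int
    config_id: int
    kem_id: int
    public_key: bytes
    cipher_suites: list          # list of (kdf_id, aead_id) tuples
    maximum_name_length: int
    public_name: str
    extensions: bytes


def _vec(body: bytes, len_bytes: int) -> bytes:
    """TLS-style length-prefixed vector."""
    return len(body).to_bytes(len_bytes, "big") + body


def _read_vec(buf: bytes, pos: int, len_bytes: int):
    """Read a length-prefixed vector, refusing to run past the buffer."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated vector length")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector body")
    return buf[pos:pos + n], pos + n


def encode_ech_config(config_id: int, public_key: bytes, public_name: str) -> bytes:
    """Serialize one version-0xfe0d ECHConfig advertising a single HPKE suite."""
    key_config = (bytes([config_id])
                  + struct.pack(">H", KEM_X25519_HKDF_SHA256)
                  + _vec(public_key, 2)
                  + _vec(struct.pack(">HH", KDF_HKDF_SHA256, AEAD_AES_128_GCM), 2))
    contents = (key_config
                + bytes([0])                            # maximum_name_length: no hint
                + _vec(public_name.encode("ascii"), 1)  # public_name<1..255>
                + _vec(b"", 2))                         # extensions<0..2^16-1>: none
    return struct.pack(">H", ECH_VERSION_0XFE0D) + _vec(contents, 2)


def encode_ech_config_list(configs: list) -> bytes:
    """ECHConfigList = ECHConfig ECHConfigList<1..2^16-1>."""
    return _vec(b"".join(configs), 2)


def parse_ech_config_list(data: bytes) -> list:
    """Parse an ECHConfigList; entries with an unknown version are skipped."""
    body, end = _read_vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    out, pos = [], 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("truncated ECHConfig version")
        version = struct.unpack(">H", body[pos:pos + 2])[0]
        contents, pos = _read_vec(body, pos + 2, 2)
        if version != ECH_VERSION_0XFE0D:
            continue                                    # unknown version: ignore entry
        p = 0
        config_id = contents[p]; p += 1
        kem_id = struct.unpack(">H", contents[p:p + 2])[0]; p += 2
        public_key, p = _read_vec(contents, p, 2)
        suites_raw, p = _read_vec(contents, p, 2)
        if not suites_raw or len(suites_raw) % 4:
            raise ValueError("cipher_suites must hold whole (kdf_id, aead_id) pairs")
        suites = [struct.unpack(">HH", suites_raw[i:i + 4]) for i in range(0, len(suites_raw), 4)]
        max_name_len = contents[p]; p += 1
        name, p = _read_vec(contents, p, 1)
        extensions, p = _read_vec(contents, p, 2)
        if p != len(contents):
            raise ValueError("trailing bytes in ECHConfigContents")
        out.append(ECHConfig(version, config_id, kem_id, public_key, suites,
                             max_name_len, name.decode("ascii"), extensions))
    return out


def config_ids(data: bytes) -> list:
    """config_id of every parsable ECHConfig, in list order (newest first by convention)."""
    return [c.config_id for c in parse_ech_config_list(data)]


def fallback_gap(dns_list: bytes, fallback_list: bytes) -> list:
    """config_ids published in the DNS that a client would never see via fallback alone."""
    seen = set(config_ids(fallback_list))
    return [i for i in config_ids(dns_list) if i not in seen]


# Constructed sample: three key generations, newest first (current, previous, one-before).
_KEYS = {3: bytes(range(32)), 2: bytes(range(32, 64)), 1: bytes(range(64, 96))}
_CONFIGS = [encode_ech_config(i, _KEYS[i], "cover.example") for i in (3, 2, 1)]
DNS_LIST = encode_ech_config_list(_CONFIGS)        # what the HTTPS/SVCB RR would carry
FALLBACK_LIST = encode_ech_config_list(_CONFIGS[:1])  # only the most recent config

if __name__ == "__main__":
    print("DNS config_ids:     ", config_ids(DNS_LIST))
    print("fallback config_ids:", config_ids(FALLBACK_LIST))
    print("never learned via fallback:", fallback_gap(DNS_LIST, FALLBACK_LIST))
```

Run as a script it prints the three DNS config_ids, the single fallback config_id, and the two older generations a fallback-only client would miss, which is the coverage gap the reply points out when it says more text would be needed in the ECH draft before anyone could depend on the fallback path.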
