Re: [dispatch] dispatching draft-farrell-tls-wkesni
Ben Schwartz <bemasc@google.com> Tue, 05 April 2022 14:18 UTC
References: <0bea9330-4c05-05e8-323a-a5474be6c515@cs.tcd.ie>
In-Reply-To: <0bea9330-4c05-05e8-323a-a5474be6c515@cs.tcd.ie>
From: Ben Schwartz <bemasc@google.com>
Date: Tue, 05 Apr 2022 10:18:10 -0400
Message-ID: <CAHbrMsBibu9XiGjax6+bRJGt+TxpRQO0z6nXu6m+Bwa4QdX6sg@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: DISPATCH list <dispatch@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dispatch/aj5GbUmH3e9FLnekRD-nnmJp5ZA>
I support dispatch to the TLS WG.

On Mon, Apr 4, 2022 at 7:07 PM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
...
> I figure though that there's a useful guideline we can use
> here. The relevant HTTP server for this spec is the ECH
> private key holder. The ECH private key holder processes
> the outer ClientHello so whatever they wish to ask be used
> there by eventual TLS clients, in the outer ClientHello,
> seems like it should be supported here. And that's the
> ECHConfigList which is already an extensible structure
> and is the meat of the HTTP response defined here.

This is an interesting observation, and I agree that it supports dispatch to TLS, because both the client and server of this protocol are TLS servers in this view.

I also think this raises some questions about whether HTTP is the appropriate transport for this information. If we assume, as you propose, that (1) client and server are both TLS servers and (2) origin->DNS sync is handled through some other means, then there are many other possible ways to convey this information. Two that come to mind are (1) reading the ECHConfigList out of the fallback ServerHello and (2) publishing the ECHConfigList in a SVCB record.

> What ought be in the inner ClientHello is up to the
> eventual/backend web origin (the "publisher" of the
> HTTPS/SVCB RR)

Note that this is true only in true "split mode" deployments. In ordinary shared hosting, the origin should normally publish a CNAME or AliasMode HTTPS/SVCB record, in order to avoid this entire synchronization problem.

To me, this suggests that what is really needed here is an "ECH Deployment Architectures" draft or similar. Regardless, that would happen in the TLS WG.
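The ECHConfigList that the thread calls "an extensible structure" is the same object whether it arrives in the well-known HTTP response the draft defines, in the ech= SvcParam of an HTTPS/SVCB RR, or in the retry configs of a fallback handshake. The parser below is an added example for this archive page (not code from the draft, from either poster, or from any implementation) and shows where that extensibility actually lives on the wire: an entry with an unknown version is skipped by its length field rather than rejected, and a config carrying a mandatory extension the client does not implement (high-order bit of the extension type set, per draft-ietf-tls-esni) is ignored rather than used. Only ECHConfig version 0xfe0d is decoded. The sample list, the 32-byte key bytes and the public name are constructed for illustration and are not real key material.

```python
"""Parser for a TLS ECHConfigList (draft-ietf-tls-esni wire format, version
0xfe0d).  Added example; not code from the draft.  Sample data is constructed."""
import base64
import struct
from collections import namedtuple

ECH_VERSION = 0xFE0D  # the only ECHConfig version this parser understands

ECHConfig = namedtuple("ECHConfig", "config_id kem_id public_key cipher_suites "
                       "maximum_name_length public_name extensions")


def _take(buf, pos, n):
    """Slice n bytes at pos; fail closed instead of reading short."""
    if pos + n > len(buf):
        raise ValueError("truncated ECHConfigList")
    return buf[pos:pos + n], pos + n


def _vec(buf, pos, len_bytes):
    """Read a TLS variable-length vector with a len_bytes-wide length prefix."""
    raw, pos = _take(buf, pos, len_bytes)
    return _take(buf, pos, int.from_bytes(raw, "big"))


def _parse_contents(body):
    """Parse ECHConfigContents.  Returns None if the config carries a mandatory
    extension (high-order bit of the type set) we do not implement."""
    pos = 0
    config_id, pos = _take(body, pos, 1)
    kem_id, pos = _take(body, pos, 2)
    public_key, pos = _vec(body, pos, 2)
    suites_raw, pos = _vec(body, pos, 2)
    if not suites_raw or len(suites_raw) % 4:
        raise ValueError("malformed cipher_suites")
    suites = [struct.unpack("!HH", suites_raw[i:i + 4])
              for i in range(0, len(suites_raw), 4)]   # (kdf_id, aead_id)
    max_name_len, pos = _take(body, pos, 1)
    public_name, pos = _vec(body, pos, 1)
    exts_raw, pos = _vec(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes in ECHConfigContents")
    extensions, epos = [], 0
    while epos < len(exts_raw):
        etype, epos = _take(exts_raw, epos, 2)
        edata, epos = _vec(exts_raw, epos, 2)
        etype = int.from_bytes(etype, "big")
        if etype & 0x8000:
            return None  # unknown mandatory extension: drop this whole config
        extensions.append((etype, edata))
    return ECHConfig(config_id[0], int.from_bytes(kem_id, "big"), public_key,
                     suites, max_name_len[0], public_name, extensions)


def parse_ech_config_list(data):
    """Parse an ECHConfigList.  Entries with an unknown version are skipped
    via their length field, which is what makes the list extensible."""
    body, end = _vec(data, 0, 2)
    if end != len(data):
        raise ValueError("trailing bytes after ECHConfigList")
    configs, pos = [], 0
    while pos < len(body):
        hdr, pos = _take(body, pos, 4)
        version, length = struct.unpack("!HH", hdr)
        contents, pos = _take(body, pos, length)
        if version != ECH_VERSION:
            continue
        cfg = _parse_contents(contents)
        if cfg is not None:
            configs.append(cfg)
    return configs


def parse_ech_svcparam(b64):
    """The ech= SvcParam of an HTTPS/SVCB RR is the ECHConfigList in base64."""
    return parse_ech_config_list(base64.b64decode(b64, validate=True))


def encode_ech_config(config_id, kem_id, public_key, cipher_suites,
                      max_name_len, public_name, extensions=()):
    """Encoder, used here only to build the constructed sample below."""
    suites = b"".join(struct.pack("!HH", k, a) for k, a in cipher_suites)
    exts = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    contents = (bytes([config_id]) + struct.pack("!H", kem_id)
                + struct.pack("!H", len(public_key)) + public_key
                + struct.pack("!H", len(suites)) + suites
                + bytes([max_name_len, len(public_name)]) + public_name
                + struct.pack("!H", len(exts)) + exts)
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents


# Constructed sample (fake key, kem 0x0020 = DHKEM(X25519)): one usable config,
# one entry with an older/unknown version, one with an unimplemented mandatory extension.
FAKE_KEY = bytes([0x11]) * 32
_ENTRIES = (
    encode_ech_config(7, 0x0020, FAKE_KEY, [(0x0001, 0x0001)], 0, b"public.example")
    + struct.pack("!HH", 0xFE0C, 5) + b"\x00" * 5
    + encode_ech_config(8, 0x0020, FAKE_KEY, [(0x0001, 0x0001)], 0,
                        b"public.example", extensions=[(0x8001, b"")])
)
SAMPLE_LIST = struct.pack("!H", len(_ENTRIES)) + _ENTRIES
SAMPLE_SVCPARAM = base64.b64encode(SAMPLE_LIST).decode()
```

Running parse_ech_svcparam(SAMPLE_SVCPARAM) on the constructed sample yields exactly one usable config (config_id 7): the 0xfe0c entry is stepped over by its length and the config with the 0x8001 extension is discarded. A client that instead rejected the whole list on the first unfamiliar entry would lose ECH for every origin whose key holder starts publishing a newer version alongside the current one, which is the synchronization fragility the thread is about.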