Re: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-01.txt

Ben Schwartz <bemasc@google.com> Wed, 10 July 2019 02:25 UTC

From: Ben Schwartz <bemasc@google.com>
Date: Tue, 09 Jul 2019 22:25:15 -0400
Message-ID: <CAHbrMsDQPq1hMzQViCoihWth2S_uQKvD3XgFnbY5KTW39w0TBg@mail.gmail.com>
To: Alessandro Ghedini <alessandro@ghedini.me>
Cc: dns-privacy@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dns-privacy/tdcHsUYr0t66Nurwse8dfAXa1V8>
Subject: Re: [dns-privacy] Fwd: New Version Notification for draft-ghedini-dprive-early-data-01.txt

Thanks for writing this up.  Your recommendation makes sense to me, and I
think it will be useful in practice.

One thought: instead of rejecting unsafe 0-RTT data with FormErr, could we
tell servers to reject the early data at the TLS layer to force a
retransmission?  That seems like it might be simpler to implement on both
sides, and just as safe.

On Sat, Jul 6, 2019, 12:50 PM Alessandro Ghedini <alessandro@ghedini.me>
wrote:

> Hello,
>
> On Sat, Jul 06, 2019 at 09:19:41AM -0700, internet-drafts@ietf.org wrote:
> > A new version of I-D, draft-ghedini-dprive-early-data-01.txt
> > has been successfully submitted by Alessandro Ghedini and posted to the
> > IETF repository.
> >
> > Name:          draft-ghedini-dprive-early-data
> > Revision:      01
> > Title:         Using Early Data in DNS over TLS
> > Document date: 2019-07-06
> > Group:         Individual Submission
> > Pages:         5
> > URL:           https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-01.txt
> > Status:        https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/
> > Htmlized:      https://tools.ietf.org/html/draft-ghedini-dprive-early-data-01
> > Htmlized:      https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data
> > Diff:          https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-01
> >
> > Abstract:
> >    This document illustrates the risks of using TLS 1.3 early data with
> >    DNS over TLS, and specifies behaviors that can be adopted by clients
> >    and servers to reduce those risks.
>
> I've been looking for information about using TLS 1.3 0-RTT with DoT, but
> all I could find was a discussion from over a year ago on the mailing list:
>
> https://mailarchive.ietf.org/arch/msg/dns-privacy/LKZeOAj7Y4fC-9hRcbX_4KVWu0Y
>
> So I wrote this document to try and document potential risks as well as
> capture requirements for DoT implementations deciding to add support for
> 0-RTT (RFC8446 in Appendix E.5 says that "Application protocols MUST NOT use
> 0-RTT data without a profile that defines its use").
>
> Most of the wording comes from RFC8470 and some content from the mailing
> list discussion mentioned above, though there are still some things that
> need to be filled in or expanded.
>
> In this new revision I expanded some of the sections as well as included
> some editorial fixes.
>
> The draft is maintained on GitHub at:
> https://github.com/ghedo/draft-ghedini-dprive-early-data
>
> Would be interested to know what people think about this.
>
> Cheers
>
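The exchange above contrasts two ways a DoT server can handle a query that arrived as TLS 1.3 early data: answer it with FormErr so the client resends after the handshake (the draft's approach), or refuse the early data at the TLS layer so the TLS stack itself forces a retransmission (the alternative raised in the reply). The following is an added example, not code from the draft, from either author, or from any DoT implementation. It parses the DNS header of an early-data message and returns one of those decisions. The safety policy it encodes is an assumption for illustration: only a well-formed standard QUERY (opcode 0) with one question is treated as replay-safe, and any other opcode (UPDATE, NOTIFY, ...) or a malformed message is treated as unsafe. The sample queries are constructed inline, not captured traffic.

```python
"""Decide what a DoT server should do with a DNS message received as 0-RTT data.

Added example for the dns-privacy thread; not code from the draft or its authors.
Assumed policy: a standard QUERY is replay-safe, everything else is not.
"""
import struct
from enum import Enum

HEADER_LEN = 12        # ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
OPCODE_QUERY = 0
RCODE_FORMERR = 1


class EarlyDataAction(Enum):
    PROCESS = "process"                 # safe to answer directly from early data
    REJECT_FORMERR = "reject-formerr"   # draft approach: reply FormErr, client resends after the handshake
    REJECT_TLS = "reject-tls"           # alternative from the reply: do not accept the early data at the TLS layer


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header; ValueError if the message is too short."""
    if len(msg) < HEADER_LEN:
        raise ValueError("message shorter than a DNS header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:HEADER_LEN])
    return {
        "id": msg_id,
        "qr": (flags >> 15) & 1,
        "opcode": (flags >> 11) & 0xF,
        "rd": (flags >> 8) & 1,
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
        "nscount": ns,
        "arcount": ar,
    }


def is_replay_safe(msg: bytes) -> bool:
    """Assumed policy: a well-formed standard QUERY with one question is replay-safe."""
    try:
        h = parse_header(msg)
    except ValueError:
        return False            # malformed input is never safe to act on
    return h["qr"] == 0 and h["opcode"] == OPCODE_QUERY and h["qdcount"] == 1


def decide(msg: bytes, reject_at_tls_layer: bool = False) -> EarlyDataAction:
    """Return the action for an early-data message under the chosen rejection style."""
    if is_replay_safe(msg):
        return EarlyDataAction.PROCESS
    return EarlyDataAction.REJECT_TLS if reject_at_tls_layer else EarlyDataAction.REJECT_FORMERR


def formerr_response(msg: bytes) -> bytes:
    """Build a minimal FormErr reply: same ID and opcode, QR set, RCODE=1, empty sections.

    Works even for a truncated request by defaulting the fields it cannot read.
    """
    msg_id = struct.unpack("!H", msg[:2])[0] if len(msg) >= 2 else 0
    req_flags = struct.unpack("!H", msg[2:4])[0] if len(msg) >= 4 else 0
    opcode = (req_flags >> 11) & 0xF
    rd = (req_flags >> 8) & 1
    flags = (1 << 15) | (opcode << 11) | (rd << 8) | RCODE_FORMERR
    return struct.pack("!HHHHHH", msg_id, flags, 0, 0, 0, 0)


def build_query(name: str, qtype: int, opcode: int = OPCODE_QUERY, msg_id: int = 0x1234) -> bytes:
    """Constructed sample message (not a captured packet): one question, RD set."""
    flags = (opcode << 11) | (1 << 8)
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # QCLASS IN


if __name__ == "__main__":
    samples = {
        "A query": build_query("example.com", 1),
        "UPDATE (opcode 5)": build_query("example.com", 1, opcode=5),
        "truncated": b"\x12\x34",
    }
    for label, wire in samples.items():
        print(f"{label:18} formerr-style: {decide(wire).value:15} "
              f"tls-style: {decide(wire, reject_at_tls_layer=True).value}")
```

Python's ssl module exposes no 0-RTT acceptance control, so the TLS-layer rejection is represented only as the REJECT_TLS decision that a server would hand to its TLS stack; the FormErr path is shown end to end with a reply the client can recognise and retry after the handshake completes.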