Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]

Patrick McManus <pmcmanus@mozilla.com> Thu, 19 July 2018 18:27 UTC

From: Patrick McManus <pmcmanus@mozilla.com>
Date: Thu, 19 Jul 2018 14:27:09 -0400
To: Tim Wicinski <tjw.ietf@gmail.com>
Cc: Patrick McManus <pmcmanus@mozilla.com>, =?UTF-8?B?SmFuIFbEjWVsw6Fr?= <jv@fcelda.cz>, dnsop <dnsop@ietf.org>, draft-rescorla-tls-esni@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/HBKeJzfX_-48109DJzoSTn5zDiA>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]

the tls server side (aka the cert side) can definitely use a wildcard (or a
list of explicit names, or a mix of both!) But that's the SNI consumer. The
draft is about the SNI producer which does not use wildcards.

e.g. the ESNI work is about what is put in the TLS client handshake
(historically the SNI and, according to this draft, a new extension carrying the
encrypted SNI) - and that is always an explicit name. And that's also the
subject of the DNS query in order to obtain the keys. The DNS query and SNI
leak similar amounts of information (although perhaps to different
parties), so an encrypted DoT or DoH is an important part of the system.


On Thu, Jul 19, 2018 at 1:53 PM, Tim Wicinski <tjw.ietf@gmail.com> wrote:

> Patrick
>
> Can I go and order an SSL Cert with a standard name and a wildcard name for
> SNI?  We do that now.
>
> So, I think Jan is onto something.
>
>
> On Thu, Jul 19, 2018 at 1:47 PM, Patrick McManus <pmcmanus@mozilla.com>
> wrote:
>
>>
>> On Thu, Jul 19, 2018 at 1:36 PM, Jan Včelák <jv@fcelda.cz> wrote:
>>
>>> Hey,
>>>
>>> I just scanned the draft and focused mainly on the DNS bits. The
>>> described method for publishing encryption keys for SNI in DNS won't
>>> allow use of wildcard domain names.
>>>
>>>
>> Thanks!
>>
>> I believe the draft is OK on this point because wildcards aren't needed.
>> While certificates can be valid for wildcard domains, the SNI is always a
>> specific hostname (and the plaintext hostname informs the DNS question)
>>
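The producer/consumer split Patrick describes, as an added example that is not part of the thread or of the draft's own code: the server-side certificate (consumer) may list a wildcard, but the client's SNI and the DNS name it queries for keys (producer) are always an explicit hostname. It assumes the draft-00 `_esni.<host>` TXT owner name and a constructed sample zone, and it also goes one step beyond the thread by applying the RFC 4592 wildcard synthesis rule to show why a zone-level DNS wildcard cannot stand in for per-host key records.

```python
from typing import Iterable, Set

def sni_matches_cert(sni_host: str, cert_names: Iterable[str]) -> bool:
    """Consumer side (the TLS server's cert): may list wildcards.
    Applies RFC 6125 rules: '*' only as the whole left-most label,
    matching exactly one label, never the bare registered domain."""
    host = sni_host.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if "*" not in name:
            if labels == host:
                return True
        elif labels[0] == "*" and len(labels) >= 3 and len(labels) == len(host):
            if labels[1:] == host[1:]:
                return True
    return False

def esni_query_name(sni_host: str) -> str:
    """Producer side (the TLS client): the SNI it encrypts is an explicit
    hostname, and the ESNI key lookup is made under that same name
    (assumed here to be the draft-00 '_esni.' TXT owner name)."""
    host = sni_host.lower().rstrip(".")
    if "*" in host:
        raise ValueError("SNI is never a wildcard; the client names one host")
    return "_esni." + host

def dns_wildcard_covers(wildcard: str, qname: str, existing: Set[str]) -> bool:
    """RFC 4592 synthesis check: '*.X' answers qname only when qname does not
    exist and no existing name lies between X and qname (X is the closest
    encloser). This is why a zone-level wildcard cannot stand in for the
    per-host '_esni.<host>' records once the hosts themselves exist."""
    parent = wildcard[len("*."):]
    if qname in existing or not qname.endswith("." + parent):
        return False
    labels = qname.split(".")
    for i in range(1, len(labels) - len(parent.split("."))):
        if ".".join(labels[i:]) in existing:
            return False
    return True

# Constructed sample zone: the wildcard record's parent and two explicit hosts.
SAMPLE_ZONE = {"example.com", "www.example.com", "api.example.com"}

if __name__ == "__main__":
    print(sni_matches_cert("www.example.com", ["*.example.com"]))      # True
    print(esni_query_name("www.example.com"))                          # _esni.www.example.com
    print(dns_wildcard_covers("*.example.com", "_esni.www.example.com", SAMPLE_ZONE))   # False
    print(dns_wildcard_covers("*.example.com", "_esni.blog.example.com", SAMPLE_ZONE))  # True
```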