[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
Ben Schwartz <bemasc@meta.com> Tue, 23 July 2024 20:56 UTC
From: Ben Schwartz <bemasc@meta.com>
To: Paul Vixie <paul@redbarn.org>, Paul Wouters <paul@nohats.ca>
Date: Tue, 23 Jul 2024 20:56:50 +0000
Message-ID: <SA1PR15MB437001C4B67FA2B45FA1E2BAB3A92@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <3321551.kGzlxMrEDr@heater.srcl.tisf.net> <4FF4AA72-5E91-4980-A4B4-80E59F64B76C@nohats.ca> <2334040.7YbXXFKy9f@heater.srcl.tisf.net>
In-Reply-To: <2334040.7YbXXFKy9f@heater.srcl.tisf.net>
CC: Tommy Jensen <Jensen.Thomas@microsoft.com>, dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
Subject: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/V9n7VOEi1wo16uTF4jTBcW3xN0g>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop>
It seems like there's some confusion here. ECH is an extension to TLS that is still under development (and now nearly final). Use of ECH is optional in TLS 1.3. Any entity that can control the TLS version in use also has the ability to disable ECH, so allowing TLS 1.3 does not require an administrator to permit ECH.

--Ben Schwartz

________________________________
From: Paul Vixie <paul@redbarn.org>
Sent: Tuesday, July 23, 2024 4:01 PM
To: Paul Wouters <paul@nohats.ca>
Cc: Tommy Jensen <Jensen.Thomas@microsoft.com>; Ben Schwartz <bemasc@meta.com>; dnsop <dnsop@ietf.org>; Damick, Jeffrey <jdamick@amazon.com>; Engskow, Matt <mengskow@amazon.com>; Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
Subject: Re: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt

-- P Vixie

On Tuesday, July 23, 2024 12:52:28 PM PDT Paul Wouters wrote:
> On Jul 23, 2024, at 12:09, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org> wrote:
> > Making TLS 1.2 available as a fallback is vital. Many secure private edge
> > networks will never allow TLS 1.3 because of ECH.
>
> You can do TLS 1.3 without ECH?

if an endpoint wants TLS 1.3 with ECH, there's no way to negotiate them down to TLS 1.3 without ECH. there is a way to negotiate them down to TLS 1.2.

> Making a weaker version of TLS mandatory would be unwise, unless it’s to
> give more time for migration away from it.

migration for military, government, and many corporate networks can't happen. for reasons of law, regulation, or policy, they must see the client hello before they can decide whether to block the flow. "just secure your devices" can't work due to the way the supply chain works. the only alternative will be to block outbound entirely and force all traffic through a non-intercepting proxy. ietf knew this, but RFC 8890 forbade us to consider it. i was a dissenter.

the fact that you refer to TLS 1.2 as "weaker" may indicate a preference that we mandate a technology that often _cannot_ be used even though the alternative ("effective mandate") will be a technology (explicit proxy) which is in fact weaker than TLS 1.2. we should not argue from talking points.

don't put it in terms of migration. just recommend that fallback be allowed. 50 years from now, smarter people than us can think of a better way forward. as things are today, secure private edge networks including military, government, and many commercial networks, will not allow TLS 1.3 to be used.

paul
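The point made in the reply above, that ECH is a separate optional extension and so a network that inspects the ClientHello can refuse ECH without refusing TLS 1.3, can be checked directly on the wire. The following Python is an added example written for this archive page, not code from any participant in the thread. It builds minimal ClientHellos (constructed test input, far smaller than a real browser hello), parses out what an on-path policy point can actually see, and applies a hypothetical edge-network rule of "TLS 1.3 permitted, encrypted_client_hello refused". The extension codepoints are the real ones (server_name 0, supported_versions 43, encrypted_client_hello 0xfe0d from draft-ietf-tls-esni); the policy function and its decision strings are assumptions for illustration.

```python
"""Added example (not from the thread): parse a TLS ClientHello and apply a
hypothetical "TLS 1.3 allowed, ECH refused" edge-network rule.
All sample hellos are constructed inline."""
import struct

TLS12 = 0x0303
TLS13 = 0x0304
EXT_SERVER_NAME = 0            # RFC 6066
EXT_SUPPORTED_VERSIONS = 43    # RFC 8446
EXT_ECH = 0xFE0D               # encrypted_client_hello, draft-ietf-tls-esni


def build_client_hello(sni, versions, ech=False):
    """Construct a minimal ClientHello wrapped in a TLS record (test input only)."""
    host = sni.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv = bytes([len(vers)]) + vers
    exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    if ech:
        # Dummy stand-in for an ECHClientHello body: the rule below keys on the
        # extension's presence, not its contents, so a placeholder is enough.
        payload = b"\x00" + b"\x11" * 24
        exts += struct.pack("!HH", EXT_ECH, len(payload)) + payload
    body = struct.pack("!H", TLS12)                 # legacy_version, always 0x0303
    body += b"\x00" * 32                            # random (constructed)
    body += b"\x00"                                 # legacy_session_id: empty
    body += struct.pack("!H", 2) + b"\x13\x01"      # one suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                             # legacy_compression_methods: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return b"\x16" + struct.pack("!H", TLS12) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Extract what an on-path policy point can see: outer SNI, offered
    versions, and whether an encrypted_client_hello extension is present."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    p = 9                                   # record header (5) + handshake header (4)
    legacy_version = struct.unpack("!H", data[p:p + 2])[0]
    p += 2 + 32                             # legacy_version + random
    p += 1 + data[p]                        # legacy_session_id
    p += 2 + struct.unpack("!H", data[p:p + 2])[0]   # cipher_suites
    p += 1 + data[p]                        # legacy_compression_methods
    end = p + 2 + struct.unpack("!H", data[p:p + 2])[0]
    p += 2
    info = {"legacy_version": legacy_version, "sni": None, "versions": [], "ech": False}
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", data[p:p + 4])
        p += 4
        ebody = data[p:p + elen]
        p += elen
        if etype == EXT_SERVER_NAME:
            # ServerNameList: u16 list length, u8 name type, u16 name length, name
            name_len = struct.unpack("!H", ebody[3:5])[0]
            info["sni"] = ebody[5:5 + name_len].decode("ascii")
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = ebody[0]
            info["versions"] = [struct.unpack("!H", ebody[1 + i:3 + i])[0] for i in range(0, n, 2)]
        elif etype == EXT_ECH:
            info["ech"] = True
    if not info["versions"]:
        info["versions"] = [legacy_version]     # pre-1.3 client: only legacy_version is offered
    return info


def policy_decision(hello):
    """Hypothetical rule: ECH is refused; otherwise the offered version has
    no bearing on the ECH decision and the flow is allowed."""
    info = parse_client_hello(hello)
    if info["ech"]:
        return "block:ech"
    if TLS13 in info["versions"]:
        return "allow:tls13"
    return "allow:tls12"


if __name__ == "__main__":
    samples = {
        "tls13-no-ech": build_client_hello("www.example.com", [TLS13, TLS12]),
        "tls12-only": build_client_hello("www.example.com", [TLS12]),
        "tls13-ech": build_client_hello("public.example", [TLS13], ech=True),
    }
    for name, hello in samples.items():
        print(name, policy_decision(hello), parse_client_hello(hello)["sni"])
```

Run as a script it prints one decision per constructed hello: the TLS 1.3 hello without ECH and the TLS 1.2 hello are both allowed, and only the hello carrying the ECH extension is refused, which is the independence of version and ECH that the reply above relies on. Two caveats for anyone turning this into a real rule: the server_name recovered from an ECH-bearing hello is the outer public name from the ECH configuration, not the real destination, so it is of little use for name-based filtering; and the ECH draft also specifies GREASE ECH, where clients that are not actually using ECH send a dummy extension that is indistinguishable from a real one, so managed clients need GREASE disabled as well before a presence-based rule like this one cleanly separates "TLS 1.3 without ECH" from "TLS 1.3 with ECH".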