Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]

Tim Wicinski <tjw.ietf@gmail.com> Thu, 19 July 2018 17:53 UTC

In-Reply-To: <CAOdDvNpWs3_+c3=pdYjxm+UrEfBUawcTKXY4ks0VbuGSts+q7Q@mail.gmail.com>
References: <20180707191900.7jjaxklib3tlixgb@nic.fr> <CAM1xaJ_jcMunvfuqqgoe-5hTSE1t=A4ELWF1j0SBsztoZ_1S=w@mail.gmail.com> <CAOdDvNpWs3_+c3=pdYjxm+UrEfBUawcTKXY4ks0VbuGSts+q7Q@mail.gmail.com>
From: Tim Wicinski <tjw.ietf@gmail.com>
Date: Thu, 19 Jul 2018 13:53:27 -0400
Message-ID: <CADyWQ+HwNsvgs0BnQ3NqnEob6xZrcbmk_qVOX58UCW4rFrmahg@mail.gmail.com>
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: Jan Včelák <jv@fcelda.cz>, dnsop <dnsop@ietf.org>, draft-rescorla-tls-esni@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/YGYhP8wFFR3XQsb9mQPhboERwzk>
Subject: Re: [DNSOP] [internet-drafts@ietf.org: I-D Action: draft-rescorla-tls-esni-00.txt]

Patrick

Can I go and order an SSL Cert with a standard name and a wildcard name for
SNI?  We do that now.

So, I think Jan is onto something.


On Thu, Jul 19, 2018 at 1:47 PM, Patrick McManus <pmcmanus@mozilla.com>
wrote:

>
> On Thu, Jul 19, 2018 at 1:36 PM, Jan Včelák <jv@fcelda.cz> wrote:
>
>> Hey,
>>
>> I just scanned the draft and focused mainly on the DNS bits. The
>> described method for publishing encryption keys for SNI in DNS won't
>> allow use of wildcard domain names.
>>
>>
> Thanks!
>
> I believe the draft is OK on this point because wildcards aren't needed.
> While certificates can be valid for wildcard domains, the SNI is always a
> specific hostname (and the plaintext hostname informs the DNS question).
>
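The DNS question the thread turns on is how wildcard owner names are matched, which is governed by the closest-encloser rule of RFC 4592 rather than by anything ESNI-specific. The following is an added example, not code from the draft or from anyone in this thread. It assumes the -00 draft's layout of one TXT record at `_esni.<hostname>` and a constructed in-memory `example.com` zone (the hostnames, addresses and TXT values are placeholders); nothing touches the network. It implements the general wildcard rule, so it also shows the case where a wildcard does synthesise an `_esni` answer (a host that exists only by virtue of the wildcard) next to the case where it does not (a host that has records of its own).

```python
"""RFC 4592 wildcard matching applied to per-hostname TXT lookups.

Added example, not code from the draft or from anyone in this thread. It
assumes the draft-00 layout of one TXT record at _esni.<hostname>, and uses
a constructed example.com zone held in memory; nothing touches the network.
"""

APEX = "example.com"

# Constructed sample zone: owner name -> {rrtype: [rdata, ...]}.
# Names are lowercase and have no trailing dot. TXT values are placeholders.
ZONE = {
    "example.com":           {"SOA": ["ns1 hostmaster 1 7200 3600 1209600 3600"]},
    "*.example.com":         {"A": ["192.0.2.10"],
                              "TXT": ["esni-key-published-at-wildcard"]},
    "www.example.com":       {"A": ["192.0.2.20"]},
    "_esni.www.example.com": {"TXT": ["esni-key-for-www"]},
    "api.example.com":       {"A": ["192.0.2.30"]},   # no _esni record of its own
}


def _parent(name):
    """Strip the leftmost label; '' once we run out of labels."""
    return name.partition(".")[2]


def _exists(name):
    """RFC 4592 s2.2.2: a name exists if it owns records or has names below it
    (an empty non-terminal). Synthesised wildcard answers do not create names."""
    return name in ZONE or any(owner.endswith("." + name) for owner in ZONE)


def lookup(qname, qtype):
    """Answer a query from ZONE, synthesising from a wildcard where RFC 4592
    allows it. Returns the rdata list ([] for NODATA/NXDOMAIN, None if the
    name is outside the zone)."""
    qname = qname.lower().rstrip(".")
    if qname != APEX and not qname.endswith("." + APEX):
        return None
    if _exists(qname):
        # Exact or empty-non-terminal match: no wildcard synthesis.
        return list(ZONE.get(qname, {}).get(qtype, []))
    # Closest encloser: the nearest ancestor that exists. Only the wildcard
    # directly under it ("*.<closest encloser>") may synthesise an answer.
    encloser = _parent(qname)
    while not _exists(encloser):
        encloser = _parent(encloser)
    return list(ZONE.get("*." + encloser, {}).get(qtype, []))


def esni_key_for(hostname):
    """What a draft-00 client would fetch for the plaintext hostname it is
    about to put in SNI: the TXT at _esni.<hostname> (assumed layout)."""
    return lookup("_esni." + hostname, "TXT")


def demo():
    return {
        # Host covered only by the wildcard: both A and _esni TXT synthesise,
        # because the closest encloser of _esni.foo.example.com is example.com.
        "foo A":    lookup("foo.example.com", "A"),
        "foo esni": esni_key_for("foo.example.com"),
        # Host with its own records: api.example.com exists, so the closest
        # encloser of _esni.api.example.com is api.example.com and
        # *.example.com no longer applies. The key must be published explicitly.
        "api A":    lookup("api.example.com", "A"),
        "api esni": esni_key_for("api.example.com"),
        # An explicit _esni record is answered as usual.
        "www esni": esni_key_for("www.example.com"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:9} -> {v}")
```

The two `api` lines are the practical check for an operator: the moment a hostname gains a record of its own (an A record, a CNAME, anything), `*.example.com` stops matching names underneath it, so a key published only at the wildcard is silently not served for `_esni.api.example.com`, and the client falls back to whatever the draft specifies for a missing record.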