[DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
tirumal reddy <kondtir@gmail.com> Thu, 25 July 2024 11:19 UTC
To: Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org>
CC: Paul Vixie <paul@redbarn.org>, Paul Wouters <paul@nohats.ca>, Tommy Jensen <Jensen.Thomas@microsoft.com>, dnsop <dnsop@ietf.org>, "Damick, Jeffrey" <jdamick@amazon.com>, "Engskow, Matt" <mengskow@amazon.com>, Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/iN7b3Dd7kPnNyDNlLYl9viuh0dY>
On Wed, 24 Jul 2024 at 02:29, Ben Schwartz <bemasc=40meta.com@dmarc.ietf.org> wrote:

> It seems like there's some confusion here. ECH is an extension to TLS
> that is still under development (and now nearly final). Use of ECH is
> optional in TLS 1.3. Any entity that can control the TLS version in use
> also has the ability to disable ECH, so allowing TLS 1.3 does not require
> an administrator to permit ECH.

Yes. In addition, TLS 1.2 would reveal the device (or user) identity to
eavesdroppers and is not a viable option.

-Tiru

> --Ben Schwartz
> ------------------------------
> *From:* Paul Vixie <paul@redbarn.org>
> *Sent:* Tuesday, July 23, 2024 4:01 PM
> *To:* Paul Wouters <paul@nohats.ca>
> *Cc:* Tommy Jensen <Jensen.Thomas@microsoft.com>; Ben Schwartz <bemasc@meta.com>; dnsop <dnsop@ietf.org>; Damick, Jeffrey <jdamick@amazon.com>; Engskow, Matt <mengskow@amazon.com>; Jessica Krynitsky <Jess.Krynitsky@microsoft.com>
> *Subject:* Re: [DNSOP] Re: [EXTERNAL] New Version Notification for draft-tjjk-cared-00.txt
>
> --
> P Vixie
>
> On Tuesday, July 23, 2024 12:52:28 PM PDT Paul Wouters wrote:
> > On Jul 23, 2024, at 12:09, Paul Vixie <paul=40redbarn.org@dmarc.ietf.org> wrote:
> > > Making TLS 1.2 available as a fallback is vital. Many secure private edge
> > > networks will never allow TLS 1.3 because of ECH.
> >
> > You can do TLS 1.3 without ECH ?
>
> if an endpoint wants TLS 1.3 with ECH, there's no way to negotiate them down
> to TLS 1.3 without ECH. there is a way to negotiate them down to TLS 1.2.
>
> > Making a weaker version of TLS mandatory would be unwise, unless it's to
> > give more time for migration away from it.
>
> migration for military, government, and many corporate networks can't happen.
> for reasons of law, regulation, or policy, they must see the client hello
> before they can decide whether to block the flow. "just secure your devices"
> can't work due to the way the supply chain works. the only alternative will be
> to block outbound entirely and force all traffic through a non-intercepting
> proxy.
>
> ietf knew this, but RFC 8890 forbade us to consider it. i was a dissenter. the
> fact that you refer to TLS 1.2 as "weaker" may indicate a preference that we
> mandate a technology that often _cannot_ be used even though the alternative
> ("effective mandate") will be a technology (explicit proxy) which is in fact
> weaker than TLS 1.2. we should not argue from talking points.
>
> don't put it in terms of migration. just recommend that fallback be allowed.
> 50 years from now, smarter people than us can think of a better way forward.
> as things are today, secure private edge networks including military,
> government, and many commercial networks, will not allow TLS 1.3 to be used.
>
> paul
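The point Ben makes above, that ECH is a separate extension and not part of TLS version negotiation, is easy to see on the wire: a device that inspects the ClientHello observes the offered versions (supported_versions, extension 43), the cleartext server_name (extension 0) and the presence of the encrypted_client_hello extension (code point 0xfe0d) independently of one another. The following is an added illustration, not code from this thread or from the draft; it builds a constructed minimal ClientHello record (zeroed random, one cipher suite, an opaque placeholder standing in for the real ECHClientHello structure) and parses it the way a policy enforcer or monitoring sensor would, so the three cases the thread argues about (TLS 1.2, TLS 1.3 without ECH, TLS 1.3 with ECH) can be told apart.

```python
"""Build and parse a minimal TLS ClientHello to show that the offered
versions, the outer SNI and the ECH extension are independent fields.
Constructed example for illustration; the ECH body is a placeholder."""
import struct

EXT_SERVER_NAME = 0
EXT_SUPPORTED_VERSIONS = 43
EXT_ENCRYPTED_CLIENT_HELLO = 0xFE0D  # code point from draft-ietf-tls-esni

TLS12 = 0x0303
TLS13 = 0x0304


def _ext(ext_type, body):
    """Encode one extension: type(2) || length(2) || body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(versions, sni, ech_payload=None):
    """Return a constructed TLS record carrying a ClientHello.
    `versions` fills supported_versions; `ech_payload`, when given, is
    opaque placeholder data (not a valid ECHClientHello)."""
    name = sni.encode()
    server_name_list = struct.pack("!BH", 0, len(name)) + name
    exts = _ext(EXT_SERVER_NAME,
                struct.pack("!H", len(server_name_list)) + server_name_list)
    vers = b"".join(struct.pack("!H", v) for v in versions)
    exts += _ext(EXT_SUPPORTED_VERSIONS, struct.pack("!B", len(vers)) + vers)
    if ech_payload is not None:
        exts += _ext(EXT_ENCRYPTED_CLIENT_HELLO, ech_payload)
    body = (
        struct.pack("!H", TLS12)              # legacy_version is always 0x0303
        + bytes(32)                           # random (zeroed, constructed)
        + b"\x00"                             # legacy_session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"  # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                         # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type client_hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake


def parse_client_hello(record):
    """Extract offered versions, outer SNI and ECH presence from a record."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    legacy_version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                  # skip random
    pos += 1 + body[pos]                           # skip session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # skip cipher suites
    pos += 1 + body[pos]                           # skip compression methods
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    info = {"versions": [legacy_version], "sni": None, "ech": False}
    while pos + 4 <= end:
        et, el = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + el]
        pos += el
        if et == EXT_SUPPORTED_VERSIONS:
            n = data[0]
            info["versions"] = [struct.unpack("!H", data[1 + i:3 + i])[0]
                                for i in range(0, n, 2)]
        elif et == EXT_SERVER_NAME:
            name_len = struct.unpack("!H", data[3:5])[0]
            info["sni"] = data[5:5 + name_len].decode()
        elif et == EXT_ENCRYPTED_CLIENT_HELLO:
            info["ech"] = True
    return info


def inspection_verdict(info):
    """What an inspecting device can learn from this ClientHello."""
    if info["ech"]:
        return "ech"            # outer SNI is the ECH public name, real name hidden
    if TLS13 in info["versions"]:
        return "tls13-no-ech"   # SNI visible; TLS 1.3 still negotiable
    return "tls12"              # SNI visible; no 1.3 offered


if __name__ == "__main__":
    for args in ([[TLS13, TLS12], "example.com"],
                 [[TLS13, TLS12], "public.example", b"\x00" * 8],
                 [[TLS12], "example.com"]):
        info = parse_client_hello(build_client_hello(*args))
        print(info, "->", inspection_verdict(info))
```

The verdicts show the distinction in Ben's message: a ClientHello offering TLS 1.3 with no 0xfe0d extension is just as inspectable as a TLS 1.2 one, so a policy that must see the server name can refuse only the ECH case rather than TLS 1.3 as a whole. With a real ECH ClientHelloOuter the server_name field carries the public name from the HTTPS record's ECH config, which is why the parser reports the SNI as "outer".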