RE: SNI Extension for Alt-Svc

Mike Bishop <mbishop@evequefou.be> Thu, 30 November 2017 19:00 UTC

From: Mike Bishop <mbishop@evequefou.be>
To: "ilariliusvaara@welho.com" <ilariliusvaara@welho.com>
CC: Lucas Pardue <Lucas.Pardue@bbc.co.uk>, Mark Nottingham <mnot@mnot.net>, HTTP Working Group <ietf-http-wg@w3.org>, Patrick McManus <mcmanus@ducksong.com>
Date: Thu, 30 Nov 2017 18:52:21 +0000
Message-ID: <MWHPR08MB2432A269D3B59D893455A899DA380@MWHPR08MB2432.namprd08.prod.outlook.com>
In-Reply-To: <20171130181916.GA21518@LK-Perkele-VII>
Subject: RE: SNI Extension for Alt-Svc
Archived-At: <https://www.w3.org/mid/MWHPR08MB2432A269D3B59D893455A899DA380@MWHPR08MB2432.namprd08.prod.outlook.com>

Good scenario -- I hadn't thought about that one.  I've updated the copy on GitHub to say that the client should use Secondary Certs if the certificate in the TLS handshake is not also authoritative for the origin that published the alternative.

-----Original Message-----
From: ilariliusvaara@welho.com [mailto:ilariliusvaara@welho.com] 
Sent: Thursday, November 30, 2017 10:19 AM
To: Mike Bishop <mbishop@evequefou.be>
Cc: Lucas Pardue <Lucas.Pardue@bbc.co.uk>; Mark Nottingham <mnot@mnot.net>; HTTP Working Group <ietf-http-wg@w3.org>; Patrick McManus <mcmanus@ducksong.com>
Subject: Re: SNI Extension for Alt-Svc

On Thu, Nov 30, 2017 at 05:56:58PM +0000, Mike Bishop wrote:
> I was already planning to spin up a thread on that draft today, so 
> thanks for deciding what I'm doing next today!  😉  Forking a separate 
> thread.
> 
> 
> WG, https://tools.ietf.org/html/draft-bishop-httpbis-sni-altsvc-00
> proposes a new parameter for Alt-Svc suggesting that a client use a 
> different (presumably generic) hostname in the TLS SNI extension, and 
> instead gain Alt-Svc "reasonable assurances" by requesting the 
> origin's certificate via Secondary Certificates (which is currently 
> under Call for Adoption).  It gives a solution, albeit HTTP-specific, 
> to SNI privacy by providing a discoverability path for which generic 
> hostname can be used to reach a more sensitive origin under 
> encryption.

There's also the case where the primary connection certificate is also valid for the authority (and the primary certificate was validated).

Should the secondary certificate request be suppressed in that case?

E.g. the alt-svc has a wildcard certificate and it wants to hide the subdomain from snoopers.


-Ilari
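The client-side decisions discussed in this thread, written out as an added example (this is not code from the draft, from either poster, or from any browser). It parses an Alt-Svc field value per RFC 7838, picks the SNI to send (the alternative's parameter when present, the origin's host otherwise), and then applies the rule from Mike's update: request the origin's certificate via Secondary Certificates only if the handshake certificate is not already authoritative for the origin, so Ilari's wildcard case sends no extra request. Assumptions: the parameter is named `sni` as in draft-bishop-httpbis-sni-altsvc-00; the "secondary certificate request" is modelled as a boolean rather than an actual frame; hostname matching is a simplified RFC 6125 DNS-ID check over names a real client would take from its TLS stack's already-validated SAN list; every hostname and header value is constructed sample data.

```python
"""Alt-Svc with an SNI hint: what to send in SNI, and whether Secondary
Certificates are still needed once the handshake certificate is known."""
import re
from dataclasses import dataclass, field

# RFC 7230 token characters; used for protocol-ids, parameter names and values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_ALTERNATIVE = re.compile(
    r'\s*(?P<proto>' + _TOKEN + r')="(?P<auth>[^"]*)"'
    r'(?P<params>(?:\s*;\s*' + _TOKEN + r'\s*=\s*(?:"[^"]*"|' + _TOKEN + r'))*)'
)
_PARAM = re.compile(r';\s*(' + _TOKEN + r')\s*=\s*(?:"([^"]*)"|(' + _TOKEN + r'))')
_SEP = re.compile(r"\s*,\s*")


@dataclass
class Alternative:
    protocol: str
    host: str                      # "" means the origin's own host (RFC 7838 section 3)
    port: int
    params: dict = field(default_factory=dict)


def parse_alt_svc(value: str) -> list:
    """Parse an Alt-Svc field value (RFC 7838 section 3). "clear" gives [];
    malformed input raises ValueError instead of being partially trusted."""
    value = value.strip()
    if value == "clear":
        return []
    alts, pos = [], 0
    while True:
        m = _ALTERNATIVE.match(value, pos)
        if not m:
            raise ValueError(f"malformed Alt-Svc at offset {pos}: {value[pos:]!r}")
        host, _, port = m.group("auth").rpartition(":")   # alt-authority = [host] ":" port
        params = {}
        for pm in _PARAM.finditer(m.group("params")):
            params[pm.group(1)] = pm.group(2) if pm.group(2) is not None else pm.group(3)
        alts.append(Alternative(m.group("proto"), host, int(port), params))
        pos = m.end()
        if pos == len(value):
            return alts
        sep = _SEP.match(value, pos)
        if not sep:
            raise ValueError(f"expected ',' at offset {pos}: {value[pos:]!r}")
        pos = sep.end()


def hostname_matches(presented: str, reference: str) -> bool:
    """Simplified RFC 6125 DNS-ID match: case-insensitive; a wildcard only as the
    whole left-most label, matching exactly one label, and only when at least two
    labels follow it (so "*.com" never matches). Real validators also consult a
    public-suffix list; that is out of scope here."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(p) >= 3 and len(p) == len(r) and p[1:] == r[1:]
    return p == r


def choose_sni(origin_host: str, alt: Alternative) -> str:
    """Without the draft's parameter the client names the origin in SNI; with it,
    the generic name the server advertised, keeping the origin out of cleartext.
    The parameter name "sni" is an assumption taken from the -00 draft."""
    return alt.params.get("sni", origin_host)


def needs_secondary_certificate(origin_host: str, handshake_names) -> bool:
    """Mike's updated rule: ask for the origin's certificate via Secondary
    Certificates only if the handshake certificate is not already authoritative
    for the origin. Ilari's case ("*.example.com" covering "secret.example.com")
    therefore needs no extra request."""
    return not any(hostname_matches(n, origin_host) for n in handshake_names)


def alternative_usable(origin_host: str, handshake_names, secondary_names=()) -> bool:
    """RFC 7838 "reasonable assurances": some validated certificate on this
    connection must be valid for the origin, or the alternative is not used."""
    return any(hostname_matches(n, origin_host)
               for n in list(handshake_names) + list(secondary_names))


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread or any deployment.
    origin = "secret.example.com"
    header = 'h2="alt.example.com:443"; sni="cdn.example.net"; ma=3600'
    alt = parse_alt_svc(header)[0]
    print("connect to", alt.host or origin, alt.port, "with SNI", choose_sni(origin, alt))
    for names in (["cdn.example.net"], ["cdn.example.net", "*.example.com"]):
        print(names, "-> request secondary cert:", needs_secondary_certificate(origin, names))
```

One design point worth keeping in mind: `needs_secondary_certificate` only decides whether to spend the extra request; `alternative_usable` is the check that actually gates use of the alternative, and it must still pass after the secondary exchange, or the client falls back to the origin as RFC 7838 already requires.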