Re: [OPSEC] Operational Security Considerations and Encrypted Client Hello

Andrew Campling <andrew.campling@419.consulting> Tue, 28 March 2023 04:37 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/03U2oLyeojZ9zaTWXkrSR5ZN50A>

Hi Opsec WG
We’re looking forward to talking about the operational considerations of Encrypted Client Hello at the working group meeting on Thursday.  In the meantime, you may be interested to note that we have just updated the I-D to version -05, which is accessible at https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/.

Andrew

From: Warren Kumari <warren@kumari.net>
Sent: 07 March 2023 22:22
To: Andrew Campling <andrew.campling@419.consulting>
Cc: opsec@ietf.org
Subject: Re: [OPSEC] Operational Security Considerations and Encrypted Client Hello

Hello WG!

I'd encourage the WG to review this document - it's relatively short, and is an easy read.

ECH is likely to be a fairly active topic in the IETF, and has significant Opsec implications. The document is on the OpSec agenda, and so having read it before the meeting will be really helpful.

W



On Fri, Feb 17, 2023 at 8:15 AM, Andrew Campling <andrew.campling@419.consulting> wrote:
Hi Opsec wg
You may be aware that some of us have been looking at the potential impact of the deployment of Encrypted Client Hello (ECH), an extension to TLS1.3+.  We are continuing to develop the draft, which is accessible at https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/.  You will note that many of the issues that we have identified relate to various aspects of operational security in a variety of contexts.

We have been encouraged to share the draft with the Opsec working group to see if there is interest in the topic within the group, hence this post.  I and at least one of my co-authors will be present in Yokohama for the IETF 116 meeting and will be happy to present the highlights of the draft if time is available on the wg agenda.


Andrew

_______________________________________________
OPSEC mailing list
OPSEC@ietf.org
https://www.ietf.org/mailman/listinfo/opsec