[OPSEC] Operational Security Considerations and Encrypted Client Hello

Andrew Campling <andrew.campling@419.consulting> Fri, 17 February 2023 13:15 UTC

From: Andrew Campling <andrew.campling@419.consulting>
To: "opsec@ietf.org" <opsec@ietf.org>
Date: Fri, 17 Feb 2023 13:15:00 +0000
Message-ID: <CWXP265MB51533022E8400931CDF545C4C2A19@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/MmKM_KZjx7PFdy-f2JQqwfkaXPU>
Subject: [OPSEC] Operational Security Considerations and Encrypted Client Hello

Hi Opsec wg
You may be aware that some of us have been looking at the potential impact of the deployment of Encrypted Client Hello (ECH), an extension to TLS1.3+.  We are continuing to develop the draft, which is accessible at https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/.  You will note that many of the issues that we have identified relate to various aspects of operational security in a variety of contexts.

We have been encouraged to share the draft with the Opsec working group to see if there is interest in the topic within the group, hence this post.  I and at least one of my co-authors will be present in Yokohama for the IETF 116 meeting and will be happy to present the highlights of the draft if time is available on the wg agenda.
Andrew