Re: [OPSEC] Operational Security Considerations and Encrypted Client Hello

Arnaud Taddei <arnaud.taddei.sdo@gmail.com> Tue, 14 March 2023 15:59 UTC

From: Arnaud Taddei <arnaud.taddei.sdo@gmail.com>
Date: Tue, 14 Mar 2023 16:59:11 +0100
In-Reply-To: <CAHw9_iL_GEvSLeY1a9z=GcSOhBJFv6zKrQLqYDRzb2Gpc1jBbA@mail.gmail.com>
Cc: Andrew Campling <andrew.campling@419.consulting>, opsec@ietf.org
To: Warren Kumari <warren@kumari.net>
References: <CWXP265MB51533022E8400931CDF545C4C2A19@CWXP265MB5153.GBRP265.PROD.OUTLOOK.COM> <CAHw9_iL_GEvSLeY1a9z=GcSOhBJFv6zKrQLqYDRzb2Gpc1jBbA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsec/gcwnMBZRCVfhWASPT1kO60NxCRQ>
Subject: Re: [OPSEC] Operational Security Considerations and Encrypted Client Hello

Thank you Warren, we appreciate being given a chance to present.

Please note we issued revision -04 and plan a revision -05 by Monday 27th of March.
https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/
One question as we are working on the best way to make our Github public.

I observed that there is a 'tlswg' Github entity which is hosting, for example, the ECH repo.

Is there an equivalent ‘opsecwg’ entity we should be using to host our repo and have all the magic links done (notifications, etc.) through this working group mailing list?

Sorry if this is a naive question. Trying to do the right things the right way.

Best

> Le 7 mars 2023 à 23:22, Warren Kumari <warren@kumari.net> a écrit :
> 
> Hello WG!
> 
> I'd encourage the WG to review this document - it's relatively short, and is an easy read.
> 
> ECH is likely to be a fairly active topic in the IETF, and has significant Opsec implications. The document is on the OpSec agenda, and so having read it before the meeting will be really helpful.
> 
> W
> 
> 
> 
> On Fri, Feb 17, 2023 at 8:15 AM, Andrew Campling <andrew.campling@419.consulting <mailto:andrew.campling@419.consulting>> wrote:
>> Hi Opsec wg
>> 
>> You may be aware that some of us have been looking at the potential impact of the deployment of Encrypted Client Hello (ECH), an extension to TLS1.3+.  We are continuing to develop the draft, which is accessible at https://datatracker.ietf.org/doc/draft-campling-ech-deployment-considerations/.  You will note that many of the issues that we have identified relate to various aspects of operational security in a variety of contexts.  
>> 
>> We have been encouraged to share the draft with the Opsec working group to see if there is interest in the topic within the group, hence this post.  I and at least one of my co-authors will be present in Yokohama for the IETF 116 meeting and will be happy to present the highlights of the draft if time is available on the wg agenda.  
>> 
>> Andrew 
>> 
>> _______________________________________________ 
>> OPSEC mailing list 
>> OPSEC@ietf.org <mailto:OPSEC@ietf.org> 
>> https://www.ietf.org/mailman/listinfo/opsec