Re: [quicwg/base-drafts] SNI encryption (#795)
Martin Thomson <notifications@github.com> Wed, 25 October 2017 23:22 UTC
Return-Path: <noreply@github.com>
X-Original-To: quic-issues@ietfa.amsl.com
Delivered-To: quic-issues@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B09D0139AB1 for <quic-issues@ietfa.amsl.com>; Wed, 25 Oct 2017 16:22:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.8
X-Spam-Level:
X-Spam-Status: No, score=-9.8 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=github.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id orUZAOMNnHLv for <quic-issues@ietfa.amsl.com>; Wed, 25 Oct 2017 16:22:27 -0700 (PDT)
Received: from github-smtp2b-ext-cp1-prd.iad.github.net (github-smtp2-ext2.iad.github.net [192.30.252.193]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D01A13F4C8 for <quic-issues@ietf.org>; Wed, 25 Oct 2017 16:22:15 -0700 (PDT)
Date: Wed, 25 Oct 2017 16:22:14 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=github.com; s=pf2014; t=1508973734; bh=nuLT5fJ0kHPu0X5aXSbgj/7rP8xcgXzhSamXWeagwfo=; h=From:Reply-To:To:Cc:In-Reply-To:References:Subject:List-ID: List-Archive:List-Post:List-Unsubscribe:From; b=ynQN9FQT17phrfIoNrDdKDyJbIOdm3uNcKwr6RDv1nuSw+uuy6m17k3Hs75fK2/42 5u56uyrfh85PDdIYS+wvhI3XaSdBDz/IGh6ndgEEyjp2ItLQ13CFkAa07KM4MJAb1+ nYGS5/f1yx8BV/b1xilXUdrmhet1JGNXhklviHLg=
From: Martin Thomson <notifications@github.com>
Reply-To: quicwg/base-drafts <reply+0166e4ab0c087a296940f41b1a74049a8d0fcfaa5b5483ee92cf000000011608dea692a169ce0f861fa8@reply.github.com>
To: quicwg/base-drafts <base-drafts@noreply.github.com>
Cc: Subscribed <subscribed@noreply.github.com>
Message-ID: <quicwg/base-drafts/issues/795/339503516@github.com>
In-Reply-To: <quicwg/base-drafts/issues/795@github.com>
References: <quicwg/base-drafts/issues/795@github.com>
Subject: Re: [quicwg/base-drafts] SNI encryption (#795)
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="--==_mimepart_59f11ca63e860_47493f9a5490ef381173de"; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Precedence: list
X-GitHub-Sender: martinthomson
X-GitHub-Recipient: quic-issues
X-GitHub-Reason: subscribed
X-Auto-Response-Suppress: All
X-GitHub-Recipient-Address: quic-issues@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/quic-issues/1hsXwOE61CIDH8o_xqUQXThIACk>
X-BeenThere: quic-issues@ietf.org
X-Mailman-Version: 2.1.22
List-Id: Notification list for GitHub issues related to the QUIC WG <quic-issues.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/quic-issues/>
List-Post: <mailto:quic-issues@ietf.org>
List-Help: <mailto:quic-issues-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/quic-issues>, <mailto:quic-issues-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Oct 2017 23:22:31 -0000
The issue here is not whether we expose the use of a particular protocol. Those tend to have small cardinality, so don't tend to compromise K-anonymity much by their exposure. But I wouldn't shift the load to ALPN. If any protocol can build similar capabilities to what is proposed for HTTP, then they benefit from the same advantages vis-a-vis SNI protection. If a generic capability is what is needed, I don't think that ALPN is where I would start looking, I'd build a QUIC extension in some form. An extension would either replicate the HTTP/2 certificates functionality, or do QUIC-in-QUIC in some way (probably by putting TLS in a stream and then exporting new keys when it is done and using a key update to manage their installation). Christian and ekr have done some work here and have a few options in their TLS doc. Some, if not all, of the basic designs work for QUIC. None of them use ALPN, which would create an undesirable secondary signal. (Also, every time someone suggests we make ALPN anything other than opaque, I cringe.) -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/quicwg/base-drafts/issues/795#issuecomment-339503516
- Re: [quicwg/base-drafts] SNI encryption (#795) ekr
- Re: [quicwg/base-drafts] SNI encryption (#795) Lars Eggert
- Re: [quicwg/base-drafts] SNI encryption (#795) Juha-Matti Tilli
- Re: [quicwg/base-drafts] SNI encryption (#795) ianswett
- Re: [quicwg/base-drafts] SNI encryption (#795) Juha-Matti Tilli
- [quicwg/base-drafts] SNI encryption (#795) Martin Thomson
- Re: [quicwg/base-drafts] SNI encryption (#795) hardie
- Re: [quicwg/base-drafts] SNI encryption (#795) Mike Bishop
- Re: [quicwg/base-drafts] SNI encryption (#795) Martin Thomson
- Re: [quicwg/base-drafts] SNI encryption (#795) Martin Thomson
- Re: [quicwg/base-drafts] SNI encryption (#795) Martin Thomson
- Re: [quicwg/base-drafts] SNI encryption (#795) Martin Thomson
- Re: [quicwg/base-drafts] SNI encryption (#795) MikkelFJ
- Re: [quicwg/base-drafts] SNI encryption (#795) Martin Thomson