Re: [Secdispatch] Request for a slot in the agenda of secdispatch on the 26th

Eric Rescorla <ekr@rtfm.com> Tue, 12 July 2022 17:44 UTC

Return-Path: <ekr@rtfm.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 26E57C14F747 for <secdispatch@ietfa.amsl.com>; Tue, 12 Jul 2022 10:44:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RMHGOte149nj for <secdispatch@ietfa.amsl.com>; Tue, 12 Jul 2022 10:44:39 -0700 (PDT)
Received: from mail-io1-xd2f.google.com (mail-io1-xd2f.google.com [IPv6:2607:f8b0:4864:20::d2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2746DC14F720 for <secdispatch@ietf.org>; Tue, 12 Jul 2022 10:44:39 -0700 (PDT)
Received: by mail-io1-xd2f.google.com with SMTP id 190so8587861iou.6 for <secdispatch@ietf.org>; Tue, 12 Jul 2022 10:44:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20210112.gappssmtp.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Rv18NMAC48sXCTQjT/474apRq0Htrcq1HOLmkRWucbw=; b=1dDg6U5yO3xL69wR+a2NGl27auN1F8TAhXmdbcPDtvHhyBquzi/hMTk7Yr2XuXBYFt yPimvsU4dcb369ANMLfqxn3AQmTGwKo7jabGuxLXWb8DHn6A5KlxQA87MAQg3OJR7qUn s83pcP4tUb+3+xnwgQc6tYexA77Kn6V8yWnUfPgNExxgpPaZ0tmGgKa3V2phHyq1M/dX nsuznbYXgsFl5fxzq6XLoS+fyGJBeNQ/+iyNO1bGFmE7Fcwp7KQrN3KsXDjfuPgVGjOB 3rJnTOl7UvcvCH0IJIS4ksc9We7iNGI/WfM3Z6dAiTMUZ7d2rgnDs7xPygaMYAs0zNo1 NvCA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Rv18NMAC48sXCTQjT/474apRq0Htrcq1HOLmkRWucbw=; b=VhpVqOKM5fUsCcEQbtVKdp54J2kprSPHKjn7Iopy0lmMovCul/V3u6lVB5ck0Hwr4S eCx61H1B2hJIVC6lj37Ab5X5swRpUxTPnvYxZky8nRn2YJbHuZlOeV9XKuTI7A1iztJJ SbLzUtigJJxLozzlY4WM9VSF62tErpPqbCeqzX5bDCtIE/X6yDwSZrQIDJP5M1zbz6X3 T5oWCtFf64JwuOnfngjGLz5kJ85xy4eiOMfGF4LSaFGEbvL7GncHb1fSTf7UKE4OiNlb YZ4xTDjdvkdOwkPwwLKHCjOWj0bHySukrffTQLyka9EvIDk99AU6+CE4Ptx5uHxmIv5C K+MQ==
X-Gm-Message-State: AJIora8w9IJBVZ/xqHgM3wxi3gqA9eP4j7vDNkKZLCA0GZ3Ks0cwWExq 8ZqG1zHIldKMXwzq9Jow2xopqOcKQ9oL2ZGUn6S0gDNKNV+tew==
X-Google-Smtp-Source: AGRyM1vFUn3pYIFTt1pzLC81lnR6+52R8rsm1ay2cWHpuTac8SJFjovCDB4v4Xg3LxezQLblvsgJ5OqrpK8jte0wB8s=
X-Received: by 2002:a02:a61a:0:b0:33f:70cb:a86b with SMTP id c26-20020a02a61a000000b0033f70cba86bmr2714726jam.137.1657647878210; Tue, 12 Jul 2022 10:44:38 -0700 (PDT)
MIME-Version: 1.0
References: <D6BB2A21-352D-4D72-BD21-22C427F7D31A@broadcom.com>
In-Reply-To: <D6BB2A21-352D-4D72-BD21-22C427F7D31A@broadcom.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: Tue, 12 Jul 2022 10:44:01 -0700
Message-ID: <CABcZeBNgLvj_giSQVVi=tyCuM8SWFhC=sNcQ+WOsBpTtnSjXVA@mail.gmail.com>
To: Arnaud Taddei <arnaud.taddei=40broadcom.com@dmarc.ietf.org>
Cc: IETF SecDispatch <secdispatch@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000f1a3df05e39f38c5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/iPfUKcwn8zmOu6lV2Ip1FXlMzFo>
Subject: Re: [Secdispatch] Request for a slot in the agenda of secdispatch on the 26th
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Jul 2022 17:44:40 -0000

Document: draft-taddei-ech4ent-introduction-00.txt

Hi Arnaud,

This seems to be largely a critique of ECH, so as far as SECDISPATCH
goes, the answer is that this should go to TLS. With that said, I
believe most of the points that you are raising were already
considered when we decided to do ECH, so I wouldn't expect this to
change the trajectory of the WG. You could, of course, also make these
as Last Call comments. I don't think this needs an agenda slot at
SECDISPATCH.


As far as the substance goes, I would make two points.

First, I think there is perhaps a disconnect about the way that ECH is
likely to be deployed, especially in Enterprise
environments. Specifically:

1. Because ECH depends on DNS, if clients us the Enterprise DNS,
   then that server can simply strip the ECH records from
   DNS responses. I believe this applies to non-Firefox browsers,
   as they use the DHCP-advertised resolver.

2. Although ECH is not yet widely deployed in clients, I would
   expect it to be configurable via enterprise policies. You
   mention intercepting proxies a number of times in S 3.5,
   but enabling those proxies requires control of the endpoint,
   which should be sufficient to disable ECH.

My point here is that in both cases the Enterprise has the opportunity
to disable ECH, so there shouldn't be any real impact. Of course,
this doesn't apply to BYOD, but the solution there is to actually
get management of the device--at least enough to disable ECH.


Second, in cases where the client is untrustworthy, then SNI cannot be
trusted, even if it is in the clear. The client can put an innocuous
SNI in the ClientHello. The same applies to the server certificate
because the client and server don't need to comply with RFCs 2818 or
6125. If what you are worried about is malware connecting to C&C, then
SNI is insufficient.  It's true that SNI is useful for compliant
clients and servers, however, for instance if you want to prevent
people from browsing specific sites.


-Ekr




On Mon, Jul 11, 2022 at 8:33 PM Arnaud Taddei <arnaud.taddei=
40broadcom.com@dmarc.ietf.org> wrote:

> Dear all, I would like to request a slot in the agenda of secdispatch on
> the 26th at IETF114 to present the I-D
> draft-taddei-ech4ent-introduction-00.txt
>
> I came back to IETF113 after an air gap of 2 years, so I am certainly very
> rusty but I could do some investigations since March and I would like the
> chance to share some ideas regarding ECH in the context of Enterprises and
> Organizations
>
> I will be there remotely
>
> Thank you for your consideration
>
>
>
> This electronic communication and the information and any files
> transmitted with it, or attached to it, are confidential and are intended
> solely for the use of the individual or entity to whom it is addressed and
> may contain information that is confidential, legally privileged, protected
> by privacy laws, or otherwise restricted from disclosure to anyone else. If
> you are not the intended recipient or the person responsible for delivering
> the e-mail to the intended recipient, you are hereby notified that any use,
> copying, distributing, dissemination, forwarding, printing, or copying of
> this e-mail is strictly prohibited. If you received this e-mail in error,
> please return the e-mail to the sender, delete it from your computer, and
> destroy any printed copy of it.
> _______________________________________________
> Secdispatch mailing list
> Secdispatch@ietf.org
> https://www.ietf.org/mailman/listinfo/secdispatch
>