Re: [Secdispatch] Request for a slot in the agenda of secdispatch on the 26th
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 21 July 2022 18:48 UTC
References: <D6BB2A21-352D-4D72-BD21-22C427F7D31A@broadcom.com> <CABcZeBNgLvj_giSQVVi=tyCuM8SWFhC=sNcQ+WOsBpTtnSjXVA@mail.gmail.com> <36FD4E26-B3FF-4ADA-9320-E69B6C79898B@broadcom.com>
In-Reply-To: <36FD4E26-B3FF-4ADA-9320-E69B6C79898B@broadcom.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Thu, 21 Jul 2022 14:48:03 -0400
Message-ID: <CAHbuEH7an_Y72VqdpXXjngQTh-uO72g7=zjPHGJrGYMRwbvEJg@mail.gmail.com>
To: Arnaud Taddei <arnaud.taddei=40broadcom.com@dmarc.ietf.org>
Cc: IETF SecDispatch <secdispatch@ietf.org>, Eric Rescorla <ekr@rtfm.com>
Content-Type: multipart/related; boundary="0000000000007a707005e4552aba"
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/mNok62giX1soBczDUJ3tTfy71EE>
Subject: Re: [Secdispatch] Request for a slot in the agenda of secdispatch on the 26th
Arnaud,

First, I hope you recover quickly and that your family is well. I appreciate the update to the list and your engagement to determine possible paths forward.

Best regards,
Kathleen

On Thu, Jul 21, 2022 at 5:19 AM Arnaud Taddei <arnaud.taddei=40broadcom.com@dmarc.ietf.org> wrote:
> Dear all, I am coming back here late as I have a bad COVID and it hurts
>
> As such, I answered Eric, Steven and Michael separately yesterday, and I was so confused, I didn't realise I hit Reply and not Reply all
>
> Anyway, the net net is that
>
> - I will withdraw my request for a slot in the secdispatch agenda
> - This work could have been good for OPSEC especially given the work on IOCs but their agenda is now full
> - This work is NOT a critique of ECH, it is an ask for what ECH can do to help enterprises when it will happen there (just a matter of time)
> - This work, as it is, is premature for the TLS group and I need to do some extra research on my claim that it brings new arguments (right now I insist it does)
> - I will rejoin the TLS working group and mailing list and engage prior to IETF 115
> - For the moment, Lars supports the idea that this work as it is can go to HotRFC so I will pursue this direction for a brief intervention
>
> Thank you for the 3 email threads and the good perspective exchanges separately
>
> Best Regards
>
> On 12 Jul 2022, at 19:44, Eric Rescorla <ekr@rtfm.com> wrote:
>
> Document: draft-taddei-ech4ent-introduction-00.txt
>
> Hi Arnaud,
>
> This seems to be largely a critique of ECH, so as far as SECDISPATCH goes, the answer is that this should go to TLS. With that said, I believe most of the points that you are raising were already considered when we decided to do ECH, so I wouldn't expect this to change the trajectory of the WG. You could, of course, also make these as Last Call comments. I don't think this needs an agenda slot at SECDISPATCH.
>
> As far as the substance goes, I would make two points.
>
> First, I think there is perhaps a disconnect about the way that ECH is likely to be deployed, especially in Enterprise environments. Specifically:
>
> 1. Because ECH depends on DNS, if clients use the Enterprise DNS, then that server can simply strip the ECH records from DNS responses. I believe this applies to non-Firefox browsers, as they use the DHCP-advertised resolver.
>
> 2. Although ECH is not yet widely deployed in clients, I would expect it to be configurable via enterprise policies. You mention intercepting proxies a number of times in S 3.5, but enabling those proxies requires control of the endpoint, which should be sufficient to disable ECH.
>
> My point here is that in both cases the Enterprise has the opportunity to disable ECH, so there shouldn't be any real impact. Of course, this doesn't apply to BYOD, but the solution there is to actually get management of the device--at least enough to disable ECH.
>
> Second, in cases where the client is untrustworthy, then SNI cannot be trusted, even if it is in the clear. The client can put an innocuous SNI in the ClientHello. The same applies to the server certificate because the client and server don't need to comply with RFCs 2818 or 6125. If what you are worried about is malware connecting to C&C, then SNI is insufficient. It's true that SNI is useful for compliant clients and servers, however, for instance if you want to prevent people from browsing specific sites.
>
> -Ekr
>
> On Mon, Jul 11, 2022 at 8:33 PM Arnaud Taddei <arnaud.taddei=40broadcom.com@dmarc.ietf.org> wrote:
>> Dear all, I would like to request a slot in the agenda of secdispatch on the 26th at IETF114 to present the I-D draft-taddei-ech4ent-introduction-00.txt
>>
>> I came back to IETF113 after an air gap of 2 years, so I am certainly very rusty but I could do some investigations since March and I would like the chance to share some ideas regarding ECH in the context of Enterprises and Organizations
>>
>> I will be there remotely
>>
>> Thank you for your consideration
>>
>> This electronic communication and the information and any files transmitted with it, or attached to it, are confidential and are intended solely for the use of the individual or entity to whom it is addressed and may contain information that is confidential, legally privileged, protected by privacy laws, or otherwise restricted from disclosure to anyone else. If you are not the intended recipient or the person responsible for delivering the e-mail to the intended recipient, you are hereby notified that any use, copying, distributing, dissemination, forwarding, printing, or copying of this e-mail is strictly prohibited. If you received this e-mail in error, please return the e-mail to the sender, delete it from your computer, and destroy any printed copy of it.
>> _______________________________________________
>> Secdispatch mailing list
>> Secdispatch@ietf.org
>> https://www.ietf.org/mailman/listinfo/secdispatch

-- 
Best regards,
Kathleen
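Ekr's first point above is that a client which uses the enterprise resolver can have ECH switched off at the DNS layer, because the resolver controls the HTTPS records it returns. The following is an added example written for this page (not from the draft, the list, or any participant) showing what "strip the ECH records" means at the wire level: it parses the RDATA of an HTTPS/SVCB record in the RFC 9460 format (SvcPriority, TargetName, then SvcParams as key/length/value), removes the `ech` SvcParam (key 5), and also removes key 5 from the `mandatory` list (key 0), since a client that sees `ech` marked mandatory but absent would reject the record outright. The sample RDATA and its placeholder ECHConfigList bytes are constructed for the example; names are assumed uncompressed.

```python
import struct

ECH_KEY = 5        # SvcParamKey "ech" in the RFC 9460 SvcParamKeys registry
MANDATORY_KEY = 0  # SvcParamKey "mandatory"


def _name_end(data, off):
    """Return the offset just past the uncompressed wire-format name at off."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in this example")
        off += 1 + length


def parse_https_rdata(rdata):
    """Split HTTPS/SVCB RDATA into (SvcPriority, TargetName bytes, [(key, value), ...])."""
    (priority,) = struct.unpack("!H", rdata[:2])
    end = _name_end(rdata, 2)
    target = rdata[2:end]
    params, off, prev_key = [], end, -1
    while off < len(rdata):
        key, length = struct.unpack("!HH", rdata[off:off + 4])
        off += 4
        if key <= prev_key:
            raise ValueError("SvcParamKeys must be in strictly increasing order")
        value = rdata[off:off + length]
        if len(value) != length:
            raise ValueError("truncated SvcParam value")
        params.append((key, value))
        prev_key, off = key, off + length
    return priority, target, params


def build_https_rdata(priority, target, params):
    """Serialise (priority, target, params) back to RDATA, keys in ascending order."""
    out = struct.pack("!H", priority) + target
    for key, value in sorted(params):
        out += struct.pack("!HH", key, len(value)) + value
    return out


def strip_ech(rdata):
    """Return (new_rdata, changed): RDATA with the ech SvcParam removed.

    If ech appears in the mandatory list it is removed from that list too, and an
    emptied mandatory list is dropped entirely (RFC 9460 forbids an empty one).
    AliasMode records (priority 0) carry no SvcParams and are returned untouched.
    """
    priority, target, params = parse_https_rdata(rdata)
    if priority == 0:
        return rdata, False
    kept, changed = [], False
    for key, value in params:
        if key == ECH_KEY:
            changed = True
            continue
        if key == MANDATORY_KEY:
            mandatory = [k for (k,) in struct.iter_unpack("!H", value)]
            keys = [k for k in mandatory if k != ECH_KEY]
            changed |= len(keys) != len(mandatory)
            if not keys:
                continue
            value = b"".join(struct.pack("!H", k) for k in keys)
        kept.append((key, value))
    return build_https_rdata(priority, target, kept), changed


# Constructed sample RDATA (not a real record): priority 1, TargetName ".",
# SvcParams mandatory=[ech], alpn="h2", ech=<4 placeholder bytes, not a real ECHConfigList>.
SAMPLE_RDATA = (
    b"\x00\x01"                            # SvcPriority 1 (ServiceMode)
    + b"\x00"                              # TargetName "." (root)
    + b"\x00\x00\x00\x02\x00\x05"          # key 0 mandatory, len 2, value [5]
    + b"\x00\x01\x00\x03\x02h2"            # key 1 alpn, len 3, value "h2"
    + b"\x00\x05\x00\x04\xde\xad\xbe\xef"  # key 5 ech, len 4, placeholder bytes
)

# Same record but with mandatory=[alpn, ech], so the list must shrink rather than vanish.
SAMPLE_RDATA_ALPN_MANDATORY = (
    b"\x00\x01\x00"
    + b"\x00\x00\x00\x04\x00\x01\x00\x05"
    + b"\x00\x01\x00\x03\x02h2"
    + b"\x00\x05\x00\x04\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for rd in (SAMPLE_RDATA, SAMPLE_RDATA_ALPN_MANDATORY):
        new_rd, changed = strip_ech(rd)
        print(changed, parse_https_rdata(new_rd)[2])
```

This is the resolver-side half of the picture only: it applies to clients that actually query the enterprise resolver (Ekr's BYOD and Firefox caveats stand), and a client that validates DNSSEC itself will see the rewritten HTTPS RRset fail validation rather than quietly accept it, which is why the endpoint-policy route in Ekr's point 2 is the more robust control.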