Re: [TLS] ESNI PEM files
Eric Rescorla <ekr@rtfm.com> Fri, 25 October 2019 14:06 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3946A12080E for <tls@ietfa.amsl.com>; Fri, 25 Oct 2019 07:06:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CsKIkhSQ9GH8 for <tls@ietfa.amsl.com>; Fri, 25 Oct 2019 07:06:40 -0700 (PDT)
Received: from mail-lj1-x22c.google.com (mail-lj1-x22c.google.com [IPv6:2a00:1450:4864:20::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 380CC120123 for <tls@ietf.org>; Fri, 25 Oct 2019 07:06:40 -0700 (PDT)
Received: by mail-lj1-x22c.google.com with SMTP id q64so2838185ljb.12 for <tls@ietf.org>; Fri, 25 Oct 2019 07:06:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=f8pNMKDiGwPiQUufhPkpwavx5eiBM/TdT2lLhCGalMY=; b=0cbeD2inzKbT/MQeD2yFVdzqpxQQZfsRtm5+LxUAP6ARoaoPXVUt/ybhh9GUE5qCzN gS4d9oPycyVoiz4atKj0tZFnZ8tHOE7Q6eI1ZMaGibWVOE5wDGNmMIbtCEsLY24IdG2i sCtqrZ+t1xTXLUbFwo/Apbu7tjq24wFgvD/XZdJN9zTesfrALFQIU9OzNzM/pQIcJ4Gi P9RIi9hZqjluTEGCAyQmnXMb/093bnZZwICGWf5uRuhp+Hy1C9fyEyUy3htxNoKytO4O 8CFxrAFtKIRgExJ6B/YpfNPVD0r72C4ky+vL+pDWsjEP7BbK40/dWFEOz9ObULXA9r1W hewg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=f8pNMKDiGwPiQUufhPkpwavx5eiBM/TdT2lLhCGalMY=; b=km+DtSR8Jmxpim5Q8d0SIUm8ifuawPJIzOoWlg19Nys8AdMYl/owFFrs869kSo2TmU f1rSBRzMls0JhkovR1UC2FfBV2aOMdM2oDHNwu3FLsr13lVO9yTQQ6BuOYpUh81MegIk 0/vkQKEV2jhRvSYZ2PhX/C7glcX1RtIyggPbarQcpPyhrpu0S8U94xkiXAWwtGbuEQfI 2xNhZKe2TCtaKBP7Yhzfq86Twr3TmoSaBkcOwM2FIyW0R2UjlNbA33NUGShTmtE/QgNr +yPso7EexJSoWRzV1gRt/4bAaMgTMNiq0QcKRG7TiXkQVfLhYHSr8gc1aeSll3OaWxoP Vf2g==
X-Gm-Message-State: APjAAAXxfrk2bretnAXQT0BIaA3NXfP19EiugoyUipwXclu7nkWizoxp YQ8IOF+nVUCDqPYNe7LaUTst+CEMThdUbGaVD+5nEA==
X-Google-Smtp-Source: APXvYqxTY/ZUd2l1Yvqnxn/AqEKcznAOBDUBkpaDkkaundhQiTy1SqnouHxD5nKSOU2gBVgxSi7DnUECwYs1XskGm+4=
X-Received: by 2002:a2e:9a09:: with SMTP id o9mr2699143lji.217.1572012398300; Fri, 25 Oct 2019 07:06:38 -0700 (PDT)
MIME-Version: 1.0
References: <f5229a83-2724-681f-8593-ccfad8732ed6@cs.tcd.ie> <CABcZeBM2-XboBEXgPgP+RtaFECb4rSaM2uUHJbkCm3=9j2xKFA@mail.gmail.com> <d04846ee-dc56-06d6-b597-526972eeadef@cs.tcd.ie>
In-Reply-To: <d04846ee-dc56-06d6-b597-526972eeadef@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, 25 Oct 2019 07:06:02 -0700
Message-ID: <CABcZeBMxioountj65Uo+qipx68YA4q439Bsr=q2LNG-mc4mYuA@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009565b00595bca8f5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/-mGJxZLSMJDFiuxpjoAicxg8Of8>
Subject: Re: [TLS] ESNI PEM files
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Oct 2019 14:06:42 -0000
On Fri, Oct 25, 2019 at 7:03 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > > On 25/10/2019 14:45, Eric Rescorla wrote: > > Are you suggesting that these strings appear on the wire in DNS? > > Nope. > > > Or is this > > just an internal implementation covnenience? > > A bit more than that, but yes. I have a (temporary) tool for > generating these files and then need to import the output from > that into e.g. nginx or lighttpd. Some applications support > more than one TLS library, so having a well defined format > seems like it'd help with ESNI deployment. > > Basically this is the same logic that lead to pkcs8 PrivateKey > being worth documenting in an RFC. > OK. I don't think this needs to be documented in this draft, but if you wanted to write some other draft.... -Ekr > Cheers, > S. > > > > > -Ekr > > > > > > On Fri, Oct 25, 2019 at 3:55 AM Stephen Farrell < > stephen.farrell@cs.tcd.ie> > > wrote: > > > >> > >> Hiya, > >> > >> To date, my ESNI code [1] has been dealing with files containing > >> the binary encoding of ESNIKeys and a separate PEM file containing > >> the related private key. > >> > >> As part of getting nginx to work with ESNI [2], it'd be easier > >> for me to deal with a single file containing both private key > >> and the ESNIKeys (or ESNIConfig) value. (One of the upstream > >> maintainers didn't like how I handled configuring ESNI, so the > >> change is really to make him happier, but I think it's likely > >> a generally useful thing:-) > >> > >> Since mixing binary and PEM encoding in one file would be ickky, > >> it'd be nice if we had a PEM file convention for the public keys > >> used in ESNI. And of course, it'd be much nicer if everyone did > >> the same thing here. > >> > >> What I'm coding up now would handle files like: > >> > >> " > >> -----BEGIN ESNIKEY----- > >> > >> > /wGeNLTKACQAHQAg/JLBUtPE5wp4CU2bbTihSPeP3113kz1J80X/Iy1Y2EYAAhMBAQQAAAAAXO6j > >> /gAAAABc995+AAA= > >> -----END ENSIKEY----- > >> " > >> > >> ...where the content is (unsurprisingly:-) a base64 encoded ESNIKeys. > >> > >> And if both the private and public components are in one file, > >> it'd look like: > >> > >> " > >> ----BEGIN PRIVATE KEY----- > >> MC4CAQAwBQYDK2VuBCIEICAHxXknil9tI2qZ+USRouNwXp0LxlUB85l0/xbhZ4Va > >> -----END PRIVATE KEY----- > >> -----BEGIN ESNIKEY----- > >> > >> > /wGeNLTKACQAHQAg/JLBUtPE5wp4CU2bbTihSPeP3113kz1J80X/Iy1Y2EYAAhMBAQQAAAAAXO6j > >> /gAAAABc995+AAA= > >> -----END ENSIKEY----- > >> " > >> > >> I'd be happy to change that however increases the probability > >> that other code bases do the same thing. > >> > >> If this is useful, I could do up a PR with a bit of text saying > >> to use "ESNIKEY" (or whatever) as the label when storing these > >> things in PEM files. Given RFC7468 documents other PEM file > >> things, it seems reasonable to do the same for ESNI. > >> > >> Cheers, > >> S. > >> > >> [1] https://github.com/sftcd/openssl/tree/master/esnistuff > >> [2] https://github.com/sftcd/nginx > >> _______________________________________________ > >> TLS mailing list > >> TLS@ietf.org > >> https://www.ietf.org/mailman/listinfo/tls > >> > > >
- [TLS] ESNI PEM files Stephen Farrell
- Re: [TLS] ESNI PEM files Salz, Rich
- Re: [TLS] ESNI PEM files Stephen Farrell
- Re: [TLS] ESNI PEM files Eric Rescorla
- Re: [TLS] ESNI PEM files Stephen Farrell
- Re: [TLS] ESNI PEM files Eric Rescorla
- Re: [TLS] ESNI PEM files Stephen Farrell
- Re: [TLS] ESNI PEM files Eric Rescorla
- Re: [TLS] ESNI PEM files Salz, Rich
- Re: [TLS] ESNI PEM files Stephen Farrell