Re: [TLS] Working Group Last Call for ECH
Raghu Saxena <poiasdpoiasd@live.com> Thu, 14 March 2024 03:40 UTC
On 3/14/24 00:45, Eric Rescorla wrote:
> There are two questions here:
>
> 1. What the specification says
> 2. What implementations choose to do within the envelope of that
> specification.
>
> The specification needs to prescribe a set of behaviors that promote
> interoperability, which means that whatever it tells the client to do
> must be compatible with what it tells servers to do. Presently, the
> specification tells clients to put whatever is in
> ECHConfig.public_name in ClientHelloOuter.sni (S 6.1) and tells the
> server that it may check and reject it otherwise (S 7.1).

So, if I understand correctly, for my domain "abc.com", I could purposely choose to have my ECHConfig public_name be "google.com", and configure my server to handle it (or ignore the SNI in the outer ClientHello altogether), and a client SHOULD NOT try and cancel the ECH attempt on seeing that the public_name in ECHConfig does not match the host the user is attempting to connect to?

I guess this makes sense, since in the Cloudflare case, every ECHConfig advertises public_name as "cloudflare-ech.com", and the user is obviously connecting to a different website.

In this case I guess it isn't as bad, since as a server operator I _could_ choose to just piggyback on the public_name of some popular CDN, even though I am not using it, to "hide" my real SNI / domain. I think this is a feasible workaround.

Regards,

Raghu Saxena
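The exchange above turns on two pieces of the ECH draft: the client copies ECHConfig.public_name into ClientHelloOuter.sni without comparing it to the name the user typed (S 6.1), and the client-facing server may compare the outer SNI against the public_name of the config selected by config_id and reject a mismatch (S 7.1). The following is an added example, not code from the thread or from any ECH implementation: it encodes and parses the ECHConfigList wire format from draft-ietf-tls-esni (version 0xfe0d, one HPKE suite), then models both sides of that rule. The sample key bytes and names are constructed, the public_name validity check is a simplified syntactic one, and treating an unknown config_id as a rejection is a simplification of what a real server does (a real server would fall back to non-ECH handling rather than abort).

```python
import re
import struct

# Code points taken from draft-ietf-tls-esni / RFC 9180 (HPKE).
ECH_VERSION = 0xFE0D
DHKEM_X25519_HKDF_SHA256 = 0x0020
HKDF_SHA256 = 0x0001
AES_128_GCM = 0x0001

_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_public_name(name: str) -> bool:
    """Simplified check that public_name looks like a DNS host name (LDH labels)."""
    if not name or len(name) > 253:
        return False
    return all(_LDH_LABEL.match(label) for label in name.rstrip(".").split("."))


def build_ech_config(config_id: int, public_key: bytes, public_name: str) -> bytes:
    """Encode one ECHConfig (version 0xfe0d) carrying a single HPKE cipher suite."""
    if not is_valid_public_name(public_name):
        raise ValueError("public_name is not a valid host name")
    key_config = (
        struct.pack("!BH", config_id, DHKEM_X25519_HKDF_SHA256)
        + struct.pack("!H", len(public_key)) + public_key
        + struct.pack("!HHH", 4, HKDF_SHA256, AES_128_GCM)   # cipher_suites<4..>
    )
    name = public_name.encode("ascii")
    contents = (key_config + struct.pack("!B", 64)              # maximum_name_length
                + struct.pack("!B", len(name)) + name             # public_name<1..255>
                + struct.pack("!H", 0))                           # extensions<0..> (empty)
    return struct.pack("!HH", ECH_VERSION, len(contents)) + contents


def build_ech_config_list(configs: list) -> bytes:
    """Wrap ECHConfig structures in the 16-bit length-prefixed ECHConfigList."""
    body = b"".join(configs)
    return struct.pack("!H", len(body)) + body


def parse_ech_config_list(data: bytes) -> list:
    """Parse an ECHConfigList; configs with an unsupported version are skipped,
    which is what the draft tells clients to do."""
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("ECHConfigList length mismatch")
    pos, configs = 2, []
    while pos < len(data):
        version, length = struct.unpack_from("!HH", data, pos)
        body = data[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated ECHConfig")
        pos += 4 + length
        if version != ECH_VERSION:
            continue
        config_id, kem_id, pk_len = struct.unpack_from("!BHH", body, 0)
        p = 5
        public_key = body[p:p + pk_len]
        p += pk_len
        (cs_len,) = struct.unpack_from("!H", body, p)
        p += 2
        if cs_len % 4:
            raise ValueError("cipher_suites length not a multiple of 4")
        suites = [struct.unpack_from("!HH", body, p + i) for i in range(0, cs_len, 4)]
        p += cs_len
        max_name_len, name_len = struct.unpack_from("!BB", body, p)
        p += 2
        public_name = body[p:p + name_len].decode("ascii")
        p += name_len
        (ext_len,) = struct.unpack_from("!H", body, p)
        if p + 2 + ext_len != len(body):
            raise ValueError("bad extensions length")
        configs.append({"config_id": config_id, "kem_id": kem_id, "public_key": public_key,
                        "cipher_suites": suites, "maximum_name_length": max_name_len,
                        "public_name": public_name})
    return configs


def client_outer_sni(config: dict, target_host: str) -> str:
    """S 6.1 behaviour: the outer SNI is the config's public_name. target_host (the
    name the user is connecting to) only goes into the encrypted ClientHelloInner."""
    return config["public_name"]


def server_accepts_outer_sni(known_configs: list, config_id: int, outer_sni: str) -> bool:
    """The optional S 7.1 check: outer SNI must equal the public_name of the config the
    client named via config_id. Unknown config_id -> False (simplification, see lead-in)."""
    for cfg in known_configs:
        if cfg["config_id"] == config_id:
            return cfg["public_name"].lower() == outer_sni.lower()
    return False


# Constructed sample: one supported config plus one with an unknown version (0xfe0a).
SAMPLE_PUBLIC_KEY = bytes(range(32))          # placeholder, not a real X25519 key
UNKNOWN_VERSION_CONFIG = bytes.fromhex("fe0a00020000")
SAMPLE_LIST = build_ech_config_list(
    [build_ech_config(7, SAMPLE_PUBLIC_KEY, "public.example"), UNKNOWN_VERSION_CONFIG])
```

Running `parse_ech_config_list(SAMPLE_LIST)` yields a single config (the 0xfe0a entry is ignored), and `client_outer_sni(cfg, "abc.example")` returns "public.example" whatever the target host is, which is exactly the point Eric makes: the client never compares public_name with the name it is really connecting to. The server-side helper is where a mismatch becomes visible, and only for a client-facing server that chooses to perform the check.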