Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 19 July 2021 21:32 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0C6BF3A0B13 for <tls@ietfa.amsl.com>; Mon, 19 Jul 2021 14:32:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MSGID_FROM_MTA_HEADER=0.001, NICE_REPLY_A=-0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gpa_TQ8_674j for <tls@ietfa.amsl.com>; Mon, 19 Jul 2021 14:32:10 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70100.outbound.protection.outlook.com [40.107.7.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D671F3A0B0A for <tls@ietf.org>; Mon, 19 Jul 2021 14:32:09 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=eXs6kfQ5MF6XZc6SB13tbHHbcizBPQEJfMy0ceIWKL7oerrs/vosFQCfGW0zSVoRbdIltTNofUMmhnMT7jplAMROLyaaHDoy64qNJOOo2Rq1jMGctTNoUfaqlkzMR6zm3x8iqJ4u4BJYWLI+sVaJk1rhXNPinf3IfKXB221AkRGKgsV23ysscbDNuxOv3y3Khuh94mJSQGGsqW1p7NX2eu9c46o8hMKNs4L5720uxtlf8TBwnSyUuJEvqn/CCq5bsTt77eF44+pik/mmKc05tCMyaVhX4Y0nGduHA3yGxKGtLGJ064Y00mpxBlfx3Xlf6yRcBnEN3rA18e6AFQLI+A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MXSQeTcVmFYPXMjJCcIggtwNwDF1VWB8UTkf65LYV6g=; b=UVOe22P6S3NAT5Pqbm/OOhDg4+Yz3Zh3jEBV6X+8xZyjDnZBJFd83zVPkL55myZp7YkwGl14SKaBndEDZoGomoagKTYEm6G+AoiUFvU4qEq2XVSokLmQsvWF4ZlcfvHslXr9uxT8zMceig5mS99ccTVQJGbtjZaIkBGYhvKg+vo6vhuCn9beV8KUeY31/XViW1wB77Seo8Y5iVJA+6ItkGxGGTpSOUpFI+xa5lcZXc9glrXE1Ta0RQtAQX4W1i8aTJhU6YQu1KYElxPgGHXbBVxfXvlwtDzfQiTsyHAZ7mpYy77mBxTNmkKvq/pmRfrX8jz0752nRX+/DQc26l5aQg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cs.tcd.ie; dmarc=pass action=none header.from=cs.tcd.ie; dkim=pass header.d=cs.tcd.ie; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cs.tcd.ie; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=MXSQeTcVmFYPXMjJCcIggtwNwDF1VWB8UTkf65LYV6g=; b=KYcuzSyPDVx0B7Mmj7jNVPS0ZBduJgXmbdIfqzx+MCRpZ5VwUQZuyjjO+D6fjNvIY3rF6P0vT/d7e9BW1zVMz9DzN0lcuLe/nk3N1or5QumPb5xhELylIqPFaXlO7bPXR0qL0zw5qenQh6vI3QRsTEJnFwexSDfZzEGeCDq/UnUlLoUBxD3Qj6//IUF3SCUqh5N6K0dXSGLuDutIsSOytvfiMQvnAAPCWQJaAWQkHPlPgGprT7Q1HTKimb+gAJ7s2AQNtl34T+7PClkgcZi1ZR7CtEGdOwNSfOo+PsZB30HZVWQHmtufBYqlgjv05YATCLMROUptIZGf8PoFOwIwvw==
Authentication-Results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=cs.tcd.ie;
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15) by DB9PR02MB7387.eurprd02.prod.outlook.com (2603:10a6:10:240::7) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.21; Mon, 19 Jul 2021 21:32:05 +0000
Received: from DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4198:a9d1:7246:8272]) by DB7PR02MB5113.eurprd02.prod.outlook.com ([fe80::4198:a9d1:7246:8272%3]) with mapi id 15.20.4331.033; Mon, 19 Jul 2021 21:32:05 +0000
To: David Benjamin <davidben@chromium.org>
Cc: Ryan Sleevi <ryan-ietftls@sleevi.com>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
References: <0ad354da-5300-4b48-8925-f7ab18cdf235@www.fastmail.com> <5D834B58-7A0C-4701-96EB-31663BC0C2DE@akamai.com> <2c7c53a8-cf47-f51d-f97b-f6cd5a712024@cs.tcd.ie> <CAErg=HE92wz3-aLDSfNWk_qJA35+V-euUvtW07HKA=B7CVB3iA@mail.gmail.com> <CAF8qwaDKScDihLVHTahVGqwZjU3U1OXwpsygR=SXMt_3rEOZpA@mail.gmail.com> <80e47f63-725f-ad39-5add-161e6e299fba@cs.tcd.ie> <CAF8qwaDzH30--4UE_hA3RHMfcw9V2Z4Hmx-vuQ6AJy3e6BiO3Q@mail.gmail.com> <9bff5f4d-e2ce-c046-5515-882b45079ef9@cs.tcd.ie> <CAF8qwaDudTerAU7AAh1ezvthDGKRZONzGU4fwf=1A4dikkC+Dw@mail.gmail.com> <0f461bf3-3fad-ff65-9f2a-b2be1832fe45@cs.tcd.ie> <CAF8qwaArW2POUkhLXN9HLmTZ19m_oFeW5d5OqCcjsq+zywRKcQ@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <177ef2b8-3ae3-2af8-1a37-5757c1656910@cs.tcd.ie>
Date: Mon, 19 Jul 2021 22:32:03 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.11.0
In-Reply-To: <CAF8qwaArW2POUkhLXN9HLmTZ19m_oFeW5d5OqCcjsq+zywRKcQ@mail.gmail.com>
Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="H4vmDsWXK1KWiq9yMXTjfRWl9V0boUkws"
X-ClientProxiedBy: DB9PR01CA0012.eurprd01.prod.exchangelabs.com (2603:10a6:10:1d8::17) To DB7PR02MB5113.eurprd02.prod.outlook.com (2603:10a6:10:77::15)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [10.244.2.119] (95.45.153.252) by DB9PR01CA0012.eurprd01.prod.exchangelabs.com (2603:10a6:10:1d8::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4331.21 via Frontend Transport; Mon, 19 Jul 2021 21:32:04 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 2fb56731-b6da-48c2-2eb2-08d94afca71e
X-MS-TrafficTypeDiagnostic: DB9PR02MB7387:
X-MS-Exchange-SharedMailbox-RoutingAgent-Processed: True
X-Microsoft-Antispam-PRVS: <DB9PR02MB7387814E9571F1DDDE29BC5FA8E19@DB9PR02MB7387.eurprd02.prod.outlook.com>
X-TCD-Routed-via-EOP: Routed via EOP
X-TCD-ROUTED: Passed-Transport-Routing-Rules
X-MS-Oob-TLC-OOBClassifiers: OLM:3631;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: OlO+L/18cQKjciJ3ouXWZ9On8XEc2k5TNUjrHqnn+zxAF2fir6sJHsirhGvbAqn7spOTq1ufDBr681SpdayJfrZml1msDujZGouTWZp4d4C3lmOWRWT02JsaO6CVbiZIqjRXi6FijUcaL5pL6vww5i+6iS3PiagFIXFyuRiEeYoxs8DpYoYHS5YRUAczeH01Dr2heGZnnLY6PgkGvt8LmX6Tx5RsxpoJTi6SUiH+O7gQ8q19qj8ti5v6q9h6RHRwn0zRwYwjaZ2bPF6sS4TTd5k+AvMZ4ctuDBoKfCnac30hSYuPPfIAXxkbWx5+5p/KC6eDWzlpkkRRtdMAjNhdSXpyrv01KwmEAcD3mO+2mFpe42/03O2vhO24dl4c/xynYu5phRrSFC16THdf6vJ+6IXrTYOjbyfEN4ovdi9ArB5c2R/oys3AD9URUQvNXCUI+p3JNSWIbfoaDyz51KifJ/b1iGvS6BI9G84qBEAA1i9sz6NwSlOEvom++1kkitqSqMgXBm+T9b9cw98YGZ5Wag4mdOBGNNdkLjpuO3S5sLYm0d5t0mh7qS8nq0bawfDELoMWVoncYhzpNClNjMJv9RN/3nmhU9wMu6UQSBWf8v6ygkKP1Cu0z8bdh1WATIL131zebuRRppn/+metzdULYBFQdwE5wqgDoln0ax3hzSqTL7jaNaQcJDD26h8rvyI4MVJ4BNDcAOxqgYCV6Fi0NweFYEFppT/U175laJNc9oI+SjYxNQvEjp5TwJtrJ9NvJX/zdq2hkLn/5ng8iQSQw3xqXLBgiifIFCLtZvv+rVs=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR02MB5113.eurprd02.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(376002)(346002)(396003)(366004)(136003)(39850400004)(21480400003)(235185007)(5660300002)(8676002)(83380400001)(8936002)(31686004)(36756003)(6486002)(44832011)(2616005)(956004)(38100700002)(86362001)(186003)(31696002)(2906002)(966005)(66476007)(66946007)(66556008)(66616009)(26005)(54906003)(53546011)(4326008)(6916009)(33964004)(478600001)(786003)(316002)(16576012)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?utf-8?B?S0lKK1NtOXp4SjI4VVdNM2NBNTN2dmdGbXB6MktaekduVGxyOU1TRFFRRW5z?= =?utf-8?B?RjJ3NGVBd2JmMnBBWnlqYmNCTXhRcTNBcm9aOU0rTDRNQXhRdUJrcVRlek84?= =?utf-8?B?dkdBOFYySEJpRWs1OTY0Slo0dlNhSTQwbEo0eGtqb09iZTc1Y2RQYURQZ25O?= =?utf-8?B?c0dad0lTSDNvQWNGMkxDTHFWVURReVl0aHR3OEVkemJIbGpPdG1GaFYxSmlK?= =?utf-8?B?L292YWlKaFVyTWZKT1pRaG9iUG55Q3VSblAxU1BLVE1rYWx4UTBmd1NDTDA0?= =?utf-8?B?c3YxNkdsNXhkeVNpUTl4VmpWNG1XQ1lSOUcvSVpwcUROV3c4eHM2dGFmWnFs?= =?utf-8?B?YWN6N1R0V200RjE2bHJ6RHRLU0JZWnoxK2JNaUIxSWNtVWdDWXFwd1htR0pG?= =?utf-8?B?M1VoTkhMU3h6OERXendML3RYWXdOVDVOMENmUXdHdnZ0dzRrUzEwZzV4Q0Vk?= =?utf-8?B?b1piSDZoUnR6SmVYeEdkdmhpeE1jR01sbHpFOW9BcENZZUZMQkZwUHZzRHhY?= =?utf-8?B?RERKb3B4ZkFmQUpoVVZRMUtlalE2YVJJQXZLMkNFTlY3NUxqNThjMStBTmJZ?= =?utf-8?B?Rm94VlNiREl2Q3JUK1N0RFVZd0psQXNvRlh6WGxaZzkyYU9HcW9rQVYzZW1x?= =?utf-8?B?SFIrdWpEQmc3TWMvSjNpL3hzU09mTC9hS3BSRzgxZk1uMndwSkVrNzd2UTdv?= =?utf-8?B?NzdiZWZQUFV6b2FueE5kUDNZaVhuQ0NKNUlaSm5LWEVaYjFIMU1xUnQ0RU9X?= =?utf-8?B?UkpoYnFzbWw5NS8xTjlKY3NvbGNtOHczWVZyZTMxQUVHanJNaXIzV3lCS3Zs?= =?utf-8?B?SjlDUk1JOHZGdFFvTUpEOVJTdjN3aG9hdXhTM3FlY25FenhHMGhmSG1GM2JZ?= =?utf-8?B?NVRHdEhzWGtiZWg0YlZWOXZLRENXcnV1bnh4REpTeUNaTFJYVjBMOVhLM0VB?= =?utf-8?B?dDhFVjF6dXJienFadjBJTWtha0VFaDAxSlVWTVN1QS9odHNFNnRXZ3VYaXVM?= =?utf-8?B?V2NsanFEcEpaNWdkTkVUczhaMC9oeVpJb0VoeHU4b2J5bGFjWjFwZ3lWMnl5?= =?utf-8?B?MlBQNzc2WFhqc0pKY2dLN3hTOXZuZGJMS1ExWUVEU044ZXRzNjFHUzFtaEJ2?= =?utf-8?B?NDJjT0dRYkppcDBDVm1IamhBS2pLd2ZJQmpmbGIxeE9xU0dDL1M0N2xZeVJY?= =?utf-8?B?L2lzZDBsL1VGVUlTQVR6UDdGWUMwUTcxZTFLc3Y0Um4rYWZ2eTFvMmx5c1JH?= =?utf-8?B?TXA3YU9xaFhqOEtmUkRGNG5JeFNPL25qejhtd3BvaVZqSS9neDY3enZtS3c2?= =?utf-8?B?SlVnK0xROExCeUNuVGVmdkFFcVJycFJXQ1JncG9LcHZpcFBaZmRwRFFoTU5Y?= =?utf-8?B?YVFERmd4SllmaVlTZ3d0bDF4RCt6WU4zUUY4elp0dEIwL0h0RzdMK3lZR1Mr?= =?utf-8?B?ZGU5aTkxeGdlUnMzTHpmTHlOUnREYzFubEVYZWd4dm5CSkRTZzk5aW8wVlFZ?= =?utf-8?B?Q3RMaWhFa3NCSk5ORm5SQmdVVWpISzlycDV3WWJuMzlMUzNqR1VaYU5vTENi?= =?utf-8?B?d2xjamhFUEVwRkhJcDNOR1JaVEh5YjdqeThWQytvbGl3T0M1V1puTkYrRnZN?= =?utf-8?B?cmJSZXNIQ2QrSkI4QmlZd1lhbFNsSFZxM2F3c3BNTUVKY21xNk9iemxXQ0wv?= =?utf-8?B?ZjE3MHUxd09kelVyb08yQVlUUmQ2VmV1MmwvUjRKQlduc0VIZlVHUWV2MnhM?= =?utf-8?Q?5BHcTowwmGbWAa1f8fyOkhJhJjqMFIoyK+dxR5Z?=
X-OriginatorOrg: cs.tcd.ie
X-MS-Exchange-CrossTenant-Network-Message-Id: 2fb56731-b6da-48c2-2eb2-08d94afca71e
X-MS-Exchange-CrossTenant-AuthSource: DB7PR02MB5113.eurprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 19 Jul 2021 21:32:04.9780 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: d595be8d-b306-45f4-8064-9e5b82fbe52b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: NzdEvwuLHLjwGX0fGEUwowYOAM3u1BrIT5hjUw6X3FOuoTE8lVyuWT9EnYP0WNNn
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR02MB7387
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/7rqEajOUYPWah5YtZ0IWadHBbPU>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Jul 2021 21:32:15 -0000

Hiya,

On 19/07/2021 22:13, David Benjamin wrote:
> I don't think that's an accurate characterization of what's going on. I at
> least care about both optimization and privacy. 

Sure. We just disagree, I've no doubt you care about those.

> We should apply
> optimizations only where they do not result in a privacy issue, and we
> should not apply optimizations that result in a privacy issue. That means
> taking the time to understand a system's privacy goals and how mechanisms
> interact with them.
> 
> Even ignoring this document, rfc8446*already*  fails this test. By
> omission, it implies applications needn't match up their privacy goals with
> TLS resumption. This is false and indeed that results in a tracking vector
> on the Web, and any other application where multiple contexts talk to the
> same domain. That means this 3rd option does not replace the need for text.
> We need to either find wording we're happy with, or remove resumption
> entirely.
> 
> I've proposed some text for rfc8446bis. I think it captures the right
> criteria: you may only resume if you were okay correlating the first and
> second connections. If you think something is missing, I think that is
> useful feedback. Given how widespread resumption is, it's important that we
> fully understand the implications.
> https://github.com/tlswg/tls13-spec/pull/1205
> 
>>From there, we can look at this document.

Now it's me that's confused. Are you arguing that this draft
ought not progress until 8446bis is done?

Ta,
S.

> Observe that the rule applies
> equally well here. Moreover, on the Web, even after you apply the rule,
> there is still a space where the optimization is useful. This is great. It
> means we can both avoid a privacy issue*and*  make things faster. Even
> better, the optimizations apply to XSS privsep schemes (subdomains within a
> site), so there is an indirect security benefit. Other applications may
> look different (no subresource-like construct, different correlation
> boundaries), such that the optimization is not useful, but that's still
> fine. The overall rule simply turns the flag into a no-op.