Re: [TLS] In support of encrypting SNI
Watson Ladd <watsonbladd@gmail.com> Fri, 16 May 2014 03:32 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18ADF1A00A8 for <tls@ietfa.amsl.com>; Thu, 15 May 2014 20:32:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.101
X-Spam-Level:
X-Spam-Status: No, score=-0.101 tagged_above=-999 required=5 tests=[BAYES_20=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eFHvqIaRulbi for <tls@ietfa.amsl.com>; Thu, 15 May 2014 20:32:55 -0700 (PDT)
Received: from mail-yh0-x22b.google.com (mail-yh0-x22b.google.com [IPv6:2607:f8b0:4002:c01::22b]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E3DA1A007E for <tls@ietf.org>; Thu, 15 May 2014 20:32:55 -0700 (PDT)
Received: by mail-yh0-f43.google.com with SMTP id v1so3886391yhn.16 for <tls@ietf.org>; Thu, 15 May 2014 20:32:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=2uH7q1YZFFVW58D8Hk69tQQdg6MUVHIyU62A9dYrMkk=; b=cHftxCRgsvSv0PndMxJwDR9rOPTlFAXda+DL9d1GsRK79jwsrdmq40C8bQ3fcW9dXs YwAmXafUQWkwRux9aK2IeXiNFmnF6uhZWx7Clvw8F4xZnUnRtm3uh8SzacybqehJevsO PnPlnidLr5+jUOJqrB8BdHGZ4HdXLFXD6fvooYlYM++epiaVZ4PInDXSlYML6ay/QvPW xhxOA5x0LMvS0WLHdILBHg0fxXGJw9gGJ36uA/oXPJo4R7+7q+ustbX69B2vT8+ErnyS H/E/W6zi4TaCnDj4P8qwVpb4DlG7ZJ2qb74Uf89wSfN4qqTBo7iWyB1Hm5gtpGP4nF1I bGFg==
MIME-Version: 1.0
X-Received: by 10.236.39.72 with SMTP id c48mr21447471yhb.89.1400211167929; Thu, 15 May 2014 20:32:47 -0700 (PDT)
Received: by 10.170.39.136 with HTTP; Thu, 15 May 2014 20:32:47 -0700 (PDT)
In-Reply-To: <CABqy+sqJLbiWkGYKAT+s8_mQrWxhpotm8OBPND9a0gPg0oq-=A@mail.gmail.com>
References: <5373C4F3.3010602@blah.is> <5373d656.84c5440a.1a9b.25a0SMTPIN_ADDED_BROKEN@mx.google.com> <CACsn0cmOcJF=VmCD-=1iNg=gP+THU2ZBXn_wtPOWRhaG-BeQMg@mail.gmail.com> <498BFB9F-EF8D-48E2-92A9-4287491FB9B7@gmail.com> <04d201cf7007$1c24ced0$546e6c70$@huitema.net> <CABqy+sqJLbiWkGYKAT+s8_mQrWxhpotm8OBPND9a0gPg0oq-=A@mail.gmail.com>
Date: Thu, 15 May 2014 20:32:47 -0700
Message-ID: <CACsn0cnNFPO4uiV+Ww8RaSaYOd4jQOANjkCj=fpM_XUVo4QxRw@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
To: Robert Ransom <rransom.8774@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: http://mailarchive.ietf.org/arch/msg/tls/AKuCC6EIKI_X6_rbD4n-jRpS214
Cc: ietf tls <tls@ietf.org>
Subject: Re: [TLS] In support of encrypting SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 May 2014 03:32:57 -0000
On Wed, May 14, 2014 at 11:38 PM, Robert Ransom <rransom.8774@gmail.com> wrote: > On 5/14/14, Christian Huitema <huitema@huitema.net> wrote: >>> If a comprehensive solution to the surveillance problem also involve >> changes to >>> plug leaks by DNS, wouldn't it be reasonable that the TLS portion of the >> solution >>> depends on the DNS bits being deployed as well? >> >> This is a bit close to the "your side of the boat is leaking more than >> mine" >> argument. Let's plug both leaks, and not have each wait for the other. > > That's what Fabrice was suggesting. (Specifically: the pieces of text > quoted in that message describe solutions to the TLS leaks which > depend on having extra information pre-distributed in DNS.) It's a little more subtle than that. Options 3 and 1 have the same security absent DNSSEC, but different performance, with Option 1 requiring an extra round trip. However, Option 3 requires administrative action on the part of a website to work. The payoff depends on DNSSEC. So right now I see Option 1 or 3 as our best bet, with very limited real world impact. Sincerely, Watson Ladd -- "Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither Liberty nor Safety." -- Benjamin Franklin
- [TLS] In support of encrypting SNI Dan Blah
- Re: [TLS] In support of encrypting SNI Salz, Rich
- Re: [TLS] In support of encrypting SNI Seth David Schoen
- Re: [TLS] In support of encrypting SNI Stephen Farrell
- Re: [TLS] In support of encrypting SNI Watson Ladd
- Re: [TLS] In support of encrypting SNI Michael Carbone
- Re: [TLS] In support of encrypting SNI Fabrice
- Re: [TLS] In support of encrypting SNI Christian Huitema
- Re: [TLS] In support of encrypting SNI Daniel Kahn Gillmor
- Re: [TLS] In support of encrypting SNI Robert Ransom
- Re: [TLS] In support of encrypting SNI Stephen Farrell
- Re: [TLS] In support of encrypting SNI Marsh Ray
- Re: [TLS] In support of encrypting SNI Watson Ladd
- Re: [TLS] In support of encrypting SNI Martin Rex
- Re: [TLS] In support of encrypting SNI Watson Ladd
- Re: [TLS] In support of encrypting SNI Martin Rex
- Re: [TLS] In support of encrypting SNI (off-topic) S Moonesamy
- Re: [TLS] In support of encrypting SNI (off-topic) Michael Carbone
- Re: [TLS] In support of encrypting SNI (off-topic) S Moonesamy