Re: [TLS] Working Group Last Call for ECH
Raghu Saxena <poiasdpoiasd@live.com> Thu, 21 March 2024 05:39 UTC
Date: Thu, 21 Mar 2024 13:39:32 +0800
To: Eric Rescorla <ekr@rtfm.com>
Cc: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AtFCrmQSL24WRVeQTeiRT_5P8VU>
On 3/15/24 00:02, Eric Rescorla wrote:
>
>> So, if I understand correctly, for my domain "abc.com", I could
>> purposely choose to have my ECHConfig public_name be "google.com", and
>
> As I said earlier, using "google.com" would be unwise because it
> would allow Google to mount an attack where they terminated
> the connection and replaced the ECHConfig. You should instead
> use a name that is either unregistrable or that you control.

Just so I understand correctly - the scope of the attack, if they were to really intercept the TLS handshake and replace the ECHConfig, would allow them to "just" decrypt my ClientHelloInner, correct? Since ultimately the real origin I am connecting to (e.g. "mydomain.com") is not something they control, they can't present a valid cert for it and complete the full TLS connection (i.e. impersonate the true origin).

At least this is what I understand from Section 6.1.7, specifically:

"Note that authenticating a connection for the public name does not authenticate it for the origin. The TLS implementation MUST NOT report such connections as successful to the application."

Regards,
Raghu Saxena
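The client-side rule from Section 6.1.7 that the message above relies on, modelled as an added example that is not part of this thread or of any ECH implementation. It assumes a deliberately simplified handshake (certificate validation reduced to a name match, ECH acceptance and retry_configs carried as plain fields) and uses the constructed names "mydomain.com" and "google.com" from the discussion.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Simplified model of the ECH client rule (Section 6.1.7): a handshake that is
# only authenticated for the ECHConfig public_name is never reported to the
# application as a successful connection to the origin.

@dataclass
class ECHConfig:
    public_name: str   # outer SNI; whoever terminates the outer handshake needs a cert for it

@dataclass
class ServerResponse:
    cert_name: str                                   # name the presented certificate is valid for
    ech_accepted: bool                               # did the server decrypt ClientHelloInner?
    retry_configs: Optional[List[ECHConfig]] = None  # sent only when ECH was rejected

def cert_valid_for(cert_name: str, name: str) -> bool:
    # Stand-in for full chain and SAN validation (assumption: name match only).
    return cert_name == name

def client_finish(origin: str, cfg: ECHConfig, resp: ServerResponse) -> Tuple[str, List[ECHConfig]]:
    """Return (outcome, retry_configs). Only the 'origin' outcome may be surfaced as success."""
    if resp.ech_accepted:
        # ECH accepted: the certificate must be valid for the real (inner) origin.
        if cert_valid_for(resp.cert_name, origin):
            return ("origin", [])
        return ("abort", [])
    # ECH rejected: the server authenticates, at most, as public_name.
    if not cert_valid_for(resp.cert_name, cfg.public_name):
        return ("abort", [])
    # Authenticated for public_name only: may be used to collect retry_configs,
    # MUST NOT be reported to the application as a connection to the origin.
    return ("public_name_only", list(resp.retry_configs or []))

def scenario_public_name_held_by_third_party() -> List[str]:
    """Constructed scenario from the thread: public_name is a name a third party controls."""
    origin = "mydomain.com"
    cfg = ECHConfig(public_name="google.com")
    # The holder of google.com terminates the outer handshake with its own cert,
    # rejects ECH and hands back a replaced ECHConfig under its own key.
    replaced = ECHConfig(public_name="google.com")
    first, retry = client_finish(origin, cfg, ServerResponse("google.com", False, [replaced]))
    # A retry with the replaced config exposes ClientHelloInner to that holder, but it
    # still has no certificate for mydomain.com, so the inner handshake is aborted.
    second, _ = client_finish(origin, retry[0], ServerResponse("google.com", True))
    return [first, second]   # ["public_name_only", "abort"]
```

In neither step does the application ever see a successful connection to "mydomain.com", which is the bound on the attack the message asks about.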