IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for ECH

Raghu Saxena <poiasdpoiasd@live.com> Thu, 21 March 2024 05:39 UTC

Return-Path: <poiasdpoiasd@live.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C60E7C17C8A9 for <tls@ietfa.amsl.com>; Wed, 20 Mar 2024 22:39:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.202
X-Spam-Level:
X-Spam-Status: No, score=0.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_MUA_MOZILLA=2.309, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=live.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9dAnQ4Cd06i4 for <tls@ietfa.amsl.com>; Wed, 20 Mar 2024 22:39:44 -0700 (PDT)
Received: from AUS01-SY4-obe.outbound.protection.outlook.com (mail-sy4aus01olkn2150.outbound.protection.outlook.com [40.92.62.150]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED4FDC151092 for <tls@ietf.org>; Wed, 20 Mar 2024 22:39:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=PxaR8eVw7J3F20ZVHxsBdICRWieliaxAioX5Es6VnBzCBNhzSQ/JupqaJf2AIgl4sDtqOvkJJ+gZXmLfu28g3lpiBIqV7T0E+ThMrCjSoxKFHZX9KY9iIEV/oR5s3dC91F6rIOqzo/VWTwQDFL1V1BFpyE+NFzMi4mHLcZ+o3J0UNuRvj2c1dPPJDpPwLApjwsKX3z//+uIzbFQNaGwxx5EfFilSoyB1o8Hg3Gia/rqOLT1Sovv2meAMdy7U0ILwD7v9OQzglkPNHa6j8R7J3eyEBbIKs8DvHDqlNQrvnrCiOOus7pvX0ZESFK24Ozyl2fygJgv+psu4qA3a30ry1w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=1PXfwelQMpj4lRGycG7qymxaqFS2dSED9fBvzqfVdyQ=; b=fTyZxIqrejcBeME55PNOhpLmO5rEMwhhCe6TWa+eIQCHqAe2w4+CQeJQm+aoJr1bRykc/w5FUp3W2ed84eF72B26O1P/ELmfUFlVTZ28Gi0BlBZ+aiDP6PslEYrGe9ormiLii2ppjss545Fq03kj8V2JGQvXcIkWeB//PNNReEv8BmIl5PkV6HxQAhvp25S7PXR3kz3Snx7pFhPx5KfqaeJ1w6eORxPbnl1c90LBw9xv4kHftdJLh/Cr+cBnQ4hgUusYuyXbrsCqM77Wg3zP5rapVaKQA2gKAs1kIMXsrSJpQH+HumjS0slbrRBuXNO9Y624CSJXfhuAQC9ampAM7Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=live.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1PXfwelQMpj4lRGycG7qymxaqFS2dSED9fBvzqfVdyQ=; b=HBJB8WRCf6nDurVENJnu34uSBBA3GMJDl7npH514DXr4Sd6vQ84zhKOc1PBYII284gxlZKCW8VdquXFBH0SkJnrXhxgnq3AEkIXMAYlraadSjVRHRqDBENVTZxrRVZKSCSwsWlavSyayuN1gh3MgHofkcOmdfHGDlB44DLkDXV/KzJbMsSqmBY5i1A3Lj5PP62O18qpmkT/RvN5K6qEC6NR14eSNnRV2wdE27fZgW1bpkJe9xdXzLOKs+44JaZfh37RHBKiNTdgrmiYtw/g+ZhimyLenlxnG3KBVCe+QFjyXv+TBZKx/rmo9YrHVFGwhV/M8hk/qI81acQtSTYELsQ==
Received: from MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:178::14) by ME0P282MB4285.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:227::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7362.34; Thu, 21 Mar 2024 05:39:40 +0000
Received: from MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM ([fe80::cc6:d722:c696:5c1c]) by MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM ([fe80::cc6:d722:c696:5c1c%7]) with mapi id 15.20.7386.031; Thu, 21 Mar 2024 05:39:40 +0000
Message-ID: <MEYP282MB356410AFBE741EFCF86A5638A3322@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM>
Date: Thu, 21 Mar 2024 13:39:32 +0800
User-Agent: Mozilla Thunderbird
To: Eric Rescorla <ekr@rtfm.com>
Cc: tls@ietf.org
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com> <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CABcZeBPK+jdirtxVPJWipXs0odhsqwsG088NC=OPpd4R=q16Zg@mail.gmail.com> <CAOG=JUKSjbPoz-xBHExrdgtSGTKYYTtnvO18o=qTm7eC2Anc4w@mail.gmail.com> <253111710344559@mail.yandex.com> <CABcZeBNMMvn0g_0dO3rvZfiB8K-5DmBWREVuZJL-r4zPjq_YWQ@mail.gmail.com> <CAOG=JUJRCdzbYaEfwP2pJfduE7=ChHTwpqO94=kzNs=8U1L_hA@mail.gmail.com> <CABcZeBP7mbdyGr4ECnfkOMb8Aj9Es_iFddYnv7sq5ZehS1D1dA@mail.gmail.com> <MEYP282MB35640378A952FD86311381B8A3292@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CABcZeBMsdp-HJ-K2B3i81mNF1qWsHRYuDspquKA8Snae5CKtbw@mail.gmail.com>
Content-Language: en-US
From: Raghu Saxena <poiasdpoiasd@live.com>
In-Reply-To: <CABcZeBMsdp-HJ-K2B3i81mNF1qWsHRYuDspquKA8Snae5CKtbw@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="------------roNFqrUiaiYaL2ZKGA0lWF7F"
X-TMN: [H5XknXp4B2ugYGF6FOx2OshsJ+qncqMc]
X-ClientProxiedBy: SI1PR02CA0058.apcprd02.prod.outlook.com (2603:1096:4:1f5::9) To MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM (2603:10c6:220:178::14)
X-Microsoft-Original-Message-ID: <0601e08f-e157-4463-a11f-08551edc4100@live.com>
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
X-MS-PublicTrafficType: Email
X-MS-TrafficTypeDiagnostic: MEYP282MB3564:EE_|ME0P282MB4285:EE_
X-MS-Office365-Filtering-Correlation-Id: 6e04dcbc-6b8c-4875-81d7-08dc49694d82
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: TtN7AOC51BJVHkhgEZIsYtfoktXw7jAdQw6JsWxleO5lW87IY08o/HCof+Y8L0tymHszev+F7X7q0tMaZ51ANPf1hr0r6D7lClg7yqO+N73IZDvgTzWaQ/RMhOBaAVidWOTumFkbSXpyz4aNzl1XxxIqfJiXYPv8cablov7fvi1AWI5lmhsPJPq1Zz0NP/ZymjRo10e2gUhj4/E7nUt9o2Cl5FdkDGRVEVcMDRwZn/UnlU9fjiy9QZ4pH8E+5uQjpRnLMG3jonllnEvw22E2RQ9+8Nj9QZNba3SJX2pWR50bkvFB1tGUCICnJ8yX3Sfoqwr/MX6z10a+Kke6Mxnq78ZL20hLrHyT326rSCPosgjxSMRsTBmEDi5nh40Pz65w/OoAJfMSiwfq5mFJlU7fh0vChKNCBnZKnT29ZcMIHAPuSoXNhgUHUMDezGJ6zY5ESIFsXt073wS7S9GIULypYFdd+w92toIoQ4FmDUpnGjr1OlcHPCpo7q6dc1Vuri4bV8HpZdUCYpNtuaoX0npVtCOCD3z2o6iO+2DkWjXidvfw+zGk8Um0vKL7ZcUYlpLeU87vq6nsM5TfBvXcgpOIMHy7J0+6zZHPht3GovikWf5Q/I4QPXTpKBCVXwFZMeLF3yzHD8k3iTFqxrHinM+WHzvccoJ3dVHIGTXcg3z+EKc=
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: FYTL2f+VnMt3cN5vSxLEB7KQOUtdYpO5GcYovVIM2FCHPuzpDI6gu15A1aQ5iRMmjrxsbRzGv9jjK9O+VxukYniSet7UskNgaM9yvKR1xNHWnBmuxep+C1XdRmX1foginSVNeH/zjHVfwhPqBDJA1+pZDWP1+bQjd8MGCzQaa0gmCXYLbWVRDENilTgnFoI+6JYrNIN8XC1L3FGypmJSELT9WgU/EuuW6ZzjZAV0FV/+8q4YFWk7u483JeAhv4yg8MoCZKtP5tafzuNkekheSRs3pE0NwbE+5tcyRLb7VRdSIf6t1PEb9z7jMH8vPKpsZAFVWj6mE+N79FElpLGrpxNWRhLBABJQPMmmPt23NgtEjTfbOb1YW0tbhGruxJDgODyjcZ4EDOXEvPG4YidBdGMOJDCy7phDctpZSb5RHkkc/F9RLxFJZVV9xiIKPbtgCDKyeE5Q95sBz+d0X2GVkjyPAI/1uP8sTGED8NAuGGMKd7E19KDxR9l9MALW8jK4+3l5cloEyg5/g8fYh9K8AuvbH6OIM2a9Ejp8PXNXT69hu86zcvRPs63UK5yHI3XKmdW2YfS9VKTEmP3a29GXRWM0I3GotC1zE6/4f6XvtXiBDD7hvydUSWuWPoRA6+O0gYiDRQB9oLF82yO15I+fwo5NN0XpebuWnJRzyWvBEb8PRlv5kRMiWb7qngGlil9GAloDpaO2xZy0WCLqioGGmlD5zcUz87svy3/iSZ5HA/b4inzWg7033jep5ZbJ0rGWF/PhmriIumbZ2wc3n6aa/b5JN1uBiWzqTs0hR7nKgCPgov+14nRlclrMqOexD8MT/2aL5W5f5LuxH3I1aNOc2L0aZZTKwHHlqzsCKTuR44LuVAobBkmAE3bzYACwQkaHh3/Zp6z2ol69XfD78BGPbXcXyO+XEZS4AH96zfKRNXxPO0oleOKw6xRxKM9mztrC94Cy+ah5bSnoS6fEiJJXNNy95CFe0iV1C1VVBj4Q7yDDM+stEVxEXUvVjs3jAqCLRRSb4kJQ/yyqbEEZTTk93KTWWUh/4DfODS9ffe7rMAmfFwM3yqdUb7eASBwt4KIpupxLcfN/hxCoZ6bkY1Dz9A2f2hGsTikQN6zNVmEMqZYCWC9bdJqAX2ytEDGxGogMeFtzKmHYBFaePT8aZigrbzUef0JF2dRHXd9MqNPcg/DHd9h/yhqclUrLzeeNFpCRUO+FKxu8KadxNOW+4lwC3eFaiZwKBV43kJmRC5fdW7U=
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-746f3.templateTenant
X-MS-Exchange-CrossTenant-Network-Message-Id: 6e04dcbc-6b8c-4875-81d7-08dc49694d82
X-MS-Exchange-CrossTenant-AuthSource: MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 21 Mar 2024 05:39:40.6802 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-Transport-CrossTenantHeadersStamped: ME0P282MB4285
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/AtFCrmQSL24WRVeQTeiRT_5P8VU>
Subject: Re: [TLS] Working Group Last Call for ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Mar 2024 05:39:48 -0000

On 3/15/24 00:02, Eric Rescorla wrote:
>
>
>     So, if I understand correctly, for my domain "abc.com
>     <http://abc.com>", I could
>     purposely choose to have my ECHConfig public_name be "google.com
>     <http://google.com>", and
>
>
> As I said earlier, using "google.com <http://google.com>" would be 
> unwise because it
> would allow Google to mount an attack where they terminated
> the connection and replaced the ECHConfig. You should instead
> use a name that is either unregistrable or that you control.

Just so I understand correctly - the scope of the attack if they were to 
really intercept the TLS handshake and replace the ECHConfig, would 
allow them to "just" decrypt my ClientHelloInner, correct? Since 
ultimately the real origin I am connecting to (e.g. "mydomain.com") is 
not something they control, and so they can't present a valid cert for 
it and complete the full TLS connection (i.e. impersonate the true origin).

At least this is what I understand from Section 6.1.7, specifically: 
"Note that authenticating a connection for the public name does not 
authenticate it for the origin. The TLS implementation MUST NOT report 
such connections as successful to the application."

Regards,

Raghu Saxena

v2.23.0 | Report a Bug | By Email