Re: [TLS] Call for adoption of draft-vvv-tls-cross-sni-resumption

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 10 November 2020 11:06 UTC

To: Joseph Salowey <joe@salowey.net>, tls@ietf.org
References: <CAOgPGoATi+jFy53x5W4T6ai=xjH4VufhWaoABT5g_w=_72N8HA@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <48b1cfd3-1f3f-2478-1e36-12dd29aa1c6c@cs.tcd.ie>
Date: Tue, 10 Nov 2020 11:05:59 +0000
In-Reply-To: <CAOgPGoATi+jFy53x5W4T6ai=xjH4VufhWaoABT5g_w=_72N8HA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/BQhdo57wkL5Xp-uG9fWit66Igj8>

Hiya,

On 10/11/2020 03:44, Joseph Salowey wrote:
> Based on interest and support expressed at IETF 108, this email starts the
> call for adoption of draft-vvv-tls-cross-sni-resumption. The draft can be
> found here:
>
>     https://tools.ietf.org/html/draft-vvv-tls-cross-sni-resumption-00
>
> This adoption call will run until November 30, 2020. Please indicate
> whether or not you would like to see this draft adopted.

I'd be more in the "not yet" bracket for this. As Martin
mentions this'd seem to create a possibly attractive way
to do more tracking, so I think we ought to try to understand
how that might fit into the wider set of new things (e.g.
the HTTPS RRtype) before adopting.

One concern is that this mechanism plus some minimal cert
trickery such as having a single name present in many certs
could result in large scale cross domain tracking if say the
owner of "use-us-to-track-em.example.com" enabled anyone in
their (advertising) network to pass ACME checks as needed,
for that name.

While that kind of trickery ought to be visible via CT, I'm not
sure we could depend on the web PKI to ensure it'd not
happen.

Cheers,
S.

> Note that this is
> an adoption call for the draft as a starting point towards solving the
> problem of resumption across SNI values. The final mechanism may certainly
> change depending on related efforts, e.g., draft-ietf-tls-tlsflags.
>
> Thanks,
>
> Sean, Chris and Joe
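The concern above (a tracker name carried in many unrelated sites' certificates, so that a resumption ticket from any of them can later be presented to the tracker) and the suggested CT check can both be made concrete. The following is an added example, not code from the draft or from anyone on the thread. It assumes the client-side rule as I read draft-vvv-tls-cross-sni-resumption-00: a ticket may be reused for a different SNI only when the server permitted cross-SNI resumption and the new name was covered by the certificate validated when the ticket was issued. The certificate SAN lists and host names are constructed, and `registrable_domain` is a crude two-label stand-in for a public-suffix-list lookup, not something to run over real CT data as is.

```python
"""Added example (not from the draft or the thread): the assumed client
rule for cross-SNI resumption, the reuse graph it induces over a set of
certificates, and a CT-style check for a name that is co-listed with many
unrelated registrable domains. All certificates and names are constructed."""
from collections import defaultdict

TRACKER = "use-us-to-track-em.example.com"

# Constructed SAN lists as they might appear in CT: three unrelated sites
# carry the tracker's name alongside their own; two certs do not.
CT_ENTRIES = [
    {"news.example.org", "www.news.example.org", TRACKER},
    {"shop.example.net", TRACKER},
    {"blog.example", "*.blog.example", TRACKER},
    {"mail.example.org", "www.mail.example.org"},
    {"cdn.example.net", "static.example.net"},  # one operator, no tracker
]


def name_covered(san, host):
    """Exact match, or single-label wildcard match, against a SAN set."""
    if host in san:
        return True
    labels = host.split(".")
    return len(labels) > 2 and "*." + ".".join(labels[1:]) in san


def client_may_resume(ticket_san, ticket_cross_sni, new_sni):
    """Assumed client rule: reuse a ticket for a different SNI only if the
    issuing server allowed cross-SNI resumption and the new name was covered
    by the certificate validated at issuance."""
    return ticket_cross_sni and name_covered(ticket_san, new_sni)


def reuse_graph(certs):
    """issuer name -> other names a ticket from that connection may later be
    presented to, under the rule above (wildcard entries skipped)."""
    graph = defaultdict(set)
    for san in certs:
        concrete = [n for n in san if not n.startswith("*.")]
        for issuer in concrete:
            graph[issuer].update(t for t in concrete if t != issuer)
    return dict(graph)


def reachable_from(graph, target):
    """Names whose tickets can all be replayed to `target`: the tracker hub."""
    return sorted(src for src, dsts in graph.items() if target in dsts)


def registrable_domain(name):
    """Crude stand-in for a public-suffix lookup: last two labels."""
    bare = name[2:] if name.startswith("*.") else name
    return ".".join(bare.split(".")[-2:])


def hub_names(certs, min_domains=3):
    """CT-style check: names that appear in certificates alongside at least
    `min_domains` distinct registrable domains other than their own. A high
    count means many unrelated parties obtained certs containing that name."""
    neighbours = defaultdict(set)
    for san in certs:
        for name in san:
            own = registrable_domain(name)
            neighbours[name].update(
                registrable_domain(o) for o in san if registrable_domain(o) != own
            )
    return {n: sorted(d) for n, d in neighbours.items() if len(d) >= min_domains}


if __name__ == "__main__":
    print("tickets replayable to tracker from:",
          reachable_from(reuse_graph(CT_ENTRIES), TRACKER))
    print("hub names flagged:", hub_names(CT_ENTRIES))
```

On the constructed data the only flagged hub is the tracker name, and tickets issued by every member site are replayable to it; the in-house `cdn.example.net`/`static.example.net` pair is not flagged because both names share a registrable domain, which is the distinction a real scan would need a public-suffix list to draw reliably.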