Re: [TLS] Dropping "do not stick out" from ECHO

Martin Thomson <> Sun, 22 March 2020 23:11 UTC

List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On Mon, Mar 23, 2020, at 03:54, Christopher Wood wrote:
> I propose we remove this requirement and add an explicit signal in SH 
> that says whether or not ECHO was negotiated. 

Here's a spitball signaling option that might not stick out:

Client sends (in the ECHO) a random value, N, with 32(?) < |N| << 128.  And N != either of the values we reserve for signaling downgrade.

Server sends that value in the ServerHello.random, in the same place we signal downgrade.

If the client sees that value, then it proceeds with the trial encryption with an expectation that it will work.

> (This will require us to revisit GREASE.)

I'm not following how this relates, sorry.
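
Added example, not part of the message above or of any draft: the signaling exchange it proposes, written in Python. It assumes N is 8 bytes (64 bits), so that it exactly fills the slot in ServerHello.random that RFC 8446 uses for the downgrade sentinels; the function names and return labels are hypothetical.

```python
import hmac
import secrets

# RFC 8446 section 4.1.3 downgrade sentinels, carried in the last 8 bytes
# of ServerHello.random.
DOWNGRADE_SENTINELS = (b"DOWNGRD\x01", b"DOWNGRD\x00")
N_LEN = 8  # assumption: 64 bits, which satisfies 32 < |N| << 128


def client_pick_n(rng=secrets.token_bytes):
    """Client: draw the N sent inside the ECHO; never a downgrade sentinel."""
    while True:
        n = rng(N_LEN)
        if n not in DOWNGRADE_SENTINELS:
            return n


def server_random(ech_n=None, rng=secrets.token_bytes):
    """Server: build the 32-byte ServerHello.random.

    ech_n is the N recovered from the ECHO, or None when the server
    did not process the ECHO and sends an ordinary random value.
    """
    if ech_n is None:
        return rng(32)
    if len(ech_n) != N_LEN or ech_n in DOWNGRADE_SENTINELS:
        raise ValueError("N has the wrong length or collides with a sentinel")
    # Fresh randomness in front, N in the slot used for downgrade signaling.
    return rng(32 - N_LEN) + ech_n


def client_check(random32, n):
    """Client: classify the tail of ServerHello.random."""
    if len(random32) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    tail = random32[-N_LEN:]
    if tail in DOWNGRADE_SENTINELS:
        return "downgrade"
    if hmac.compare_digest(tail, n):
        # Proceed with the trial step the message describes, expecting success.
        return "ech-accepted"
    return "ech-not-confirmed"
```

To an observer who cannot read the ECHO, the tail that carries N is just 8 more random-looking bytes of ServerHello.random.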