Re: [TLS] ESNIKeys over complex

(Trimming bits down...)

On 21/11/2018 00:59, Eric Rescorla wrote:
> On Tue, Nov 20, 2018 at 4:36 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
>> Aren't DNS answers RRsets? I may be wrong but I thought DNS
>> clients have to handle that anyway,
> 
> 
> Not really, because any of them is co-valid. 

Sure, in DNS terms.

> We currently permit >1 RR, but
> actually
> I suspect that it would be better to try to restrict this. 

Not sure we can and I suspect that'd raise DNS-folks' hackles,
but maybe I'm wrong.

>> That said, >1 ciphersuite wouldn't be so bad if that were
>> the only list per RData instance. Or maybe one could get
>> rid of it entirely via some conditional link the to set
>> of suites in the CH, not sure. (Or just go fully experimental
>> and say everyone doing esni for now has to use the same
>> suite all the time.)
>>
> 
> I've implemented this and did not find it to be a major obstacle.
> I do not think unnecessary duplication is a good tradeoff for
> such a trivial implementation complexity reduction.

Sure a list of ciphersuites isn't bad. But the current
design has a set of keys and a set of ciphersuites and a
set of extensions and a set of Rdata values in the RRset.

Surely we can collapse at least most of those down to
one list without too much of a problem. And as to trivial,
I'd bet a beer on such complexity being a source of bugs
every time.

> I don't see any advantage to choosing a suboptimal design, just
> based on it being Experimental.

All designs are suboptimal for someone:-)

>>> - get rid of not_before/not_after - I don't believe those
>>>>   are useful given TTLs and they'll just lead to failures
>>>>
>>>
>>> I'm mostly ambivalent on this, but on balance, I think these are useful,
>>> as they are not tied to potentially fragile DNS TTLs.
>>
>> If there were a justification offered for 'em I'd be
>> ok with it, but TBH, I'm not seeing it. And my main
>> experience of the similar dates on RRSIGs are that they
>> just break things and don't help.
> 
> 
> This has a totally different expiry behavior from RRSIGs, so I'm
> not sure that's that useful an analogy.

Disagree. They're both specifying a time window for DNS data.
Same problems will arise is my bet.

My main ask though for these time values is that their presence
be explicitly justified. That's missing now, and I suspect won't
be convincing, but maybe I'll turn out to be wrong.

>> Put another way, I
>> don't know what sensible code to write to decide between
>> not connecting or sending SNI in clear if one of these
>> dates is out of whack. (I be tempted to just ignore the
>> time constraints and try send the SNI encrypted instead.)
>>
> 
> You should connect with SNI in the clear.

As a generic browser, I guess so. As some specialised
privacy sensitive application, not sure. As a library
that could be used for either, I'm not clear there's a
good answer other than ignoring the artificial time
window and encrypting anyway.

> And having to deploy a cron job equivalent for the DNS
>> data is an order of magnitude harder than not.
>>
> 
> Nothing stops you having an infinite expiry.

Nothing stops us deleting the useless dates:-)

> They will also use different keys for x and y, so they will
> have different records and can have different pad lengghts.

All going well, yes. All not going well, the pad lengths
may get out of whack, exposing names.

> How about rounding up to the nearest power of 2 that's
>> bigger than 5? (Or some such.)
> 
> I don't know what this means.

Ah sorry. I meant just take the length of the server
name and pad to the shortest of 32, 64, 128 or 256
octets. (Or some other breakpoints.) I'm sure we could
do some measurement so that an acceptable fraction of
names fit in the shortest bucket. (Didn't DKG do work
on that for DNS padding?)

>> (As a
>> nasty hack, you could even derive the padded_length
>> from the value of the key_share and fronters could just
>> keep generating shares until they get one that works:-)
> 
> I thought you were complaining about complexity

That's not complex, it's just waay hacky:-) It'd actually
be simpler for the client to just take some (e.g. low order)
bits of the key share as the padded_length. More work for
the people generating the key share yes, (they need to keep
iterating 'till they find a key share that works for their
preferred padding_length) but that's easy, offline, done by
fewer folks and removes a way of screwing up the ops.

All-in-all, while it's too hacky it's not complex at all.

Cheers,
S.

> 
> -Ekr
> 
> 
>>> - I'm not convinced the checksum is useful, but it's not
>>>>   hard to handle
>>>> - (Possibly) drop the base64 encoding, make it DNS operator
>>>>   friendly text (or else binary with a zonefile text format
>>>>   defined in addition)
>>>>
>>>
>>> We are likely to drop the base64 encoding.
>>
>> Ack.
>>
>> And just to note again - I suspect a bunch of the above would
>> be better sorted out as ancillary changes once a multi-CDN
>> proposal is figured out.
>>
>> Cheers,
>> S.
>>
>>>
>>> -Ekr
>>>
>>>
>>>
>>>> [1] https://github.com/sftcd/openssl/tree/master/esnistuff
>>>> _______________________________________________
>>>> TLS mailing list
>>>> TLS@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/tls
>>>>
>>>
>>
> 

Re: [TLS] ESNIKeys over complex

Attachment: 0x5AB2FAF17B172BEA.asc

Attachment: signature.asc