Re: [TLS] publishing ESNIKeys under a .well-known URI...

Daniel Kahn Gillmor <dkg@fifthhorseman.net> Thu, 21 November 2019 19:29 UTC

Return-Path: <dkg@fifthhorseman.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CDBDC120B66 for <tls@ietfa.amsl.com>; Thu, 21 Nov 2019 11:29:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=neutral reason="invalid (unsupported algorithm ed25519-sha256)" header.d=fifthhorseman.net header.b=zvnIiw34; dkim=pass (2048-bit key) header.d=fifthhorseman.net header.b=e99iSRj/
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AGLkf7qHJSiA for <tls@ietfa.amsl.com>; Thu, 21 Nov 2019 11:29:01 -0800 (PST)
Received: from che.mayfirst.org (che.mayfirst.org [162.247.75.118]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B310C120B64 for <tls@ietf.org>; Thu, 21 Nov 2019 11:28:59 -0800 (PST)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019; t=1574364538; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=oft7n3iskcbnRKM4PWuM4TpjyeK7m8IZyADyclYJohw=; b=zvnIiw34wiTlOYJIQUgUurNEiVk7t7K5ndKRl/tPMge/RKG3M3kpkAQ4 zZEkrwy62Lo2f452O+IyBKzt+g/0Cw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=fifthhorseman.net; i=@fifthhorseman.net; q=dns/txt; s=2019rsa; t=1574364538; h=from : to : cc : subject : in-reply-to : references : date : message-id : mime-version : content-type : from; bh=oft7n3iskcbnRKM4PWuM4TpjyeK7m8IZyADyclYJohw=; b=e99iSRj/2uFUeE1DJsI0iRKuUrnsgAq6+VeXl2Mq4Af5RHgDhujlmRHE GwG0KTBSenA8BfukOWUw8ItOl4YkGy15jefm4TGBfYRV2Eo6qYoZYb03de cXuezUtUlobYSSrJjnLdWZhp9q6KVl+PCk9GC5hpy+KP/Nu+c55Gncf/iU Brm/l7rGB37Q+ul5VTEh0cW1s9lgAjqEWE8Pj9AKt/z7QT7MoL8nheIeoL Cd9eDt67v8vL1PziEuRy9e7WpXnOCzf8L2KLmylhKf5DaorzfnQX9/YWHh DoB3+/NyglyCumaRwqaAEz0o49YccdFug+rZJgr3iptVoIVOzbdr1Q==
Received: from fifthhorseman.net (unknown [182.55.86.21]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by che.mayfirst.org (Postfix) with ESMTPSA id A5FE7F9AF; Thu, 21 Nov 2019 14:28:57 -0500 (EST)
Received: by fifthhorseman.net (Postfix, from userid 1000) id 5B2602038D; Fri, 22 Nov 2019 03:28:50 +0800 (+08)
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Christian Huitema <huitema@huitema.net>
Cc: "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <ba4a4f84-9663-393a-4254-193cf4051ac3@cs.tcd.ie>
References: <7374648a-d684-87be-0807-219bc10793ac@cs.tcd.ie> <18514.1561564689@localhost> <e61cb6c7-af9c-4f8b-4f94-88dc56a7f6f1@cs.tcd.ie> <f015bd0e-8e0d-ab1a-eab8-a0dc466e2de4@huitema.net> <ba4a4f84-9663-393a-4254-193cf4051ac3@cs.tcd.ie>
Autocrypt: addr=dkg@fifthhorseman.net; prefer-encrypt=mutual; keydata= mDMEXEK/AhYJKwYBBAHaRw8BAQdAr/gSROcn+6m8ijTN0DV9AahoHGafy52RRkhCZVwxhEe0K0Rh bmllbCBLYWhuIEdpbGxtb3IgPGRrZ0BmaWZ0aGhvcnNlbWFuLm5ldD6ImQQTFggAQQIbAQUJA8Jn AAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgBYhBMS8Lds4zOlkhevpwvIGkReQOOXGBQJcQsbzAhkB AAoJEPIGkReQOOXG4fkBAO1joRxqAZY57PjdzGieXLpluk9RkWa3ufkt3YUVEpH/AP9c+pgIxtyW +FwMQRjlqljuj8amdN4zuEqaCy4hhz/1DbgzBFxCv4sWCSsGAQQB2kcPAQEHQERSZxSPmgtdw6nN u7uxY7bzb9TnPrGAOp9kClBLRwGfiPUEGBYIACYWIQTEvC3bOMzpZIXr6cLyBpEXkDjlxgUCXEK/ iwIbAgUJAeEzgACBCRDyBpEXkDjlxnYgBBkWCAAdFiEEyQ5tNiAKG5IqFQnndhgZZSmuX/gFAlxC v4sACgkQdhgZZSmuX/iVWgD/fCU4ONzgy8w8UCHGmrmIZfDvdhg512NIBfx+Mz9ls5kA/Rq97vz4 z48MFuBdCuu0W/fVqVjnY7LN5n+CQJwGC0MIA7QA/RyY7Sz2gFIOcrns0RpoHr+3WI+won3xCD8+ sVXSHZvCAP98HCjDnw/b0lGuCR7coTXKLIM44/LFWgXAdZjm1wjODbg4BFxCv50SCisGAQQBl1UB BQEBB0BG4iXnHX/fs35NWKMWQTQoRI7oiAUt0wJHFFJbomxXbAMBCAeIfgQYFggAJhYhBMS8Lds4 zOlkhevpwvIGkReQOOXGBQJcQr+dAhsMBQkB4TOAAAoJEPIGkReQOOXGe/cBAPlek5d9xzcXUn/D kY6jKmxe26CTws3ZkbK6Aa5Ey/qKAP0VuPQSCRxA7RKfcB/XrEphfUFkraL06Xn/xGwJ+D0hCw==
Date: Fri, 22 Nov 2019 03:28:49 +0800
Message-ID: <878so9jafi.fsf@fifthhorseman.net>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/DPXpC4TCNZ2Yj_erZdex1S9Ijtw>
Subject: Re: [TLS] publishing ESNIKeys under a .well-known URI...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Nov 2019 19:29:04 -0000

On Wed 2019-07-03 16:01:21 +0100, Stephen Farrell wrote:
> It doesn't take much to encourage me so I just
> pushed out that idea in I-D form:-) [1]
 […]
> [1] https://tools.ietf.org/html/draft-farrell-tls-wkesni-00

Thanks for this (and for the -01 update for the draft).  I like this
work, and i think we should pursue it in the WG.

A couple notes/questions:

 - Clients might use this, not just "zone factories".  For instance,
   consider a client with limited access to the DNS that makes an
   initial direct connection to the hidden host, leaking SNI.  If, in
   that connection, it also fetches this record, it could use that to
   bootstrap future connections to the host, right?

   The draft currently contemplates this briefly for followup queries
   for some clients, but it doesn't go into it in more detail.

 - Why is it hosted on the cover server, instead of on the hidden
   server?  is that just so that the zone factory doesn't leak $HIDDEN
   to the network?

   Surely on a zone factory update, the zone factory already knows the
   eSNI for $HIDDEN so it could make the request with eSNI to
   https://$HIDDEN/.well-known/esni/$HIDDEN.json rather than to
   https://$COVER/.well-known/esni/$HIDDEN.json

   At the same time, for $COVER to publish this information potentially
   puts $COVER at more risk, right?  And, a $COVER could *claim* to be a
   cover for $HIDDEN without approval of the $HIDDEN site by publishing
   these records; if anyone believes that claim, it could cause traffic
   to be re-routed through the ersatz $COVER.  If it's going to be
   hosted at $COVER and not $HIDDEN, we should be explicit about what
   defends against such an attack.

   There could be an "obvious" reason for the choice of hosting it at
   $COVER instead of at $HIDDEN, but it should be spelled out in the
   draft.

 - If this is treated as a separate/independent source of authority
   about ESNI data for a host from the DNS (e.g. in the client examples
   contemplated in my first point above, not just the "zone factory"),
   then the draft probably needs some text discussing what to do when
   discovering a discrepancy between what's in the DNS and what's found
   at .well-known.

Regards,

        --dkg