Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)

"Salz, Rich" <rsalz@akamai.com> Fri, 25 September 2015 15:27 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D2F441A6F64 for <tls@ietfa.amsl.com>; Fri, 25 Sep 2015 08:27:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NlONWZqtrMmR for <tls@ietfa.amsl.com>; Fri, 25 Sep 2015 08:27:52 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (prod-mail-xrelay06.akamai.com [96.6.114.98]) by ietfa.amsl.com (Postfix) with ESMTP id 474991A6F11 for <tls@ietf.org>; Fri, 25 Sep 2015 08:27:52 -0700 (PDT)
Received: from prod-mail-xrelay06.akamai.com (localhost.localdomain [127.0.0.1]) by postfix.imss70 (Postfix) with ESMTP id BDF02496C15; Fri, 25 Sep 2015 15:27:51 +0000 (GMT)
Received: from prod-mail-relay09.akamai.com (prod-mail-relay09.akamai.com [172.27.22.68]) by prod-mail-xrelay06.akamai.com (Postfix) with ESMTP id A78E2496C14; Fri, 25 Sep 2015 15:27:51 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; s=a1; t=1443194871; bh=Vky1cWIYP1TFRFEmL+El+URNClKIXL/swK0uYdZ7rp8=; l=724; h=From:To:CC:Date:References:In-Reply-To:From; b=kVLjlWudHIaMtnz+DeCDmgfwFrCaHi/V6FDXikSolz3KOfQFdwcR/ny1gejc9zXmj OPgQDNevBwti+7q/QfLaBRV2Fwm5JQO0AY8BSbIIgu35ZK4ruZz/DOdX0LK7VH6pAV +lOHl8wJJLvG7UIRuVCAjMyzEK6preQe39PbzHSg=
Received: from email.msg.corp.akamai.com (ustx2ex-cas1.msg.corp.akamai.com [172.27.25.30]) by prod-mail-relay09.akamai.com (Postfix) with ESMTP id A39251E08F; Fri, 25 Sep 2015 15:27:51 +0000 (GMT)
Received: from ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.27.107) by ustx2ex-dag1mb4.msg.corp.akamai.com (172.27.27.104) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Fri, 25 Sep 2015 10:27:51 -0500
Received: from USTX2EX-DAG1MB3.msg.corp.akamai.com (172.27.27.103) by ustx2ex-dag1mb6.msg.corp.akamai.com (172.27.27.107) with Microsoft SMTP Server (TLS) id 15.0.1076.9; Fri, 25 Sep 2015 08:27:51 -0700
Received: from USTX2EX-DAG1MB3.msg.corp.akamai.com ([172.27.27.103]) by ustx2ex-dag1mb3.msg.corp.akamai.com ([172.27.27.103]) with mapi id 15.00.1076.000; Fri, 25 Sep 2015 10:27:50 -0500
From: "Salz, Rich" <rsalz@akamai.com>
To: Nick Mathewson <nickm@torproject.org>
Thread-Topic: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)
Thread-Index: AQHQ4ayRRnZKd+mYm0W69zVWwS2qcZ4h7AsAgCWp+QCAAbXSgIAAC2cA//+wipCABLrGgP//xfbw
Date: Fri, 25 Sep 2015 15:27:50 +0000
Message-ID: <e8d65731aad740f9aa94c997b1547a93@ustx2ex-dag1mb3.msg.corp.akamai.com>
References: <CAL6x8mchyh2Qpqcd5Rv-rXgZ+1_CAbV7vkib+-yU4DEDFx82Yg@mail.gmail.com> <CAL6x8mfDjYAhOwvBY-tFO-407E9U+SaknJnuh_dCEEUbWJZZWw@mail.gmail.com> <20150828144932.GH9021@mournblade.imrryr.org> <201508281213.03823.davemgarrett@gmail.com> <20150828162251.GM9021@mournblade.imrryr.org> <871tdr23fh.fsf@alice.fifthhorseman.net> <CAFggDF14LALxYZMVYzRepNU61tgPERTJyn+FgHWD13CpRcbLAQ@mail.gmail.com> <CABtrr-Vi5CqiU9Wvs3vkr_beP4gGX9sSczAy2FOUFags4dsK8w@mail.gmail.com> <e6259a91ef61490696d39c4e7515c470@ustx2ex-dag1mb1.msg.corp.akamai.com> <CAKDKvuxXOYBTD9N9kAxh7kxWP74zzcQBcnnNTA3qFEbs5eKL8Q@mail.gmail.com>
In-Reply-To: <CAKDKvuxXOYBTD9N9kAxh7kxWP74zzcQBcnnNTA3qFEbs5eKL8Q@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.36.10]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ILN2pFPhM7Kmukl6X7Hxf6DvUs0>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Encrypted SNI (was: Privacy considerations - identity hiding from eavesdropping in (D)TLS)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Sep 2015 15:27:54 -0000

Thanks for your detailed and thoughtful review.

It's all trade-offs.  In previous emails on this thread I acknowledged the co-dependent issue, by calling out dkg's excellent statement of it.

At the TLS interim earlier this week, Brian Sniffen (from Akamai) started a proposal that makes SNI-encryption something that can be deployed and tested on the Internet in TLS 1.3.  So we'll see if it gets used and works.  The earlier slides notwithstanding, it's something we (those of us at Akamai) would really like to see.