Re: [TLS] ESNI and padding
Eric Rescorla <ekr@rtfm.com> Thu, 20 June 2019 13:48 UTC
Return-Path: <ekr@rtfm.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9FA32120113 for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 06:48:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rtfm-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id C7Q8DVb8yCB1 for <tls@ietfa.amsl.com>; Thu, 20 Jun 2019 06:48:43 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3555D1200F1 for <tls@ietf.org>; Thu, 20 Jun 2019 06:48:43 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id p17so2801240ljg.1 for <tls@ietf.org>; Thu, 20 Jun 2019 06:48:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rtfm-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=WAwMSnukY6JFT56OrHpZYG0sn+H6Sh/42Nziy+Mx6ok=; b=vHusX41NtGHv6aIuD4n9ryhNIvjzopNgvjAf22vZYcJ/1+qadHYl9iZzC0lwcH5rI3 pmLPqWrVvqQMA4SlTFp6wGa9NP2zxftyOn2EhSMkiX9FN4m689+sA9CDAh/O8/C8nPnr KuWeWgT4+CVvvjBGhZcMetmlvXrIjpGttV5kaD+VB1GYzuHiy2jYpIq1fZBxgD4ku0jx iXfdU6nPy1U8wW8xUUvCNAePloFgGnwPAiAktSfmQsorIgz30zCQsQrLvFQA8MhOw1Ng J5Pjwe16ES8HZfMHqhs0lFziGeAkG8ixmcG7SCV1DMPalhEm014lBivC9cC0+GwoK5/r 9oog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=WAwMSnukY6JFT56OrHpZYG0sn+H6Sh/42Nziy+Mx6ok=; b=RqyAVGyMZdgxqSNu5JfjturVQE3QZXdI+P8NA+SMFk6qc/WznbfYTDr/HQB7EabJ6q rq/3NkkZu+2ULVpG3Kvy1osjWf9qhL5t2bLjEPOh44nphzGyox4tsvvJSZjpCH0miAFD pMs4gxTpbiR0b9Xd3UvNQcOWalas/WmDP3B9sNHhxlTm+3U0gNROAw3TEAHvWbdcPzni yywpEWEexF4WcGT4kerfro/XEbsuKsaTKhQ/dMqM1Pz2tkQgzoayoFPYV48CXdL0vq2j n+ScRl7lfyrt0l/pv2gm98nXd2Ms69aKEqQbfxKLtrHffFwaf5uo2dn8b89bfy48MSKB Jnhw==
X-Gm-Message-State: APjAAAVWl6NbNxbLFpl0rekJGrUgFPU7OGGvXMvw9B9U80FwayA/2Qlf SN4RWNSWv4DZcMDEf94lldJ/Y/wDfOL0wxeW7gRv8EamyCg=
X-Google-Smtp-Source: APXvYqwUnQQtCjkgJzDXdyy93Tl/aL+kcL1/EVZ0xGYA2vbOIBJ0OvVDzyBX7P97cBMvplwkijfsPgVvFIYXPqhsj0M=
X-Received: by 2002:a2e:9cd4:: with SMTP id g20mr18089204ljj.205.1561038521465; Thu, 20 Jun 2019 06:48:41 -0700 (PDT)
MIME-Version: 1.0
References: <eb4bc1a3-ebff-b174-e601-5cf727a7bedd@cs.tcd.ie> <CABcZeBO5-kaczJab7ryeURX21OQ_AkR5pKuf+1R2YF+=z4g9cA@mail.gmail.com> <73fc5d1e-12ad-db81-6f0b-702d9230a2bf@cs.tcd.ie>
In-Reply-To: <73fc5d1e-12ad-db81-6f0b-702d9230a2bf@cs.tcd.ie>
From: Eric Rescorla <ekr@rtfm.com>
Date: Thu, 20 Jun 2019 06:48:02 -0700
Message-ID: <CABcZeBNbHrieKkMxGvN2vKkLu_TAy5GmfSr-=qsDTV5uQg6mrw@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000008d9875058bc19a92"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IUPrSRpsM9SopSvfzs3ZFyq68Lo>
Subject: Re: [TLS] ESNI and padding
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Jun 2019 13:48:53 -0000
On Thu, Jun 20, 2019 at 1:20 AM Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote: > > Hiya, > > On 20/06/2019 02:17, Eric Rescorla wrote: > > I am not in favor of these changes. They reduce protocol flexibility for > > servers > > I don't see being asked to configure a new thing that has > subtle relationships with other things that aren't always > under the control of one entity as "flexibility." I see > that as a burden, and maybe as a protocol design bug. > Well, opinions differ, I suppose. The server implementor is free to implement the policies you suggest here. > which know what they are doing and largely can be implemented in the > > protocol > > by servers which do know what they are doing. > > That kind of anthropomorphism often seems to me to indicate > a weak argument:-) I'm assuming this is just snark, not something you think has any rhetorical force. Servers don't "know" anything - the question > is whether the current setup could cause problems for a range > of possible deployments, and I think it could if there's less > tight coupling between how ESNIKeys get generated and published > and how names and certificates are handled. IIUC that kind of > setup does exist in the wild. > > To give an example, say some hoster is doing ESNI and has set > padded_length to 55. If a new customer turns up with a 56 octet > name, then that hoster has to unexpectedly touch ESNIKeys or > deal with possibly weird ESNI problems for at least a TTL. If > we had an algorithmic approach it should just continue to work. > And as I said, the hoster is free to implement that value themselves. But I'm not in favor of opposing them. > Characterising that hoster as "not knowing what they're doing" > seems to me wrong. I think that'd be more a case of us not > knowing what we're doing:-) > Again, I suppose opinions differ. As to the specific numbers in my mail - I don't much care > what's picked, and do agree that some measurements would help > pick good numbers. I also agree that CertificateVerify is much > less of a concern in reality. But asking that Certificate be > padded "such that its length equals the size of the largest > possible Certificate (message) covered by the same ESNI key" > would in some cases require a new database search for each > TLS session. I don't really know why you think that. -Ekr And since the Certificate message is the path > and not one certificate that could be quite expensive to > impractical depending how a server stores/builds paths. I > also believe that some openssl deployments do this via > locally implemented callbacks so it'd be hard to know how > badly or not the current approach might affect those. > > Cheers, > S. > > > > > >
- [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Ben Schwartz
- Re: [TLS] ESNI and padding Eric Rescorla
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Stephen Farrell
- Re: [TLS] ESNI and padding Christopher Wood