IETF Logo Mail Archive

Re: [TLS] Authenticating the client-facing server with an IP-based certificate

Carrick Bartle <cbartle891@icloud.com> Wed, 21 April 2021 02:06 UTC

Return-Path: <cbartle891@icloud.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CEE23A0A34 for <tls@ietfa.amsl.com>; Tue, 20 Apr 2021 19:06:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.849
X-Spam-Level:
X-Spam-Status: No, score=-1.849 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=icloud.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 41nelcRmEs6u for <tls@ietfa.amsl.com>; Tue, 20 Apr 2021 19:05:57 -0700 (PDT)
Received: from mr85p00im-ztdg06011101.me.com (mr85p00im-ztdg06011101.me.com [17.58.23.185]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7435D3A0A2D for <tls@ietf.org>; Tue, 20 Apr 2021 19:05:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=icloud.com; s=1a1hai; t=1618970756; bh=AvvqI3XlkDd5ajxVQifn0/XxTCwTku9z37xL1XQdVUk=; h=Content-Type:Mime-Version:Subject:From:Date:Message-Id:To; b=ReL8M4jFQulduPkN7/p2QsJ2E5mPgKUBRA4/9qFQE6sV+P18AwYIre2k2/hdpAV7P 6nsRxvLGulW/cy8pfuWyf7u/J6jeKqlsVAMpNW+iWny+p/4Mpdne5/45Xd35/QEQ5E c6eETFOQ4c+Qp5kfBTpgGjAKNFOKliHcKdSWS174B9pIgS51Y0Bd3OVW1CcmhwGTYg 68jFUBL58wg4/7PZQe6wK+iE7nMgupgq422r64s82zdvOhnDM/MCE/nHD9IbNRoOxV eaQLKM0ELDrfT789sIfQ2Hg//9SORGulkwlRDhpi8gw9pPxDirTsN6nz1Yiwmg9jxW bc3GWfaebWong==
Received: from smtpclient.apple (unknown [17.11.113.204]) by mr85p00im-ztdg06011101.me.com (Postfix) with ESMTPSA id 7FE7B4A08B3; Wed, 21 Apr 2021 02:05:56 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.80.0.2.43\))
From: Carrick Bartle <cbartle891@icloud.com>
In-Reply-To: <7f1f6634-4895-3989-1960-30e617e3e81b@cs.tcd.ie>
Date: Tue, 20 Apr 2021 19:05:55 -0700
Cc: Martin Thomson <mt@lowentropy.net>, "<tls@ietf.org>" <tls@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <8211B6CB-43B5-4DF6-BCD9-33BA5DCE837C@icloud.com>
References: <38f4c969-90d8-478e-9c3d-0bdf538dabed@www.fastmail.com> <37c84b96-324b-46a6-a3c0-57eb275f439b@www.fastmail.com> <674A5578-85C8-4134-B9AA-E9D287131701@icloud.com> <4837796a-4528-4df4-aa8b-383ff3229cb6@www.fastmail.com> <53B5686F-0A64-426B-8EC4-6A996F169EAC@icloud.com> <7f1f6634-4895-3989-1960-30e617e3e81b@cs.tcd.ie>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
X-Mailer: Apple Mail (2.3654.80.0.2.43)
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.391, 18.0.761 definitions=2021-04-20_11:2021-04-20, 2021-04-20 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-2009150000 definitions=main-2104210015
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/IbXRQUlG2oqZ45If9sLA05EKrmY>
Subject: Re: [TLS] Authenticating the client-facing server with an IP-based certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 21 Apr 2021 02:06:02 -0000

> In general, I'd prefer we get ECH deployed for some major use
> cases and not try fill in every possible niche at this point.

That's fine with me.


> On Apr 20, 2021, at 7:03 PM, Stephen Farrell <stephen.farrell@cs.tcd.ie> wrote:
> 
> 
> Hiya,
> 
> To answer Chris' initial question: I can't currently think of
> a real use-case where the client would need to authenticate
> an IP address for a client-facing server in the event that
> ECH decryption has been tried and failed.
> 
> And, I very much sympathise with Martin's goal of simplifying
> if we can. (E.g. leave the public_name as-is and as we've got
> implemented, but drop the extensions field entirely - I don't
> think there's a shortage of code points for new extensions if
> the first ECH one doesn't quite do what's needed.)
> 
> But I'm likely not the right person to ask - I'd guess that
> the people who might have a use-case for this are smaller
> hosters where the default listener on 443 is very minimal. I
> don't know how common those are, but I'd suspect they are
> fairly rare. And likely those with certs that have the
> exactly right IP address are even rarer.
> 
> On 21/04/2021 02:48, Carrick Bartle wrote:
>>> I'm not sure what you are implying might be impossible.  Are you
>>> suggesting that it might be impossible to get a name for which you
>>> could get a certificate?
>> No. I'm implying that if we don't allow clients to authenticate
>> client-facing servers with an IP-based certificate, ECH won't be
>> possible in cases where the client-facing server doesn't have a
>> name.
> 
> In general, I'd prefer we get ECH deployed for some major use
> cases and not try fill in every possible niche at this point.
> ISTM the overall win here is that we end up with ECH working
> in many cases, but don't need all cases. And there's a danger
> that we get zero cases if we make it too complex.
> 
> Cheers,
> S.
> 
> 
> <OpenPGP_0x5AB2FAF17B172BEA.asc>_______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.20.3 | Report a Bug | By Email