Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt
Martin Thomson <martin.thomson@gmail.com> Sat, 05 August 2017 10:52 UTC
Return-Path: <martin.thomson@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 40C35128AA1 for <tls@ietfa.amsl.com>; Sat, 5 Aug 2017 03:52:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XnX3308zKlB9 for <tls@ietfa.amsl.com>; Sat, 5 Aug 2017 03:52:50 -0700 (PDT)
Received: from mail-io0-x22e.google.com (mail-io0-x22e.google.com [IPv6:2607:f8b0:4001:c06::22e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 965CF128C81 for <tls@ietf.org>; Sat, 5 Aug 2017 03:52:50 -0700 (PDT)
Received: by mail-io0-x22e.google.com with SMTP id g35so13220702ioi.3 for <tls@ietf.org>; Sat, 05 Aug 2017 03:52:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=cccFZ0gRfMZT00JA9jLsOsiiJD7U/HAwDt/ExLI2aOk=; b=oE+ljEaxNRxV8Gb2i4x5griVv+EVTSCeqy8K897ZD9hpUoXZkVWyVHW2TthA6nhaNa k3zJOGNxhyZ3A74A0JFJrv9cCuTBTNCUPwThwzWVAcV4DQCTqg5Vinbe6kmLxWCI0LPC wSuAe5Cu2h5yr0BbT3SKyrgock26Pwb0N6eWMgHudzc59E0KCmdHt7boASYPC9pVbImQ cTVkgQkN5dV5y8n45hBYUmIiThANQ5Mlm39c512dIAVW1pUKUrvBi3OPJvW3m+9RscoT Y+Z2oTMBnIWD8NNnEzIM6371OXvKAwhlUz5dfPY/yzFLYNuOnEB0cApn52IZlHXbEtyn PSWA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=cccFZ0gRfMZT00JA9jLsOsiiJD7U/HAwDt/ExLI2aOk=; b=HwQBH9JSGFbtGrYl5/4MEM4IhnvmLLKRAN6F/L+uMl72vuwk2N1JcDy6proAeUouUL t4AyZeFkyMGks/8KUUhVVxkJIG6kBwah4kSUNCyUYJVsQ/3WjcNqexwOfRvLeYt9kbsh /wreHwSPtuGhZfmJqg+Vr/voAC1izpY9cUwspvPU1NoCt2rhRRcE9dcJpCt0c1+tAAKU DBDKohEeQSAPQgZhl6d1AsL++yjfYvQI4BGWAeh+fJQmo6RyY4Ys4t46IBiA3dTys7Ex u6HdQTv3FqGho4e3PSnSuW1Od/FllzqGdrQfqi8poP4rZyNzkG3F9H/yENY2id46olb2 l54w==
X-Gm-Message-State: AIVw112KC17ZyFXh2Lx8rwlFMwjhxWYkyGcpF6c/zS3GyOWLydciEeJo p3zf2dBn0/IKSWftFUwYwIk4WyPoUw==
X-Received: by 10.107.134.196 with SMTP id q65mr5324087ioi.193.1501930369903; Sat, 05 Aug 2017 03:52:49 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.107.164.42 with HTTP; Sat, 5 Aug 2017 03:52:49 -0700 (PDT)
In-Reply-To: <m2vam3pcyb.fsf@bos-mpeve.kendall.corp.akamai.com>
References: <149810504637.30481.937244297632371838.idtracker@ietfa.amsl.com> <422ef2c7-4d99-20d2-8a39-ffd61277e0bd@huitema.net> <m2vam3pcyb.fsf@bos-mpeve.kendall.corp.akamai.com>
From: Martin Thomson <martin.thomson@gmail.com>
Date: Sat, 05 Aug 2017 20:52:49 +1000
Message-ID: <CABkgnnX--xcZbXjpgFQW04H4YjDbGz3RihirA4Fw_+KEdLP1TA@mail.gmail.com>
To: Brian Sniffen <bsniffen@akamai.com>
Cc: Christian Huitema <huitema@huitema.net>, "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/JRepQeBWIlpLX0XZrlZ1s5ad4Sc>
Subject: Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 05 Aug 2017 10:52:52 -0000
On 5 August 2017 at 01:30, Brian Sniffen <bsniffen@akamai.com> wrote: > ## Don't stand out > > I think the requirement that the browser check the CT log and perform > DNSSEC in 3.2 is likely to violate the don't-stand-out requirement, as I > don't expect most browsers to do that most times. Am I missing > something? Checking the CT log or doing DNSSEC validation would definitely cause a red flag, but if the DNSSEC chain extension to TLS is used (consistently), then the information is already on hand. I don't know what can be done for CT (SCT likely isn't what we're looking for here). The conclusion to the ORIGIN frame discussion ended with two choices that increase confidence that a certificate isn't mis-issued without violating this principle. That was OCSP stapling or SCT. It's an important principle, maybe this draft should be clearer about that.
- [TLS] Fwd: New Version Notification for draft-hui… Christian Huitema
- Re: [TLS] Fwd: New Version Notification for draft… Kazuho Oku
- Re: [TLS] Fwd: New Version Notification for draft… Brian Sniffen
- Re: [TLS] Fwd: New Version Notification for draft… Martin Thomson
- Re: [TLS] Fwd: New Version Notification for draft… Daniel Kahn Gillmor