Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 19 July 2021 15:01 UTC

To: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <TLS@ietf.org>
References: <0ad354da-5300-4b48-8925-f7ab18cdf235@www.fastmail.com> <5D834B58-7A0C-4701-96EB-31663BC0C2DE@akamai.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <2c7c53a8-cf47-f51d-f97b-f6cd5a712024@cs.tcd.ie>
Date: Mon, 19 Jul 2021 16:01:20 +0100
In-Reply-To: <5D834B58-7A0C-4701-96EB-31663BC0C2DE@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/KLljb9PVQ675hUHMACxuveR0UqA>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption


On 19/07/2021 15:16, Salz, Rich wrote:
> I support publication.

I don't, though I may be in the rough.

We did discuss this a bit earlier but from my POV this
adds a new vector for cross-domain tracking and we ought
to be removing those, not adding them.

I don't find that the reference to [FETCH] explains how that
problem can be mitigated by browsers. (IIRC, adding that
was the result of earlier discussion of this point?)

I have no idea if anything similar might protect mail user
agents when processing mailbug URLs, nor other applications
using TLS.

To give a small sense of scale, in scans I did a few
years back [1], one wild-card certificate [2] was visible
at almost 2000 addresses in a range of different countries.
That appeared to be part of some multi-product marketing
campaign. (The names seen associated with the wildcard cert
were of the form "<product>.campaign.<marketing-company>"
and the wildcard was for "*.campaign.<marketing-company>".)
Another certificate (sorry, I had a quick look but didn't find
the specific ref) for parked domains had 1500 SANs.
I think both of those are indicators that this mechanism
could be used at scale for tracking.

Cheers,
S.

[1] https://eprint.iacr.org/2018/299
[2] https://crt.sh/?id=242683192

> 
>> https://datatracker.ietf.org/doc/draft-ietf-tls-cross-sni-resumption/
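The tracking concern raised in the message above, as an added toy model (this is example code written for this archive page; it is not from the draft, from the poster, or from any TLS implementation). A server holding one wildcard certificate allows its tickets to be resumed under any covered name; the client's `across_names` field stands in for the draft's server-side signal, and the hostnames, top-level sites and ticket ids are constructed. The model shows what the server can link when the client keys its session cache by name alone, and how partitioning the cache by the top-level site (the kind of mitigation the [FETCH] reference points at for browsers) stops a single ticket from being presented across two unrelated sites.

```python
"""Toy model: cross-SNI resumption as a cross-site linking vector, and a
client-side cache partition that mitigates it.  Added example; not code
from draft-ietf-tls-cross-sni-resumption or any TLS stack.  The
`across_names` flag models the draft's server signal; names are constructed."""
import secrets
from dataclasses import dataclass


def name_matches(pattern: str, host: str) -> bool:
    """Match a certificate name against a host.  A wildcard may only stand
    for the left-most label, so "*.campaign.example" does not cover
    "x.y.campaign.example" (the usual RFC 6125 rule)."""
    if pattern.startswith("*."):
        _, _, suffix = pattern.partition(".")
        head, _, tail = host.partition(".")
        return bool(head) and tail == suffix
    return pattern == host


@dataclass(frozen=True)
class Ticket:
    ticket_id: str          # opaque value the server recognises on resumption
    cert_names: frozenset   # SAN entries of the certificate that issued it
    across_names: bool      # server permitted use under any covered name

    def covers(self, host: str) -> bool:
        return any(name_matches(n, host) for n in self.cert_names)


class Server:
    """One certificate; records the SNI each ticket is presented under.
    That record is exactly what a tracking server could correlate."""

    def __init__(self, cert_names, across_names: bool):
        self.cert_names = frozenset(cert_names)
        self.across_names = across_names
        self.observed = {}  # ticket_id -> set of SNIs seen with that ticket

    def full_handshake(self, sni: str) -> Ticket:
        t = Ticket(secrets.token_hex(8), self.cert_names, self.across_names)
        self.observed[t.ticket_id] = {sni}
        return t

    def resume(self, ticket: Ticket, sni: str) -> None:
        if ticket.ticket_id not in self.observed or not ticket.covers(sni):
            raise ValueError("ticket not acceptable for this name")
        self.observed[ticket.ticket_id].add(sni)

    def max_names_per_ticket(self) -> int:
        """How many distinct names the most-linkable ticket was seen under."""
        return max(len(s) for s in self.observed.values())


class Client:
    def __init__(self, partition_by_site: bool):
        self.partition_by_site = partition_by_site
        self.cache = {}  # (partition, sni) -> Ticket

    def _partition(self, top_level_site: str):
        # Partitioned clients key tickets by the site that triggered the
        # connection; unpartitioned clients share one cache for all sites.
        return top_level_site if self.partition_by_site else None

    def connect(self, server: Server, top_level_site: str, sni: str) -> str:
        part = self._partition(top_level_site)
        ticket = self.cache.get((part, sni))
        if ticket is None:
            # Cross-SNI reuse: a ticket cached under another name qualifies only
            # if the server allowed it, the cert covers this name, and it lives
            # in the same partition.
            for (p, _), t in self.cache.items():
                if p == part and t.across_names and t.covers(sni):
                    ticket = t
                    break
        if ticket is None:
            ticket = server.full_handshake(sni)
            self.cache[(part, sni)] = ticket
            return "full"
        server.resume(ticket, sni)
        self.cache[(part, sni)] = ticket
        return "resumed"


def run_scenario(partition_by_site: bool, across_names: bool = True) -> int:
    """Two unrelated first-party sites each embed a resource from a different
    name under the same wildcard cert.  Returns the most names the server
    could tie to a single ticket: 2 means the two visits are linkable."""
    server = Server({"*.campaign.example"}, across_names)
    client = Client(partition_by_site)
    client.connect(server, "news.example", "product-a.campaign.example")
    client.connect(server, "shop.example", "product-b.campaign.example")
    return server.max_names_per_ticket()


if __name__ == "__main__":
    print("unpartitioned cache:", run_scenario(partition_by_site=False))
    print("partitioned cache:  ", run_scenario(partition_by_site=True))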