Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 19 July 2021 15:01 UTC


On 19/07/2021 15:16, Salz, Rich wrote:
> I support publication.

I don't, though I may be in the rough.

We did discuss this a bit earlier but from my POV this
adds a new vector for cross-domain tracking and we ought
to be removing those, not adding them.

I don't find the reference to [FETCH] explains how that
problem can be mitigated by browsers. (IIRC, adding that
was the result of earlier discussion of this point?)

I have no idea if anything similar might protect mail user
agents when processing mailbug URLs, not other applications
using TLS.

To give a small sense of scale, in scans I did a few
years back [1], one wild-card certificate [2] was visible
at almost 2000 addresses in a range of different countries.
That appeared to be part of some multi-product marketing
campaign. (The names seen associated with the wildcard cert
were of the form "<product>.campaign.<marketing-company>"
and the wildcard was for "*.campaign.<marketing-company>".)
Another certificate (sorry, had a quick look but didn't find
the specific ref) for parked domains had 1500 SANs.
I think both of those are indicators that this mechanism
could be used at scale for tracking.

Cheers,
S.

[1] https://eprint.iacr.org/2018/299
[2] https://crt.sh/?id=242683192

> 
>> https://datatracker.ietf.org/doc/draft-ietf-tls-cross-sni-resumption/
>   
> 
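The scale argument above (one ticket reusable for every name a certificate covers) can be made concrete. This is an added example, not code from the draft or the poster: it applies RFC 6125-style name matching to a certificate's SAN list and reports which visited hostnames a single cross-SNI resumption ticket could be replayed to, i.e. the set of origins one server could correlate. All names are constructed.

```python
"""Estimate the cross-SNI linkability set of a certificate (added example)."""
from __future__ import annotations


def san_matches(san: str, hostname: str) -> bool:
    """RFC 6125-style reference identity check.

    A wildcard is accepted only as the entire leftmost label ("*.a.b") and
    matches exactly one label, so "*.a.b" covers "x.a.b" but neither "a.b"
    nor "x.y.a.b". Partial wildcards such as "f*.a.b" are rejected.
    """
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    labels = san.split(".")
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def linkable_hosts(sans: list[str], visited: list[str]) -> dict[str, str]:
    """Map each visited hostname covered by the certificate to the SAN that
    covers it. Under cross-SNI resumption every host in the result can be
    reached with the same ticket, so one server can tie those visits to one
    client. Hosts covered by no SAN are omitted (no resumption would occur)."""
    covered = {}
    for host in visited:
        for san in sans:
            if san_matches(san, host):
                covered[host] = san
                break
    return covered


def linkability_set_size(sans: list[str], visited: list[str]) -> int:
    """Number of distinct names a single ticket could correlate."""
    return len(linkable_hosts(sans, visited))


# Constructed sample shaped like the message's observations: one wildcard
# plus unrelated parked-domain names in the same certificate.
SAMPLE_SANS = ["*.campaign.marketing-co.test", "parked-one.test", "parked-two.test"]
SAMPLE_VISITED = [
    "shoes.campaign.marketing-co.test",
    "cars.campaign.marketing-co.test",
    "campaign.marketing-co.test",      # not covered: wildcard needs one more label
    "a.b.campaign.marketing-co.test",  # not covered: wildcard matches one label only
    "parked-two.test",
    "unrelated.test",                  # different certificate, cannot be linked
]

if __name__ == "__main__":
    print(linkable_hosts(SAMPLE_SANS, SAMPLE_VISITED))
```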