Re: [TLS] draft-ietf-tls-esni feedback

"Christopher Wood" <caw@heapingbits.net> Wed, 23 October 2019 21:46 UTC

Message-Id: <a78ca9f6-b5ee-4c0c-8695-b1bd30d227db@www.fastmail.com>
In-Reply-To: <0374dea8-f8bd-e0e6-d23e-f76051ec4f78@cs.tcd.ie>
References: <CAChr6SwM0cAH4ShJdw6WpV3rwLUPoaqB+imvv61XohLaLiS7jA@mail.gmail.com> <r480Ps-10146i-D05F1D3FC7BC4B899AE60F28D44FDF74@Williams-MacBook-Pro.local> <CACsn0cmhJ5yhZ7h7skgJLdbH9ykcOw6_9D+h7hx8Y8YE69nMaA@mail.gmail.com> <CAHbrMsAFh6g+hAMcjmDqQ=JEv+PDQQaygTfBnHgwepaNJkZtSA@mail.gmail.com> <0374dea8-f8bd-e0e6-d23e-f76051ec4f78@cs.tcd.ie>
Date: Wed, 23 Oct 2019 14:45:52 -0700
From: "Christopher Wood" <caw@heapingbits.net>
To: "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/LMKYMHiqClZuv17qTciHIGsbv7g>

On Wed, Oct 23, 2019, at 2:12 PM, Stephen Farrell wrote:
> 
> 
> On 23/10/2019 17:13, Ben Schwartz wrote:
> > On the topic of radical suggestions, here's another one:
> > https://github.com/tlswg/draft-ietf-tls-esni/pull/186
> 
> How about a variant like this (which is maybe close to your
> most recent email, not quite sure):
> 
> Names < N octets: pad those to N.
> 
> Names >= N octets: hash those and pad to N.
> 
> With N ~=64 I think that'd be ok, assuming we do some checking
> that N covers a sufficient percentage of names in real use.

For this and other proposals, it seems there are different assumptions being made. I'd prefer not to make any change absent further analysis with clear guidance pointing towards a safe policy. Absent that, the safest approach (260B) seems prudent.

> I think the WG could easily make the case that if some web
> site really does need/want to hide in the crowd, they just
> better not try to do that with a gigantic DNS name.

Why would such a site use ESNI at all?

Best,
Chris
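Added example (mine, not code from draft-ietf-tls-esni and not from anyone in this thread): a toy model of the two length-hiding policies discussed above, the fixed 260-octet padding and the pad-or-hash sketch with N = 64. The wire layout (kind and length prefix, then a zero-padded field), the choice of SHA-256 for the hashed branch, the 260 and 64 figures as constants, and the sample names are all my assumptions for illustration.

```python
"""Two length-hiding policies for an encrypted server name, modelled in Python.

Constructed example, not the draft's encoding. It shows what a passive
observer learns from payload sizes alone under each policy, and what the
server can still recover on its side.
"""
import hashlib
from typing import Callable, Iterable, List, Optional

FIXED_LEN = 260   # assumption: 255-octet max hostname plus a little overhead
N = 64            # assumption: the "N ~= 64" threshold from the sketch (must be >= 32)


def _zero_pad(body: bytes, size: int) -> bytes:
    """Right-pad `body` with zero octets to exactly `size` octets."""
    if len(body) > size:
        raise ValueError("body of %d octets exceeds padding target %d" % (len(body), size))
    return body + b"\x00" * (size - len(body))


def pad_fixed(name: str, size: int = FIXED_LEN) -> bytes:
    """Policy A: every name travels in a `size`-octet field, whatever its length.

    Constructed layout: 1-octet length prefix, the name, zero padding.
    """
    raw = name.encode("ascii")
    if len(raw) > 255:
        raise ValueError("hostname exceeds 255 octets")
    return _zero_pad(bytes([len(raw)]) + raw, size)


def pad_or_hash(name: str, n: int = N) -> bytes:
    """Policy B (the sketch above): names shorter than n octets are padded to n;
    names of n octets or more are replaced by their SHA-256 digest, padded to n.

    Constructed layout: 1-octet kind (0 = literal name, 1 = digest),
    1-octet body length, then an n-octet zero-padded field.
    """
    raw = name.encode("ascii")
    if len(raw) < n:
        kind, body = 0, raw
    else:
        kind, body = 1, hashlib.sha256(raw).digest()   # 32 octets, fits in n >= 32
    return bytes([kind, len(body)]) + _zero_pad(body, n)


def recover_name(payload: bytes, candidates: Iterable[str] = ()) -> Optional[str]:
    """Server side of policy B.

    A literal name is read back directly. A digest is not invertible, so it can
    only be matched against names the server already knows (its configured
    hostnames, passed as `candidates`); otherwise the name is lost.
    """
    kind, length = payload[0], payload[1]
    body = payload[2:2 + length]
    if kind == 0:
        return body.decode("ascii")
    for cand in candidates:
        if hashlib.sha256(cand.encode("ascii")).digest() == body:
            return cand
    return None


def observed_lengths(policy: Callable[[str], bytes], names: Iterable[str]) -> List[int]:
    """The distinct payload sizes an on-path observer sees for `names` under `policy`.

    A single value means size alone does not distinguish the names.
    """
    return sorted({len(policy(name)) for name in names})


# Constructed sample names spanning short, medium and maximum-length hostnames.
SAMPLE_NAMES = ["a.io", "example.com", "very-long-" * 6 + "label.example", "x" * 255]

if __name__ == "__main__":
    for policy in (pad_fixed, pad_or_hash):
        print(policy.__name__, "distinct lengths on the wire:",
              observed_lengths(policy, SAMPLE_NAMES))
    long_name = SAMPLE_NAMES[2]   # 73 octets, so hashed under policy B
    print("hashed name with a candidate list:",
          recover_name(pad_or_hash(long_name), candidates=SAMPLE_NAMES))
    print("hashed name without a candidate list:",
          recover_name(pad_or_hash(long_name)))
```

Both policies collapse the sample names to one size on the wire (260 octets under A, 2 + 64 under B in this layout), so neither leaks the name length by itself. The difference is on the server side: under B a name at or above the threshold arrives only as a digest, so the server can identify it only by comparing against names it already has configured, which is what `recover_name` models. The model says nothing about other side channels; it isolates the length dimension the thread is discussing.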