IETF Logo Mail Archive

Re: [TLS] Working Group Last Call for ECH

涛叔 <hi@taoshu.in> Wed, 13 March 2024 06:28 UTC

Return-Path: <hi@taoshu.in>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C741C14F6E3 for <tls@ietfa.amsl.com>; Tue, 12 Mar 2024 23:28:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.375
X-Spam-Level:
X-Spam-Status: No, score=-1.375 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_SOFTFAIL=0.732, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=taoshu.in
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9GMFVzS09iOC for <tls@ietfa.amsl.com>; Tue, 12 Mar 2024 23:28:12 -0700 (PDT)
Received: from mx1.lehu.in (mx1.lehu.in [IPv6:2603:c024:c00c:9e00:1::]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 221AAC14F6A7 for <tls@ietf.org>; Tue, 12 Mar 2024 23:28:12 -0700 (PDT)
DKIM-Signature: a=rsa-sha256; bh=JQWhq5tbDomdS9DEyN4bEGgY25ydAJ5OddBddqzVeUM=; c=relaxed/relaxed; d=taoshu.in; h=Subject:Subject:Sender:To:To:Cc:Cc:From:From:Date:Date:MIME-Version:MIME-Version:Content-Type:Content-Type:Content-Transfer-Encoding:Reply-To:In-Reply-To:In-Reply-To:Message-Id:Message-Id:References:References:Autocrypt:Openpgp; i=@taoshu.in; s=default; t=1710311291; v=1; x=1710743291; b=Vozjmg5hPuq4T7o7lXRenTZTQNxJU3F6xVD+ZruyCx95qOoFH+jipLRAGWE9pBs5z+3h/EaX YWy7jngTykakVygNcCMAzWOcR9iacgxhg4agickkysMj3dFGAkj3OPWivDZkipTS+dQGplkFPCB x0kwYnzvr64eCbuXqb+dCW4e+xXVG/vi+XYFeX2d4wRs6AYZArlxVcAboubXKUjddtlx1XGOydD u1ydoZyQh5DoigvhfHilv14HUlyMM65VdgsqDSDQrPczCyg9gWZu0FTtak5AVwpW0a8e9oyXvD2 A6Shg6+y0j8Tgkuu6pDg7PX+O9UEWUtATqs1RNG+F4mUQ==
Received: by mx1.lehu.in (envelope-sender <hi@taoshu.in>) with ESMTPS id b3754640; Wed, 13 Mar 2024 06:28:11 +0000
From: 涛叔 <hi@taoshu.in>
Message-Id: <18DDB0DF-A303-4C62-AE5D-521321F9D3EB@taoshu.in>
Content-Type: multipart/alternative; boundary="Apple-Mail=_08550694-44ED-429F-9739-2BAD51722C76"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.300.61.1.2\))
Date: Wed, 13 Mar 2024 14:27:59 +0800
In-Reply-To: <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM>
Cc: tls@ietf.org
To: Raghu Saxena <poiasdpoiasd@live.com>
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM>
X-Mailer: Apple Mail (2.3774.300.61.1.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/MxeRH5U2G4-h4TD9X6dP-5o2-n0>
Subject: Re: [TLS] Working Group Last Call for ECH
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Mar 2024 06:28:16 -0000

I have risen similar discussion before and have tried to suggest some solutions, but none of them got any support.

Here is the previous discuss thread, just FYI

https://mailarchive.ietf.org/arch/msg/tls/HlwYX16Y4W2BevKTpI6a81eO1JE/

> On Mar 13, 2024, at 13:20, Raghu Saxena <poiasdpoiasd@live.com> wrote:
> 
> Are comments restricted strictly to members of the working group? If so, please ignore this E-Mail.
> 
> I'd previously tried to raise an issue regarding requirements of a public_name in the ECHConfig in the mailing list [0], and when I didn't get much response there, even on Github [1], where I was further met by silence. I assumed this meant since I am not in the working group I am not allowed to participate in discussions, but seeing the "Last Call" I thought I'd try one last time.
> 
> My concern relies around the fact that by requiring a public_name in the ECHConfig, and clients "SHOULD" pass it, means we are losing basically all the benefit we initially had with ESNI, since now some part is leaked anyway. This was not an issue in original ESNI. Although the draft allows for a client to not use this value, and/or for a server to not validate it ("SHOULD" rather than "MUST"), in practice all of the most popular clients (i.e. browsers) will probably end up using / sending it. We saw this for SNI, where even websites which don't need it (e.g. a very popular adult website), browsers will still send it, and this becomes a vector for censorship / blocking.
> 
> If this requirement is unlikely to change, my question then becomes - it is  "acceptable", as a website operator who does not wish to leak the domain name in the ECHOuter's plaintext SNI, to specify the "public_name" in the ECHConfig as something random (e.g. "example.com"), acknowledging the fact that as a server operator, I will disregard any value the client passes for the SNI in the ClientHello anyway? Or is there another recommended approach if I do not want the actual domain to be leaked on the wire. This is coming as an individual operator, with no CDNs to hide behind (e.g. `cloudflare-ech.com`).
> 
> Lastly, I also struggle to understand the value of this field. From reading the RFC, it seems it is mostly only applicable if the server rejects ECH. I would think this happens if the server does not support ECH, and therefore should not have had an ECHConfig published anyway- or the client is unable to satsify the server's ECH requirements. In both cases, I would think it is on the client to fallback an purposely initiate a non-ECH TLS handshake, rather than "downgrade" the connection. Forgive me if I am missing something obvious, but as someone who used ESNI successfully back when it was in draft status, and was happy with no SNI being leaked, I am unhappy that it has returned.
> 
> Regards,
> 
> Raghu Saxena
> 
> [0] https://mailarchive.ietf.org/arch/msg/tls/HUG1CU0Q4PorZ7fD0yafVfj7VUY/
> 
> [1] https://github.com/tlswg/draft-ietf-tls-esni/issues/572#issuecomment-1780859252
> 
> On 3/12/24 06:00, Joseph Salowey wrote:
>> This is the working group last call for TLS Encrypted Client Hello [1].  Please indicate if you think the draft is ready to progress to the IESG and send any comments to the list by 31 March 2024.  The comments sent by Watson Ladd to the list [2] on 17 February 2024 will be considered last call comments.
>> 
>> Thanks,
>> 
>> Joe, Deirdre, and Sean
>> 
>> [1] https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
>> [2] https://mailarchive.ietf.org/arch/msg/tls/XUCFuNBSQfSJclkhLW-14DZ0ETg/
>> 
>> 
>> 
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
> <OpenPGP_0xA1E21ED06A67D28A.asc>_______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls

v2.23.0 | Report a Bug | By Email