Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt
Brian Sniffen <bsniffen@akamai.com> Fri, 04 August 2017 15:31 UTC
Return-Path: <bsniffen@akamai.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41544132360 for <tls@ietfa.amsl.com>; Fri, 4 Aug 2017 08:31:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LkKfO3jm51o3 for <tls@ietfa.amsl.com>; Fri, 4 Aug 2017 08:31:04 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B9AD132343 for <tls@ietf.org>; Fri, 4 Aug 2017 08:31:04 -0700 (PDT)
Received: from pps.filterd (m0050096.ppops.net [127.0.0.1]) by m0050096.ppops.net-00190b01. (8.16.0.21/8.16.0.21) with SMTP id v74FQxvt015711; Fri, 4 Aug 2017 16:30:54 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : subject : in-reply-to : references : date : message-id : mime-version : content-type; s=jan2016.eng; bh=NzCEfRY6e2wmmBZINSeMzU+b9qq3eOACNvuKYNj3RNE=; b=JXISaEoVG91yc/zE2Lo/SqSwqpKlf53jp+yL1E+/e+ayOcDPZuz4m4t+Y4roEiKyjK7Q ild35r4I57wiKY8WL9PlaT8BkPfrPmCgNHjFTa+CXJOmK0Fufqk5YSXjmHp3fgq4AuMq TW+LnVbcx7RjRmyZUNG8To1b51EGyDDck7yxsQyp3lBkr+adTuCgo2vh9tziudKyHYRd B1U28+ek/1ySYaPZTUUnN3bnadatjYZKfhY3dlLkTrwt8+9e0Tf9lXX6+LOyCONR/ZsI zJVw+lFperc21y8iXEDH6BG7TnwUQXVFGx8gu9R1Uk2T/IB96LWTIPGonyFWCFe3WBct uQ==
Received: from prod-mail-ppoint1 (a184-51-33-18.deploy.static.akamaitechnologies.com [184.51.33.18] (may be forged)) by m0050096.ppops.net-00190b01. with ESMTP id 2c3xvmswtx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 04 Aug 2017 16:30:53 +0100
Received: from pps.filterd (prod-mail-ppoint1.akamai.com [127.0.0.1]) by prod-mail-ppoint1.akamai.com (8.16.0.17/8.16.0.17) with SMTP id v74FPfFM016102; Fri, 4 Aug 2017 11:30:53 -0400
Received: from prod-mail-relay10.akamai.com ([172.27.118.251]) by prod-mail-ppoint1.akamai.com with ESMTP id 2c0npv7tsr-1; Fri, 04 Aug 2017 11:30:52 -0400
Received: from bos-mpeve.kendall.corp.akamai.com (unknown [172.28.17.141]) by prod-mail-relay10.akamai.com (Postfix) with ESMTP id E61681FC71; Fri, 4 Aug 2017 15:30:52 +0000 (GMT)
From: Brian Sniffen <bsniffen@akamai.com>
To: Christian Huitema <huitema@huitema.net>, "tls@ietf.org" <tls@ietf.org>
In-Reply-To: <422ef2c7-4d99-20d2-8a39-ffd61277e0bd@huitema.net>
References: <149810504637.30481.937244297632371838.idtracker@ietfa.amsl.com> <422ef2c7-4d99-20d2-8a39-ffd61277e0bd@huitema.net>
Date: Fri, 04 Aug 2017 11:30:52 -0400
Message-ID: <m2vam3pcyb.fsf@bos-mpeve.kendall.corp.akamai.com>
MIME-Version: 1.0
Content-Type: text/plain
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-08-04_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=1 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1708040237
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-08-04_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=1 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1706020000 definitions=main-1708040237
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/QSUsHk5pvJPJ_un33MIjQiHZlCM>
Subject: Re: [TLS] Fwd: New Version Notification for draft-huitema-tls-sni-encryption-00.txt
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Aug 2017 15:31:05 -0000
Having promised a review before August 18, I have three issues I'd like to talk about. But first, thanks for keeping pushing on this. I am not sure it will ever see wide adoption, but we'll surely never find out if we don't try. ## Don't stand out I think the requirement that the browser check the CT log and perform DNSSEC in 3.2 is likely to violate the don't-stand-out requirement, as I don't expect most browsers to do that most times. Am I missing something? ## CDN integration > If N multiple domains on a CDN are acceptable fronts, then we may > want some way to indicate this without publishing and maintaining N > separate tokens. Those multiple domains will not share TLS keys (or will be under a TLS wildcard), so delegation to a certificate is enough to cover this. I think you can just cut this paragraph, but maybe I don't know something about some sort of CDN? ## Security considerations: DDoS In section 6, I'm glad to see analysis vs the ddos requirements in 2.3. I'm not sure I agree with the quick result: 1) The forwarding server can be used as a reflector. Under some circumstances it should back off. 2) Under CPU load, the forwarding server will presumably start refusing early data (especially early data with TCP Fast Open!). Is it necessary to say anything more here? Or is the ordinary behavior of flaky early data sufficient? Particularly: what should clients do when early data is refused? Try again with this in the main data section? Give up? -Brian
- [TLS] Fwd: New Version Notification for draft-hui… Christian Huitema
- Re: [TLS] Fwd: New Version Notification for draft… Kazuho Oku
- Re: [TLS] Fwd: New Version Notification for draft… Brian Sniffen
- Re: [TLS] Fwd: New Version Notification for draft… Martin Thomson
- Re: [TLS] Fwd: New Version Notification for draft… Daniel Kahn Gillmor