IETF Logo Mail Archive

Re: [TLS] publishing ESNIKeys under a .well-known URI...

Stephen Farrell <stephen.farrell@cs.tcd.ie> Fri, 22 November 2019 05:13 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C501012022D for <tls@ietfa.amsl.com>; Thu, 21 Nov 2019 21:13:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.299
X-Spam-Level:
X-Spam-Status: No, score=-4.299 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H77PM8cfq2z8 for <tls@ietfa.amsl.com>; Thu, 21 Nov 2019 21:13:26 -0800 (PST)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5AB7412004E for <tls@ietf.org>; Thu, 21 Nov 2019 21:13:25 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 147E5BE4D; Fri, 22 Nov 2019 05:13:24 +0000 (GMT)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nGYZarH_w5E4; Fri, 22 Nov 2019 05:13:21 +0000 (GMT)
Received: from [31.133.146.56] (dhcp-9238.meeting.ietf.org [31.133.146.56]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 4F357BE2E; Fri, 22 Nov 2019 05:13:20 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1574399601; bh=6llW1jTTjATCXJDjsjRGUAJoYYtaJJn8dBqPCkcYgy8=; h=To:Cc:References:From:Subject:Date:In-Reply-To:From; b=NBPI6I07JC6Uav/C1DzIgfb1cQw3tcnA4+ovVa6EUt7e1hewRSQjYspgQX9AKWdcm DFSx/Q6srM73AuaX2RklljwI5zY6VE7uwb5ka6HrzFjDL/qfG6GjWGtawjGB20q8Qp PtZEqchLbkeLXXLaMbbhImMENOBf0ZJRFpH1tSvc=
To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Christian Huitema <huitema@huitema.net>
Cc: "tls@ietf.org" <tls@ietf.org>
References: <7374648a-d684-87be-0807-219bc10793ac@cs.tcd.ie> <18514.1561564689@localhost> <e61cb6c7-af9c-4f8b-4f94-88dc56a7f6f1@cs.tcd.ie> <f015bd0e-8e0d-ab1a-eab8-a0dc466e2de4@huitema.net> <ba4a4f84-9663-393a-4254-193cf4051ac3@cs.tcd.ie> <878so9jafi.fsf@fifthhorseman.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <12d46f25-bfd6-ff16-1569-e6121d7de100@cs.tcd.ie>
Date: Fri, 22 Nov 2019 05:13:14 +0000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.1.2
MIME-Version: 1.0
In-Reply-To: <878so9jafi.fsf@fifthhorseman.net>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="BjPurnKaIfJMpZjEVsGDp56eG9DI10qGj"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/XMLAInWGnPl6Autjopw_DdaOgXw>
Subject: Re: [TLS] publishing ESNIKeys under a .well-known URI...
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 Nov 2019 05:13:30 -0000

Hiya,

(As per the meeting discussion, I'll plan to revise the
individual draft in the next while and then the WG can
consider what to do about it. If ESNI/ECHO draft-06 is
out first, I'll change to align with that. If not, we
can worry about that later. In the meantime...)

On 21/11/2019 19:28, Daniel Kahn Gillmor wrote:
> On Wed 2019-07-03 16:01:21 +0100, Stephen Farrell wrote:
>> It doesn't take much to encourage me so I just
>> pushed out that idea in I-D form:-) [1]
>  […]
>> [1] https://tools.ietf.org/html/draft-farrell-tls-wkesni-00
> 
> Thanks for this (and for the -01 update for the draft).  I like this
> work, and i think we should pursue it in the WG.

Cool. Thanks.

> 
> A couple notes/questions:
> 
>  - Clients might use this, not just "zone factories".  For instance,
>    consider a client with limited access to the DNS that makes an
>    initial direct connection to the hidden host, leaking SNI.  If, in
>    that connection, it also fetches this record, it could use that to
>    bootstrap future connections to the host, right?

Yep.

>    The draft currently contemplates this briefly for followup queries
>    for some clients, but it doesn't go into it in more detail.

Right. I wasn't sure if people would like, or be freaked
out by, that:-)

> 
>  - Why is it hosted on the cover server, instead of on the hidden
>    server?  is that just so that the zone factory doesn't leak $HIDDEN
>    to the network?

Yes. Also - if adding a new $HIDDEN then first time around
the zone factory can't use ESNI/ECHO to $HIDDEN.

>    Surely on a zone factory update, the zone factory already knows the
>    eSNI for $HIDDEN so it could make the request with eSNI to
>    https://$HIDDEN/.well-known/esni/$HIDDEN.json rather than to
>    https://$COVER/.well-known/esni/$HIDDEN.json

Other than first time, as noted above. I've also had cases
where things got out of whack (because I'd broken stuff)
that meant ESNI stopped working to $HIDDEN for a bit. (The
specific failures I've seen don't make a real difference
to answering your question, as the zone factory does try
out the new keys with $HIDDEN as part of it's work, but
maybe some other failure cases might matter more.)

>    At the same time, for $COVER to publish this information potentially
>    puts $COVER at more risk, right? 

Yes. If $COVER is the public_name from the ESNIConfig
though it doesn't seem much more of a risk.

> And, a $COVER could *claim* to be a
>    cover for $HIDDEN without approval of the $HIDDEN site by publishing
>    these records; if anyone believes that claim, it could cause traffic
>    to be re-routed through the ersatz $COVER.  If it's going to be
>    hosted at $COVER and not $HIDDEN, we should be explicit about what
>    defends against such an attack.

Sure. In my case, the zone factory knows all the names but
yes, discussion of the more general case is needed.

> 
>    There could be an "obvious" reason for the choice of hosting it at
>    $COVER instead of at $HIDDEN, but it should be spelled out in the
>    draft.

Ack. Will do.

> 
>  - If this is treated as a separate/independent source of authority
>    about ESNI data for a host from the DNS (e.g. in the client examples
>    contemplated in my first point above, not just the "zone factory"),
>    then the draft probably needs some text discussing what to do when
>    discovering a discrepancy between what's in the DNS and what's found
>    at .well-known.

True. In the zone factory case, such discrepancies are of
course nominal. Otherwise, I can envisage a number of
different client scenarios (client DoH/DoT availability
can be yes, no or dunno; the client might have old
ESNIConfig values or not, and HTTPSSVC might or might
not be available etc.)

And I guess there's even the case (that probably will freak
someone out) where $HIDDEN might not even exist in the
DNS at all if it is covered by a wild-card cert and if
$HIDDEN is in the client's /etc/hosts or equivalent. (I
think I could support that now in my servers but haven't
actually deployed such a vhost - maybe I should:-)

I'm not sure if this draft ought specify behaviour for
such clients, but I can try add text describing the various
cases I guess. (If that text were to stay in, then I'd
guess that it'll make this document too long to include
in the base ESNI/ECHO draft thus taking that option off
the table maybe.)

Cheers,
S.



> 
> Regards,
> 
>         --dkg
>

v2.23.0 | Report a Bug | By Email