[TLS] ECH usage indication: alternatives to trial decryption?

Christopher Patton <cpatton@cloudflare.com> Mon, 17 August 2020 20:55 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YVyB2-_Hsxcewy4xv0_Di3yjT-o>

Hi list,

In the current ECH specification (draft-ietf-tls-esni-07), the server
provides no indication of whether the inner or outer ClientHello (CH) was
used. This means the client must do trial decryption to make this
determination, which creates implementation complexity and potentially
raises security concerns. I was hoping to get your thoughts on a couple
alternatives, which strike different balances between implementation
complexity and other design considerations for ECH. Follow along here:

https://github.com/tlswg/draft-ietf-tls-esni/issues/274

Thanks,
Chris P.