[TLS] Re: Implicit ECH Config for TLS 1.3 – addressing public_name fingerprinting
Stephen Farrell <stephen.farrell@cs.tcd.ie> Thu, 06 March 2025 15:13 UTC
Message-ID: <f26ac091-b22c-464b-a389-b8f48d93802e@cs.tcd.ie>
To: Martin Thomson <mt@lowentropy.net>, Christopher Patton <cpatton=40cloudflare.com@dmarc.ietf.org>, Nick Sullivan <nicholas.sullivan@gmail.com>
References: <CAOjisRzBNG2KdAZXssnR9Ura9HuAUKxOH+VLCAE5B9MfYyeT2A@mail.gmail.com> <CAOjisRx9vuroH8-q1tgTPWNnTWQ6i+0Vb=VBTv77j7-hEbHHSw@mail.gmail.com> <CAG2Zi23kVghBzq3eyNXXqs+wk+LuRky8k2ZaJv5iRD6Pp5tpYQ@mail.gmail.com> <e6544817-e0d5-4404-a74b-3df360c544fb@app.fastmail.com>
In-Reply-To: <e6544817-e0d5-4404-a74b-3df360c544fb@app.fastmail.com>
CC: "tls@ietf.org" <TLS@ietf.org>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/YWAsoBsgJ2uzUKzNbQ1p28wkd2w>
Hiya,

On 06/03/2025 14:47, Martin Thomson wrote:
> On the broader topic, Marwan and I have a draft that looks at a
> different angle on this problem. That has a bunch of complicated
> stuff in there, but those pieces aren't necessarily core to the
> idea. I'm also aware of ongoing conversations about this that might
> lead to iterative improvements on these ideas. It would be really
> nice if we could have some time to talk through some of the
> rationale behind these different ideas and see if we can tease out
> the real constraints.
>
> Here's the draft that Marwan and I put together:
> https://datatracker.ietf.org/doc/draft-thomson-tls-ech-pnmasq/

I agree that that's complicated :-)

If we end up needing something that complex, (and I'm not saying I'm convinced we do), then we should also consider a new TLS extension code point and a new SvcParamKey, as that might a) be simpler, and/or b) easier to deploy in parallel with ECH as-is.

And in that case, I suspect it'd also make sense to see how things play out with ECH for a year or so after we start to see significant numbers of independent server deployments of ECH, before doing all that.

Cheers,
S.
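For readers following the public_name discussion above, here is an added worked example that is not part of Stephen's message, the pnmasq draft, or any project's code: a parser for the ECHConfigList that the existing HTTPS RR 'ech' SvcParam carries (the structure ECH as-is uses, before any new SvcParamKey). It pulls out each config's public_name, which is the hostname a passive observer sees both in the DNS answer and as the SNI of ClientHelloOuter, and applies the client-side skip rules from draft-ietf-tls-esni (unknown ECHConfig version, unsupported KEM, unknown mandatory extension, malformed name). The KEM/KDF/AEAD code points are the RFC 9180 ones; the sample config list, its config_id values, key bytes and hostnames are constructed for this example.

```python
"""Parse an ECHConfigList (draft-ietf-tls-esni, ECHConfig version 0xfe0d) and extract each
public_name. Added example, not the draft's or any project's code; sample values are constructed."""
import base64
import struct
from dataclasses import dataclass

ECH_VERSION = 0xFE0D              # ECHConfig.version in draft-ietf-tls-esni
KEM_X25519_HKDF_SHA256 = 0x0020   # HPKE identifiers from RFC 9180
KDF_HKDF_SHA256, AEAD_AES_128_GCM = 0x0001, 0x0001
SUPPORTED_KEMS = {KEM_X25519_HKDF_SHA256}

@dataclass
class ECHConfig:
    version: int
    config_id: int
    kem_id: int
    public_key: bytes
    cipher_suites: list          # (kdf_id, aead_id) pairs
    maximum_name_length: int
    public_name: str
    extensions: list             # (extension_type, data) pairs

def _vec(data: bytes, n: int) -> bytes:   # TLS opaque vector with an n-byte length prefix
    return len(data).to_bytes(n, "big") + data

def encode_ech_config(c: ECHConfig) -> bytes:
    suites = b"".join(struct.pack("!HH", k, a) for k, a in c.cipher_suites)
    exts = b"".join(struct.pack("!H", t) + _vec(d, 2) for t, d in c.extensions)
    body = (struct.pack("!BH", c.config_id, c.kem_id) + _vec(c.public_key, 2) + _vec(suites, 2)
            + bytes([c.maximum_name_length]) + _vec(c.public_name.encode("ascii"), 1) + _vec(exts, 2))
    return struct.pack("!HH", c.version, len(body)) + body

def encode_ech_config_list(configs) -> bytes:
    return _vec(b"".join(encode_ech_config(c) for c in configs), 2)

class _Reader:                    # bounds-checked cursor over a byte string
    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ECHConfigList")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def vec(self, n: int) -> bytes:
        return self.take(self.uint(n))

    def done(self) -> bool:
        return self.pos == len(self.buf)

def _valid_public_name(name: str) -> bool:
    """Dot-separated LDH labels, none empty (so no leading or trailing dot)."""
    return all(lab and lab.isascii() and lab.replace("-", "x").isalnum() for lab in name.split("."))

def parse_ech_config_list(blob: bytes) -> list:
    """Return the configs a client may use; skip those the draft says to ignore."""
    outer = _Reader(blob)
    body = _Reader(outer.vec(2))
    if not outer.done():
        raise ValueError("trailing bytes after ECHConfigList")
    usable = []
    while not body.done():
        version = body.uint(2)
        r = _Reader(body.vec(2))      # length prefix lets us step over unknown versions
        if version != ECH_VERSION:
            continue
        config_id, kem_id, public_key = r.uint(1), r.uint(2), r.vec(2)
        sr, suites = _Reader(r.vec(2)), []
        while not sr.done():
            suites.append((sr.uint(2), sr.uint(2)))
        max_len = r.uint(1)
        public_name = r.vec(1).decode("ascii", errors="replace")
        er, exts, unknown_mandatory = _Reader(r.vec(2)), [], False
        while not er.done():
            t, d = er.uint(2), er.vec(2)
            exts.append((t, d))
            unknown_mandatory |= bool(t & 0x8000)   # high bit = mandatory; we implement none
        if not r.done():
            raise ValueError("trailing bytes in ECHConfigContents")
        if kem_id not in SUPPORTED_KEMS or unknown_mandatory or not _valid_public_name(public_name):
            continue
        usable.append(ECHConfig(version, config_id, kem_id, public_key, suites, max_len, public_name, exts))
    return usable

def public_names_from_ech_param(b64: str) -> list:
    """What a passive observer learns from the base64 'ech' SvcParam value alone."""
    return [c.public_name for c in parse_ech_config_list(base64.b64decode(b64))]

# Constructed sample list: one usable config and two that a client has to skip.
SAMPLE_GOOD = ECHConfig(ECH_VERSION, 7, KEM_X25519_HKDF_SHA256, bytes(range(32)),
                        [(KDF_HKDF_SHA256, AEAD_AES_128_GCM)], 64, "public.example", [])
SAMPLE_OLD_VERSION = ECHConfig(0xFE0C, 8, KEM_X25519_HKDF_SHA256, bytes(32), [(1, 1)], 64, "old.example", [])
SAMPLE_MANDATORY_EXT = ECHConfig(ECH_VERSION, 9, KEM_X25519_HKDF_SHA256, bytes(32), [(1, 1)], 64,
                                 "ext.example", [(0x8001, b"\x00")])
SAMPLE_ECH_PARAM = base64.b64encode(encode_ech_config_list(
    [SAMPLE_GOOD, SAMPLE_OLD_VERSION, SAMPLE_MANDATORY_EXT])).decode("ascii")

if __name__ == "__main__":
    print(public_names_from_ech_param(SAMPLE_ECH_PARAM))  # ['public.example']
```

Feed public_names_from_ech_param the base64 string from a real HTTPS record's ech= parameter and it returns the names an on-path observer can match against; the skip rules matter because a list can carry several configs and only the usable ones determine which public_name the client will actually put in ClientHelloOuter.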
- [TLS] Implicit ECH Config for TLS 1.3 – addressin… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Raghu Saxena
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Yaroslav Rosomakho
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Yaroslav Rosomakho
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Loganaden Velvindron
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Eric Rescorla
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Nick Sullivan
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Stephen Farrell
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Christopher Patton
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Martin Thomson
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Stephen Farrell
- [TLS] Re: Implicit ECH Config for TLS 1.3 – addre… Kazuho Oku