Re: [TLS] Working Group Last Call for ECH
Raghu Saxena <poiasdpoiasd@live.com> Wed, 13 March 2024 09:15 UTC
Message-ID: <MEYP282MB3564E419539472CE1B5C5B1EA32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM>
Date: Wed, 13 Mar 2024 17:15:31 +0800
To: Watson Ladd <watsonbladd@gmail.com>
Cc: tls@ietf.org
References: <CAOgPGoD4iiJ7kivRo4xbe0peiMG3YdzUvmVHC2KvqnMOpm+N7Q@mail.gmail.com> <MEYP282MB35643E2F4A977C0FC051D006A32A2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM> <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com>
From: Raghu Saxena <poiasdpoiasd@live.com>
In-Reply-To: <CACsn0ckt5k_jJDp_RnWci94Li3AtcBiMfPehuLtdkAN-XoWtdQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/Yd2OqWoXMtW998cYU1CsCNdpFkM>
On 3/13/24 14:51, Watson Ladd wrote:

> The reason the public_name exists is so that the connections can all
> have the same SNI field. Since we can't do what ESNI did, there must
> be something there and it should all be the same.

Could you elaborate a bit on this? Sorry, I'm unfamiliar with some design decisions, but why do connections all need to have the same SNI field instead of just excluding it altogether, i.e. what ESNI did?

> I'm not sure what problem you want us to solve here. In the case of
> server offering a single domain, an attacker can determine that
> connections to that domain go to the server and cheaply block based on
> IP. As a result the threat model is one of distinguishing between
> connections to two different inner names.

An IP can be cheaply recycled as well, for instance by restarting a VPS on a cloud provider. Furthermore, IP-based blocking may even be discouraged at a higher level, for the exact reason that IPs can change pretty easily. As an operator, I might be able to migrate my hosting to a new server provider (and hence IP) trivially, but informing my users of a domain change is much harder.

> DNS does not propagate atomically with webserver configuration
> changes. It's thus necessary to deal with mismatches.

While this is true, if there is a configuration mismatch (and hence ECH cannot work), why is the decision made for the server to transparently "downgrade" it to non-ECH, instead of sending some kind of alert that signifies the client to retry without ECH?

Regards,

Raghu Saxena
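The two mechanisms the message asks about, the shared cleartext SNI (the public_name) and the server's handling of a config mismatch (completing the handshake for the public_name and returning retry_configs, after which the client retries or aborts with ech_required), can be seen in a small protocol model. The following is an added example written for this page, not code from the thread or from the ECH draft. It models only the message flow: the XOR-keystream-plus-HMAC "seal"/"open" pair is a toy stand-in for HPKE, the configs share a secret instead of using a public key, and the names public.example, secret-a.example and secret-b.example are constructed. Certificate verification of the public_name before trusting retry_configs, which a real client performs, is noted but not modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy keystream from SHA-256 (stand-in for HPKE/AEAD, not real crypto).
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> tuple[bytes, bytes]:
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def open_(key: bytes, nonce: bytes, ct: bytes, tag: bytes) -> Optional[bytes]:
    # Returns None when the key is wrong, i.e. the server cannot decrypt the inner hello.
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass(frozen=True)
class ECHConfig:
    config_id: int
    public_name: str
    key: bytes  # real ECH: an HPKE public key; here a shared secret (toy)


@dataclass(frozen=True)
class ClientHelloOuter:
    server_name: str  # cleartext SNI: always the public_name, whatever the inner name
    config_id: int
    nonce: bytes
    payload: bytes    # encrypted ClientHelloInner (here just the inner server name)
    tag: bytes


class Server:
    """Client-facing server that holds the ECH keys and may rotate them."""

    def __init__(self, public_name: str):
        self.public_name = public_name
        self.configs: dict[int, ECHConfig] = {}

    def rotate(self, config_id: int) -> ECHConfig:
        cfg = ECHConfig(config_id, self.public_name, os.urandom(32))
        self.configs = {config_id: cfg}  # older keys are dropped; DNS may still advertise them
        return cfg

    def handle(self, outer: ClientHelloOuter) -> dict:
        cfg = self.configs.get(outer.config_id)
        inner = open_(cfg.key, outer.nonce, outer.payload, outer.tag) if cfg else None
        if inner is None:
            # Mismatch: finish the handshake for the public_name and hand the client
            # the current configs (retry_configs) inside EncryptedExtensions.
            return {"server_name": self.public_name, "ech_accepted": False,
                    "retry_configs": list(self.configs.values())}
        return {"server_name": inner.decode(), "ech_accepted": True, "retry_configs": None}


class Client:
    def __init__(self, inner_name: str, config: ECHConfig):
        self.inner_name, self.config = inner_name, config
        self.sent: list[ClientHelloOuter] = []  # every outer hello this client put on the wire

    def _hello(self) -> ClientHelloOuter:
        nonce = os.urandom(12)
        ct, tag = seal(self.config.key, nonce, self.inner_name.encode())
        outer = ClientHelloOuter(self.config.public_name, self.config.config_id, nonce, ct, tag)
        self.sent.append(outer)
        return outer

    def connect(self, server: Server) -> str:
        """'accepted', 'retried' (accepted on the second try) or 'ech_required' (aborted)."""
        resp = server.handle(self._hello())
        if resp["ech_accepted"]:
            return "accepted"
        if not resp["retry_configs"]:
            return "ech_required"  # client aborts with the ech_required alert, never sends inner name in clear
        # A real client authenticates the public_name certificate before trusting retry_configs.
        self.config = resp["retry_configs"][0]
        resp = server.handle(self._hello())
        return "retried" if resp["ech_accepted"] else "ech_required"


def demo() -> dict:
    server = Server("public.example")
    stale = server.rotate(1)   # the config that DNS still advertises
    fresh = server.rotate(2)   # the server has since rotated to this one
    a, b = Client("secret-a.example", stale), Client("secret-b.example", fresh)
    results = {"stale": a.connect(server), "fresh": b.connect(server)}
    results["outer_sni"] = {h.server_name for h in a.sent + b.sent}  # all an observer sees
    disabled = Server("public.example")  # ECH switched off: no configs, so no retry_configs
    results["disabled"] = Client("secret-a.example", stale).connect(disabled)
    return results


if __name__ == "__main__":
    print(demo())
```

The stale-config client never reveals its inner name: both its hellos carry the same outer SNI as the fresh-config client's, and the mismatch is repaired with one retry. When the server offers no retry_configs at all, the client aborts rather than falling back to a plaintext SNI, which is the "downgrade" distinction the message raises.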