Re: [TLS] draft-rescorla-tls13-new-flows-01 - Thoughts post-meeting
Nikos Mavrogiannopoulos <nmav@redhat.com> Mon, 17 March 2014 08:01 UTC
On Sun, 2014-03-16 at 21:23 -0700, Watson Ladd wrote:
> Dear Mr. StJohns,
>
> Suppose you work at the Chinese Ministry of Truth, in the department
> of web truthmaking, domain forgetting division.
> Right now, if you want to ensure HTTP content is in conformance with
> the truth you simply scan for the Host header and check against a
> list.
> For HTTPS life could get nasty. But luckily we decided to put SNI
> information on the outside, so you can see if that connection needs to
> go down the memory hole.

I think this is a common misconception. SNI places the hostname in the
clear, but that was already available. It is present in plain in both the
DNS request and the certificate sent by the TLS server. SNI allowed the
server to properly select the correct certificate when multi-hosting, but
didn't really modify the existing privacy level.

What I believe is the actual privacy issue there is the cleartext
certificates (client and server) in TLS. After that issue is addressed,
only DNS will remain.

regards,
Nikos