Re: [TLS] Barry Leiba's No Objection on draft-ietf-tls-sni-encryption-05: (with COMMENT)

Christian Huitema <huitema@huitema.net> Thu, 05 September 2019 05:04 UTC

Return-Path: <huitema@huitema.net>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5D6B7120CAA for <tls@ietfa.amsl.com>; Wed, 4 Sep 2019 22:04:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cH2j-ptiiV4V for <tls@ietfa.amsl.com>; Wed, 4 Sep 2019 22:04:24 -0700 (PDT)
Received: from mx36-out10.antispamcloud.com (mx36-out10.antispamcloud.com [209.126.121.30]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB5D5120074 for <tls@ietf.org>; Wed, 4 Sep 2019 22:04:24 -0700 (PDT)
Received: from xse470.mail2web.com ([66.113.197.216] helo=xse.mail2web.com) by mx42.antispamcloud.com with esmtp (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1i5jwS-0005F9-3G for tls@ietf.org; Thu, 05 Sep 2019 07:04:22 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 46P7rw65sKz1fG4 for <tls@ietf.org>; Wed, 4 Sep 2019 22:04:16 -0700 (PDT)
Received: from [10.5.2.49] (helo=xmail11.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1i5jwO-00035x-OH for tls@ietf.org; Wed, 04 Sep 2019 22:04:16 -0700
Received: (qmail 24937 invoked from network); 5 Sep 2019 05:04:16 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.58.46.209]) (envelope-sender <huitema@huitema.net>) by xmail11.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 5 Sep 2019 05:04:16 -0000
To: Barry Leiba <barryleiba@computer.org>, The IESG <iesg@ietf.org>
Cc: draft-ietf-tls-sni-encryption@ietf.org, tls-chairs@ietf.org, tls@ietf.org
References: <156765486733.22748.1412979182718163650.idtracker@ietfa.amsl.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <c33d3844-6227-cc8e-ed96-91d99e4d68ff@huitema.net>
Date: Wed, 4 Sep 2019 22:04:15 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <156765486733.22748.1412979182718163650.idtracker@ietfa.amsl.com>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Content-Language: en-US
X-Originating-IP: 66.113.197.216
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.197.0/24
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.197.0/24@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: ham
X-Spampanel-Outgoing-Evidence: Combined (0.03)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0duM4P579sYYbdH8Mt+sPVWpSDasLI4SayDByyq9LIhVnnd6rkVCwLkN HaG59+GQ+UTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDoOWO0i/H75teRGzF9TgV+efH zJ6mVE7ewsipSVIfs4Zyu3Z8S+reKmDYtVWS0Y7CgyWFxOA5dILPypvKxNVhWQwOVcNrdpWfEYrY fLBY3+dpWSQSTvD93wt1mIlelTEYmdySlZou9qHIGOZDEEo7O2nS6C1mWTD2n8BB0gTSSfCrE2rb Hpkagd3yMuHMqQJIX+gRCHfMVnsAk591zk0uilUI+ZL4xWiN8NS6C+dmX6OEdA4u1aThyWrQ/ou2 +v/lmX4Em37yFgrCB6NHRn1g+f3uncIqYSL3lhh5c81YyJqFoLZMmkWsaurVZfvqROaDnDtHb8z5 dpPkEuJ8SnwqlUrBK2R/GBg9vCpMGFHw53FxnHnL50HZvyS1o3x98IkV0bm2vWdo8usP65i82q1C dZgGrpL44wdx9eXqjQjbvUopOMQJvQ/Ck3iiU+4DQAj3fuQgzT3K9JUHTNiGwfwAmzgaPWpTyLGL BEE5QIU8l3jXXkDPqoPgWPTmvnZFkrdyu4ziRrUDiXNDm2GhsHu56dwfO/MNtR+47RaoJn15nb4v UwPy3x0FYtCNEb10sHyQCLHEvD1OqP6bgZ4L66GcgBg66gs5OuzYxJgw5atIxeNDvjI/CYe5WPy0 +t1RP0azWPpeObIQIApsYTPV6gwXXJxMPnetLBJMh51NiRRoHICABFMyDM/a9kMLZvt1WBhZmiK7 x42VjdzChZMe6O/Did+/hGXTmfhE+Dx2/NyzMXqBKCJwJqU61H9iInyNpFijvOnCUbNPgcPcQwzM gKHyQxUo+ql2ySTkvEFH/23XMww2BnTTFGX5/yI4Ky+1ZJcbGqc5H4PEZHeoI/d6LWFf332z7LMw LGdoi9FMQ5j9dQUvMi1YKAun15JQSJLyCT5k+MTObVKxHy/dols381l9r9ft9daDonlwd6LnuX+J u10=
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aQi7qo3BTMPWxYTJSNWfi3xDXZ4>
Subject: Re: [TLS] Barry Leiba's No Objection on draft-ietf-tls-sni-encryption-05: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Sep 2019 05:04:27 -0000

Thanks, Barry. I will incorporate your fixes in the next version, due soon.

-- Christian Huitema

On 9/4/2019 8:41 PM, Barry Leiba via Datatracker wrote:
> Barry Leiba has entered the following ballot position for
> draft-ietf-tls-sni-encryption-05: No Objection
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/
>
>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Lovely document; thanks.  Just a collection of nits here:
>
> — Section 1 —
>
>    These attempts have generally floundered,
>
> I think the word you want here is “foundered”, without the “l”.
>
> — Section 2.1 —
>
>       which inspection would intrude with the privacy of employees.
>
> “Intrude on”.
>
> — Section 2.2 —
>
>    and protection of server certificates transmissions
>
> “certificate”
>
> — Section 2.3 —
>
>    Deploying SNI encryption will help thwarting most of the
>
> Will “help thwart” or “help in thwarting”; I think the former sounds better.
>
>    can however be realized by other means.
>
> Needs commas around “, however,” .
>
> — Section 3.1 —
>
>    these designs can be broken by a simple replay attack, which works as
>    follow:
>
> “as follows”
>
>    attacks breaks that goal
>
> “break”
>
> — Section 3.2 —
>
>    the multiplexed server, and by every users of the protected services.
>
> By “every user” or “all users”.
>
> — Section 3.4 —
>
>    of TLS handshakes use SNI encryption.  If that was the case, the
>
> “If that were the case,” subjunctive mood.
>
> — Section 3.5 —
>
>    If the corresponding private key was compromised,
>
> “is compromised,” or, better, “should be compromised,” subjunctive again.
>
> — Section 3.6 —
>
>    We can design solutions in which a fronting service act as a relay
>
> “acts”
>
>    Middle attack by the fronting service.  The downside is the the
>
> “that the”
>
>    client will not verify the identity of the fronting service with
>    risks discussed in , but solutions will have to mitigate this risks.
>
> You’re missing something here, a reference after “in”?  And “those risks.”
>
>    regular fronting server, using for example spoofed DNS responses
>
> Needs commas around “, for example,” .
>
> — Section 3.7 —
>
>    Multiple other applications currently use TLS, including for example
>    SMTP [RFC5246], DNS [RFC7858], or XMPP [RFC7590].
>
> Needs commas around “, for example,” .
> Also, “and”, rather than “or”.
>
>    These applications too will benefit of SNI encryption.
>
> Needs commas around “, too,” .  Or make it, “These applications will also benefit...”
>
>    HTTP only methods like those
>
> “HTTP-only” needs a hyphen.
>
>    to the need of an application-agnostic solution, that would be
>    implemented fully in the TLS layer.
>
> “need for”, and “which would”.
>
> — Section 3.7.1 —
>
>    specific port numbers exposed in some network.
>
> Should this be “networks”?
>
>    Applications would not need to do that if the ALPN was hidden
>
> “were hidden”
>
> — Section 3.7.2 —
>
>    Support other transports than TCP
>
> “Support Transports Other than TCP”
>
>    requirement to encrypt the SNI apply just as well
>
> “applies”
>
> — Section 4 —
>
>    when the fronting server and the hidden server are "co-tenant" of the
>
> “co-tenants”
>
>    There are however a few issues regarding discovery
>
> Needs commas around “, however,” .
>
>    o  The client browser's has to be directed to access
>
> The “client’s browser”.
>
>       cryptographic proof that the content does in fact come from
>
> Needs commas around “, in fact,” .
>
>       The solution does thus not mitigate
>
> Needs commas around “, thus,” .
>
>    support HTTP Fronting
>
> “supports”
>
>    applications over HTTP, such as for example DNS over HTTPS
>
> Needs commas around “, for example,” .
>
> — Section 4.1 —
>
>    It also requires that the fronting server decrypts and relay
>    messages to the hidden server.
>
> “decrypt”, more subjunctive.
>
> — Section 4.2 —
>
>    be performed by distributing fake advice, such as "to reach example
>    hidden.example.com, use fake.example.com as a fronting server",
>
> There’s an extra “example” on the first line.
>
>    We can observe that content distribution network have a similar
>
> “networks”
>
> — Section 5 —
>
>    The current HTTP based
>
> “HTTP-based” needs a hyphen.
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls