Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption

David Benjamin <davidben@chromium.org> Mon, 19 July 2021 16:35 UTC

References: <0ad354da-5300-4b48-8925-f7ab18cdf235@www.fastmail.com> <5D834B58-7A0C-4701-96EB-31663BC0C2DE@akamai.com> <2c7c53a8-cf47-f51d-f97b-f6cd5a712024@cs.tcd.ie> <CAErg=HE92wz3-aLDSfNWk_qJA35+V-euUvtW07HKA=B7CVB3iA@mail.gmail.com> <CAF8qwaDKScDihLVHTahVGqwZjU3U1OXwpsygR=SXMt_3rEOZpA@mail.gmail.com> <80e47f63-725f-ad39-5add-161e6e299fba@cs.tcd.ie>
In-Reply-To: <80e47f63-725f-ad39-5add-161e6e299fba@cs.tcd.ie>
From: David Benjamin <davidben@chromium.org>
Date: Mon, 19 Jul 2021 12:35:17 -0400
Message-ID: <CAF8qwaDzH30--4UE_hA3RHMfcw9V2Z4Hmx-vuQ6AJy3e6BiO3Q@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Ryan Sleevi <ryan-ietftls@sleevi.com>, "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/aTSr197lXNxuBJaYnlydT95APrA>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption

On Mon, Jul 19, 2021 at 12:27 PM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
> Hiya,
>
> On 19/07/2021 17:17, David Benjamin wrote:
> > I'll add that, in the context of cross-domain tracking on the web, this
> > draft is a red herring. Remember that web pages have subresources. That
> > means looking at the destination domain isn't useful because two different
> > pages can embed a common destination domain. So the same concerns exist
> > with RFC8446 (TLS resumption), RFC7540 (connection-reuse, same- and
> > cross-domain), and RFC7230 (connection reuse). That's why we need a
> > holistic answer like network partition keys from [FETCH], that apply to
> > *all* network state. That answer applies equally to plain resumption and
> > this draft.
>
> That's true but isn't that also the old "adding this
> one new way to track doesn't make it worse because it's
> already horrible"?
>
> My preference is to not add new mechanisms that can
> enable cross-domain tracking as this one does.
>

No, that's not what I'm saying at all. Read the last sentence again.

We need to *both* not add new tracking vectors *and* mitigate the existing
ones. Doing either one on its own is not useful. That means if the existing
mitigation for the existing vector applies just as well to this new
feature, we have not added a new vector. Indeed it applies so well that we
were able to add the same text to both this draft and rfc8446bis.

David
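To make the argument in the message concrete, here is an added toy model (not code from the draft, from David Benjamin, or from any TLS stack) of a client session cache that is partitioned by a network partition key, so the same partition check gates both plain RFC 8446 resumption and cross-SNI resumption. The hostnames, the ticket fields and the wildcard-matching helper are constructed assumptions for the illustration.

```python
from dataclasses import dataclass

# Constructed model: every cached ticket is keyed by the network partition
# key (top-level site, as in Fetch) as well as the server that issued it.
# Cross-partition lookups always miss, whether or not cross-SNI is allowed.

@dataclass
class Ticket:
    issuer: str        # SNI in use when the ticket was issued
    san: tuple         # DNS names covered by the issuing server's certificate
    cross_sni: bool    # server signalled that other covered names may resume

def san_matches(host: str, pattern: str) -> bool:
    """Exact or single-label wildcard match ('*.example' covers 'a.example' only)."""
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return host == pattern

class SessionCache:
    def __init__(self):
        self._entries = {}   # (partition_key, issuer) -> [Ticket]

    def store(self, partition_key: str, ticket: Ticket) -> None:
        self._entries.setdefault((partition_key, ticket.issuer), []).append(ticket)

    def lookup(self, partition_key: str, host: str):
        """Return a ticket usable for `host` within this partition, else None."""
        for (pk, issuer), tickets in self._entries.items():
            if pk != partition_key:
                continue          # network state never crosses partitions
            for t in tickets:
                if issuer == host:
                    return t      # ordinary same-name resumption
                if t.cross_sni and any(san_matches(host, s) for s in t.san):
                    return t      # cross-SNI resumption, same partition only
        return None

def demo() -> dict:
    """Constructed scenario: a ticket from cdn.example obtained under site a.example."""
    cache = SessionCache()
    cache.store("a.example", Ticket("cdn.example", ("cdn.example", "*.example"), True))
    return {
        "same_partition_same_host": cache.lookup("a.example", "cdn.example") is not None,
        "same_partition_cross_sni": cache.lookup("a.example", "img.example") is not None,
        "other_partition_same_host": cache.lookup("b.example", "cdn.example") is not None,
        "other_partition_cross_sni": cache.lookup("b.example", "img.example") is not None,
        "uncovered_host": cache.lookup("a.example", "other.test") is not None,
    }
```

The two "other_partition" results miss for the same reason, which is the point of the message: the partition key, not the SNI, is what separates the two top-level sites.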