[TLS] Converging on ECH public name semantics

Christopher Wood <caw@heapingbits.net> Mon, 07 June 2021 17:40 UTC

Message-Id: <42c5149f-5cea-4eab-90aa-09266bf2e631@www.fastmail.com>
To: "TLS@ietf.org" <TLS@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/bL5Jf2w58vNGn-28XAKA1LQkCzQ>

Hi folks,

After substantial deliberation on the public name and reference identity topic, I think we're zeroing in on two possible changes that effectively prohibit use of IPv4 addresses in ECHConfig.public_name. Here's a quick summary of the proposals:

- https://github.com/tlswg/draft-ietf-tls-esni/pull/436: Encourage TLS to check and filter ECHConfigs based on whether ECHConfig.public_name is an IPv4 address, and defer validation and use of ECHConfig.public_name to the application.
- https://github.com/tlswg/draft-ietf-tls-esni/pull/447: Punt ECHConfig.public_name IPv4 address filtering to the application.

It would be helpful if folks weighed in on which option they prefer, taking into account changes asked of the TLS stack, its effect on the application and client-facing server connections, and future spec changes.

Thanks,
Chris
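The first proposal asks the TLS stack to drop ECHConfig entries whose public_name is an IPv4 address before the application ever sees them. The following is an added illustration of what such a client-side filter can look like; it is not code from the draft, from either pull request, or from the author of this message. The acceptance rules (dot-separated LDH labels, and a conservative "last label is numeric" test for IPv4 literals that also catches inet_aton-style forms such as `127.1` or `0x7f.0.0.1`) are my own assumptions about a reasonable check, not the draft's normative text, and the dict-shaped ECHConfig records are constructed sample data rather than the wire format.

```python
"""Client-side filter for ECHConfig.public_name (added example, not draft code).

Assumptions: a public_name is acceptable if it is a dot-separated sequence of
LDH labels and is not an IPv4 literal under the heuristic below.
"""

import re

# One LDH (letters, digits, hyphen) label: 1-63 chars, no leading/trailing
# hyphen. This regex is the example's own assumption about the label syntax.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _is_numeric_label(label: str) -> bool:
    """True if classic inet_aton-style parsers would read the label as a number:
    plain decimal (covers leading-zero octal too) or 0x-prefixed hex.
    Rejecting these keeps "127.1" and "0x7f.1" from passing a dotted-quad-only
    check (assumption about permissive resolver behaviour)."""
    if not label:
        return False
    if label.isdigit():
        return True
    if len(label) > 2 and label[:2].lower() == "0x":
        return all(c in "0123456789abcdefABCDEF" for c in label[2:])
    return False


def looks_like_ipv4(name: str) -> bool:
    """Conservative IPv4-literal test: the name is treated as an IPv4 address
    when its final label is numeric (the "ends in a number" idea, used here as
    an assumption). This is stricter than a dotted-quad parse on purpose."""
    labels = name.rstrip(".").split(".")
    if any(label == "" for label in labels):
        return False
    return _is_numeric_label(labels[-1])


def is_acceptable_public_name(name: str) -> bool:
    """Return True if public_name is well-formed LDH and not an IPv4 literal."""
    if not name or len(name) > 253:
        return False
    labels = name.rstrip(".").split(".")
    if not all(_LDH_LABEL.match(label) for label in labels):
        return False
    return not looks_like_ipv4(name)


def filter_ech_configs(configs):
    """Drop configs whose public_name fails the check. Each config is modelled
    as a dict with a 'public_name' key (constructed shape, not the wire format).
    Returns the surviving configs in their original order."""
    return [c for c in configs if is_acceptable_public_name(c["public_name"])]


# Constructed sample ECHConfig list: one usable entry and two IPv4-shaped names.
SAMPLE_CONFIGS = [
    {"public_name": "public.example.com", "config_id": 1},
    {"public_name": "192.0.2.1", "config_id": 2},
    {"public_name": "host.0x7f", "config_id": 3},
]


if __name__ == "__main__":
    for cfg in SAMPLE_CONFIGS:
        print(cfg["public_name"], "->", is_acceptable_public_name(cfg["public_name"]))
    print("kept:", [c["config_id"] for c in filter_ech_configs(SAMPLE_CONFIGS)])
```

The filter runs before any ECHConfig is selected, so the application never has to reason about an IPv4-literal public_name when it builds the reference identity for the client-facing server; the cost, as the message notes, is that the TLS stack now carries a name-syntax rule it did not have before.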