[TLS] Opsdir ietf last call review of draft-ietf-tls-svcb-ech-07
Linda Dunbar via Datatracker <noreply@ietf.org> Wed, 09 April 2025 19:58 UTC
From: Linda Dunbar via Datatracker <noreply@ietf.org>
To: ops-dir@ietf.org
CC: draft-ietf-tls-svcb-ech.all@ietf.org, last-call@ietf.org, tls@ietf.org
Reply-To: Linda Dunbar <linda.dunbar@futurewei.com>
Date: Wed, 09 Apr 2025 12:58:50 -0700
Subject: [TLS] Opsdir ietf last call review of draft-ietf-tls-svcb-ech-07
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/euwbm2HPcSBOrSAyok_b-4YVBTw>
Document: draft-ietf-tls-svcb-ech
Title: Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings
Reviewer: Linda Dunbar
Review result: Not Ready

I have reviewed this document as part of the Ops area directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Ops area directors. Document editors and WG chairs should treat these comments just like any other last-call comments.

The draft introduces valuable privacy enhancements but also raises several deployment challenges. Mixed SVCB RRSets with and without the “ech” parameter are vulnerable to downgrade attacks, yet may occur in multi-provider environments or during staged rollouts. Clear operational guidance is needed to mitigate these risks, such as prioritizing ECH-capable endpoints using SvcPriority.

Deployments involving CDNs or multi-CDN setups add complexity around coordination of ECH keys and consistent DNS records, and would benefit from best practice recommendations.

Additionally, diagnosing ECH failures can be difficult due to the lack of fallback and visibility. The draft should recommend logging and monitoring strategies to help operators detect misconfigurations. Key rotation, TTL management, and rollback procedures are also important but not addressed.

The draft should add an “Operational Considerations” section summarizing these aspects to improve deployability and manageability.

Best Regards,
Linda Dunbar
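The review's two concrete operational points, that an HTTPS/SVCB RRSet mixing endpoints with and without the "ech" SvcParam exposes clients to a downgrade to a plaintext ClientHello, and that ECH-capable endpoints should be preferred via SvcPriority, can be turned into a pre-publication zone check. The following is an added example written for this page; it is not code from the review, the draft, or any DNS vendor. It assumes records in ordinary zone presentation format, treats SvcPriority 0 (AliasMode) as carrying no SvcParams, and uses constructed sample records whose `ech=` values are placeholders rather than real ECHConfigLists.

```python
"""Lint HTTPS/SVCB RRSets for ECH downgrade exposure (added example, not from the draft)."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class SvcbRecord:
    owner: str
    priority: int          # SvcPriority: 0 = AliasMode, >= 1 = ServiceMode (lower is preferred)
    target: str            # TargetName ("." means the owner name itself)
    params: dict = field(default_factory=dict)

    @property
    def has_ech(self) -> bool:
        return "ech" in self.params


def parse_svcb(line: str) -> SvcbRecord:
    """Parse one record of the shape:
    <owner> [<ttl>] [IN] HTTPS|SVCB <SvcPriority> <TargetName> [key=value ...]
    """
    tokens = line.split()
    try:
        type_idx = next(i for i, t in enumerate(tokens) if t.upper() in ("HTTPS", "SVCB"))
    except StopIteration:
        raise ValueError(f"not an HTTPS/SVCB record: {line!r}")
    owner = tokens[0]
    priority = int(tokens[type_idx + 1])
    target = tokens[type_idx + 2]
    params = {}
    for tok in tokens[type_idx + 3:]:
        key, _, value = tok.partition("=")   # e.g. ech=<base64>, alpn="h2,h3"
        params[key.lower()] = value.strip('"')
    return SvcbRecord(owner, priority, target, params)


def lint_rrset(records):
    """Return a list of findings for the RRSet of one owner name."""
    findings = []
    service = [r for r in records if r.priority > 0]    # ignore AliasMode records
    with_ech = [r for r in service if r.has_ech]
    without_ech = [r for r in service if not r.has_ech]
    if with_ech and without_ech:
        findings.append(
            "mixed: ServiceMode records both with and without ech; a client that "
            "selects a non-ECH endpoint sends the server name in the clear")
        best_ech = min(r.priority for r in with_ech)
        # Downgrade is worse when a non-ECH endpoint is at least as preferred as the best ECH one.
        for r in without_ech:
            if r.priority <= best_ech:
                findings.append(
                    f"priority: non-ECH target {r.target} at SvcPriority {r.priority} is "
                    f"preferred over or tied with the best ECH target (SvcPriority {best_ech})")
    return findings


def lint_zone(lines):
    """Group records by owner name and lint each RRSet; returns {owner: [findings]}."""
    by_owner = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):          # skip blanks and zone-file comments
            continue
        rec = parse_svcb(line)
        by_owner[rec.owner].append(rec)
    return {owner: lint_rrset(recs) for owner, recs in by_owner.items()}


# Constructed sample zone fragment; ech values are placeholders, not real ECHConfigLists.
SAMPLE_ZONE = """
; staged rollout: one provider publishes ech, the other does not, same priority
mixed.example.   3600 IN HTTPS 1 cdn-a.example. alpn=h2 ech=AAAAPLACEHOLDER
mixed.example.   3600 IN HTTPS 1 cdn-b.example. alpn=h2
; same rollout, but the ECH-capable endpoint is strictly preferred
staged.example.  3600 IN HTTPS 1 cdn-a.example. alpn=h2 ech=AAAAPLACEHOLDER
staged.example.  3600 IN HTTPS 2 cdn-b.example. alpn=h2
; clean: every ServiceMode record carries ech
clean.example.   3600 IN HTTPS 1 cdn-a.example. alpn=h2 ech=AAAAPLACEHOLDER
clean.example.   3600 IN HTTPS 2 cdn-b.example. alpn=h2 ech=AAAAPLACEHOLDER
"""

if __name__ == "__main__":
    for owner, findings in lint_zone(SAMPLE_ZONE.splitlines()).items():
        print(owner, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The "mixed" finding is the one the review calls out: during a staged rollout the check fails closed on any RRSet that is not uniformly ECH-capable, and the "priority" finding separates the tolerable case (ECH endpoint strictly preferred) from the one where an equally or more preferred non-ECH endpoint makes the plaintext path the likely outcome.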