Re: [TLS] publishing ESNIKeys under a .well-known URI...

Hans-Christoph Steiner <hans@guardianproject.info> Fri, 22 November 2019 11:11 UTC

To: Daniel Kahn Gillmor <dkg@fifthhorseman.net>, Stephen Farrell <stephen.farrell@cs.tcd.ie>, Christian Huitema <huitema@huitema.net>
Cc: "tls@ietf.org" <tls@ietf.org>
Organization: Guardian Project
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/fgvDgbBPIM4BJecU6V1nIXfGViU>


Daniel Kahn Gillmor:
> On Fri 2019-11-22 05:13:13 +0000, Stephen Farrell wrote:
>> I'm not sure if this draft ought to specify behaviour for
>> such clients, but I can try to add text describing the various
>> cases I guess. (If that text were to stay in, then I'd
>> guess that it'll make this document too long to include
>> in the base ESNI/ECHO draft thus taking that option off
>> the table maybe.)
> 
> The other option would be to make non-"zone factory" clients explicitly
> out of scope, and spend a couple sentences describing why.  And then
> note how if you're going to play these games as a non-"zone factory"
> client you really need to think it through a lot more than this draft
> does.

That seems reasonable to me, since this is obviously useful in the zone
factory use case, while other strong use cases haven't really arisen
yet, from what I've seen.  Such a use case could come along though.


> At the same time, for $COVER to publish this information potentially
> puts $COVER at more risk, right?

I think it is also important to note that for the obvious use case, I
don't think this adds risk to $COVER.  If $COVER is megacdn.com where
$HIDDEN is hosted, then megacdn.com assumes no new risk since it is
already clear that megacdn.com is hosting $HIDDEN.

.hc

-- 
PGP fingerprint: EE66 20C7 136B 0D2C 456C  0A4D E9E2 8DEA 00AA 5556
https://pgp.mit.edu/pks/lookup?op=vindex&search=0xE9E28DEA00AA5556