Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)

Rob Sayre <sayrer@gmail.com> Wed, 09 October 2019 11:55 UTC

Return-Path: <sayrer@gmail.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 801331200B7 for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 04:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 143kG4aKE0Si for <tls@ietfa.amsl.com>; Wed, 9 Oct 2019 04:55:22 -0700 (PDT)
Received: from mail-io1-xd2b.google.com (mail-io1-xd2b.google.com [IPv6:2607:f8b0:4864:20::d2b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 689F912008B for <tls@ietf.org>; Wed, 9 Oct 2019 04:55:22 -0700 (PDT)
Received: by mail-io1-xd2b.google.com with SMTP id b136so4323842iof.3 for <tls@ietf.org>; Wed, 09 Oct 2019 04:55:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Zo+yQl0/r+PE1xf2/4V5BTXVaX+NH5LYrtkYIm2PXNs=; b=GJuHSTRK3OY98C+KcjWMMxpudwG4wMTvvUVMSLHiCU+Sedf4QV+atrxHYILZEGXlnH UiB4VJzI6n2qtVy+Qhfcrpwot2szwKXs1ZKgm5zyqOr3oD2m9LP2GYhfQIWb9j6X9Xtg ejv84Omuj7n8Bn5W9NF/tWqZGEtaGlk2bUic3qslUYFdVTbYXcSqJpSpqVSqaNWxMRWJ y+r8DWkG4OqtZ/Q2Ln1mDcncKTaHONAEp69/Ho9N+2muVSSRSbLOu+0YZvCkqaLecpLy RWC9YQm0z16eoocvvvi175ulw6yIghWPatl64nEkaXCmhVpyEoCYHnapJlWQBCxRthZ/ 6Cog==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Zo+yQl0/r+PE1xf2/4V5BTXVaX+NH5LYrtkYIm2PXNs=; b=Il2r8qCFM/ilYWoGfw45BgsrlHQvqbuNTgz3usdtIXYgIW7I8RwWD5kd+Itr7/JSb7 7MsOWKAkalnMVK/caIFYJ55Jd1u3iJ/G6EIY07+q6VMSScAvtA7oR6oYSaLxVpchWkz7 +JZHvLpeZ8LXwDVzPpzKdHnIL9V+WL+6paG3L/3ErqNrJUXOjNrop5iuih3zwjQzCnRl SO/5dLzmhwAzdFqjdP5rXfW180vcPodAQ+YTbVPcavOl6FruRLsUrnCdFYLnLvkXmPze nG1SoBhjZ5+clxptPvDtddLiG7ALSdZ3V78Mv0RYomUKdRa/5bTi7TuAvVP913Ed61tE KKJw==
X-Gm-Message-State: APjAAAWztbkvjK/4AkDi3h6T3/ZzYulz+3oJkWxyt3mgCeV71PQJdbmW egeIc6ObMSCNhAz/0l9FlQk1fpEPyM2Q31tV6gU=
X-Google-Smtp-Source: APXvYqwlU4UZTRZRqnG8eJgSbrGqNtpWCCr0qVpi6hBY539C6xCYCPeFIsOyKWT7lYz/FeDptix+NdheRQ6qMv1Esuo=
X-Received: by 2002:a6b:b807:: with SMTP id i7mr2921314iof.254.1570622121515; Wed, 09 Oct 2019 04:55:21 -0700 (PDT)
MIME-Version: 1.0
References: <157048178892.4743.5417505225884589066@ietfa.amsl.com> <CAChr6Sy9=GbUO19X0vc0Dz7c565iPAj=uWVujLV5P3_QL5_srw@mail.gmail.com> <28C7A74D-5F9D-4E1A-A2D2-155417DA51C0@akamai.com> <CAChr6Szay7j=czCaYhKGp9bHHmZiArU440hSnvNqNaL+hX2wKA@mail.gmail.com> <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com>
In-Reply-To: <F932C81B-95E9-4044-B975-9AFCD09CF7FA@akamai.com>
From: Rob Sayre <sayrer@gmail.com>
Date: Wed, 9 Oct 2019 18:55:10 +0700
Message-ID: <CAChr6Sy=+qt=KYKfXEkWhBBev88-XEcB4tOZLz9cBf76wsUo2g@mail.gmail.com>
To: "Salz, Rich" <rsalz@akamai.com>
Cc: "TLS@ietf.org" <tls@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000a11e6b059478f501"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/gcGYPkdsUen6uxF9zO5gmYapnag>
Subject: Re: [TLS] SNI from CDN to Origin (was I-D Action: draft-ietf-tls-sni-encryption-08.txt)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Oct 2019 11:55:25 -0000

On Wed, Oct 9, 2019 at 6:51 PM Salz, Rich <rsalz@akamai.com>; wrote:

>
>    - A link from CDN to Origin is just a particularly easy-to-deploy use
>    case, since client certificates are already in wide use and IPv6 tends to
>    work flawlessly.
>
>
>
> It does?  Gee, cool.
>

This response sounds like anger. I'm sorry I've caused you to feel angry.

It might be best to discuss technical concerns. Do you think an SNI field
sent with a client certificate is a bad idea? I'm not a cryptographer, so I
thought I would suggest the approach and see what people thought.

thanks,
Rob