[TLS]Re: HTTPS-RR and TLS

Stephen Farrell <stephen.farrell@cs.tcd.ie> Tue, 21 May 2024 00:27 UTC

Message-ID: <048ec036-9c73-40f0-8c5b-6c5288e65da1@cs.tcd.ie>
Date: Tue, 21 May 2024 01:27:29 +0100
To: David Benjamin <davidben@chromium.org>, Watson Ladd <watsonbladd@gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
In-Reply-To: <CAF8qwaAQG9y0Ri8LcwbQushNL4T_XDkawdqo9PNL3xxxFw2Ghg@mail.gmail.com>
CC: tls@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/hnCunda8e5TZcAEVIccAU2THKYo>

Hiya,

On 09/05/2024 00:01, David Benjamin wrote:
> Actually, I think one thing that could help is one of your drafts! One
> barrier with trying to use HTTPS RR for TLS problems is keeping the DNS and
> TLS sides in sync on the server deployment. Prior to ECH, this hasn't been
> done before, so I wouldn't expect any deployments to have a robust path
> from their TLS configuration to their DNS records.
>
> draft-ietf-tls-wkech seems like a good model for this, but it is
> currently written specifically for ECH. What are your thoughts on
> generalizing that document to cover other cases as well?
> https://github.com/sftcd/wkesni/issues/14

Thanks for making that GH issue. I'm fine with discussing
details there, and have no problem if the draft is more useful
if it's more generic, but have a question for the broader group
that may be better asked here:

What HTTPS RR parameters do we expect will see regular changes,
and controlled by whom?

It seems fairly clear that ECHConfig values will be changed
often, e.g. hourly, which I think motivates the wkech thing,
but I'm unclear how often other bits of HTTPS RRs might
change and who may be in charge of those in real deployments.

My mental picture is something like:

what                   changes how often   controlled by whom
ech                    maybe hourly        client-facing server admin
alpn                   rarely              client-facing server admin
tls-supported-groups   rarely              client-facing server admin
ipXhints               unpredictable       DNS admin?

Does that look kinda right? Are there other things to
consider now?

Ta,
S.
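The sync problem David raises and the "controlled by whom" split in Stephen's table can be made concrete with a small checker. The following is an added example, not code from the thread, draft-ietf-tls-wkech, or either author: it encodes and decodes HTTPS RR rdata in the RFC 9460 wire format (SvcPriority, TargetName, SvcParams with keys in strictly increasing order), then compares the record a zone publishes against what the server's TLS stack currently offers, but only for the keys the TLS-side admin owns (ech, alpn, tls-supported-groups), leaving ipv4hint/ipv6hint to the DNS admin. The ECHConfigList bytes, addresses and names are constructed placeholders; the SvcParamKey number 9 for tls-supported-groups is my reading of the IANA SvcParamKeys registry and should be verified against it.

```python
"""Encode/decode HTTPS RR rdata (RFC 9460) and detect DNS/TLS drift.

Constructed example: names, hints and ECHConfigList bytes are made up.
"""
import ipaddress
import struct

# SvcParamKey numbers from the IANA SvcParamKeys registry.
ALPN, NO_DEFAULT_ALPN, PORT, IPV4HINT, ECH, IPV6HINT = 1, 2, 3, 4, 5, 6
TLS_SUPPORTED_GROUPS = 9  # assumed registry value; verify before relying on it

# Keys the client-facing TLS server admin is authoritative for (per the
# table in the mail); ipXhints are left to the DNS admin.
TLS_OWNED_KEYS = (ALPN, ECH, TLS_SUPPORTED_GROUPS)


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format domain name; '.' is a single zero octet."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            lab = label.encode("ascii")
            out += bytes([len(lab)]) + lab
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    labels = []
    while True:
        ln = buf[off]
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return (".".join(labels) + "." if labels else "."), off


def encode_params(params: dict) -> bytes:
    """SvcParams: key(2) length(2) value, keys in strictly increasing order."""
    out = b""
    for key in sorted(params):
        val = params[key]
        if key == ALPN:                      # 1-octet length-prefixed ALPN ids
            v = b"".join(bytes([len(p)]) + p.encode("ascii") for p in val)
        elif key == NO_DEFAULT_ALPN:
            v = b""
        elif key == PORT:
            v = struct.pack("!H", val)
        elif key == IPV4HINT:
            v = b"".join(ipaddress.IPv4Address(a).packed for a in val)
        elif key == IPV6HINT:
            v = b"".join(ipaddress.IPv6Address(a).packed for a in val)
        elif key == ECH:                     # raw ECHConfigList octets
            v = bytes(val)
        elif key == TLS_SUPPORTED_GROUPS:    # list of 2-octet NamedGroup ids
            v = b"".join(struct.pack("!H", g) for g in val)
        else:
            raise ValueError(f"unsupported SvcParamKey {key}")
        out += struct.pack("!HH", key, len(v)) + v
    return out


def decode_params(buf: bytes) -> dict:
    params, off, last = {}, 0, -1
    while off < len(buf):
        key, ln = struct.unpack_from("!HH", buf, off)
        off += 4
        if key <= last:                      # RFC 9460: duplicates/out-of-order are malformed
            raise ValueError("SvcParamKeys not strictly increasing")
        last = key
        v = buf[off:off + ln]
        if len(v) != ln:
            raise ValueError("truncated SvcParamValue")
        off += ln
        if key == ALPN:
            ids, i = [], 0
            while i < len(v):
                n = v[i]
                ids.append(v[i + 1:i + 1 + n].decode("ascii"))
                i += 1 + n
            params[key] = ids
        elif key == NO_DEFAULT_ALPN:
            params[key] = True
        elif key == PORT:
            params[key] = struct.unpack("!H", v)[0]
        elif key == IPV4HINT:
            params[key] = [str(ipaddress.IPv4Address(v[i:i + 4])) for i in range(0, len(v), 4)]
        elif key == IPV6HINT:
            params[key] = [str(ipaddress.IPv6Address(v[i:i + 16])) for i in range(0, len(v), 16)]
        elif key == TLS_SUPPORTED_GROUPS:
            params[key] = list(struct.unpack("!%dH" % (len(v) // 2), v))
        else:
            params[key] = v                  # ech and unknown keys kept as raw bytes
    return params


def encode_https_rdata(priority: int, target: str, params: dict) -> bytes:
    return struct.pack("!H", priority) + encode_name(target) + encode_params(params)


def decode_https_rdata(rdata: bytes):
    priority = struct.unpack_from("!H", rdata, 0)[0]
    target, off = decode_name(rdata, 2)
    return priority, target, decode_params(rdata[off:])


def drift(tls_side: dict, dns_params: dict, owned_keys=TLS_OWNED_KEYS) -> dict:
    """Owned keys whose published DNS value differs from what TLS actually serves."""
    return {k: (tls_side.get(k), dns_params.get(k))
            for k in owned_keys if tls_side.get(k) != dns_params.get(k)}


# Constructed placeholders standing in for real ECHConfigList values.
OLD_ECH = b"\xfe\x0d-constructed-old-echconfiglist"
NEW_ECH = b"\xfe\x0d-constructed-new-echconfiglist"


def demo() -> dict:
    # What the server's TLS stack offers right now (ECH key just rotated).
    tls_side = {ALPN: ["h2", "http/1.1"], ECH: NEW_ECH,
                TLS_SUPPORTED_GROUPS: [0x001d, 0x0017]}
    # What the zone still publishes: stale ECH, plus a DNS-admin-owned hint.
    rdata = encode_https_rdata(1, ".", {ALPN: ["h2", "http/1.1"], ECH: OLD_ECH,
                                        IPV4HINT: ["192.0.2.1"],
                                        TLS_SUPPORTED_GROUPS: [0x001d, 0x0017]})
    _, _, dns_params = decode_https_rdata(rdata)
    return drift(tls_side, dns_params)   # only the ech mismatch is reported


if __name__ == "__main__":
    print(demo())
```

Run as a periodic job on the TLS side (the zone-factory role in wkech terms), the non-empty result is the signal to republish; because ipv4hint is not in TLS_OWNED_KEYS, a DNS admin changing hints does not trip the check.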