Re: [TLS] Tonight's Encrypted SNI Hangout Session

Tom Ritter <tom@ritter.vg> Mon, 13 November 2017 16:00 UTC

In-Reply-To: <CAPCpN4t4m9M6u=E29u=TQnBScjRTfA91K9pdyPG3nvyi+GHC3w@mail.gmail.com>
References: <CAPCpN4t4m9M6u=E29u=TQnBScjRTfA91K9pdyPG3nvyi+GHC3w@mail.gmail.com>
From: Tom Ritter <tom@ritter.vg>
Date: Mon, 13 Nov 2017 10:00:23 -0600
Message-ID: <CA+cU71nf1qpCNkRzUgm3Xh_Y9P4zTFD3sD2wp6xPutdLPZzB9A@mail.gmail.com>
To: Bret Jordan <jordan.ietf@gmail.com>
Cc: "tls@ietf.org" <tls@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/jCVKk4KCZirs7cqxl-ElUKlbTDI>
Subject: Re: [TLS] Tonight's Encrypted SNI Hangout Session

On 13 November 2017 at 07:28, Bret Jordan <jordan.ietf@gmail.com> wrote:
> All,
>
> We had a great turnout tonight for the encrypted SNI hangout session.
> Everyone seemed open and willing to work together to understand the
> complexities that sit before us. Several interesting and important views
> were expressed, and I feel that the meeting was ultimately a success. In
> fact, I believe we should do more hangout sessions like this.
>
> Takeaways from the meeting:
> 1) We are starting to understand the problem that we are trying to solve
>
> 2) We need to ensure that any potential solution will in fact solve the
> problems as we understand them and not make the problem worse
>
> 3) We need to compile a list of use cases and scenarios in a draft document
> that talks about how the SNI (for good or for bad) is being used today and
> what an encrypted SNI will mean for these use cases.
>
> 4) We need to make sure we get feedback and information from at least the
> telco sector, large enterprise, financial sector, and the health care
> sector.
>
>
> I believe this information will help us better understand both sides of the
> issue, shed light into what it will mean, help us define the "why" we are
> doing this, and ultimately feed and foster a better technological solution.
> If you have or know of scenarios or use-cases where the SNI is being used by
> network operators, system administrators, security engineers, products, etc.,
> please send them to me so I can start compiling them into a draft document.

Are you also interested in collecting reports of where SNI is used to
censor? Or the list of network vendors that support filtering and
manipulating traffic based on the value?

In general, the bad uses of SNI are harder to enumerate because people
aren't willing to come to the WG and explain how they use SNI to
selectively break or censor the internet for their citizens/users. We
have a few confirmed cases, anecdotal evidence, and lots of evidence
of censors being technically applied by whatever means is available.

But when you pile up all the administrators who will come to the WG
and say "This really frustrates me and makes my job harder" you're
going to have a much bigger pile than the users (or even technical
advocates like myself) we can bring in and say "Plaintext SNI is
harming the Internet".

> Side question, it feels like this effort could represent a lot of work and
> require a lot of dedicated cycles. Does it make sense to continue this
> effort inside of the TLS WG?  If it does, will the WG give us the time,
> mindshare, and cycles to focus on it (just asking the hard question)?

In August we adopted the draft, so the answer is "Yes".

-tom
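The thread turns on one technical fact: the server_name extension (RFC 6066) travels in the ClientHello, before any key has been negotiated, so every on-path observer, benign monitoring and filtering middleboxes alike, can read the hostname from the first packet of the connection. The following is an added illustration, not code from this thread or from any IETF draft: it constructs a minimal ClientHello record carrying an SNI extension (sample bytes, not a negotiable handshake) and then parses it the way a passive network monitor would, using only the public RFC 5246/6066 layouts. The function and variable names are the author's own.

```python
import struct
from typing import Iterable, List, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample: a TLS handshake record wrapping a minimal ClientHello.

    If server_name is given, a server_name extension (type 0x0000) is appended;
    otherwise the message carries no extensions block at all. Random bytes and
    the cipher suite list are fixed placeholders, so this is for parsing
    demonstrations only.
    """
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x11" * 32          # random (constructed, fixed bytes)
        + b"\x00"               # session_id: empty
        + b"\x00\x02\x13\x01"   # cipher_suites: one suite, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"           # compression_methods: null only
    )
    if server_name is not None:
        host = server_name.encode("ascii")
        # ServerName: name_type (0 = host_name), 2-byte length, the name itself
        sn_entry = b"\x00" + struct.pack("!H", len(host)) + host
        sn_list = struct.pack("!H", len(sn_entry)) + sn_entry
        ext = struct.pack("!HH", 0x0000, len(sn_list)) + sn_list
        body += struct.pack("!H", len(ext)) + ext
    # Handshake header: msg_type 1 (client_hello) + 3-byte length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content_type 22 (handshake), legacy version 3.1, 2-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello's server_name extension, or None.

    Everything read here is plaintext on the wire; no key material is needed.
    Malformed or truncated input yields None rather than an exception, which is
    the behaviour a monitor wants on untrusted bytes.
    """
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None                                   # not a handshake record
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:
            return None                                   # not a ClientHello
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                                      # skip version + random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # no extensions present
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != 0x0000:
                continue
            p = 2                                         # skip ServerNameList length
            while p + 3 <= len(edata):
                name_type = edata[p]
                nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
                if name_type == 0:
                    return edata[p + 3:p + 3 + nlen].decode("ascii", errors="replace")
                p += 3 + nlen
        return None
    except (IndexError, struct.error):
        return None


def observed_hostnames(records: Iterable[bytes]) -> List[str]:
    """What a passive observer of these records could log without any keys."""
    return [h for h in (extract_sni(r) for r in records) if h is not None]


if __name__ == "__main__":
    # Constructed traffic sample: two ClientHellos with SNI, one without,
    # and one application_data record that a monitor should ignore.
    sample = [
        build_client_hello("example.com"),
        build_client_hello("mail.example.net"),
        build_client_hello(None),
        b"\x17\x03\x03\x00\x01\x00",
    ]
    print(observed_hostnames(sample))
```

The parser mirrors what tools such as passive TLS loggers do with the same bytes; the point for the discussion is that nothing in the record format hides the name, so any policy decision a middlebox makes on it (and any logging a defender does of it) rests on a field that an encrypted-SNI design would remove from view.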