[TLS] Opsdir last call review of draft-ietf-tls-sni-encryption-05
Dan Romascanu via Datatracker <email@example.com> Tue, 20 August 2019 09:26 UTC
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 3228C120923; Tue, 20 Aug 2019 02:26:51 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
From: Dan Romascanu via Datatracker <firstname.lastname@example.org>
Cc: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Reply-To: Dan Romascanu <email@example.com>
Date: Tue, 20 Aug 2019 02:26:51 -0700
Subject: [TLS] Opsdir last call review of draft-ietf-tls-sni-encryption-05
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:firstname.lastname@example.org?subject=unsubscribe>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:email@example.com?subject=subscribe>
X-List-Received-Date: Tue, 20 Aug 2019 09:26:51 -0000
Reviewer: Dan Romascanu
Review result: Ready

This document targets Informational status. It is Ready from an OPS-DIR perspective and it offers valuable information for operators deploying TLS.

It does not define a new protocol, thus a full RFC 5706 OPS-DIR review does not apply. It does, however, raise a number of operational issues in the deployment of multiplexed servers that rely on the Service Name Information (SNI) TLS extension, which is a protocol element transmitted in clear text.

Section 3 details the different types of attacks and lists encryption requirements for SNI that would prevent these, but notes that not all can be simultaneously met by implementations and deployments.

Section 4 describes the HTTP Co-Tenancy Fronting as a solution that could be deployed in the absence of TLS-level SNI encryption. The HTTP fronting solution can be deployed without modification to the TLS protocol, and does not require using any specific version of TLS. There are, however, a few issues regarding discovery, client implementations, trust, and applicability, which are further discussed.

Operators should note that Section 5 states that 'The current HTTP based solutions described in Section 4 only meet some of these requirements. In practice, it may well be that no solution can meet every requirement, and that practical solutions will have to make some compromises.'
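The review's central operational point is that the SNI extension travels in the clear: any passive observer of the first TLS record can read the server name before any key exchange has happened. The following Python script, added here as an illustration and not part of the review or the draft, builds a minimal ClientHello carrying an SNI extension (all field values, including the random bytes and the single cipher suite, are constructed sample data) and then parses it back the way a network monitor would, showing that the hostname is recoverable from the raw bytes. The parser also handles a ClientHello without SNI and a truncated record, returning None in both cases.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # extension type "server_name" (RFC 6066)
HOST_NAME_TYPE = 0x00         # NameType "host_name"


def build_client_hello(server_name: str, include_sni: bool = True) -> bytes:
    """Construct a TLS record holding a minimal ClientHello (constructed sample, not a real capture)."""
    extensions = b""
    if include_sni:
        host = server_name.encode("ascii")
        sni_entry = bytes([HOST_NAME_TYPE]) + struct.pack("!H", len(host)) + host
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    body = (
        b"\x03\x03"                                 # legacy client_version (TLS 1.2 value)
        + b"\x11" * 32                              # random: fixed bytes for a reproducible sample
        + b"\x00"                                   # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"        # one cipher suite (TLS_AES_128_GCM_SHA256)
        + b"\x01\x00"                               # one compression method (null)
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record header


def parse_sni_extension(data: bytes):
    """Return the first host_name entry of a server_name extension body, or None."""
    if len(data) < 2:
        return None
    end = 2 + struct.unpack("!H", data[:2])[0]
    if end > len(data):
        return None
    pos = 2
    while pos + 3 <= end:
        name_type = data[pos]
        name_len = struct.unpack("!H", data[pos + 1:pos + 3])[0]
        pos += 3
        name = data[pos:pos + name_len]
        pos += name_len
        if name_type == HOST_NAME_TYPE and len(name) == name_len:
            return name.decode("ascii", errors="replace")
    return None


def extract_sni(record: bytes):
    """Read the cleartext server name from a ClientHello record; None if absent, truncated, or not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:          # not a handshake record
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:                   # not a ClientHello
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:                            # truncated on the wire
        return None
    pos = 2 + 32                                       # skip client_version and random
    if pos >= len(body):
        return None
    pos += 1 + body[pos]                               # session_id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                               # compression_methods
    if pos + 2 > len(body):                            # no extensions block at all
        return None
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        return None
    while pos + 4 <= end:                              # walk the extension list
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == SNI_EXTENSION_TYPE:
            return parse_sni_extension(edata)
    return None


def name_visible_in_clear(record: bytes, server_name: str) -> bool:
    """True if the hostname appears as plain bytes in the record, i.e. with no parsing needed."""
    return server_name.encode("ascii") in record


if __name__ == "__main__":
    rec = build_client_hello("example.com")   # constructed sample name
    print("SNI parsed from record:", extract_sni(rec))
    print("hostname present as raw bytes:", name_visible_in_clear(rec, "example.com"))
```

Run as a script it reports the parsed name and confirms the raw bytes contain it; the same parser applied to a capture of real traffic is how passive monitoring tools classify TLS flows by destination, which is exactly the exposure the draft's SNI encryption requirements aim to remove.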