[TLS] Adam Roach's Yes on draft-ietf-tls-sni-encryption-05: (with COMMENT)

Adam Roach via Datatracker <noreply@ietf.org> Wed, 18 September 2019 02:55 UTC

Return-Path: <noreply@ietf.org>
X-Original-To: tls@ietf.org
Delivered-To: tls@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B181120096; Tue, 17 Sep 2019 19:55:09 -0700 (PDT)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Adam Roach via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-tls-sni-encryption@ietf.org, Joseph Salowey <joe@salowey.net>, Sean Turner <sean@sn3rd.com>, tls-chairs@ietf.org, joe@salowey.net, tls@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.101.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Adam Roach <adam@nostrum.com>
Message-ID: <156877530949.17386.10408818675097603080.idtracker@ietfa.amsl.com>
Date: Tue, 17 Sep 2019 19:55:09 -0700
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/l-l9FBUVilFjfQ7I2R0SEDlJBak>
Subject: [TLS] Adam Roach's Yes on draft-ietf-tls-sni-encryption-05: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 02:55:10 -0000

Adam Roach has entered the following ballot position for
draft-ietf-tls-sni-encryption-05: Yes

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:


Thanks to everyone who worked on this. It seems that it will be a useful
tool for evaluating potential solutions.



>  Regardless of the encryption used,
>  these designs can be broken by a simple replay attack, which works as
>  follow:

Nit: "...as follows:"



>  These solutions offer more protection against a Man-In-The-
>  Middle attack by the fronting service.  The downside is the the
>  client will not verify the identity of the fronting service with
>  risks discussed in , but solutions will have to mitigate this risks.

This final sentence appears to be missing some kind of citation before the



>  Adversaries can also attempt to hijack the traffic to the
>  regular fronting server, using for example spoofed DNS responses or
>  spoofed IP level routing, combined with a spoofed certificate.

It's a bit unclear why this is described as part of the injection of
a third party into the scenario. As far as I understand, the described
attack exists today, in the absence of any SNI encrypting schemes.
If there's a new twist introduced by a multi-party security context,
the current text doesn't seem to explain what it is.



>  Multiple other applications currently use TLS, including for example
>  SMTP [RFC5246], DNS [RFC7858], or XMPP [RFC7590].

Nit: "...including, for example, SMTP..."
Nit: "...and XMPP..."

>  These applications
>  too will benefit of SNI encryption.  HTTP only methods like those
>  described in Section 4.1 would not apply there.

Nit: "...benefit from SNI..."
Nit: "HTTP-only..."



>  This requires a
>  controlled way to indicate which fronting ferver is acceptable by the
>  hidden service.

Nit: "...server..."



>  Thanks to Stephen Farrell, Martin Rex Martin Thomson
>  and employees of the UK National Cyber Security Centre for their
>  reviews.

I think you're missing a comma between the two Martins.