Re: [TLS] Adam Roach's Yes on draft-ietf-tls-sni-encryption-05: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Wed, 18 September 2019 21:28 UTC

Return-Path: <kaduk@mit.edu>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E55101200B7; Wed, 18 Sep 2019 14:28:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dFUcJOgNSC0B; Wed, 18 Sep 2019 14:27:58 -0700 (PDT)
Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3A16F120052; Wed, 18 Sep 2019 14:27:58 -0700 (PDT)
Received: from kduck.mit.edu ([24.16.140.251]) (authenticated bits=56) (User authenticated as kaduk@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id x8ILRov6029333 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Wed, 18 Sep 2019 17:27:54 -0400
Date: Wed, 18 Sep 2019 16:27:49 -0500
From: Benjamin Kaduk <kaduk@mit.edu>
To: Adam Roach <adam@nostrum.com>
Cc: Christian Huitema <huitema@huitema.net>, The IESG <iesg@ietf.org>, draft-ietf-tls-sni-encryption@ietf.org, tls-chairs@ietf.org, tls@ietf.org
Message-ID: <20190918212749.GA14253@kduck.mit.edu>
References: <156877530949.17386.10408818675097603080.idtracker@ietfa.amsl.com> <c9dc7cd0-e008-3263-4bb3-8c74a1eb1474@huitema.net> <7cf5b08b-17f5-9d5c-34d4-bfd58aff5a32@nostrum.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <7cf5b08b-17f5-9d5c-34d4-bfd58aff5a32@nostrum.com>
User-Agent: Mutt/1.10.1 (2018-07-13)
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/mdVcuE-oFshUY3cQcnhKoU-za58>
Subject: Re: [TLS] Adam Roach's Yes on draft-ietf-tls-sni-encryption-05: (with COMMENT)
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Sep 2019 21:28:01 -0000

I don't think there's going to be a huge practical difference between
pushing a new rev now with the editorial fixes vs. waiting.  My personal
inclination is to push the new rev now, acknowledging that another rev
after that will likely be needed as well.

-Ben

On Wed, Sep 18, 2019 at 04:18:03PM -0500, Adam Roach wrote:
> No worries!
> 
> I'd work with the responsible AD to coordinate when to publish a new 
> version.
> 
> I do have one comment below -- regarding the multi-party security 
> context -- that isn't really editorial and which isn't addressed in the 
> github version. Do you have any thoughts on it? Am I just missing 
> something obvious?
> 
> /a
> 
> On 9/18/19 4:10 PM, Christian Huitema wrote:
> > Thanks, Adam
> >
> > I appreciate the feedback, and in fact I need to apologize. We have a
> > new version of the draft ready at
> > https://github.com/tlswg/sniencryption, which takes into account the
> > comments received before Saturday 15, but does not take into account the
> > latest round of comments from Alissa, Éric and Roman. It resolves almost
> > all the nits that many of you have noticed. I probably hesitated too
> > long before publishing a new version of the draft. I knew the ballot was
> > in progress, and I was trying to not force everybody to read the draft a
> > second time. Also, I was concerned that comments would keep coming as
> > long as the ballot progressed, and I kind of hoped resolving all of them
> > before cutting a new version. But then, several of you end up stumbling
> > on the same issues that are already fixed in the editor copy. My bad.
> >
> > At that point, I could either publish a new draft version right know, or
> > wait a couple of days and address the last comments. I wonder what is
> > best for the IESG members. Any opinion?
> >
> > -- Christian Huitema
> >
> >
> >
> > On 9/17/2019 7:55 PM, Adam Roach via Datatracker wrote:
> >> Adam Roach has entered the following ballot position for
> >> draft-ietf-tls-sni-encryption-05: Yes
> >>
> >> When responding, please keep the subject line intact and reply to all
> >> email addresses included in the To and CC lines. (Feel free to cut this
> >> introductory paragraph, however.)
> >>
> >>
> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> >> for more information about IESG DISCUSS and COMMENT positions.
> >>
> >>
> >> The document, along with other ballot positions, can be found here:
> >> https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/
> >>
> >>
> >>
> >> ----------------------------------------------------------------------
> >> COMMENT:
> >> ----------------------------------------------------------------------
> >>
> >>
> >> Thanks to everyone who worked on this. It seems that it will be a useful
> >> tool for evaluating potential solutions.
> >>
> >> ---------------------------------------------------------------------------
> >>
> >> §3.1:
> >>
> >>>   Regardless of the encryption used,
> >>>   these designs can be broken by a simple replay attack, which works as
> >>>   follow:
> >> Nit: "...as follows:"
> >>
> >> ---------------------------------------------------------------------------
> >>
> >> §3.6:
> >>
> >>>   These solutions offer more protection against a Man-In-The-
> >>>   Middle attack by the fronting service.  The downside is the the
> >>>   client will not verify the identity of the fronting service with
> >>>   risks discussed in , but solutions will have to mitigate this risks.
> >> This final sentence appears to be missing some kind of citation before the
> >> comma.
> >>
> >> ---------------------------------------------------------------------------
> >>
> >> §3.6:
> >>
> >>>   Adversaries can also attempt to hijack the traffic to the
> >>>   regular fronting server, using for example spoofed DNS responses or
> >>>   spoofed IP level routing, combined with a spoofed certificate.
> >> It's a bit unclear why this is described as part of the injection of
> >> a third party into the scenario. As far as I understand, the described
> >> attack exists today, in the absence of any SNI encrypting schemes.
> >> If there's a new twist introduced by a multi-party security context,
> >> the current text doesn't seem to explain what it is.
> >>
> >> ---------------------------------------------------------------------------
> >>
> >> §3.7:
> >>
> >>>   Multiple other applications currently use TLS, including for example
> >>>   SMTP [RFC5246], DNS [RFC7858], or XMPP [RFC7590].
> >> Nit: "...including, for example, SMTP..."
> >> Nit: "...and XMPP..."
> >>
> >>>   These applications
> >>>   too will benefit of SNI encryption.  HTTP only methods like those
> >>>   described in Section 4.1 would not apply there.
> >> Nit: "...benefit from SNI..."
> >> Nit: "HTTP-only..."
> >>
> >> ---------------------------------------------------------------------------
> >>
> >> §4.2:
> >>
> >>>   This requires a
> >>>   controlled way to indicate which fronting ferver is acceptable by the
> >>>   hidden service.
> >> Nit: "...server..."
> >>
> >> ---------------------------------------------------------------------------
> >>
> >> §7:
> >>
> >>>   Thanks to Stephen Farrell, Martin Rex Martin Thomson
> >>>   and employees of the UK National Cyber Security Centre for their
> >>>   reviews.
> >> I think you're missing a comma between the two Martins.
> >>
> >>
> >> _______________________________________________
> >> TLS mailing list
> >> TLS@ietf.org
> >> https://www.ietf.org/mailman/listinfo/tls
> 
>