Re: [TLS] Accepting that other SNI name types will never work.

Martin Thomson <martin.thomson@gmail.com> Mon, 07 March 2016 12:32 UTC

Date: Mon, 7 Mar 2016 23:32:55 +1100
Message-ID: <CABkgnnUVmFSBBJG--khh435v54bEL=KRPAR6_Jguk4r12io1oA@mail.gmail.com>
From: Martin Thomson <martin.thomson@gmail.com>
To: Hubert Kario <hkario@redhat.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/tls/ppovGaWm11GEFP-kfeFJeYInyt4>
Cc: Adam Langley <agl@imperialviolet.org>, "tls@ietf.org" <tls@ietf.org>

On 7 March 2016 at 23:02, Hubert Kario <hkario@redhat.com> wrote:
> well, if some people don't care about their implementation being
> fingerprintable, let them be, but there should be at least a
> recommendation on what to do if you want to avoid that.

I'd be very surprised if this added anything to the fingerprinting
entropy already present in TLS implementations.  You can't use this
sort of thing to distinguish one user of NSS from another NSS user.

BTW, I'm pretty much not willing to volunteer to review the patch that
made NSS less fingerprintable as NSS.  I'm pretty sure that involves
replacing NSS with OpenSSL.