[TLS] Re: Mohamed Boucadair's Discuss on draft-ietf-tls-esni-24: (with DISCUSS and COMMENT)

Ben Schwartz <bemasc@meta.com> Tue, 06 May 2025 15:17 UTC

From: Ben Schwartz <bemasc@meta.com>
To: The IESG <iesg@ietf.org>, Mohamed Boucadair <mohamed.boucadair@orange.com>
Date: Tue, 06 May 2025 15:17:23 +0000
Message-ID: <SA1PR15MB4370603308C6D619A7DE3554B389A@SA1PR15MB4370.namprd15.prod.outlook.com>
References: <174654055559.678918.7219031199891418697@dt-datatracker-58d4498dbd-6gzjf>
In-Reply-To: <174654055559.678918.7219031199891418697@dt-datatracker-58d4498dbd-6gzjf>
CC: "draft-ietf-tls-esni@ietf.org" <draft-ietf-tls-esni@ietf.org>, "tls-chairs@ietf.org" <tls-chairs@ietf.org>, "tls@ietf.org" <tls@ietf.org>, "jsalowey@gmail.com" <jsalowey@gmail.com>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uKmJMGwq8gVPgMpfj74TQn9MmrM>


________________________________
From: Mohamed Boucadair via Datatracker <noreply@ietf.org>

...

> # (apparent) Inconsistency vs ECH-IN-DNS?
>
> ECH spec says the following in Section 8.1
>
>    Thus server operators SHOULD ensure servers understand a given set of ECH
>    keys before advertising them.
>
> ECH-IN-DNS says the following in Section 4:
>
>    When publishing a record containing an "ech" parameter, the publisher
>    MUST ensure that all IP addresses of TargetName correspond to servers
>    that have access to the corresponding private key or are
>    authoritative for the public name
>
> Avoiding failures is the main motivation for both “ensure” behaviors.

Not quite.  The first quote is about avoiding the ECH recovery flow.  This flow is slower than a normal handshake but does not result in a user-visible failure.  The second quote is about avoiding user-visible failures.

> Is there
> a reason why one spec uses SHOULD while the other uses a MUST?

Taken together, these quotes mean "deployments SHOULD avoid using the recovery flow, and MUST NOT create an arrangement that will fail to connect".

--Ben Schwartz
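The distinction Ben draws above (recovery flow versus a connection that cannot succeed) can be checked mechanically before a record is published. The following is an added example, not code from the thread or from either draft; it assumes a simplified model in which each ECHConfig is identified by its config_id and each IP behind TargetName is described by the config_ids whose private key it holds and whether it is authoritative for the ECH public_name.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Server:
    """One IP address that TargetName resolves to (constructed model, not spec text)."""
    ip: str
    # config_ids of the ECHConfigs whose private key this server can decrypt with
    ech_config_ids: frozenset = field(default_factory=frozenset)
    # True if the server holds a certificate for the ECH public_name
    authoritative_for_public_name: bool = False


def classify_deployment(advertised_config_ids, servers):
    """Classify a published "ech" SvcParam against the servers behind TargetName.

    Returns one of:
      "ok"              every server understands every advertised config, so no
                        client ever needs the recovery flow
      "recovery"        some server lacks an advertised key but is authoritative for
                        the public_name: the client falls back to the slower ECH
                        recovery flow (what the SHOULD in ESNI Section 8.1 discourages)
      "connection_fail" some server has neither the key nor the public_name: the client
                        cannot authenticate the handshake (what the MUST in
                        ECH-IN-DNS Section 4 forbids)
    """
    advertised = frozenset(advertised_config_ids)
    worst = "ok"
    for s in servers:
        if advertised <= s.ech_config_ids:
            continue  # this server can decrypt any of the advertised configs
        if not s.authoritative_for_public_name:
            return "connection_fail"  # neither ECH nor a usable public_name cert
        worst = "recovery"  # keep scanning: a later server may still be fatal
    return worst


# Constructed sample: one fleet where a single host was not yet given the new key.
SAMPLE_ADVERTISED = {7}
SAMPLE_SERVERS = [
    Server("192.0.2.10", frozenset({7}), authoritative_for_public_name=True),
    Server("192.0.2.11", frozenset({3}), authoritative_for_public_name=True),
]


def sample_verdict():
    """Verdict for the constructed sample; expected "recovery", not "connection_fail"."""
    return classify_deployment(SAMPLE_ADVERTISED, SAMPLE_SERVERS)
```

A publisher would treat "connection_fail" as a hard block on publishing the record and "recovery" as a warning to finish key distribution first.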