Re: [TLS] ESNIKeys.public_name vs. cleartext SNI

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 29 July 2019 11:12 UTC

Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 68B15120120 for <tls@ietfa.amsl.com>; Mon, 29 Jul 2019 04:12:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.3
X-Spam-Level:
X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cs.tcd.ie
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s_XxS-FDLBzu for <tls@ietfa.amsl.com>; Mon, 29 Jul 2019 04:12:21 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81FE11200FF for <tls@ietf.org>; Mon, 29 Jul 2019 04:12:21 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 334AEBE2E; Mon, 29 Jul 2019 12:12:19 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1TBlAgdz4gtn; Mon, 29 Jul 2019 12:12:17 +0100 (IST)
Received: from [10.244.2.138] (95-45-153-252-dynamic.agg2.phb.bdt-fng.eircom.net [95.45.153.252]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 75716BE24; Mon, 29 Jul 2019 12:12:17 +0100 (IST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cs.tcd.ie; s=mail; t=1564398737; bh=0UCQeEmc5NeDNek4o7nACZWabqdz6yBaQp3gawzAz4E=; h=Subject:To:References:From:Date:In-Reply-To:From; b=vVk7jlGgWub1Ekh4ST2S4IzgBMAZHqKIv51KE53NSLeImxiym6XlFztqONR18u6Pb kLFu8tZCt+f/qcHts44vqkxb3Xs9npQMNzggxMAIVh73D2eE8KJ8UGBefrtAPe7N/b KDeLoSS+NbLX0JkiVA6Au4tYM4kZWpNgz0ye7tH0=
To: Christian Huitema <huitema@huitema.net>, "tls@ietf.org" <tls@ietf.org>
References: <84f41a5a-b543-2fdb-8af0-b923dccd7693@cs.tcd.ie> <05501e58-6d97-c2b6-6e76-bc4c3b2f4579@huitema.net>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Openpgp: id=5BB5A6EA5765D2C5863CAE275AB2FAF17B172BEA; url=
Autocrypt: addr=stephen.farrell@cs.tcd.ie; prefer-encrypt=mutual; keydata= mQINBFo9UDIBEADUH4ZPcUnX5WWRWO4kEkHea5Y5eEvZjSwe/YA+G0nrTuOU9nemCP5PMvmh 5Cg8gBTyWyN4Z2+O25p9Tja5zUb+vPMWYvOtokRrp46yhFZOmiS5b6kTq0IqYzsEv5HI58S+ QtaFq978CRa4xH9Gi9u4yzUmT03QNIGDXE37honcAM4MOEtEgvw4fVhVWJuyy3w//0F2tzKr EMjmL5VGuD/Q9+G/7abuXiYNNd9ZFjv4625AUWwy+pAh4EKzS1FE7BOZp9daMu9MUQmDqtZU bUv0Q+DnQAB/4tNncejJPz0p2z3MWCp5iSwHiQvytYgatMp34a50l6CWqa13n6vY8VcPlIqO Vz+7L+WiVfxLbeVqBwV+4uL9to9zLF9IyUvl94lCxpscR2kgRgpM6A5LylRDkR6E0oudFnJg b097ZaNyuY1ETghVB5Uir1GCYChs8NUNumTHXiOkuzk+Gs4DAHx/a78YxBolKHi+esLH8r2k 4LyM2lp5FmBKjG7cGcpBGmWavACYEa7rwAadg4uBx9SHMV5i33vDXQUZcmW0vslQ2Is02NMK 7uB7E7HlVE1IM1zNkVTYYGkKreU8DVQu8qNOtPVE/CdaCJ/pbXoYeHz2B1Nvbl9tlyWxn5Xi HzFPJleXc0ksb9SkJokAfwTSZzTxeQPER8la5lsEEPbU/cDTcwARAQABtDJTdGVwaGVuIEZh cnJlbGwgKDIwMTcpIDxzdGVwaGVuLmZhcnJlbGxAY3MudGNkLmllPokCQAQTAQgAKgIbAwUJ CZQmAAULCQgHAgYVCAkKCwIEFgIDAQIeAQIXgAUCWj6jdwIZAQAKCRBasvrxexcr6o7QD/9m x9DPJetmW794RXmNTrbTJ44zc/tJbcLdRBh0KBn9OW/EaAqjDmgNJeCMyJTKr1ywaps8HGUN hLEVkc14NUpgi4/Zkrbi3DmTp25OHj6wXBS5qVMyVynTMEIjOfeFFyxG+48od+Xn7qg6LT7G rHeNf+z/r0v9+8eZ1Ip63kshQDGhhpmRMKu4Ws9ZvTW2ACXkkTFaSGYJj3yIP4R6IgwBYGMz DXFX6nS4LA1s3pcPNxOgrvCyb60AiJZTLcOk/rRrpZtXB1XQc23ZZmrlTkl2HaThL6w3YKdi Ti1NbuMeOxZqtXcUshII45sANm4HuWNTiRh93Bn5bN6ddjgsaXEZBKUBuUaPBl7gQiQJcAlS 3MmGgVS4ZoX8+VaPGpXdQVFyBMRFlOKOC5XJESt7wY0RE2C8PFm+5eywSO/P1fkl9whkMgml 3OEuIQiP2ehRt/HVLMHkoM9CPQ7t6UwdrXrvX+vBZykav8x9U9M6KTgfsXytxUl6Vx5lPMLi 2/Jrsz6Mzh/IVZa3xjhq1OLFSI/tT2ji4FkJDQbO+yYUDhcuqfakDmtWLMxecZsY6O58A/95 8Qni6Xeq+Nh7zJ7wNcQOMoDGj+24di2TX1cKLzdDMWFaWzlNP5dB5VMwS9Wqj1Z6TzKjGjru q8soqohwb2CK9B3wzFg0Bs1iBI+2RuFnxLkCDQRaPVAyARAA+g3R0HzGr/Dl34Y07XqGqzq5 SU0nXIu9u8Ynsxj7gR5qb3HgUWYEWrHW2jHOByXnvkffucf5yzwrsvw8Q8iI8CFHiTYHPpey 4yPVn6R0w/FOMcY70eTIu/k6EEFDlDbs09DtKcrsT9bmN0XoRxITlXwWTufYqUnmS+YkAuk+ TLCtUin7OdaS2uU6Ata3PLQSeM2ZsUQMmYmHPwB9rmf+q2I005AJ9Q1SPQ2KNg/8xOGxo13S VuaSqYRQdpV93RuCOzg4vuXtR+gP0KQrus/P2ZCEPvU9cXF/2MIhXgOz207lv3iE2zGyNXld /n8spvWk+0bH5Zqd9Wcba/rGcBhmX9NKKDARZqjkv/zVEP1X97w1HsNYeUFNcg2lk9zQKb4v l1jx/Uz8ukzH2QNhU4R39dbF/4AwWuSVkGW6bTxHJqGs6YimbfdQqxTzmqFwz3JP0OtXX5q/ 6D4pHwcmJwEiDNzsBLl6skPSQ0Xyq3pua/qAP8MVm+YxCxJQITqZ8qjDLzoe7s9X6FLLC/DA L9kxl5saVSfDbuI3usH/emdtn0NA9/M7nfgih92zD92sl1yQXHT6BDa8xW1j+RU4P+E0wyd7 zgB2UeYgrp2IIcfG+xX2uFG5MJQ/nYfBoiALb0+dQHNHDtFnNGY3Oe8z1M9c5aDG3/s29QbJ +w7hEKKo9YMAEQEAAYkCJQQYAQgADwUCWj1QMgIbDAUJCZQmAAAKCRBasvrxexcr6qwvD/9b Rek3kfN8Q+jGrKl8qwY8HC5s4mhdDJZI/JP2FImf5J2+d5/e8UJ4fcsT79E0/FqX3Z9wZr6h sofPqLh1/YzDsYkZDHTYSGrlWGP/I5kXwUmFnBZHzM3WGrL3S7ZmCYMdudhykxXXjq7M6Do1 oxM8JofrXGtwBTLv5wfvvygJouVCVe87Ge7mCeY5vey1eUi4zSSF1zPpR6gg64w2g4TXM5qt SwkZVOv1g475LsGlYWRuJV8TA67yp1zJI7HkNqCo8KyHX0DPOh9c+Sd9ZX4aqKfqH9HIpnCL AYEgj7vofeix7gM3kQQmwynqq32bQGQBrKJEYp2vfeO30VsVx4dzuuiC5lyjUccVmw5D72J0 FlGrfEm0kw6D1qwyBg0SAMqamKN6XDdjhNAtXIaoA2UMZK/vZGGUKbqTgDdk0fnzOyb2zvXK CiPFKqIPAqKaDHg0JHdGI3KpQdRNLLzgx083EqEc6IAwWA6jSz+6lZDV6XDgF0lYqAYIkg3+ 6OUXUv6plMlwSHquiOc/MQXHfgUP5//Ra5JuiuyCj954FD+MBKIj8eWROfnzyEnBplVHGSDI ZLzL3pvV14dcsoajdeIH45i8DxnVm64BvEFHtLNlnliMrLOrk4shfmWyUqNlzilXN2BTFVFH 4MrnagFdcFnWYp1JPh96ZKjiqBwMv/H0kw==
Message-ID: <2997ba60-6d01-5440-cd3d-66651443253d@cs.tcd.ie>
Date: Mon, 29 Jul 2019 12:12:16 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
MIME-Version: 1.0
In-Reply-To: <05501e58-6d97-c2b6-6e76-bc4c3b2f4579@huitema.net>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="ngT9GBlM2dLxq4Zqgd3LV5AMgWZpFXrZi"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/uvYSGFJdBmVV3F4K3QJ2h5C8bVw>
Subject: Re: [TLS] ESNIKeys.public_name vs. cleartext SNI
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 29 Jul 2019 11:12:25 -0000

Hiya,

On 29/07/2019 01:32, Christian Huitema wrote:
> 
> On 7/28/2019 5:25 AM, Stephen Farrell wrote:
>> For example, my openssl build allows this for s_client. I've
>> a colleague who's got a first build of curl using that that
>> also allows such a local over-ride. I think other command-line
>> clients might be likely to also support that kind of thing, if
>> for no other reason than the existence of the draft-02 version
>> that's deployed and has no public_name. But I guess being able
>> to do a local over-ride may also be generally useful, while
>> not being so useful for web browsers. For example, if a given
>> public_name value is being censored, clients might at that
>> point want to use something else.
> 
> I see the intent, but I am not sure it is practical. 

In which case I must've explained it badly, because it's
entirely practical:-) Let me try again...

What I'm asking is that we not insist that the cleartext
SNI is the ESNIKeys.public_name even though those will be
the same value in almost all cases.

I don't think there's any major security benefit to insisting
that they be the same and there are cases where e.g. a command
line tool like curl or wget can easily supply a different
cleartext SNI value as an override, should that ever be needed
or useful.

> A lot of the HTTP
> connection establishment is automated. Given a server name, the client
> will do a lookup for the ESNI record or a cached value. If there is one,
> the simple solution is to put the public name in the SNI extension and
> the actual name in the ESNI extension. 

Sure, I know that and am fine with it being the default.

> If the public name is censored,
> the solution is probably to look for a different ESNI record for the
> server, one that would mention a different public name.

If the public_name is censored, then there may be >1 solution
needed, so allowing for more than one seems better than assuming
there is one and only one solution in that circumstance.

> 
> By the way, I think that the current ESNI record is maybe a little too
> complicated. The ESNI key is really a property of the public server, yet
> the ESNI record is defined as a property of the hidden server. If the
> public server rolls a new key, all the ESNI records of all the hidden
> servers that mentioned the old key need to be updated. I think it would
> be simpler to have the ESNI record as a property of the public server,
> and to just have a pointer to the public server in the context of the
> hidden server. May an SRV record. The chain would be something like:
> 
> 1) Look up whether the SRV record for _esni._tcp.hidden.example.com
> 
> 2) If there are such records, select the appropriate public server, say
> public.example.net
> 
> 3) Look up ESNI, A, AAAA for public.example.net
> 
> In that architecture, there is no need to encode the public server name
> in the ESNI record. I think there will be several advantages. The ESNI
> record's TTL can be set to the lifetime of the key. The SRV record's TTL
> can be set to the expected lifetime of the relation between 'hidden" and
> "public". If the SRV lifetime is long enough, the value can be
> efficiently cached by the client. If multiple clients share the same
> hidden server, the ESNI record is fetched only once, and can be cached.
> At connection time, the client would only need to query the A/AAAA
> records of the public server, i.e. exactly the same DNS transaction as
> an access to the public server.

That seems a bit like the HTTPSSRV proposal and maybe better in
a different thread?

S.


> 
> -- Christian Huitema
> 
> 
> 
>