From: Eric Rescorla <ekr@rtfm.com>
Date: Mon, 2 Jul 2018 16:39:14 -0700
Message-ID: <CABcZeBMR=5QQjSS68H2mQoyG1cHVa5+Z_5SH0Md07kTBVSr3Sw@mail.gmail.com>
To: "<tls@ietf.org>" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vc_gm-Wqpg5e15Ws_7OuqOZudB4>
Subject: [TLS] DNS-based Encrypted SNI

Hi folks,

I just submitted:

  https://tools.ietf.org/html/draft-rescorla-tls-esni-00

This draft describes a DNS-based approach to doing encrypted SNI.

Previously, we had thought this wouldn't work because only sites that
were particularly vulnerable would do it, and so the use of ESNI marks
you out. The idea behind this draft is that there are a lot of sites
which are hosted by -- and whose DNS is run by -- a large provider,
and that provider can shift many if not all of its sites to ESNI at
once, thus removing the "standing out" issue and making a DNS-based
approach practical.

I am working on an implementation for NSS/Firefox and I know some
others are working on their own implementations, so hopefully we can
do some interop in Montreal.

This is at a pretty early stage, so comments, questions, defect
reports welcome.

-Ekr
