Re: [TLS] draft-ietf-tls-esni feedback

Rob Sayre <sayrer@gmail.com> Tue, 22 October 2019 16:22 UTC

References: <CAChr6Sw3f7du3JYxfcWSZje1zjDzsRBQyDjob-AvzjWeZzKW7g@mail.gmail.com> <CAChr6SwB+7Jt2TLJSQh3q=Roizdt2=9jCBa9nq8KRxRo=86uZQ@mail.gmail.com> <CABcZeBNBtDK7q175tseEUiCVds=khj4xXYJZRf7GU9VGNDJ_Tg@mail.gmail.com> <CAChr6Sz6xHtFWjOKrLp3sp9MpC-SoU9Sx=vk22ditjShA7B=Kg@mail.gmail.com> <CABcZeBOnE+gyNu7GarAfO0bptoPfzQQ=VKeWLdpJBDM=E4yhzg@mail.gmail.com> <CAChr6SxWE66jPRbnBRtwNSn3L+uNFkoFBbYNOBAkKDN05qotoA@mail.gmail.com> <CABcZeBOy8ogJrmFajxX1pqjqgnE61gE=c3CWz+pp34NWHmGKbw@mail.gmail.com> <03e15760-dfce-cd7b-baea-56ac70d92192@cs.tcd.ie> <CAChr6SzmpSn3Q8tBi+Pdc+Bq7stiukbufbh-jDt+AEtrkV8XGg@mail.gmail.com> <f87c2916-d03d-2715-7b36-7b70fead8df4@cs.tcd.ie> <CAChr6SxfT0ed5J89siGX23A0G77BJQWxFRDoJ1w0v7=5O0KERw@mail.gmail.com> <8063bb12-8462-53fa-fa62-1e5abb1a652e@cs.tcd.ie> <CAHbrMsBPJqzaUSa42gGq45MfsTvCVW7t95q3feWEiSYeSN9ocw@mail.gmail.com> <333fde42-76f9-1af3-0f0f-c70914b0222e@cs.tcd.ie> <CAHbrMsA0PFwvu3hvZgXMbe2Buzq9dQHgNJJLOqtyMUzb-qpc0A@mail.gmail.com> <04a5a50a-3268-d9fb-de16-abb9224409ed@cs.tcd.ie>
In-Reply-To: <04a5a50a-3268-d9fb-de16-abb9224409ed@cs.tcd.ie>
From: Rob Sayre <sayrer@gmail.com>
Date: Tue, 22 Oct 2019 09:21:51 -0700
Message-ID: <CAChr6SySVXsH1J7KGDJjjB=wdxhdaCe207pLn2fGFMmDb1q82w@mail.gmail.com>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Cc: Ben Schwartz <bemasc@google.com>, "TLS@ietf.org" <tls@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/vnNYwKOc1m9wUOw8PMffg3o3Gts>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>

On Tue, Oct 22, 2019 at 8:06 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
wrote:

>
>
> On 22/10/2019 15:56, Ben Schwartz wrote:
> > Sure.  For example, tumblr limits usernames to 32 characters:
> > https://unwrapping.tumblr.com/post/58535402323/tips-tumblr-username
> >
> > These usernames also form the subdomain part of the *.tumblr.com
> > wildcard, so the longest allowed name is [32 chars].tumblr.com.
> >
> > I expect that most wildcard TLS hosts impose similar limits.
> >
>
> Fair enough. Sub-domains (or whatever may be the right
> term) can have such limits. However, IIUC most services
> like hosters or CDNs will just allow anything that's a
> valid DNS name so I argue that our design target ought
> be to handle that well. (The current spec does handle
> it, but not, IMO, well;-)


On reflection, I’m not really comfortable with the code I’ve written on the
client side. It does work, but I don’t think the DNS record should dictate
the padding so precisely. I’d like my client to send 260 (or whatever the
right number is) whenever possible. As specified, short TTLs and varying
padding could be a problem.


thanks,
Rob

>
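The concern in this message is that the padded_length published in the DNS record fixes the size of what the client sends, so clients holding different record versions (or records from different hosts) produce different encrypted-SNI lengths on the wire. The following is an added illustration by the editor, not code from the draft, from Rob, or from any implementation: it models the padded ServerNameList roughly as the draft describes it (name zero-padded to padded_length, preceded by a nonce and followed by an AEAD tag) and compares the record-dictated policy with a client that always pads to at least 260, the value the draft recommends for wildcard hosts. The 16-byte nonce and tag lengths, the host names, and the padded_length values in the sample are assumptions constructed for the example.

```python
"""Constructed example: how the padding policy affects what an observer sees.

Not draft-ietf-tls-esni code; structure sizes are approximations of the draft
(ClientESNIInner = nonce || padded ServerNameList, then an AEAD tag).
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

FIXED_TARGET = 260   # assumption: the draft's recommended padded_length for wildcard hosts
NONCE_LEN = 16       # assumption: ClientESNIInner nonce length
AEAD_TAG_LEN = 16    # assumption: AES-GCM / ChaCha20-Poly1305 tag length
MAX_NAME_OCTETS = 253


def encode_server_name_list(host: str) -> bytes:
    """RFC 6066 ServerNameList with a single host_name entry (name_type 0)."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= MAX_NAME_OCTETS:
        raise ValueError("host name length out of range")
    entry = b"\x00" + len(name).to_bytes(2, "big") + name
    return len(entry).to_bytes(2, "big") + entry


def pad_to(host: str, padded_length: int) -> Optional[bytes]:
    """Zero-pad the ServerNameList to padded_length.

    Returns None when the name does not fit: the caller must fall back rather
    than truncate the name or send an over-long (and therefore distinctive)
    ciphertext.
    """
    snl = encode_server_name_list(host)
    if len(snl) > padded_length:
        return None
    return snl + b"\x00" * (padded_length - len(snl))


def esni_ciphertext_len(host: str, record_padded_length: int,
                        client_floor: Optional[int]) -> Optional[int]:
    """Length an on-path observer sees for one connection.

    client_floor=None  -> pad exactly as the DNS record dictates.
    client_floor=N     -> pad to max(record value, N): the "send 260 whenever
                          possible" policy from the message above.
    """
    target = record_padded_length if client_floor is None else max(record_padded_length, client_floor)
    padded = pad_to(host, target)
    if padded is None:
        return None
    return NONCE_LEN + len(padded) + AEAD_TAG_LEN


def length_partition(observations: List[Tuple[str, int]],
                     client_floor: Optional[int]) -> Dict[int, int]:
    """Bucket connections by observed ciphertext length.

    Each distinct length is a separable group; a bucket of size 1 ties that
    connection to one record version, and usually to one host.  Connections
    whose name does not fit are dropped (they would fall back, not use ESNI).
    """
    buckets: Counter = Counter()
    for host, record_padded_length in observations:
        n = esni_ciphertext_len(host, record_padded_length, client_floor)
        if n is not None:
            buckets[n] += 1
    return dict(buckets)


# Constructed sample: a CDN whose record rotated padded_length 128 -> 260 under
# a short TTL, a small hoster publishing 64, and one client with a long name.
SAMPLE: List[Tuple[str, int]] = [
    ("alice.example.net", 128),
    ("bob.example.net", 128),
    ("carol.example.net", 260),
    ("dave.example.org", 64),
    ("w" * 200 + ".example.org", 64),   # does not fit the record's padded_length
]

if __name__ == "__main__":
    print("record-dictated:", length_partition(SAMPLE, None))
    print("fixed floor 260:", length_partition(SAMPLE, FIXED_TARGET))
```

With the record-dictated policy the sample splits into three length buckets, two of them singletons, and the long-named client cannot use ESNI at all against the 64-byte record; with a 260 floor every connection has the same length and the long name fits. The trade-off the example makes visible is the one the message raises: a fixed client-side floor only works if servers accept padding longer than the padded_length they advertised.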