Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
Ralf Skyper Kaiser <skyper@thc.org> Fri, 08 November 2013 21:43 UTC
Return-Path: <skyper@thc.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EC01321E8147 for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 13:43:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.357
X-Spam-Level:
X-Spam-Status: No, score=-0.357 tagged_above=-999 required=5 tests=[AWL=0.068, BAYES_00=-2.599, FH_RELAY_NODNS=1.451, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ToWyCzZNYgiq for <tls@ietfa.amsl.com>; Fri, 8 Nov 2013 13:43:00 -0800 (PST)
Received: from mail-ie0-x236.google.com (mail-ie0-x236.google.com [IPv6:2607:f8b0:4001:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id 281FE11E80FB for <tls@ietf.org>; Fri, 8 Nov 2013 13:42:06 -0800 (PST)
Received: by mail-ie0-f182.google.com with SMTP id as1so4240191iec.41 for <tls@ietf.org>; Fri, 08 Nov 2013 13:42:05 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=thc.org; s=google; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=pgCbNP3trBI6HBFMArZKU0gnQA/zdRmAOYJwtm7E7Us=; b=JoMA0gMsxB4nJy4CL/1qxtzR13F+yx60L4Nh7Tx83alLWNaCrW4uRIlkOniNaHszEY +1/QemtgZ/Vjak4Bom9O4JQ4oq25qfcG6OQPYWFRX1PnVJQumf83k7AUc6hI430hTMXb vDXOl6xUNNU3B06fi1ROyq2CugqdUfQGCnt3I=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to:cc:content-type; bh=pgCbNP3trBI6HBFMArZKU0gnQA/zdRmAOYJwtm7E7Us=; b=bIOcXrzljyuqXLQtSpqf81hI7ahz9D8fgWvcA7zL/oDAjGjnlm/xCI+B7K+t4aH6O/ k5rA9Awxwk6w4DLjnEII9TGnAkzWuFvFD/4oatplBjUT7NGtodW2/PcF6V4BE1pCMjJA 7ytFU0jJ6KG4aSHrczt070+vheYNjK0R8NQ0JKxM4y3Umu+X5vkrbQ8DOYePGe8ooNoC dDd6kFoi6gK8IVju2Yf2mhMuRDCvpVzScwEN4fkzZLzMcTvXSeFQPToKISS6lPG4T1ub 0QNzomsa1bkrU+Z2ksr2cif5pzlXb4sNQyUVjTFbYxpQDXv+8f1MuxLiW11IC72oTVwF M9FA==
X-Gm-Message-State: ALoCoQlugxO27u6P8Bt3iHZghc3/5aMqHXS8vhX/H8MMCuUO+Lmy2KlAbKcyGcuxiQlTEC587K6g
MIME-Version: 1.0
X-Received: by 10.43.80.67 with SMTP id zt3mr10389704icb.23.1383946924992; Fri, 08 Nov 2013 13:42:04 -0800 (PST)
Received: by 10.64.231.100 with HTTP; Fri, 8 Nov 2013 13:42:04 -0800 (PST)
X-Originating-IP: [87.106.82.87]
In-Reply-To: <527D3E04.9050206@pobox.com>
References: <CA+BZK2qUE3oS6Sbp1HbKZ7Wgen9gEjjdepON1egLhGqCPpoVBw@mail.gmail.com> <527D3E04.9050206@pobox.com>
Date: Fri, 08 Nov 2013 21:42:04 +0000
Message-ID: <CA+BZK2qa3tiHWVQF+DGn5XRRvdWCKYYUMdEEQjOQQpidioFqOw@mail.gmail.com>
From: Ralf Skyper Kaiser <skyper@thc.org>
To: Michael D'Errico <mike-list@pobox.com>
Content-Type: multipart/alternative; boundary="001a1133326adadcaa04eab14044"
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] Final nail in the coffin for cleartext SNI/ALPN in TLS 1.3
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Nov 2013 21:43:07 -0000
Hi, absolutely. Encrypted SNI in TLS 1.3 will be received by server prior to selecting a certificate. ALPN could be encrypted as well (same reason, same solution). regards, ralf On Fri, Nov 8, 2013 at 7:39 PM, Michael D'Errico <mike-list@pobox.com>wrote: > Ralf Skyper Kaiser wrote: > >> Some thoughts why SNI (host name) and ALPN should be >> transmitted encrypted and not in clear.... >> > > I'm fine with encrypting these as long as the server > receives them prior to selecting a certificate. > > SNI allows for multi-homing (different server names > on the same IP), and ALPN allows you to put multiple > services on the same port (e.g. SMTP/POP3/IMAP all on > port 443 along with HTTPS/SPDY). Each service might > require its own certificate. > > Mike >
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- [TLS] Final nail in the coffin for cleartext SNI/… Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Ryan Hurst
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Seth David Schoen
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Watson Ladd
- Re: [TLS] Final nail in the coffin for cleartext … Salz, Rich
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Jacob Appelbaum
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Michael D'Errico
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Sean Leonard
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Phillip Hallam-Baker
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Daniel Kahn Gillmor
- Re: [TLS] Final nail in the coffin for cleartext … Juho Vähä-Herttua
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Yoav Nir
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Martin Rex
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Bodo Moeller
- Re: [TLS] Final nail in the coffin for cleartext … Marsh Ray
- Re: [TLS] Final nail in the coffin for cleartext … Ralf Skyper Kaiser
- Re: [TLS] Final nail in the coffin for cleartext … Geoffrey Keating