Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption

Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 19 July 2021 16:00 UTC

To: Ryan Sleevi <ryan-ietftls@sleevi.com>
Cc: "Salz, Rich" <rsalz=40akamai.com@dmarc.ietf.org>, Christopher Wood <caw@heapingbits.net>, "TLS@ietf.org" <TLS@ietf.org>
References: <0ad354da-5300-4b48-8925-f7ab18cdf235@www.fastmail.com> <5D834B58-7A0C-4701-96EB-31663BC0C2DE@akamai.com> <2c7c53a8-cf47-f51d-f97b-f6cd5a712024@cs.tcd.ie> <CAErg=HE92wz3-aLDSfNWk_qJA35+V-euUvtW07HKA=B7CVB3iA@mail.gmail.com>
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
Message-ID: <884d9513-dd38-550c-1593-a112f6d68c24@cs.tcd.ie>
Date: Mon, 19 Jul 2021 16:59:54 +0100
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/xQzTrU10jfg39FDc9vW18q4uc9I>
Subject: Re: [TLS] WGLC for draft-ietf-tls-cross-sni-resumption

Hiya,

On 19/07/2021 16:21, Ryan Sleevi wrote:
> On Mon, Jul 19, 2021 at 11:02 AM Stephen Farrell <stephen.farrell@cs.tcd.ie>
> wrote:
> 
>> I don't find the reference to [FETCH] explains how that
>> problem can be mitigated by browsers. (IIRC, adding that
>> was the result of earlier discussion of this point?)
>>
> 
> I'm not sure I'm parsing this correctly.
> 
> Are you saying that you don't believe network isolation keys are
> sufficient? 

I'm saying I don't know. I'm not a browser implementer.
Nor are a bunch of other people who use TLS and who won't
be familiar with fetch.

> That is, this is the current language from the draft:
> 
>> For example, the Web use case uses network partition keys to separate
> cache lookups [FETCH].
> 
> And the term there ("network partition keys") is a defined term in the
> FETCH spec that forms the basis of cross-domain tracking prevention:
> https://fetch.spec.whatwg.org/#network-partition-key
> 
> It's unclear whether you're saying that the spec should diverge from FETCH
> and impose additional requirements, or whether you're saying you don't
> believe the current FETCH spec is robust enough there.

The spec doesn't say how to mitigate the problem for any
other application using TLS, nor does it explain how to
mitigate the issue for a browser, other than via that one
sentence referring to a document that can change (though
that last isn't my problem with this spec).

I don't myself know how well that mechanism mitigates the
issue for browser users, nor how feasible it might be to do
something similar in a non-browser. (If the mechanism works
ok for browsers, that's fine for them of course.)

> It's unclear that there's any benefit to having the Cross-SNI spec impose
> additional requirements: you have to consider the Web application in its
> entire context, which is precisely what network partition keys do.
> Similarly, if the concern is that FETCH isn't sufficient for your concerns,
> is that a concern with this spec, or with FETCH, and can/should they be
> articulated there (and the related issue mentioned)
> 
> <snip>
> 
>> I think both of those are indicators that this mechanism
>> could be used at scale for tracking.
>>
> 
> You opened by talking about MTAs,

It's very common to see web servers and MTAs on the same IP
address, and also common to see the same certificate used
for both. (My scans were of hosts listening on mail ports
but I also scanned 443.)

> but it's unclear if this is meant to be a
> general statement or specific to mail. 

The scale issue is general I think. I agree that trackers
today overwhelmingly enjoy the web as their preferred tool.

But again, my fundamental issue with this is that we ought
not be adding new cross-domain tracking threats.

S.

> In the context of the Web, then we
> have to consider the holistic platform, and ask whether this hooks into the
> same appropriate points - it does, as the partition keys are based on the
> same cross-origin tracking protection mechanisms (e.g. the determination of
> "first party" vs "third party" contexts is implicitly handled here). If
> this is for mail, then isn't the point that this remains an
> application-/protocol-specific consideration?
>
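The following is an added illustration, not code from the draft, from FETCH, or from either author of the thread. It models a client-side session cache to show the linkability concern and the partition-key mitigation discussed above: a resumption ticket issued while visiting one top-level site can be presented again from an unrelated top-level site, and with cross-SNI resumption it can be presented to a different hostname covered by the same certificate. The "network partition key" is simplified here to just the top-level site; all hostnames and ticket values are constructed.

```python
"""Constructed model of a TLS client session cache, with and without
partitioning by top-level site (a simplified FETCH network partition key).
Not the draft's or any browser's code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    ticket_id: str            # opaque value the server can link to the issuing session
    issuer_sni: str           # hostname the ticket was issued under
    resumable_for: frozenset  # other hostnames the server allows resumption for
                              # (the cross-SNI resumption case)


class SessionCache:
    """Client cache keyed either by SNI alone or by (top-level site, SNI)."""

    def __init__(self, partitioned: bool) -> None:
        self.partitioned = partitioned
        self._store: Dict[Tuple[Optional[str], str], List[Ticket]] = {}

    def _key(self, top_level_site: str, sni: str) -> Tuple[Optional[str], str]:
        # Unpartitioned: a ticket obtained under one top-level site is found
        # again under any other. Partitioned: the top-level site is part of the
        # key, so a different first-party context gets a fresh full handshake.
        return (top_level_site, sni) if self.partitioned else (None, sni)

    def store(self, top_level_site: str, ticket: Ticket) -> None:
        # Cross-SNI: the ticket is findable under every hostname it may resume.
        for host in ticket.resumable_for | {ticket.issuer_sni}:
            self._store.setdefault(self._key(top_level_site, host), []).append(ticket)

    def lookup(self, top_level_site: str, sni: str) -> Optional[Ticket]:
        tickets = self._store.get(self._key(top_level_site, sni))
        return tickets[-1] if tickets else None


def simulate(partitioned: bool) -> Optional[str]:
    """Return the ticket id a shared operator would see on the second visit,
    or None if the client performs a full handshake instead."""
    cache = SessionCache(partitioned)
    # Constructed: shop.example and news.example are run by one operator whose
    # certificate covers both, so the server marks the ticket as cross-SNI.
    ticket = Ticket("ticket-0001", "shop.example", frozenset({"news.example"}))
    # Visit 1: the user is on site-a.example, which embeds a shop.example
    # resource; the server issues a resumption ticket.
    cache.store("site-a.example", ticket)
    # Visit 2: the user is on unrelated site-b.example, which embeds news.example.
    # If the cached ticket is presented here, the operator can link both visits.
    found = cache.lookup("site-b.example", "news.example")
    return found.ticket_id if found else None


if __name__ == "__main__":
    print("unpartitioned cache presents:", simulate(False))
    print("partitioned cache presents:  ", simulate(True))
```

With an unpartitioned cache the second visit presents `ticket-0001` to a different hostname than it was issued for, which is exactly the cross-domain linkage the thread worries about; with the partitioned cache the lookup misses and a full handshake follows. The model also makes the non-browser point concrete: the mitigation depends on the client having some notion of a first-party context to put in the key, which an MTA or other non-web TLS client does not naturally have.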