Re: [TLS] I-D Action: draft-ietf-tls-svcb-ech-01.txt

Raghu Saxena <poiasdpoiasd@live.com> Thu, 28 March 2024 06:16 UTC

Message-ID: <MEYP282MB35641C0FB75242FA6F1A651CA33B2@MEYP282MB3564.AUSP282.PROD.OUTLOOK.COM>
Date: Thu, 28 Mar 2024 14:16:14 +0800
To: tls@ietf.org
References: <171157185560.1955.8626280673835536445@ietfa.amsl.com>
From: Raghu Saxena <poiasdpoiasd@live.com>
In-Reply-To: <171157185560.1955.8626280673835536445@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/ynRkX60dGq-ofmSW4POhppQcgkY>
Subject: Re: [TLS] I-D Action: draft-ietf-tls-svcb-ech-01.txt
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>

On 3/28/24 04:37, internet-drafts@ietf.org wrote:
> Internet-Draft draft-ietf-tls-svcb-ech-01.txt is now available. It is a work
> item of the Transport Layer Security (TLS) WG of the IETF.
>
>     Title:   Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings
>     Authors: Ben Schwartz
>              Mike Bishop
>              Erik Nygren
>     Name:    draft-ietf-tls-svcb-ech-01.txt
>     Pages:   6
>     Dates:   2024-03-27

Just wondering, do we want to explicitly mention looking up the SVCB 
record for ECHConfig using "Port Prefix Naming" e.g. with words like 
MUST? From the SVCB RFC (i.e. RFC 9460), it's mentioned under Section 
2.3 that non-standard ports MAY be specified.

However, for something security-related like ECH, I think a client MUST 
look up the port-prefixed HTTPS record for determining which ECHConfig to 
use. As an example, for my personal ECH test website[0], different ports 
advertise different ECHConfigs. Chromium handles this correctly, but 
Firefox does not, which is considered to be a bug[1]. In my particular 
example, all ports have the same backend which can find a relevant ECH 
private key to use, but in some cases this may not be the case, so using 
the ECHConfig of port 443 (default) on another port could lead to problems.

I'm not sure if we need to explicitly mention it here, but since the 
draft seems to re-iterate some points of both SVCB & ECH, it may be useful.

Regards,

Raghu Saxena

[0] https://rfc5746.mywaifu.best:4443/

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1860038

P.S. The current draft links to SVCB as 
"https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-12", 
but since it is now standardized as RFC 9460, I guess it should be updated.
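As an added worked example (not code from the message above, from the draft, or from any browser), the following Python derives the HTTPS RR owner name for an origin using the RFC 9460 "port prefix naming" form, parses the ECHConfigList carried in the record's "ech" SvcParam, and shows why reusing the port-443 record for a different port fails when the ports are backed by different ECH keys. The zone contents, the per-port key table, the host example.com and the public key bytes are all constructed for illustration and are not real DNS data or keys.

```python
import base64
import struct
from typing import Optional

ECH_VERSION = 0xFE0D  # ECHConfig version defined by draft-ietf-tls-esni


def https_rr_owner_name(host: str, port: int) -> str:
    """Owner name to query for the HTTPS RR of https://host:port.

    RFC 9460 sections 2.3 and 9.1: port 443 queries the bare host name;
    any other port uses the prefixed form _PORT._https.host.
    """
    host = host.rstrip(".").lower()
    if not 1 <= port <= 65535:
        raise ValueError(f"invalid port {port}")
    return host if port == 443 else f"_{port}._https.{host}"


def build_echconfig(config_id: int, public_name: str, public_key: bytes) -> bytes:
    """Serialize one ECHConfig (version 0xfe0d) with a single cipher suite."""
    kem_id = 0x0020  # DHKEM(X25519, HKDF-SHA256)
    suites = struct.pack(">HH", 0x0001, 0x0001)  # HKDF-SHA256 / AES-128-GCM
    key_config = (struct.pack(">BH", config_id, kem_id)
                  + struct.pack(">H", len(public_key)) + public_key
                  + struct.pack(">H", len(suites)) + suites)
    name = public_name.encode("ascii")
    contents = (key_config + bytes([64])          # maximum_name_length
                + bytes([len(name)]) + name       # public_name
                + struct.pack(">H", 0))           # extensions (empty)
    return struct.pack(">HH", ECH_VERSION, len(contents)) + contents


def echconfiglist(*configs: bytes) -> bytes:
    """Wrap ECHConfig structs into an ECHConfigList (16-bit length prefix)."""
    body = b"".join(configs)
    return struct.pack(">H", len(body)) + body


def parse_echconfiglist(blob: bytes) -> list:
    """Parse an ECHConfigList; entries with an unknown version are skipped."""
    (total,) = struct.unpack_from(">H", blob, 0)
    if total != len(blob) - 2:
        raise ValueError("ECHConfigList length mismatch")
    off, out = 2, []
    while off < len(blob):
        version, length = struct.unpack_from(">HH", blob, off)
        off += 4
        body = blob[off:off + length]
        off += length
        if version != ECH_VERSION:
            continue
        config_id, kem_id = struct.unpack_from(">BH", body, 0)
        p = 3
        (klen,) = struct.unpack_from(">H", body, p)
        p += 2
        public_key = body[p:p + klen]
        p += klen
        (slen,) = struct.unpack_from(">H", body, p)
        p += 2 + slen + 1          # skip cipher_suites and maximum_name_length
        nlen = body[p]
        public_name = body[p + 1:p + 1 + nlen].decode("ascii")
        out.append({"config_id": config_id, "kem_id": kem_id,
                    "public_key": public_key, "public_name": public_name})
    return out


# Constructed zone (not real DNS data): the bare name and the port-prefixed
# name advertise different ECHConfigs (config_id 7 on :443, 9 on :4443).
ZONE = {
    "example.com": {"ech": base64.b64encode(echconfiglist(
        build_echconfig(7, "public.example.net", b"\x11" * 32))).decode()},
    "_4443._https.example.com": {"ech": base64.b64encode(echconfiglist(
        build_echconfig(9, "public.example.net", b"\x22" * 32))).decode()},
}

# Constructed server side: the config_ids each port's backend holds keys for.
SERVER_KEYS = {443: {7}, 4443: {9}}


def choose_echconfig(host: str, port: int, port_prefix_lookup: bool) -> Optional[dict]:
    """Pick the ECHConfig a client would encrypt its ClientHello to.

    port_prefix_lookup=False models a client that always uses the bare-name
    (port 443) record regardless of the origin port.
    """
    name = https_rr_owner_name(host, port if port_prefix_lookup else 443)
    rr = ZONE.get(name)
    if rr is None:
        return None
    configs = parse_echconfiglist(base64.b64decode(rr["ech"]))
    return configs[0] if configs else None


def server_accepts_ech(port: int, config: dict) -> bool:
    """True if the backend behind `port` can decrypt for this config_id."""
    return config["config_id"] in SERVER_KEYS.get(port, set())
```

With the port-prefixed lookup the client picks config_id 9 for port 4443 and the backend on that port can decrypt; a client that reuses the port-443 record picks config_id 7, which the port-4443 backend does not hold, so ECH acceptance fails exactly in the split-backend situation the message describes.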