Re: [Tsv-art] TSV ART review of draft-ietf-tls-sni-encryption
Christian Huitema <huitema@huitema.net> Tue, 10 September 2019 18:50 UTC
Return-Path: <huitema@huitema.net>
X-Original-To: tsv-art@ietfa.amsl.com
Delivered-To: tsv-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 678F0120273 for <tsv-art@ietfa.amsl.com>; Tue, 10 Sep 2019 11:50:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.598
X-Spam-Level:
X-Spam-Status: No, score=-2.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OWqE74-TM0Ax for <tsv-art@ietfa.amsl.com>; Tue, 10 Sep 2019 11:50:27 -0700 (PDT)
Received: from mx43-out1.antispamcloud.com (mx43-out1.antispamcloud.com [138.201.61.189]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEF501201EA for <tsv-art@ietf.org>; Tue, 10 Sep 2019 11:50:26 -0700 (PDT)
Received: from xse23.mail2web.com ([66.113.196.23] helo=xse.mail2web.com) by mx61.antispamcloud.com with esmtp (Exim 4.89) (envelope-from <huitema@huitema.net>) id 1i7lDb-0001A4-Sn for tsv-art@ietf.org; Tue, 10 Sep 2019 20:50:24 +0200
Received: from xsmtp22.mail2web.com (unknown [10.100.68.61]) by xse.mail2web.com (Postfix) with ESMTPS id 46SYxp5PmDzPQg for <tsv-art@ietf.org>; Tue, 10 Sep 2019 11:50:22 -0700 (PDT)
Received: from [10.5.2.16] (helo=xmail06.myhosting.com) by xsmtp22.mail2web.com with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:256) (Exim 4.92) (envelope-from <huitema@huitema.net>) id 1i7lDa-0002nD-L2 for tsv-art@ietf.org; Tue, 10 Sep 2019 11:50:22 -0700
Received: (qmail 25919 invoked from network); 10 Sep 2019 18:50:21 -0000
Received: from unknown (HELO [192.168.1.105]) (Authenticated-user:_huitema@huitema.net@[172.58.46.209]) (envelope-sender <huitema@huitema.net>) by xmail06.myhosting.com (qmail-ldap-1.03) with ESMTPA for <tls@ietf.org>; 10 Sep 2019 18:50:21 -0000
To: Bernard Aboba <bernard_aboba@hotmail.com>, "tsv-art@ietf.org" <tsv-art@ietf.org>, "draft-ietf-tls-sni-encryption.all@ietf.org" <draft-ietf-tls-sni-encryption.all@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "tls@ietf.org" <tls@ietf.org>
References: <BYAPR06MB55586171004B46D9F92E1EFC93B70@BYAPR06MB5558.namprd06.prod.outlook.com>
From: Christian Huitema <huitema@huitema.net>
Openpgp: preference=signencrypt
Autocrypt: addr=huitema@huitema.net; prefer-encrypt=mutual; keydata= mQENBFIRX8gBCAC26usy/Ya38IqaLBSu33vKD6hP5Yw390XsWLaAZTeQR64OJEkoOdXpvcOS HWfMIlD5s5+oHfLe8jjmErFAXYJ8yytPj1fD2OdSKAe1TccUBiOXT8wdVxSr5d0alExVv/LO I/vA2aU1TwOkVHKSapD7j8/HZBrqIWRrXUSj2f5n9tY2nJzG9KRzSG0giaJWBfUFiGb4lvsy IaCaIU0YpfkDDk6PtK5YYzuCeF0B+O7N9LhDu/foUUc4MNq4K3EKDPb2FL1Hrv0XHpkXeMRZ olpH8SUFUJbmi+zYRuUgcXgMZRmZFL1tu6z9h6gY4/KPyF9aYot6zG28Qk/BFQRtj7V1ABEB AAG0J0NocmlzdGlhbiBIdWl0ZW1hIDxodWl0ZW1hQGh1aXRlbWEubmV0PokBOQQTAQIAIwUC UhFfyAIbLwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEJNDCbJVyA1yhbYH/1ud6x6m VqGIp0JcZUfSQO8w+TjugqxCyGNn+w/6Qb5O/xENxNQ4HaMQ5uSRK9n8WKKDDRSzwZ4syKKf wbkfj05vgFxrjCynVbm1zs2X2aGXh+PxPL/WHUaxzEP7KjYbLtCUZDRzOOrm+0LMktngT/k3 6+EZoLEM52hwwpIAzJoscyEz7QfqMOZtFm6xQnlvDQeIrHx0KUvwo/vgDLK3SuruG1CSHcR0 D24kEEUa044AIUKBS3b0b8AR7f6mP2NcnLpdsibtpabi9BzqAidcY/EjTaoea46HXALk/eJd 6OLkLE6UQe1PPzQC4jB7rErX2BxnSkHDw50xMgLRcl5/b1a5AQ0EUhFfyAEIAKp7Cp8lqKTV CC9QiAf6QTIjW+lie5J44Ad++0k8gRgANZVWubQuCQ71gxDWLtxYfFkEXjG4TXV/MUtnOliG 5rc2E+ih6Dg61Y5PQakm9OwPIsOx+2R+iSW325ngln2UQrVPgloO83QiUoi7mBJPbcHlxkhZ bd3+EjFxSLIQogt29sTcg2oSh4oljUpz5niTt69IOfZx21kf29NfDE+Iw56gfrxI2ywZbu5o G+d0ZSp0lsovygpk4jK04fDTq0vxjEU5HjPcsXC4CSZdq5E2DrF4nOh1UHkHzeaXdYR2Bn1Y wTePfaHBFlvQzI+Li/Q6AD/uxbTM0vIcsUxrv3MNHCUAEQEAAYkCPgQYAQIACQUCUhFfyAIb LgEpCRCTQwmyVcgNcsBdIAQZAQIABgUCUhFfyAAKCRC22tOSFDh1UOlBB/94RsCJepNvmi/c YiNmMnm0mKb6vjv43OsHkqrrCqJSfo95KHyl5Up4JEp8tiJMyYT2mp4IsirZHxz/5lqkw9Az tcGAF3GlFsj++xTyD07DXlNeddwTKlqPRi/b8sppjtWur6Pm+wnAHp0mQ7GidhxHccFCl65w uT7S/ocb1MjrTgnAMiz+x87d48n1UJ7yIdI41Wpg2XFZiA9xPBiDuuoPwFj14/nK0elV5Dvq 4/HVgfurb4+fd74PV/CC/dmd7hg0ZRlgnB5rFUcFO7ywb7/TvICIIaLWcI42OJDSZjZ/MAzz BeXm263lHh+kFxkh2LxEHnQGHCHGpTYyi4Z3dv03HtkH/1SI8joQMQq00Bv+RdEbJXfEExrT u4gtdZAihwvy97OPA2nCdTAHm/phkzryMeOaOztI4PS8u2Ce5lUB6P/HcGtK/038KdX5MYST Fn8KUDt4o29bkv0CUXwDzS3oTzPNtGdryBkRMc9b+yn9+AdwFEH4auhiTQXPMnl0+G3nhKr7 jvzVFJCRif3OAhEm4vmBNDE3uuaXFQnbK56GJrnqVN+KX5Z3M7X3fA8UcVCGOEHXRP/aubiw Ngawj0V9x+43kUapFp+nF69R53UI65YtJ95ec4PTO/Edvap8h1UbdEOc4+TiYwY1TBuIKltY 1cnrjgAWUh/Ucvr++/KbD9tD6C8=
Message-ID: <e784ce21-3cf4-171f-320b-7821f02d46d9@huitema.net>
Date: Tue, 10 Sep 2019 11:50:22 -0700
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.9.0
MIME-Version: 1.0
In-Reply-To: <BYAPR06MB55586171004B46D9F92E1EFC93B70@BYAPR06MB5558.namprd06.prod.outlook.com>
Content-Type: multipart/alternative; boundary="------------E44E03979439B9F24F9722A4"
Content-Language: en-US
X-Originating-IP: 66.113.196.23
X-Spampanel-Domain: xsmtpout.mail2web.com
X-Spampanel-Username: 66.113.196.23/32
Authentication-Results: antispamcloud.com; auth=pass smtp.auth=66.113.196.23/32@xsmtpout.mail2web.com
X-Spampanel-Outgoing-Class: unsure
X-Spampanel-Outgoing-Evidence: Combined (0.15)
X-Recommended-Action: accept
X-Filter-ID: Mvzo4OR0dZXEDF/gcnlw0aDrId51ygpPivCXTf8hoIupSDasLI4SayDByyq9LIhV2a1kOQIl6kBc uGDA8cAGFkTNWdUk1Ol2OGx3IfrIJKywOmJyM1qr8uRnWBrbSAGDkJ/tmUQ4/0wipvvOnxdQfM0D SEpCfISRYCKsig5kq2LF3cyS+9AhOelFuQI180gnZIOQYaDXB30lsHjt7j8HkKtGwXgQYOV3OQXB 6l3JscJvOU+tBmegbIcsUon3gfm3OueuKdIJKegN3+UcLNo4xGU6UgOqKJ9sMwhVoOBGSAIboXtx P9OF0EfNs5TqNq2Yhy7LI0kfFnXdPP6btp4oBeJDeKRq5oPj2hFJhLx+qI3HlR3ootg7OlA3N5WN re/oppAGOX5cHTu1yz4pRT/9FGrxEaaKeSxe0Wrx6M4G5/WoLsdfEoJI0BNUQ4KpaNyNCwGqOUcw rXf55E8Tb8bmXq4yH8StrboPphDtmrtUkwlUgiZZ2raUFFZA8s/fhxGt7T02ZXdoQxMs//iOE4Fl hiCv9TR+UxzLZWL8hwGBjhoI3W+YcuHfP5PkZb5A+wE5qGdpH54Oa3V8I76VOEvlwIVUdYndRiyh yQb8o5SNcNTlEUDVXF9WEj81VYuBKZWcP2AtWtg/n8Fl98DRY7ZHw0UkeTf/I6i0kWK9U80i5N/0 lSfuxANzRU5MAZzTOSGB7AbtEeU9xSFZt4g4P43o3/KY2AXNZGS5G93aGyH8MqMNONNOB63tZ91H 4Bn0Oix6xbgdn8iWm2uphxjMQiSlYZxMPnetLBJMh51NiRRoHIAs6ui6J3Pqwnhab2CcBojXmiK7 x42VjdzChZMe6O/DiWiiIzuXMTE3l4bIsk+O50sZOLKZyDkP33VG7+Firy1s08QV3No+S2msRDep v5w/kkG0v17AmegcpQ0tml/sN9lmMy/o83jVXTcfb9k0nLWblJy7uxV6dw8jzlsaNZe6hynMJcjx DydxsJEju76A7X1QIVydqXpZ6MHhiKws9Iiut28r9wo4SqUIg8Yh9hAM0n3LLzx/F2gT3wl8JQJv Bho=
X-Report-Abuse-To: spam@quarantine9.antispamcloud.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/tsv-art/dBbo3Sv3Nx8AhiAHl9edLJMwaaE>
Subject: Re: [Tsv-art] TSV ART review of draft-ietf-tls-sni-encryption
X-BeenThere: tsv-art@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Transport Area Review Team <tsv-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tsv-art/>
List-Post: <mailto:tsv-art@ietf.org>
List-Help: <mailto:tsv-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tsv-art>, <mailto:tsv-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2019 18:50:30 -0000
Thanks for the feedback, Bernard. We already fixed in the editor copy some of the issues that you described based on other feedback received during last call, but not all. Your comments about section 3.7.1 and section 5 are interesting. I like your suggestion of moving some of the text from section 5 to the introduction and believe that it will improve the document. Regarding section 3.7.1, you suggest adding a comment on related work, and perhaps moving some of the discussion of ALPN there. I understand the rationale, but I am a bit worried about going too far there -- the current text reflects discussions and feedback on the TLS list. Also, if we did add a section on related work we would probably need to reference the deployment of encrypted DNS services, and I am a bit worried about doing that late in the production cycle. How about a compromise, such as pointing the issue in the introduction with a forward reference to section 3.7.1? -- Christian Huitema On 9/9/2019 12:48 PM, Bernard Aboba wrote: > Document: draft-ietf-tls-sni-encryption > Reviewer: Bernard Aboba > Review result: Ready with Nits > > This document has been reviewed as part of the transport area review > team's > ongoing effort to review key IETF documents. These comments were written > primarily for the transport area directors, but are copied to the > document's > authors and WG to allow them to address any issues raised and also to > the IETF > discussion list for information. > > When done at the time of IETF Last Call, the authors should consider this > review as part of the last-call comments they receive. Please always CC > tsv-art@ietf.org if you reply to or forward this review. > > I have not identified any transport related issues. > > NITS > > Expansion of acronyms on first use: > > Abstract: TLS > Section 1: DNS > Section 2.1: ISP, QoS, MITM > > Section 2 > > s/mutiple/multiple/ > > Section 2.1 > > s/fradulent/fraudulent/ > > Section 3.6 > > The downside is the the > client will not verify the identity of the fronting service with > risks discussed in , but solutions will have to mitigate this risks. > > [BA] Several problems with this sentence: > > s/the the/the/ > s/this risks/the risk/ > s/discussed in ,/discussed in [REF-TBD],/ > > Section 3.7.1 > > This section seems somewhat out of place in a section on Security > and Privacy Requirements for SNI Encryption, given that it relates > to hiding of the ALPN, and the text admits a weak case for linking > the two problems: > > Using the same technique for hiding the ALPN and encrypting the SNI > may result in excess complexity. It might be preferable to encrypt > these independently. > > You might consider moving this section to Section 4.3.1, under Section 4.3 > Related Work. > > Section 5 > > The first paragraph of this section strikes me as being potentially better > suited to inclusion in Section 1 Introduction. > > Replacing clear text SNI transmission by an encrypted variant will > improve the privacy and reliability of TLS connections, but the > design of proper SNI encryption solutions is difficult. This > document does not present the design of a solution, but provides > guidelines for evaluating proposed solutions. >
- [Tsv-art] TSV ART review of draft-ietf-tls-sni-en… Bernard Aboba
- Re: [Tsv-art] TSV ART review of draft-ietf-tls-sn… Christian Huitema
- Re: [Tsv-art] TSV ART review of draft-ietf-tls-sn… Bernard Aboba