Re: [Uta] Éric Vyncke's No Objection on draft-ietf-uta-rfc7525bis-09: (with COMMENT)
Peter Saint-Andre <stpeter@stpeter.im> Mon, 18 July 2022 18:21 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: uta@ietfa.amsl.com
Delivered-To: uta@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 92DC6C14F749; Mon, 18 Jul 2022 11:21:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.812
X-Spam-Level:
X-Spam-Status: No, score=-2.812 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, NICE_REPLY_A=-0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=stpeter.im header.b=XNgc96Wu; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=tLi9MFAz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n-eS0NzuEDlO; Mon, 18 Jul 2022 11:21:46 -0700 (PDT)
Received: from out5-smtp.messagingengine.com (out5-smtp.messagingengine.com [66.111.4.29]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7466EC14F6EB; Mon, 18 Jul 2022 11:21:46 -0700 (PDT)
Received: from compute5.internal (compute5.nyi.internal [10.202.2.45]) by mailout.nyi.internal (Postfix) with ESMTP id AFB575C00E2; Mon, 18 Jul 2022 14:21:45 -0400 (EDT)
Received: from mailfrontend1 ([10.202.2.162]) by compute5.internal (MEProxy); Mon, 18 Jul 2022 14:21:45 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=stpeter.im; h=cc :cc:content-transfer-encoding:content-type:date:date:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to; s=fm1; t=1658168505; x= 1658254905; bh=fbm4QWxlJAEhtGx2S3Ejj2AkIiX3AKzlDKqCmM4aP3w=; b=X Ngc96WuIOViN+nPNPrcCCyB3x0haAgv4AouK32f9hTiWpjo7IahB7SmwpUh2anSb ZNs1vBPu6A5vtvOvvFGA5eDPsWTlXWsoHentUx0OuqquAkzhu6oeJxqNoHey85ah T+QEzC369KY1zzynkMPMxm6HUlPpIiOq0cDbJIEDGUkLp0bA2oKPvupxucvGExEP LzVmkToYN44Ezx+pVm3teQCLy72dBE/+SevW6hUpk582HyH7H477qVcbXc/a5oAG 81fQwfp9NQ25E7CR7hue5bh4yp5niBpWAmdCtDgf0Fiidqq5/XXANelDc5oKZwdv f1kCRhPeH1nS5hxd3xyAw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:cc:content-transfer-encoding :content-type:date:date:feedback-id:feedback-id:from:from :in-reply-to:in-reply-to:message-id:mime-version:references :reply-to:sender:subject:subject:to:to:x-me-proxy:x-me-proxy :x-me-sender:x-me-sender:x-sasl-enc; s=fm3; t=1658168505; x= 1658254905; bh=fbm4QWxlJAEhtGx2S3Ejj2AkIiX3AKzlDKqCmM4aP3w=; b=t Li9MFAzOwqFQuEYQ7ONyKwWOog532MrzkWgDVSO/ZrbPzageey/NaRFSNBHZSABf 0UrBDA10hKYXjrbsgdFwjAd27YC994RJ29hipbvllOpiLZYFNBclOCG7inKLgFgv +pjtZa8jROPfGLG+DJ7X+P/3fIsaOTFuH6IFTwHF+aYhZmGxuhXc6zsB2wnoyCx/ qdY3dTYribYjltRyY30a+oCPqLu0Kmd6iFm8WW/uuUb22sYpq/mCcNzM4Ok0MRXx LO/iYThq3xI859bBwrBrcro9VlcqcBQClKG4nXdq7xJchXAaTA17ZZVlO0xbPiIU M570zUVWp+D76da0LD0fQ==
X-ME-Sender: <xms:uaTVYjt71Dj93eYS5y6B91oe5iS7QYfhdAKVoAaj4CHZP-EypWw1Mw> <xme:uaTVYkeWiSXQ8dRfoHRu9NsgW-gDepwDc0amLQ4csgQAChOoHLR2CDXYeq5DiCZDJ CtnvrN5Nt_dBR_pHg>
X-ME-Received: <xmr:uaTVYmwebaveBRB7fZCjVv8bG5_GCaL392lGZvKnqRtRRt1F9gxenFQaBcLNHpZR>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedvfedrudekkedguddvtdcutefuodetggdotefrod ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh necuuegrihhlohhuthemuceftddtnecusecvtfgvtghiphhivghnthhsucdlqddutddtmd enucfjughrpefkffggfgfhvfevfhfujggtgfesthekredttdefjeenucfhrhhomheprfgv thgvrhcuufgrihhnthdqtehnughrvgcuoehsthhpvghtvghrsehsthhpvghtvghrrdhimh eqnecuggftrfgrthhtvghrnhepieevjeeuueeitdffgeelvdetieeiteevveeutdffieei tdetfedvjeelfeefjeehnecuffhomhgrihhnpehgihhthhhusgdrtghomhenucevlhhush htvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpehsthhpvghtvghrsehs thhpvghtvghrrdhimh
X-ME-Proxy: <xmx:uaTVYiNoPv8lXX5GRz1UKC8MY2MRXQBguyJO2cRoHVYFD_nukBMx6A> <xmx:uaTVYj-NqVUnMvekLlqNKsr8KhCNzd5WzWWd7r5QTLh1G2mxUK1DgQ> <xmx:uaTVYiVaEid59CyWleQWngafNTxY523fyeB2jNwviNF3J5zWE1ircA> <xmx:uaTVYunPzfi00iKEHnnMwIZy1686cDQInDXcaIIsPLrOUvkKw8xWvA>
Feedback-ID: i24394279:Fastmail
Received: by mail.messagingengine.com (Postfix) with ESMTPA; Mon, 18 Jul 2022 14:21:44 -0400 (EDT)
Message-ID: <9818d795-9cd0-70b4-0ef1-8b5624fab38f@stpeter.im>
Date: Mon, 18 Jul 2022 12:21:43 -0600
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:91.0) Gecko/20100101 Thunderbird/91.11.0
Content-Language: en-US
From: Peter Saint-Andre <stpeter@stpeter.im>
To: Éric Vyncke <evyncke@cisco.com>, The IESG <iesg@ietf.org>
Cc: draft-ietf-uta-rfc7525bis@ietf.org, uta-chairs@ietf.org, uta@ietf.org, leifj@sunet.se
References: <165761223987.5020.15178372510088278304@ietfa.amsl.com> <a5948297-021e-fbd5-c05b-4587cdf10658@stpeter.im>
In-Reply-To: <a5948297-021e-fbd5-c05b-4587cdf10658@stpeter.im>
Content-Type: text/plain; charset="UTF-8"; format="flowed"
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/uta/f31S6sqHhTLhv3Fv_NcolncE-7A>
Subject: Re: [Uta] Éric Vyncke's No Objection on draft-ietf-uta-rfc7525bis-09: (with COMMENT)
X-BeenThere: uta@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: UTA working group mailing list <uta.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/uta>, <mailto:uta-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/uta/>
List-Post: <mailto:uta@ietf.org>
List-Help: <mailto:uta-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/uta>, <mailto:uta-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 18 Jul 2022 18:21:51 -0000
Hi Éric, see further thoughts on ECH below.
On 7/13/22 12:12 PM, Peter Saint-Andre wrote:
> On 7/12/22 1:50 AM, Éric Vyncke via Datatracker wrote:
>> Éric Vyncke has entered the following ballot position for
>> draft-ietf-uta-rfc7525bis-09: No Objection
<snip/>
>> ### Section 3.7 ESNI as a SHOULD ?
>>
>> Shouldn't ESNI be a normative "SHOULD" ? Or is the non-normative text
>> "just" to
>> avoid forming a cluster with ESNI draft ? Which would be sad...
>
> There is always debate about references to works in progress. It's not
> clear that a protocol still being hashed out in a WG (even a protocol as
> important as ESNI) can be reasonably considered a best current practice,
> given that it's far from stable. Eventually, we assume that the IETF
> will publish rfc7525ter to replace rfc7525bis, at which time that BCP
> will include updated recommendations (including, I'd expect, ESNI and
> various other things that are developed between now and then).
The implication of your original comment is that the authors are trying
to avoid a cluster and push this document through without a normative
reference to the ECH I-D being worked on in the TLS WG.
This is not what we're trying to do. Although personally I think that
ECH is consistent with RFC 3365, there are questions and concerns about
ECH that need to be worked out, the protocol needs to be finalized,
implementations need to be written or finished, administrators of
various TLS-based systems need figure out how to deploy it properly,
etc. For these reasons, I think it is simply too early to recommend ECH
as a best *current* practice. Hopefully it will be so when this BCP is
updated again a few years from now.
Nevertheless and in light of the above considerations, I grant that the
current text might be too strong:
Implementers are strongly encouraged to support TLS
Encrypted Client Hello once [I-D.ietf-tls-esni] has been
standardized.
Something like this might be more accurate:
At the time of writing, a technology for encrypting the SNI
(called Encrypted Client Hello) is being worked on in the TLS
Working Group [I-D.ietf-tls-esni]. Once that method has been
standardized and widely implemented, it will likely be appropriate
to recommend or mandate its usage in a future version of this
BCP.
I'd also suggest changing "this information leak is closed by use of TLS
Encrypted Client Hello" to "this information leak will be closed by use
of TLS Encrypted Client Hello once that method has been standardized".
I've incorporated the foregoing suggestions into a PR:
https://github.com/yaronf/I-D/pull/463
Peter
- [Uta] Éric Vyncke's No Objection on draft-ietf-ut… Éric Vyncke via Datatracker
- Re: [Uta] Éric Vyncke's No Objection on draft-iet… Peter Saint-Andre
- Re: [Uta] Éric Vyncke's No Objection on draft-iet… Peter Saint-Andre