Minutes interim-2020-tls-02: Thu 10:00
minutes-interim-2020-tls-02-202009031000-01

Meeting Minutes Transport Layer Security (tls) WG
Date and time 2020-09-03 17:00
Title Minutes interim-2020-tls-02: Thu 10:00
State Active
Other versions markdown
Last updated 2020-09-07

minutes-interim-2020-tls-02-202009031000-01

TLS VIrtual Interim September 2020

September 3, 2020 - 17:00 - 18:00 UTC

Agenda

ECH Issues - https://github.com/tlswg/draft-ietf-tls-esni/issues

Attendance:

  1. Joe Salowey, Salesforce
  2. Tim Wicinski, N/A
  3. Chris Wood, Cloudflare
  4. Chris Patton, Cloudflare
  5. Watson Ladd, Cloudflare
  6. Jonathan Hammell, Canadian Centre for Cyber Security
  7. Russ Housley, Vigil Security
  8. Ben Schwartz, Google
  9. Marco Tiloca, RISE
  10. Ben Kaduk, Akamai
  11. Paul Wouters, Red Hat
  12. Rich Salz, Akamai
  13. Eric Rescorla, Mozilla
  14. Dan McArdle, Google
  15. Lucas Pardue, Cloudflare
  16. Andrew Campling, 419 Consulting
  17. Tommy Pauly, Apple
  18. Barbara Stark, AT&T
  19. Chris Box, BT
  20. Nick Harper, Google
  21. Marten Seemann, Protocol Labs
  22. Vittorio Bertola, Open-Xchange
  23. Nick Lamb, Unaffiliated
  24. Sean Turner, sn3rd
  25. Jonathan Hoyland, Cloudflare
  26. Carrick Bartle, Apple
  27. Christian Huitema, Private Octopus Inc.

Meeting Minutes

  1. Trying cameras on (ends up some need to be turned off to preserve audio)
  2. Note Well
  3. First issue: 274
    1. Trial decryption complicates quic
    2. Multiple options: 1, 2, 3, 3' ...
    3. Most momentum is PR #287, reuse SH random bytes

    4. 287 will be worked on through comments on it

    5. Resolution: merge it after spellcheck
    6. Christan: Question about replay attack
  4. Issue 253
    1. ECH_Nonce rational
    2. Carryover from ESNI.
    3. May be redundant, remove?
    4. Does need to remain secret
    5. Server leakage? Discussions with Karthik about removal
    6. PR 292 removes the Nonce
    7. Concerns with session tickets
    8. Resolution: remove the nonce, new requirements on Client Random
  5. Issue 264
  6. Padding at record layer problematic for QUIC
  7. Do it with extensions?
  8. New Handshake message for padding. Record layer will drop on floor like CCS
  9. EKR: Why not in EE? Handshake message boundaries not visible on the wire
  10. Nick Harper: padding at TLS layer needed
  11. Unsolicited padding: Inner ClientHello using unencrypted CH extension?
  12. EKR's idea: standard padding extension, remove requirement for responding, let ECH predicate its use in response
  13. Resolution: Pause certificate compression until this resolved. Need a TLS non-record layer, mechanism TBD, ensure multiple mechanisms possible
  14. Issue 263
    1. Hash included of reconstructed CH. Is that actually useful?
    2. Weird corner cases with SNI privacy breaking extensions
    3. Binding of outer to inner prevents it.
    4. Stronger security property for inner CH than usual.
    5. More natural examples?
    6. EKR: we got into trouble, easier to fix by binding outer to inner
    7. Resolution: close issue, keep spec as-is
  15. Issue 262
    1. outer_extensions lossy
    2. Preserve order which currently doesn't. Proposal for doing this
    3. Not much feedback. Pushback from Martin Thompson
    4. Feedback wanted
    5. EKR: reinvention of original design
    6. EKR: how is performance; what is compressed?
    7. Ben Schwartz: does order matter?
    8. Preshared Key come last
    9. EKR: not that useful, can negotiate
    10. Resolution: See what's actually useful
  16. Issue 297
    1. Version in ClientEncryptedCH?
    2. Breaking backwards compat in future versions
    3. But config is signaled. So first two fields ossified: can we live with that?
    4. Also have codepoints for extensions
    5. Resolution: We can use a different codepoint

Next meeting in a week or two.

Recording

TLS ECH Interim 01-20200903 1700-1
https://ietf.webex.com/recordingservice/sites/ietf/recording/playback/7a102a74107e404c9c357e4283aec4c3