Minutes interim-2020-tls-02: Thu 10:00
minutes-interim-2020-tls-02-202009031000-01
Meeting Minutes | Transport Layer Security (tls) WG | |
---|---|---|
Date and time | 2020-09-03 17:00 | |
Title | Minutes interim-2020-tls-02: Thu 10:00 | |
State | Active | |
Other versions | markdown | |
Last updated | 2020-09-07 |
minutes-interim-2020-tls-02-202009031000-01
TLS VIrtual Interim September 2020
September 3, 2020 - 17:00 - 18:00 UTC
Agenda
ECH Issues - https://github.com/tlswg/draft-ietf-tls-esni/issues
Attendance:
- Joe Salowey, Salesforce
- Tim Wicinski, N/A
- Chris Wood, Cloudflare
- Chris Patton, Cloudflare
- Watson Ladd, Cloudflare
- Jonathan Hammell, Canadian Centre for Cyber Security
- Russ Housley, Vigil Security
- Ben Schwartz, Google
- Marco Tiloca, RISE
- Ben Kaduk, Akamai
- Paul Wouters, Red Hat
- Rich Salz, Akamai
- Eric Rescorla, Mozilla
- Dan McArdle, Google
- Lucas Pardue, Cloudflare
- Andrew Campling, 419 Consulting
- Tommy Pauly, Apple
- Barbara Stark, AT&T
- Chris Box, BT
- Nick Harper, Google
- Marten Seemann, Protocol Labs
- Vittorio Bertola, Open-Xchange
- Nick Lamb, Unaffiliated
- Sean Turner, sn3rd
- Jonathan Hoyland, Cloudflare
- Carrick Bartle, Apple
- Christian Huitema, Private Octopus Inc.
Meeting Minutes
- Trying cameras on (ends up some need to be turned off to preserve audio)
- Note Well
- First issue: 274
- Trial decryption complicates quic
- Multiple options: 1, 2, 3, 3' ...
- Most momentum is PR #287, reuse SH random bytes
-
287 will be worked on through comments on it
- Resolution: merge it after spellcheck
- Christan: Question about replay attack
- Issue 253
- ECH_Nonce rational
- Carryover from ESNI.
- May be redundant, remove?
- Does need to remain secret
- Server leakage? Discussions with Karthik about removal
- PR 292 removes the Nonce
- Concerns with session tickets
- Resolution: remove the nonce, new requirements on Client Random
- Issue 264
- Padding at record layer problematic for QUIC
- Do it with extensions?
- New Handshake message for padding. Record layer will drop on floor like CCS
- EKR: Why not in EE? Handshake message boundaries not visible on the wire
- Nick Harper: padding at TLS layer needed
- Unsolicited padding: Inner ClientHello using unencrypted CH extension?
- EKR's idea: standard padding extension, remove requirement for responding, let ECH predicate its use in response
- Resolution: Pause certificate compression until this resolved. Need a TLS non-record layer, mechanism TBD, ensure multiple mechanisms possible
- Issue 263
- Hash included of reconstructed CH. Is that actually useful?
- Weird corner cases with SNI privacy breaking extensions
- Binding of outer to inner prevents it.
- Stronger security property for inner CH than usual.
- More natural examples?
- EKR: we got into trouble, easier to fix by binding outer to inner
- Resolution: close issue, keep spec as-is
- Issue 262
- outer_extensions lossy
- Preserve order which currently doesn't. Proposal for doing this
- Not much feedback. Pushback from Martin Thompson
- Feedback wanted
- EKR: reinvention of original design
- EKR: how is performance; what is compressed?
- Ben Schwartz: does order matter?
- Preshared Key come last
- EKR: not that useful, can negotiate
- Resolution: See what's actually useful
- Issue 297
- Version in ClientEncryptedCH?
- Breaking backwards compat in future versions
- But config is signaled. So first two fields ossified: can we live with that?
- Also have codepoints for extensions
- Resolution: We can use a different codepoint
Next meeting in a week or two.
Recording
TLS ECH Interim 01-20200903 1700-1
https://ietf.webex.com/recordingservice/sites/ietf/recording/playback/7a102a74107e404c9c357e4283aec4c3