Hi Stephen,

We're glad you drew this important point to our attention, but it appears
to be needed for draft-ietf-dprive-dns-over-tls rather than this draft. In
this draft we don't touch on the privacy/TLS motivation for TCP at all,
leaving all that for the dprive draft.

The dprive draft has just completed WGLC. Some of us are authors on both
drafts and we'll propose text on TFO privacy leakage risks to dprive and
our dprive AD and you.

Thanks,

Allison

On Jan 6, 2016 7:09 PM, "Stephen Farrell" <stephen.farr...@cs.tcd.ie> wrote:

> Stephen Farrell has entered the following ballot position for
> draft-ietf-dnsop-5966bis-05: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
> for more information about IESG DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-5966bis/
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
>
> Don't we need text warning that TFO is likely problematic
> with DNS privacy and that attacks that try to prepend
> information (via TFO) to otherwise secured sessions could
> occur? While that might sound a bit far-fetched we have
> seen exactly that kind of issue with HTTPS that had
> practical impact on Webdav. (The TLS renego and then
> triple handshake attacks.) So while using TFO may not
> enable a slam-dunk CVE level 10 attack, I think you do
> need to consider and talk about it. (Or maybe you did and
> figured out no attack can work, but then I'd guess you'd
> be so happy, you'd say that too:-)
>
> I'm not sure how this'd best be resolved, but one thing
> might be to talk to the folks thinking about TCPINC as
> they have at least hit this as a potential issue for
> tcpcrypt and for tcp-use-tls.
>
> Otherwise, this is a fine document on which I'll ballot
> yes when the above is sorted.
>
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
>