On Mon, Jul 19, 2021 at 12:27 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:

> Hiya,
>
> On 19/07/2021 17:17, David Benjamin wrote:
> > I'll add that, in the context of cross-domain tracking on the web, this
> > draft is a red herring. Remember that web pages have subresources. That
> > means looking at the destination domain isn't useful because two different
> > pages can embed a common destination domain. So the same concerns exist
> > with RFC8446 (TLS resumption), RFC7540 (connection-reuse, same- and
> > cross-domain), and RFC7230 (connection reuse). That's why we need a
> > holistic answer like network partition keys from [FETCH], that apply to
> > *all* network state. That answer applies equally to plain resumption and
> > this draft.
>
> That's true but isn't that also the old "adding this
> one new way to track doesn't make it worse because it's
> already horrible"?
>
> My preference is to not add new mechanisms that can
> enable cross-domain tracking as this one does.

No, that's not what I'm saying at all. Read the last sentence again. We need to *both* not add new tracking vectors *and* mitigate the existing ones. Doing either one on its own is not useful. That means if the existing mitigation for the existing vector applies just as well to this new feature, we have not added a new vector. Indeed it applies so well that we were able to add the same text to both this draft and rfc8446bis.

David
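The mitigation the exchange above refers to, modelled as an added example that is not part of the thread and not code from either author or from any browser: a toy resumption-ticket cache that is either keyed by destination alone or by a network partition key. The partition key is simplified here to the top-level site (Fetch's real key carries more), the cache class and function names are assumptions, and the ticket values are constructed stand-ins for TLS NewSessionTicket contents. The same keying rule is what makes it cover HTTP/2 and HTTP/1.1 connection reuse as well; only the session cache is modelled.

```python
"""Toy model of a browser-side TLS session cache with and without a network partition key."""
from dataclasses import dataclass, field
import secrets


@dataclass
class SessionCache:
    """Holds one resumption ticket per cache key.

    partitioned=False keys by destination only, so every page that embeds the
    same destination shares a ticket. partitioned=True keys by
    (top-level site, destination), the simplified partition-key model assumed here.
    """
    partitioned: bool
    _store: dict = field(default_factory=dict)

    def _key(self, top_level_site: str, destination: str) -> tuple:
        return (top_level_site, destination) if self.partitioned else (destination,)

    def connect(self, top_level_site: str, destination: str) -> str:
        """Return the ticket presented to `destination` on this connection.

        A cache hit models resumption; a miss models a full handshake that
        stores a fresh ticket (constructed random value, not a real ticket).
        """
        key = self._key(top_level_site, destination)
        if key not in self._store:
            self._store[key] = secrets.token_hex(8)
        return self._store[key]


def linkable_across_sites(cache: SessionCache, destination: str,
                          site_a: str, site_b: str) -> bool:
    """The destination's view: if the ticket it sees when embedded under site_a
    equals the one it sees under site_b, it can link the two visits to one client."""
    return cache.connect(site_a, destination) == cache.connect(site_b, destination)


def resumes_within_site(cache: SessionCache, destination: str, site: str) -> bool:
    """Partitioning must not break resumption for repeat visits under one site."""
    return cache.connect(site, destination) == cache.connect(site, destination)


def demo() -> dict:
    """Compare both keying policies on constructed sites embedding one common destination."""
    cdn, a, b = "cdn.example", "news.example", "shop.example"
    return {
        "unpartitioned_linkable": linkable_across_sites(SessionCache(partitioned=False), cdn, a, b),
        "partitioned_linkable": linkable_across_sites(SessionCache(partitioned=True), cdn, a, b),
        "partitioned_still_resumes": resumes_within_site(SessionCache(partitioned=True), cdn, a),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the unpartitioned cache reports the two embedding sites as linkable while the partitioned one does not, yet repeat visits under a single site still resume; that is the property the thread relies on when it says the one mitigation covers plain resumption and the new draft alike.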
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls