Hiya,
On 12/03/2024 01:25, Rob Sayre wrote:
> The one that got to me was: "It SHOULD place the value of ECHConfig.contents.public_name in the "server_name" extension. Clients that do not follow this step, or place a different value in the "server_name" extension, risk breaking the retry mechanism described in Section 6.1.6 or failing to interoperate with servers that require this step to be done; see Section 7.1."
>
> So, that seemed like it might be a problem for the previous analysis.
I guess that's a reasonable question to ask, though I'd be surprised if that case were represented in the analyses. If asked (and who'd ask me:-), I'd probably argue that it doesn't affect the security properties of ECH though, as a server could always have been presented with an outer CH that has some random SNI value, so I'd guess that change ought not affect the security properties of ECH. Clients that follow the SHOULD get the same as before, as do those that don't, and servers should in any case have been able to handle unexpected values in inputs. Hopefully, some of the people who did the analyses will chime in on the WGLC though, it'd be good if they had the time to do that.

Cheers,
S.
> thanks,
> Rob
>
> On Mon, Mar 11, 2024 at 6:12 PM Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
>> On 12/03/2024 00:49, Rob Sayre wrote:
>>> On Mon, Mar 11, 2024 at 5:21 PM Christopher Patton <cpat...@cloudflare.com> wrote:
>>>> I don't believe there were any changes from draft 13 to 18 that would invalidate security analysis for draft 13:
>>>> https://author-tools.ietf.org/iddiff?url1=draft-ietf-tls-esni-13&url2=draft-ietf-tls-esni-18&difftype=--html
>>>
>>> Hmm. It does look like there are few substantial changes in that diff that might be worth re-checking, but I'm not trying to delay things with nitpicking. If others feel the analysis of -13 is enough, then let's go.
>>
>> Not quite answering the question, but I don't recall any code changes affecting the crypto plumbing or interop since -13.
>>
>> Cheers,
>> S.
>>
>>> thanks,
>>> Rob
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls