On 3/28/24 04:37, internet-dra...@ietf.org wrote:
Internet-Draft draft-ietf-tls-svcb-ech-01.txt is now available. It is a work item of the Transport Layer Security (TLS) WG of the IETF.

Title: Bootstrapping TLS Encrypted ClientHello with DNS Service Bindings
Authors: Ben Schwartz, Mike Bishop, Erik Nygren
Name: draft-ietf-tls-svcb-ech-01.txt
Pages: 6
Dates: 2024-03-27
Just wondering, do we want to explicitly mention looking up the SVCB record for ECHConfig using "Port Prefix Naming" e.g. with words like MUST? From the SVCB RFC (i.e. RFC 9460), it's mentioned under Section 2.3 that non-standard ports MAY be specified.
However, for something security-related like ECH, I think a client MUST look up the port-prefixed HTTPS record for determining which ECHConfig to use. As an example, for my personal ECH test website[0], different ports advertise different ECHConfigs. Chromium handles this correctly, but Firefox does not, which is considered to be a bug[1]. In my particular example, all ports have the same backend which can find a relevant ECH private key to use, but in some cases this may not be the case, so using the ECHConfig of port 443 (default) on another port could lead to problems.
I'm not sure if we need to explicitly mention it here, but since the draft seems to reiterate some points of both SVCB & ECH, it may be useful.
Regards,
Raghu Saxena

[0] https://rfc5746.mywaifu.best:4443/
[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1860038

P.S. The current draft links to SVCB as "https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-svcb-https-12", but since it is now standardized as RFC 9460, I guess it should be updated.
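The port-prefix point raised in the message above, as an added example that is not part of the original mail or of the draft: a small Python client-side helper that derives the HTTPS-record QNAME for an https origin on a given port per RFC 9460 Section 2.3 (port 443 maps to the bare host, any other port to `_<port>._https.<host>`), takes the `ech` SvcParam only from the record for that exact port, and validates the ECHConfigList framing before handing it on. The zone data is constructed (`example.com`, dummy ECHConfig contents); the function and helper names are assumptions of this example.

```python
import base64

def https_rr_qname(host, port=443):
    """QNAME for the HTTPS record of https://host:port.

    Per RFC 9460 Section 2.3 / 9.1: the default port (443) uses the origin
    host itself; any other port is queried under the _<port>._https prefix.
    A record found under a different port's name is never reused.
    """
    host = host.rstrip(".")
    if port == 443:
        return host
    return f"_{port}._https.{host}"

def parse_ech_config_list(blob):
    """Split an ECHConfigList (2-byte length, then ECHConfig entries of
    2-byte version + 2-byte length + contents) into (version, contents)
    pairs, refusing anything whose length prefixes do not add up."""
    if len(blob) < 2:
        raise ValueError("truncated ECHConfigList")
    total = int.from_bytes(blob[:2], "big")
    body = blob[2:]
    if len(body) != total:
        raise ValueError("ECHConfigList length prefix does not match payload")
    configs, off = [], 0
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated ECHConfig header")
        version = int.from_bytes(body[off:off + 2], "big")
        length = int.from_bytes(body[off + 2:off + 4], "big")
        contents = body[off + 4:off + 4 + length]
        if len(contents) != length:
            raise ValueError("truncated ECHConfig contents")
        configs.append((version, contents))
        off += 4 + length
    return configs

def build_ech_config_list(configs):
    """Constructed helper used only to fabricate sample zone data."""
    body = b"".join(v.to_bytes(2, "big") + len(c).to_bytes(2, "big") + c
                    for v, c in configs)
    return len(body).to_bytes(2, "big") + body

def _b64(blob):
    return base64.b64encode(blob).decode()

# Constructed zone: the same host advertises a different ECHConfig on 4443
# than on 443, mirroring the test setup described in the mail.
SAMPLE_ZONE = {
    "example.com": {
        "ech": _b64(build_ech_config_list([(0xFE0D, b"config-for-443")]))},
    "_4443._https.example.com": {
        "ech": _b64(build_ech_config_list([(0xFE0D, b"config-for-4443")]))},
}

def select_ech_config_list(zone, host, port=443):
    """Return the validated ECHConfigList bytes for this exact origin, or
    None when the origin's own record carries no ech parameter. There is
    deliberately no fallback to the port-443 record."""
    params = zone.get(https_rr_qname(host, port))
    if params is None or "ech" not in params:
        return None
    blob = base64.b64decode(params["ech"])
    parse_ech_config_list(blob)  # validate framing before use
    return blob

if __name__ == "__main__":
    for port in (443, 4443, 8443):
        blob = select_ech_config_list(SAMPLE_ZONE, "example.com", port)
        print(port, https_rr_qname("example.com", port),
              None if blob is None else parse_ech_config_list(blob))
```

Running the block shows port 443 and 4443 each resolving to their own ECHConfig while 8443, which has no record of its own, yields `None` rather than silently borrowing the port-443 configuration.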
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls