On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> Hi folks,
>
> We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd like
> the group's thoughts on. The goal is to make ESNI more robust and eliminate
> a bunch of deployment risks. The PRs are linked below:
>
>
Hi,
first let me introduce my problem.
We take a small mail server, in this case exim, and enable TLS with an
OCSP Must-Staple certificate. We add the status_request
as described in RFC 6066 and everything works fine for all clients
connecting to that server and sending mail.
Now we turn to
Does the server claim to support must-staple?
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
I'd like to propose a solution to the ESNI + Multi-CDN problem (which has
been discussed a lot on this list already). My suggestion is that we
define the ESNI DNS record format as optionally including "stapled" A/
records.
Server operators would have the option to publish an ESNI record that
On Fri, Dec 14, 2018 at 08:53:47PM -0600, Nico Williams wrote:
> Figure 1: Alternative ESNI w/o active protection
Figure 1 was expositional. Please forget it.
> Figure 2: Alternative ESNI w/ active protection
> Figure 3: Alternative ESNI w/ active
Just a clarifying question inline
On Sun, Dec 16, 2018 at 3:30 PM Eric Rescorla wrote:
>
>
> On Sun, Dec 16, 2018 at 11:45 AM Paul Wouters wrote:
>
>> On Fri, 14 Dec 2018, Eric Rescorla wrote:
>>
>> > However, in a large number of cases (e.g., an attacker on your local
>> network,
>> > there
On Tue, Dec 18, 2018 at 1:27 AM Viktor Dukhovni
wrote:
> On Tue, Dec 18, 2018 at 12:45:22AM -0600, David Benjamin wrote:
>
> > An earlier iteration even placed the retry on the same connection, which
> > makes the analog clearer. (Doing it in the same connection is rather a
> > mess, so we
On Tue, Dec 18, 2018 at 02:27:10PM -0600, David Benjamin wrote:
> On Tue, Dec 18, 2018 at 3:00 AM Ilari Liusvaara
> wrote:
>
> > On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> > > Hi folks,
> > >
> > > We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd
> >
On Tue, Dec 18, 2018 at 12:29:56PM -0500, Ben Schwartz wrote:
> I'd like to propose a solution to the ESNI + Multi-CDN problem (which has
> been discussed a lot on this list already). My suggestion is that we
> define the ESNI DNS record format as optionally including "stapled" A/
> records.
On Tue, Dec 18, 2018 at 4:14 PM Ilari Liusvaara
wrote:
> On Tue, Dec 18, 2018 at 12:29:56PM -0500, Ben Schwartz wrote:
> > I'd like to propose a solution to the ESNI + Multi-CDN problem (which has
> > been discussed a lot on this list already). My suggestion is that we
> > define the ESNI DNS
On Tue, Dec 18, 2018 at 3:06 PM Ilari Liusvaara
wrote:
> On Tue, Dec 18, 2018 at 02:27:10PM -0600, David Benjamin wrote:
> > On Tue, Dec 18, 2018 at 3:00 AM Ilari Liusvaara <
> ilariliusva...@welho.com>
> > wrote:
> >
> > > On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> > > >
(Hit send too early)
On Tue, Dec 18, 2018 at 3:32 PM David Benjamin
wrote:
> On Tue, Dec 18, 2018 at 3:06 PM Ilari Liusvaara
> wrote:
>
>> On Tue, Dec 18, 2018 at 02:27:10PM -0600, David Benjamin wrote:
>> > On Tue, Dec 18, 2018 at 3:00 AM Ilari Liusvaara <
>> ilariliusva...@welho.com>
>> >
On Tue, Dec 18, 2018 at 03:01:07PM -0600, David Benjamin wrote:
> On Tue, Dec 18, 2018 at 1:27 AM Viktor Dukhovni
> wrote:
>
> > Also connection re-establishment has considerable cost, additional
> > TCP roundtrips on top of the extra TLS roundtrips.
> >
>
> Agreed. The other cost is that it
On Tue, Dec 18, 2018 at 10:54 AM Kathleen Moriarty <
kathleen.moriarty.i...@gmail.com> wrote:
> Just a clarifying question inline
> On Sun, Dec 16, 2018 at 3:30 PM Eric Rescorla wrote:
>
>>
>>
>> On Sun, Dec 16, 2018 at 11:45 AM Paul Wouters wrote:
>>
>>> On Fri, 14 Dec 2018, Eric Rescorla
> On Dec 18, 2018, at 4:48 PM, Eric Rescorla wrote:
>
> To my knowledge, no generic browser client does DNSSEC validation, for the
> reason that when people have looked at it it created unacceptable failure
> rates.
Agreed. That's a pretty safe bet. The last-mile problem is still with us
On Tue, Dec 18, 2018 at 3:00 AM Ilari Liusvaara
wrote:
> On Mon, Dec 17, 2018 at 05:17:37PM -0600, David Benjamin wrote:
> > Hi folks,
> >
> > We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd
> like
> > the group's thoughts on. The goal is to make ESNI more robust and
>
* I'd like to propose a solution to the ESNI + Multi-CDN problem (which has
been discussed a lot on this list already). My suggestion is that we define
the ESNI DNS record format as optionally including "stapled" A/ records.
As in a multiple response? That might be interesting, but it
On Tue, Dec 18, 2018 at 2:56 PM Salz, Rich wrote:
>
>- I'd like to propose a solution to the ESNI + Multi-CDN problem
>(which has been discussed a lot on this list already). My suggestion is
>that we define the ESNI DNS record format as optionally including "stapled"
>A/
> The "exim" server claims to support stapling (for incoming connections)
Yes, which isn't what I asked.
> The Must-Staple belongs to the certificate which was requested
> including "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05"
> in the CSR.
Does the exim server understand that
On 18.12.18 at 15:57, Salz, Rich wrote:
> Does the server claim to support must-staple?
>
The "exim" server claims to support stapling (for incoming connections)
The Must-Staple belongs to the certificate which was requested
including "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05"
in the CSR.
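The value quoted above, `1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05`, is the OpenSSL config syntax for the TLS Feature extension (RFC 7633): OID 1.3.6.1.5.5.7.1.24 with a DER SEQUENCE containing one INTEGER, 5, the `status_request` extension type from RFC 6066. The following is an added example, not code from the thread or from exim, that decodes such a line and reports whether the resulting certificate demands an OCSP staple. The encoder and the sample lines are constructed for illustration; only the standard library is used.

```python
"""Decode the RFC 7633 TLS Feature ("must-staple") extension value.

Added example for illustration; the OpenSSL-style line format
OID=DER:xx:xx:... and the feature numbers come from RFC 7633 / RFC 6066.
"""
from __future__ import annotations

TLS_FEATURE_OID = "1.3.6.1.5.5.7.1.24"  # id-pe-tlsfeature (RFC 7633)
STATUS_REQUEST = 5                      # TLS status_request (RFC 6066)
STATUS_REQUEST_V2 = 17                  # TLS status_request_v2 (RFC 6961)


def _read_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Parse a DER length field at buf[pos]; return (length, next_pos)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:                    # short form
        return first, pos
    n = first & 0x7F                    # long form: n length octets follow
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def decode_tls_features(der: bytes) -> list[int]:
    """Decode TLSFeatures ::= SEQUENCE OF INTEGER into a list of ints."""
    if not der or der[0] != 0x30:
        raise ValueError("TLSFeatures must be a DER SEQUENCE")
    seq_len, pos = _read_length(der, 1)
    end = pos + seq_len
    if end != len(der):
        raise ValueError("SEQUENCE length does not match value length")
    features: list[int] = []
    while pos < end:
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER inside TLSFeatures")
        int_len, pos = _read_length(der, pos + 1)
        if int_len == 0 or pos + int_len > end:
            raise ValueError("bad INTEGER length")
        features.append(int.from_bytes(der[pos:pos + int_len], "big", signed=True))
        pos += int_len
    return features


def encode_tls_features(features: list[int]) -> bytes:
    """Encode a TLSFeatures value; feature numbers are restricted to 0..127
    so each INTEGER fits in one content octet without a sign pad."""
    if any(f < 0 or f > 127 for f in features):
        raise ValueError("only feature numbers 0..127 are handled here")
    body = b"".join(b"\x02\x01" + bytes([f]) for f in features)
    return b"\x30" + bytes([len(body)]) + body


def parse_openssl_der_line(line: str) -> tuple[str, bytes]:
    """Split an OpenSSL config line 'OID=DER:aa:bb:...' into (oid, bytes)."""
    oid, sep, value = line.partition("=")
    if not sep or not value.startswith("DER:"):
        raise ValueError("expected OID=DER:... syntax")
    return oid.strip(), bytes.fromhex(value[4:].replace(":", ""))


def requires_ocsp_staple(line: str) -> bool:
    """True if the line carries a TLS Feature extension listing status_request,
    i.e. the certificate will require the server to staple an OCSP response."""
    oid, der = parse_openssl_der_line(line)
    if oid != TLS_FEATURE_OID:
        return False
    return STATUS_REQUEST in decode_tls_features(der)


if __name__ == "__main__":
    # Constructed sample: the exact line quoted in the thread.
    line = "1.3.6.1.5.5.7.1.24=DER:30:03:02:01:05"
    print(line, "->", decode_tls_features(parse_openssl_der_line(line)[1]),
          "must-staple:", requires_ocsp_staple(line))
```

The decoder only tells you what the certificate *asks for*; whether the server actually delivers a staple on every handshake is a separate check (for example `openssl s_client -status` against the port, which prints the OCSP response it received, if any). A Must-Staple certificate on a server that sometimes omits the staple is exactly the failure mode the thread is circling around.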