Document: draft-camwinget-tls-use-cases-05.txt

I have some technical comments on the current draft.


S 2.2.1.
   Note that even _if_ the SNI is provided by the client, there is no
   guarantee that the actual server responding is the one indicated in
   the SNI from the client.  SNI alone, without comparison of the server
   certificate, does not provide reliable information about the server
   that the client attempts to reach.  Where a client has been
   compromised by malware and connects to a command and control server,
   but presents an innocuous SNI to bypass protective filters, it is
   undetectable under TLS 1.3.

This actually applies to TLS 1.2 as well, because nothing requires
that a nonconformant client use the key supplied in the server certificate
(for instance, it might just encrypt with a fixed key or tunnel
a key exchange in the TLS handshake somehow). This cannot be detected
by a passive observer.


S 2.2.2.
I don't understand the point of this section. TLS 1.3 resumption PSK
and TLS 1.2 resumption (with tickets, for instance) are largely
isomorphic. In both cases, the client can decline resumption, but that
is true in 1.2 as well (though there's no formal way to do it in 1.2).
As a practical matter, there's no real chance that a standard client
will not let you fall back to a full handshake.

In earlier versions of this document, it didn't recognize this point
and so this section (while misleading) made some sense, but at this
point I would just remove it.


S 2.2.3.
I don't get what this section is trying to say. Previous TLS versions
included anti-downgrade mechanisms, so you could never silently
downgrade versions. The TLS 1.3 anti-downgrade mechanisms are
designed to be stronger than TLS 1.2, but they don't fundamentally
change this situation.


S 2.2.4.
Yes, ESNI causes you problems, but if you are a selective MITM proxy,
you should just disable ESNI on clients using the same mechanisms
that you use to add your own trust anchor.


-Ekr








On Sun, Jul 21, 2019 at 6:51 AM Nancy Cam-Winget (ncamwing) <
ncamw...@cisco.com> wrote:

> Hi,
>
> Thanks to all the feedback provided, we have updated the
> https://tools.ietf.org/html/draft-camwinget-tls-use-cases-04
>
> draft.  At this point, we believe the draft is stable and would like to
> request its publication as an informational draft.
>
>
>
> Warm regards,
>
>     Nancy
>
>
>
>
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
>