On 19/07/2021 15:16, Salz, Rich wrote:
> I support publication.

I don't, though I may be in the rough.

We did discuss this a bit earlier but from my POV this
adds a new vector for cross-domain tracking and we ought
to be removing those, not adding them.

I don't find the reference to [FETCH] explains how that
problem can be mitigated by browsers. (IIRC, adding that
was the result of earlier discussion of this point?)

I have no idea if anything similar might protect mail user
agents when processing mailbug URLs, nor other applications
using TLS.

To give a small sense of scale, in scans I did a few
years back [1], one wild-card certificate [2] was visible
at almost 2000 addresses in a range of different countries.
That appeared to be part of some multi-product marketing
campaign. (The names seen associated with the wildcard cert
were of the form "<product>.campaign.<marketing-company>"
and the wildcard was for "*.campaign.<marketing-company>".)
Another certificate (sorry had a quick look but didn't find
the specific ref) for parked domains had 1500 SANs.
I think both of those are indicators that this mechanism
could be used at scale for tracking.

Cheers,
S.

[1] https://eprint.iacr.org/2018/299
[2] https://crt.sh/?id=242683192


https://datatracker.ietf.org/doc/draft-ietf-tls-cross-sni-resumption/
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
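The tracking concern raised in the message above, modelled as an added example (this is not code from the original post, from the draft, or from any browser; all hostnames, the wildcard SAN and the "top-level site" partitioning policy are constructed for illustration, the latter standing in for the kind of keying [FETCH] describes): one server holding a wildcard certificate issues session tickets, a client resumes to a different hostname covered by the same certificate, and the server links the two visits through the shared ticket. The same model shows what happens when the client's ticket cache is additionally keyed by the top-level site the user is visiting.

```python
import secrets
from collections import defaultdict

# Constructed wildcard SAN, in the shape of the "*.campaign.<marketing-company>"
# certificate mentioned in the post. Not a real name.
WILDCARD_SANS = ["*.campaign.marketing.example"]


def san_covers(sans, host):
    """Return True if any SAN matches host. A leading '*' matches exactly one label."""
    for san in sans:
        if san.startswith("*."):
            suffix = san[1:]  # ".campaign.marketing.example"
            if host.endswith(suffix) and "." not in host[: -len(suffix)]:
                return True
        elif san == host:
            return True
    return False


class TrackingServer:
    """One TLS server behind many hostnames. It hands out session tickets and
    records every SNI a ticket is later presented with: that record is the
    cross-domain link."""

    def __init__(self, sans):
        self.sans = sans
        self.seen = defaultdict(list)  # ticket -> [sni, sni, ...]

    def handshake(self, sni, ticket=None):
        """Full handshake (fresh ticket) or resumption (known ticket, any covered SNI)."""
        if not san_covers(self.sans, sni):
            raise ValueError(f"{sni} is not covered by this certificate")
        if ticket in self.seen:  # accepted regardless of which SNI issued it
            self.seen[ticket].append(sni)
            return ticket, True
        ticket = secrets.token_hex(8)
        self.seen[ticket].append(sni)
        return ticket, False

    def linked_hosts(self):
        """Sets of distinct hostnames the server can tie to one client via one ticket."""
        return [set(hosts) for hosts in self.seen.values() if len(set(hosts)) > 1]


class Client:
    """Client-side ticket cache. With partition_by_site=False any cached ticket
    whose certificate covers the target host is reused (cross-SNI resumption).
    With partition_by_site=True the cache is also keyed by the top-level site
    the user is on, so tickets never cross that boundary (assumed policy)."""

    def __init__(self, partition_by_site):
        self.partition = partition_by_site
        self.cache = {}  # (site-or-None, host) -> (ticket, sans of issuing server)

    def fetch(self, top_level_site, host, server):
        """Connect to host while the user is on top_level_site; return True if resumed."""
        for (site, _), (ticket, sans) in self.cache.items():
            if self.partition and site != top_level_site:
                continue
            if san_covers(sans, host):
                _, resumed = server.handshake(host, ticket)
                return resumed
        ticket, resumed = server.handshake(host)
        key = (top_level_site if self.partition else None, host)
        self.cache[key] = (ticket, server.sans)
        return resumed


def run_scenario(partition_by_site):
    """Two unrelated sites each embed a different product host of the same
    marketing company. Returns ([resumed?, resumed?], server's linked host sets)."""
    server = TrackingServer(WILDCARD_SANS)
    client = Client(partition_by_site)
    visits = [  # constructed: (top-level site the user visits, embedded third-party host)
        ("news.example", "product-a.campaign.marketing.example"),
        ("shop.example", "product-b.campaign.marketing.example"),
    ]
    resumed = [client.fetch(site, host, server) for site, host in visits]
    return resumed, server.linked_hosts()


if __name__ == "__main__":
    print("unpartitioned cache:", run_scenario(False))
    print("site-partitioned cache:", run_scenario(True))
```

In the unpartitioned run the second connection resumes with the ticket issued to the first hostname, and the server ends up with both product hosts recorded against one ticket, i.e. one client. With the cache partitioned by top-level site the two visits use independent tickets and the server sees nothing to join; note that within a single top-level site cross-SNI resumption still occurs under that policy, which is the intended use.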
