I've updated PR#16 to reframe this paragraph as a statement of fact: https://github.com/tlswg/draft-ietf-tls-svcb-ech/pull/16/files
It seems strange to me to describe a vulnerability without explaining how to mitigate it, but I'm willing to move forward if this is all we have consensus for.

--Ben

________________________________
From: Eric Rescorla <[email protected]>
Sent: Friday, October 4, 2024 8:07 AM
To: Salz, Rich <[email protected]>
Cc: Arnaud Taddei <[email protected]>; Ben Schwartz <[email protected]>; Paul Vixie <[email protected]>; Paul Wouters <[email protected]>; [email protected] <[email protected]>; [email protected] <[email protected]>; [email protected] WG <[email protected]>
Subject: Re: [DNSOP] Re: [TLS] Re: Re: Re: AD review draft-ietf-tls-svcb-ech

I don't really think it's helpful to re-litigate the broader topic of the merits of ECH; nothing we say in security considerations will make a material difference there. With that said, I don't love the last sentence, as we know users don't really choose their resolvers. How about simply stating the facts:

"This specification does not effectively conceal the target domain name from an untrusted resolver."

-Ekr

On Thu, Oct 3, 2024 at 9:41 AM Salz, Rich <[email protected]> wrote:

I do not think this conflict of views can be resolved. The draft is intended to show how ECH should be used to preserve its security guarantees, and there are groups in the DNS community who say this prevents their normal course of operation and providing the features that they provide. I apologize in advance if anyone finds my wording clumsy or, worse, offensive. I was trying to use neutral words throughout.

I think we just acknowledge that in the security considerations and declare the issue closed.
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
