Re: [Sks-devel] TLS 1.3 and HKPS pool

2018-03-23 Thread Phil Pennock
On 2018-03-23 at 13:55 +, Daniel Kahn Gillmor wrote:
> Sadly, SNI and ALPN are both still in the clear in the TLS 1.3
> handshake.

Ah, thank you. I hadn't read the draft, but have just read the relevant parts of v26. I don't recall what source I read which led me to believe otherwise,

Re: [Sks-devel] TLS 1.3 and HKPS pool

2018-03-23 Thread Daniel Kahn Gillmor
On Mon 2018-03-19 17:24:07 -0400, Phil Pennock wrote:
> On 2018-03-19 at 22:14 +0100, Kristian Fiskerstrand wrote:
>> On 03/19/2018 10:08 PM, Phil Pennock wrote:
>> > Do we care?
>>
>> I'm tempted to say no..

I also agree that we do not care, and should issue no guidance that encourages servers

Re: [Sks-devel] TLS 1.3 and HKPS pool

2018-03-23 Thread Henry Vindin
On Mon, Mar 19, 2018 at 11:08:13PM +0100, Kristian Fiskerstrand wrote:
> On 03/19/2018 10:40 PM, Hendrik Visage wrote:
> >> Now.. if anyone were to actually disable everything but 1.3, that'd be
> >> exclusion worthy from the pool, but let's do this manually if so.
> >
> > I've not seen any TLS1.2

Re: [Sks-devel] TLS 1.3 and HKPS pool

2018-03-19 Thread Kristian Fiskerstrand
On 03/19/2018 10:40 PM, Hendrik Visage wrote:
>> Now.. if anyone were to actually disable everything but 1.3, that'd be
>> exclusion worthy from the pool, but let's do this manually if so.
>
> I've not seen any TLS1.2 security issues yet (but then I might've missed it
> in the deluge of

Re: [Sks-devel] TLS 1.3 and HKPS pool

2018-03-19 Thread Hendrik Visage
> On 19 Mar 2018, at 23:14, Kristian Fiskerstrand wrote:
>
> On 03/19/2018 10:08 PM, Phil Pennock wrote:
>> Do we care?
>
> I'm tempted to say no..
> Now.. if anyone were to actually disable everything but 1.3, that'd be
> exclusion worthy from

Re: [Sks-devel] TLS 1.3 and HKPS pool

2018-03-19 Thread Phil Pennock
On 2018-03-19 at 22:14 +0100, Kristian Fiskerstrand wrote:
> On 03/19/2018 10:08 PM, Phil Pennock wrote:
> > Do we care?
>
> I'm tempted to say no..

Another point in favor of that: I'd forgotten that TLS1.3 moves certificate exchange to be protected by the session, so encrypted. Thus I suspect

Re: [Sks-devel] TLS 1.3 and HKPS pool

2018-03-19 Thread Kristian Fiskerstrand
On 03/19/2018 10:08 PM, Phil Pennock wrote:
> Do we care?

I'm tempted to say no.. if there is a breakage that needs to be fixed anyhow, and for most users on LTS branches of distros it will take a while for the libraries that use TLS 1.3 to begin with will be distributed. If a client experience

[Sks-devel] TLS 1.3 and HKPS pool

2018-03-19 Thread Phil Pennock
Folks, TLS 1.3 is nearing finalization and has done a bunch of work to try to get through middleboxes, but will probably still cause issues for some small percentage of clients behind corporate firewalls. This will affect servers in pools which offer HKPS on port 443. It might lead to sporadic