# TLS Virtual Interim September 2020

September 3, 2020 - 17:00 - 18:00 UTC

## Agenda

ECH Issues - https://github.com/tlswg/draft-ietf-tls-esni/issues

## Attendance:

1. Joe Salowey, Salesforce
2. Tim Wicinski, N/A
3. Chris Wood, Cloudflare
4. Chris Patton, Cloudflare
5. Watson Ladd, Cloudflare
6. Jonathan Hammell, Canadian Centre for Cyber Security
7. Russ Housley, Vigil Security
8. Ben Schwartz, Google
9. Marco Tiloca, RISE
10. Ben Kaduk, Akamai
11. Paul Wouters, Red Hat
12. Rich Salz, Akamai
13. Eric Rescorla, Mozilla
14. Dan McArdle, Google
15. Lucas Pardue, Cloudflare
16. Andrew Campling, 419 Consulting
17. Tommy Pauly, Apple
18. Barbara Stark, AT&T
19. Chris Box, BT
20. Nick Harper, Google
22. Marten Seemann, Protocol Labs
23. Vittorio Bertola, Open-Xchange
24. Nick Lamb, Unaffiliated
25. Sean Turner, sn3rd
26. Jonathan Hoyland, Cloudflare
27. Carrick Bartle, Apple
28. Christian Huitema, Private Octopus Inc.

## Meeting Minutes

1. Trying cameras on (ends up some need to be turned off to preserve audio)
1. Note Well
1. First issue: 274
    1. Trial decryption complicates QUIC
    2. Multiple options: 1, 2, 3, 3' ...
    3. Most momentum is PR #287, reuse SH random bytes
    4. #287 will be worked on through comments on it
    5. Resolution: merge it after spellcheck
    6. Christian: Question about replay attack
1. Issue 253
    1. ECH_Nonce rationale
    2. Carryover from ESNI.
    3. May be redundant, remove?
    4. Does need to remain secret
    5. Server leakage? Discussions with Karthik about removal
    6. PR 292 removes the Nonce
    7. Concerns with session tickets
    9. Resolution: remove the nonce, new requirements on Client Random
1. Issue 264
    1. Padding at record layer problematic for QUIC
    2. Do it with extensions?
    3. New Handshake message for padding. Record layer will drop on floor like CCS
    4. EKR: Why not in EE? Handshake message boundaries not visible on the wire
    5. Nick Harper: padding at TLS layer needed
    6. Unsolicited padding: Inner ClientHello using unencrypted CH extension?
    7. EKR's idea: standard padding extension, remove requirement for responding, let ECH predicate its use in response
    8. Resolution: Pause certificate compression until this resolved. Need a TLS non-record layer, mechanism TBD, ensure multiple mechanisms possible
1. Issue 263
    1. Hash included of reconstructed CH. Is that actually useful?
    2. Weird corner cases with SNI privacy breaking extensions
    3. Binding of outer to inner prevents it.
    4. Stronger security property for inner CH than usual.
    5. More natural examples?
    6. EKR: we got into trouble, easier to fix by binding outer to inner
    7. Resolution: close issue, keep spec as-is
1. Issue 262
    1. outer_extensions lossy
    2. Preserve order which currently doesn't. Proposal for doing this
    3. Not much feedback. Pushback from Martin Thompson
    4. Feedback wanted
    5. EKR: reinvention of original design
    6. EKR: how is performance; what is compressed?
    7. Ben Schwartz: does order matter?
    8. Preshared Key come last
    9. EKR: not that useful, can negotiate
    10. Resolution: See what's actually useful
1. Issue 297
    1. Version in ClientEncryptedCH?
    2. Breaking backwards compat in future versions
    3. But config is signaled. So first two fields ossified: can we live with that?
    4. Also have codepoints for extensions
    5. Resolution: We can use a different codepoint

Next meeting in a week or two.

## Recording

TLS ECH Interim 01-20200903 1700-1

https://ietf.webex.com/recordingservice/sites/ietf/recording/playback/7a102a74107e404c9c357e4283aec4c3