The IESG has approved the following document:
- 'PEM file format for ECH'
  (draft-farrell-tls-pemesni-13.txt) as Proposed Standard

This document has been reviewed in the IETF but is not the product of an IETF Working Group.

The IESG contact person is Paul Wouters.

A URL of this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-farrell-tls-pemesni/

Technical Summary

Encrypted ClientHello (ECH) key pairs need to be configured into TLS servers, that can be built using different TLS libraries, so there is a benefit and little cost in documenting a file format to use for these key pairs, similar to how RFC7468 defines other PEM file formats.

Working Group Summary

This was an AD sponsored draft, but the TLS WG was made aware and had no issues with the document being published.

Document Quality

There are many implementations of this file format, which are listed and updated at https://defo.ie/ , but include:

Produced/consumed by OpenSSL ECH feature branch
– https://github.com/openssl/openssl/tree/feature/ech

Bash script to produce using BoringSSL's `bssl`:
– https://github.com/defo-project/ech-dev-utils/blob/nginx-pr/scripts/bssl2pem.sh

lighttpd: Jan 2025, just OpenSSL, partly done by me, partly by maintainer
– https://github.com/lighttpd/lighttpd1.4/commit/29da0e9861638e21c1cebdc354c68c347eaab0b2 and subsequent PRs

freenginx: Sep 2025, same 3 libraries, implementation by maintainer, not me
– https://freenginx.org/ Part of 1.29.2 release 2025-09-23

apache2 httpd: Sep 2025, just OpenSSL, upstreamed, not released
– https://github.com/apache/httpd/commit/0c9cd095ce9081fd225f0da7787419e80de7c701

haproxy: Oct 2025, just OpenSSL, merged upstream (2025-10-30)
– https://github.com/haproxy/haproxy/issues/1924#issuecomment-3438011449
– https://github.com/haproxy/haproxy/commit/dba4fd248a13fb0f3135619b14e3cf20b6674d10 part of haproxy 3.3-dev11

nginx: PR under discussion, BoringSSL or Op

Personnel

The Document Shepherd for this document is Sean Turner. The Responsible Area Director is Paul Wouters.
