Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-13 Thread 涛叔
Hi, Ben, > On Oct 13, 2022, at 22:35, Ben Schwartz > wrote: > > On Thu, Oct 13, 2022 at 8:58 AM Marwan Fayed > > wrote: > ... >> There are really only two ways to populate the outer-SNI. One way is a >> fixed name that easily identifies the content oper

Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-13 Thread Rob Sayre
On Thu, Oct 13, 2022 at 2:59 PM Christian Huitema wrote: > Of course, competent filters and censors would just switch > to checking IP addresses, but some may not be that competent, and the > number of IP addresses to analyze may end up to be very large. But > mostly, saying nothing feels better

Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-13 Thread Christian Huitema
On 10/13/2022 5:57 AM, Salz, Rich wrote: I am curious why you think they will be left behind. ECH support is coming to open source TLS stacks, and many DNS servers are already able to allow custom RRsets. There is a tension between privacy and concentration. Privacy mechanisms like ECH wo

Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-13 Thread Salz, Rich
TL;DR: I suggest you consider hosting a side meeting at IETF 115 in London. >**Short setup**: There is more attention than ever on Internet operations from non-Internet governance and, in this context, it is possible that ECH presents a greater risk to the Internet than benefit,

Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-13 Thread Stephen Farrell
I agree with what Ben said, but in particular this: On 13/10/2022 15:35, Ben Schwartz wrote: I do think we have a lot to learn about the operational challenges of deploying ECH, but our discussion about that should be driven by technical reports from deployments, not speculation about political

Re: [TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-13 Thread Ben Schwartz
On Thu, Oct 13, 2022 at 8:58 AM Marwan Fayed wrote: ... > There are really only two ways to populate the outer-SNI. One way is a > fixed name that easily identifies the content operator, e.g. > ‘operator-ech.com’. In that case, the number of packets with the fixed > outer SNI is sufficiently extr

[TLS] 115 Proposal - ECH, server-side deploy risks and trade-offs

2022-10-13 Thread Marwan Fayed
Hi WG, First and most importantly the purpose of this post is to ask: (a) If there is appetite to have the following discussion on ECH within tls-wg and, if so, then (b) if a slot might be scheduled at IETF 115 to present some slides to discuss. The questions and concerns below are uniquely or mos