Another important scenario that is closely related to multi-CDN is how to
safely enable and disable ESNI, as well as how to handle cases where not
all CDNs in a multi-CDN setup have ESNI turned on. As some examples:
* A site is using a CDN that has ESNI enabled. As part of switching off of that
Here's a PR on one way to skin this cat.
https://github.com/ekr/draft-rescorla-tls-esni/pull/104/files
I hope to work this into a PR... my first attempt wasn't very readable, but
I'll try again tomorrow.

-P
I think Mike mentioned the one keying record; I was suggesting multiple keying
records. But perhaps the one key record is a key-wrapping key? Need to think
about that a bit.
___
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
Hey Nick,
On Tue, Oct 23, 2018 at 8:45 PM Nick Sullivan wrote:
> This line of commentary describes one instance of a more general situation
> that is unrelated to the multi-provider case: what happens when you connect
> to a server that doesn't know the ESNI key you're using? This can even
> happen on a single provider due to DNS caching issues, for example.
This line of commentary describes one instance of a more general situation
that is unrelated to the multi-provider case: what happens when you connect
to a server that doesn't know the ESNI key you're using? This can even
happen on a single provider due to DNS caching issues, for example.
The two
Definitely agree this is something that needs to be addressed.
As Mike notes, the fundamental issue is that there are 2 pieces of
information that are statefully related (the key and address) but obtained
statelessly from each other and can therefore come from uncoordinated
sources. 2 CDNs are c
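The "key and address obtained statelessly from each other" point is easier to see in a small simulation. The following is an added example, not code from this thread or from the ESNI draft: it reduces an ESNIKeys record to a public-key blob, replaces the draft's ECDH + AEAD with a toy keyed XOR (anyone holding the record's public-key blob can undo it, since only key selection matters here), and keeps the draft's idea that the client echoes a digest of the record so the server can find the matching key. The CDN names, addresses and key blobs are constructed. It shows the multi-CDN split (ESNI record still from CDN A, A record already pointing at CDN B) and the single-provider variant (the provider rotated its key while the resolver still serves the old record) producing the same "server does not know this key" outcome.

```python
"""Toy model of ESNI keys and addresses being fetched independently."""
import hashlib
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


def _toy_stream_xor(data: bytes, public_key: bytes, nonce: bytes) -> bytes:
    # Toy stand-in for the draft's ECDH + AEAD (assumption, NOT real crypto):
    # whoever holds the record's public-key blob can undo it. Only the key
    # selection failure is being modelled, not confidentiality.
    stream = hashlib.sha256(public_key + nonce).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


@dataclass(frozen=True)
class EsniKeys:
    """Simplified ESNIKeys record: just a public-key blob (assumption)."""
    public_key: bytes

    @property
    def record_digest(self) -> bytes:
        # Modelled on the draft's record_digest: a hash of the published record,
        # echoed by the client so the server can look up the matching key.
        return hashlib.sha256(self.public_key).digest()[:8]


@dataclass
class Cdn:
    name: str
    address: str      # what the A/AAAA record points at
    keys: EsniKeys    # what this CDN currently publishes as its ESNI record

    def handle_client_hello(self, hello: dict) -> Tuple[str, Optional[str]]:
        # The server only holds its own key(s). An unknown digest means the
        # encrypted SNI cannot be recovered at all.
        if hello["record_digest"] != self.keys.record_digest:
            return ("unknown_key", None)
        sni = _toy_stream_xor(hello["ciphertext"], self.keys.public_key, hello["nonce"])
        return ("ok", sni.decode())


@dataclass
class ResolverView:
    """What the client's resolver returns: two records, cached independently."""
    esni: EsniKeys
    address: str


def build_client_hello(keys: EsniKeys, sni: str) -> dict:
    nonce = os.urandom(12)
    return {
        "record_digest": keys.record_digest,
        "nonce": nonce,
        "ciphertext": _toy_stream_xor(sni.encode(), keys.public_key, nonce),
    }


def connect(view: ResolverView, cdns: List[Cdn], sni: str) -> Tuple[str, Optional[str]]:
    # The address record decides which CDN answers; the ESNI record decides
    # whether that CDN can decrypt. Nothing ties the two lookups together.
    server = next(c for c in cdns if c.address == view.address)
    return server.handle_client_hello(build_client_hello(view.esni, sni))


# Constructed sample data: two CDNs fronting the same origin, each with its own key.
CDN_A = Cdn("cdn-a", "192.0.2.10", EsniKeys(b"cdn-a-pubkey-v1"))
CDN_B = Cdn("cdn-b", "198.51.100.20", EsniKeys(b"cdn-b-pubkey-v1"))
CDNS = [CDN_A, CDN_B]


def scenario_consistent() -> Tuple[str, Optional[str]]:
    # Both records came from the same CDN: the SNI is recovered.
    return connect(ResolverView(CDN_A.keys, CDN_A.address), CDNS, "secret.example")


def scenario_multi_cdn_split() -> Tuple[str, Optional[str]]:
    # The A record already points at CDN B, but the cached ESNI record is
    # still CDN A's (different TTLs, different caches). CDN B cannot decrypt.
    return connect(ResolverView(CDN_A.keys, CDN_B.address), CDNS, "secret.example")


def scenario_single_provider_rotation() -> Tuple[str, Optional[str]]:
    # Same failure with one provider: CDN A rotated its key, but the resolver
    # still hands out the old ESNI record.
    old_keys = CDN_A.keys
    rotated = Cdn(CDN_A.name, CDN_A.address, EsniKeys(b"cdn-a-pubkey-v2"))
    return connect(ResolverView(old_keys, rotated.address), [rotated, CDN_B], "secret.example")


if __name__ == "__main__":
    for name in ("scenario_consistent", "scenario_multi_cdn_split",
                 "scenario_single_provider_rotation"):
        print(name, globals()[name]())
```

The two failing scenarios are indistinguishable to the server: in both cases it sees a record_digest it does not hold, which is why the thread treats the multi-CDN split as one instance of the more general stale-key problem.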
I think perhaps we need to take a step back and explain something that might
not be well-known outside the community of CDNs and their customers. It is
not uncommon for (admittedly larger) origins to use multiple CDNs, and to
switch among them. This can be done on a per-request basis, because