On 5/10/2017 12:04 PM, Viktor Dukhovni wrote:
>> On May 10, 2017, at 2:47 PM, Hubert Kario <hka...@redhat.com> wrote:
>>
>> But in general, I wonder if we didn't approach the SNI from the wrong side - 
>> as I said, we may not need to encrypt it, we just make sure that client and 
>> server agree on the virtual host the connection is going to.
> They can do that with a name in the clear.  If the name is to be hidden
> from passive observers, then you do need encryption so that only the
> client and server, and not the passive observers, can recover the name.
>
> Encryption means key agreement, and requires delaying SNI by a round-trip,
> or having published DH shares in DNS, which of course also needs privacy
> protection for SNI encryption to matter.
>
> I do believe this was discussed at some length previously.
It certainly was. But then the clear text SNI is a gaping privacy hole
in TLS, the kind of issue that should keep us awake at night until it is
resolved. We need to make sure that we make progress, rather than rehash
the old arguments. Maybe we should invest some time and document the
various proposals in a draft. I am willing to work on that. Any other
volunteers?

-- Christian Huitema

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
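Added example (my own illustration, not code from this thread, from OpenSSL/NSS, or from any IETF draft): the "published DH share in DNS" option from Viktor's reply, sketched in Python with only the standard library. Assumptions, all mine: the 1024-bit MODP group from RFC 2409 (group 2) stands in for a real KEM, an HMAC-SHA256 keystream with an HMAC tag (encrypt-then-MAC) stands in for an AEAD because the stdlib has no AES-GCM, and the names ServerKeys, client_encrypt_sni, server_decrypt_sni and observer_view are invented for the demo.

```python
# Added illustration of "encrypted SNI via a DH share published in DNS".
# Demo choices (not recommendations): RFC 2409 group 2 instead of an EC KEM,
# HMAC-based keystream + HMAC tag instead of a real AEAD.
import hashlib
import hmac
import secrets

P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
SHARE_LEN = 128  # bytes in one 1024-bit group element


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand with SHA-256 (enough for a demo)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _share_bytes(x: int) -> bytes:
    return x.to_bytes(SHARE_LEN, "big")


class ServerKeys:
    """The origin's long-lived DH key pair; only the public half is published."""

    def __init__(self) -> None:
        self.priv = secrets.randbelow(P - 3) + 2      # 2 <= x <= P-2
        self.pub = pow(G, self.priv, P)

    def dns_record(self) -> bytes:
        """What the operator publishes in DNS: the public DH share."""
        return _share_bytes(self.pub)


def _derive_keys(shared: int, client_share: bytes, server_share: bytes):
    # Bind the keys to both shares so they are specific to this pairing.
    okm = hkdf_sha256(_share_bytes(shared), client_share + server_share, b"sni-demo", 64)
    return okm[:32], okm[32:]                          # (encryption key, MAC key)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    # Fresh key per connection (ephemeral client share), so the stream is never reused.
    stream = hkdf_sha256(key, b"", b"stream", len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def client_encrypt_sni(dns_record: bytes, hostname: str) -> dict:
    """Client side: ephemeral share plus encrypted name, all in the first flight."""
    server_pub = int.from_bytes(dns_record, "big")
    if not 1 < server_pub < P - 1:                     # reject trivial subgroup elements
        raise ValueError("bad published share")
    y = secrets.randbelow(P - 3) + 2
    client_share = _share_bytes(pow(G, y, P))
    shared = pow(server_pub, y, P)
    k_enc, k_mac = _derive_keys(shared, client_share, dns_record)
    ct = _xor_stream(k_enc, hostname.encode())
    tag = hmac.new(k_mac, client_share + ct, hashlib.sha256).digest()
    return {"client_share": client_share, "ciphertext": ct, "tag": tag}


def server_decrypt_sni(server: ServerKeys, msg: dict):
    """Server side: recover the name, or None if the record was tampered with
    or was encrypted to some other operator's published share."""
    client_pub = int.from_bytes(msg["client_share"], "big")
    if not 1 < client_pub < P - 1:
        return None
    shared = pow(client_pub, server.priv, P)
    k_enc, k_mac = _derive_keys(shared, msg["client_share"], server.dns_record())
    expected = hmac.new(k_mac, msg["client_share"] + msg["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None
    return _xor_stream(k_enc, msg["ciphertext"]).decode(errors="replace")


def observer_view(msg: dict) -> bytes:
    """Everything a passive observer sees on the wire: two opaque values and a tag."""
    return msg["client_share"] + msg["ciphertext"] + msg["tag"]


if __name__ == "__main__":
    origin = ServerKeys()
    record = origin.dns_record()                       # fetched by the client beforehand
    hello = client_encrypt_sni(record, "secret.example")
    assert b"secret.example" not in observer_view(hello)
    print("server recovered:", server_decrypt_sni(origin, hello))
```

The point to notice is the flight count: because the server's share was published ahead of time, the client encrypts the name in its very first message and the server recovers it before it has to pick a certificate, with no added round trip. The two caveats from the thread still apply to this sketch: the lookup that fetched the share has to be private itself (DoH/DoT), or the observer simply reads the name from the DNS query; and the ciphertext length here leaks the length of the name, so a real design pads it.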
