On Sat, Dec 15, 2018 at 12:01 PM Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
> > On Dec 15, 2018, at 8:08 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie> wrote:
> >
> > I don't see any point in considering the variant with the easy
> > active attack though;
>
> For the record the easy MiTM attack requires on-path TCP termination,
> only discloses the SNI name, and the full handshake then fails. It
> looks to me like the same happens with the current draft when the
> fronting key_share is not DNSSEC-validated.

As I said in my response to Nico, it depends on the threat model. If your concern is the local network (which is quite common), then DoH addresses the issue.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls