Hi folks, We[*] wrote up some proposed changes for draft-ietf-tls-esni that we'd like the group's thoughts on. The goal is to make ESNI more robust and eliminate a bunch of deployment risks. The PRs are linked below:
https://github.com/tlswg/draft-ietf-tls-esni/pull/124 https://github.com/tlswg/draft-ietf-tls-esni/pull/125 The first tries to make ESNI more robust. It introduces the notion of a "public name" which gives the client an authenticated signal to retry with new keys or without ESNI at all. This mitigates DNS/server mismatches (a concern on each key rotation), and partial rollouts or rollbacks (a concern when first enabling it, plus some scenarios with TLS-terminating middleboxes). The second recommends clients to send GREASE ESNI extensions when they do not have cached ESNIKeys available. This better meets the "Do not stick out" goal. The server behavior in the first PR gives us this for free. Details are in the PRs. (The two PRs were originally written up together. I split them in two based on some feedback, but since they touch the same text, the GREASE PR includes the robustness PR. If the WG wishes to go with one but not the other, the text and details can be adjusted accordingly.) Thoughts? David [*] Steven and I wrote the text itself, with input from Adam, Ben, and Brad, all CC'd.
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
