Hiya,

On 28/02/2019 01:41, Eric Rescorla wrote:
> I think you're misunderstanding the scenario here: we have two CDNs A and
> B, and some switching service in front, so that when you look up example.com,
> you get a CNAME to A or B, and then you get the ESNIKeySet

(ESNIKeySet is a type you've just invented I guess?)

> for A or B as
> the case may be. So you're not going to get both ESNIKeys values.

Yes, that's not the model I had in mind. I don't recall that
having been written down but maybe I missed it. (Where should
I look?)

The model I had in mind was where the hidden site has its own
DNS operator but >1 CDN/front-site with each of those having a
private ESNI value. (And if there's some front-end DNS cleverness,
it'd kick in when the CNAME from #137 is being chased down.)

Cheers,
S.

PS: I nonetheless maintain my points about the current ESNIKeys
structure - it's over generic and over complex and these PRs can
only make that worse:-)
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls