> Issues and Requirements for SNI Encryption in TLS One issue not covered in this document is SNI encryption from CDNs to Origin servers.
For example, if I use ESNI to make a request to Cloudflare, how does Cloudflare then encrypt the SNI to the origin server? It seems like this use case could be covered by allowing the SNI to be sent alongside a client certificate (something many CDNs provide for). I think an extension accompanying a client certificate would be encrypted, but please correct me if I'm mistaken. These CDN<->Origin connections can usually be served over IPv6, so having the SNI in the ClientHello isn't necessarily as important. thanks, Rob On Tue, Oct 8, 2019 at 3:56 AM <internet-dra...@ietf.org> wrote: > > A New Internet-Draft is available from the on-line Internet-Drafts > directories. > This draft is a work item of the Transport Layer Security WG of the IETF. > > Title : Issues and Requirements for SNI Encryption in TLS > Authors : Christian Huitema > Eric Rescorla > Filename : draft-ietf-tls-sni-encryption-08.txt > Pages : 14 > Date : 2019-10-07 > > Abstract: > This draft describes the general problem of encrypting the Server > Name Identification (SNI) TLS parameter. The proposed solutions hide > a Hidden Service behind a fronting service, only disclosing the SNI > of the fronting service to external observers. The draft lists known > attacks against SNI encryption, discusses the current "co-tenancy > fronting" solution, and presents requirements for future TLS layer > solutions. > > In practice, it may well be that no solution can meet every > requirement, and that practical solutions will have to make some > compromises. > > > The IETF datatracker status page for this draft is: > https://datatracker.ietf.org/doc/draft-ietf-tls-sni-encryption/ > > There are also htmlized versions available at: > https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-08 > https://datatracker.ietf.org/doc/html/draft-ietf-tls-sni-encryption-08 > > A diff from the previous version is available at: > https://www.ietf.org/rfcdiff?url2=draft-ietf-tls-sni-encryption-08 > > > Please note that it may take a couple of minutes from the time of > submission > until the htmlized version and diff are available at tools.ietf.org. > > Internet-Drafts are also available by anonymous FTP at: > ftp://ftp.ietf.org/internet-drafts/ > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
