On Fri, Oct 11, 2019 at 11:03 PM Salz, Rich <rs...@akamai.com> wrote:

> > The SNI and the host header often have to match (or at least have a
> > known mapping), because the origin server might want to prevent domain
> > fronting.
>
> More likely the CDN.  Amazon and Google used to do this but stopped
> (https://www.theverge.com/2018/4/30/17304782/amazon-domain-fronting-google-discontinued).
> I don’t see how the origin is involved.
>
> > My goal is to keep the SNI encrypted on the wire from CDN to Origin (I
> > understand that the SNI is visible to the CDN).
>
> Use DNS entries for the origin, then ESNI works.  If you follow your “IPv6
> uniquely identifies the origin” assumption, then ESNI is pointless.
>

Hello,

I would like to reiterate the use case:

How does a request of the form "username.example.com" get through a CDN to
an Origin while leaving the SNI encrypted on the wire?

It sounds like you're saying the domain name should change from the CDN to
the Origin, but that doesn't seem like something that's automatically
supported or interoperable.

I also disagree with the argument that ESNI is pointless when “IPv6
uniquely identifies the origin”.

thanks,
Rob
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
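The check the thread is arguing about, "SNI and Host header must match, or domain fronting is possible", as an added example that is not part of the original thread or of any CDN's code. It builds a minimal TLS 1.2-style ClientHello with a server_name extension (RFC 6066 layout), extracts the SNI from it, and compares it with the Host header of the HTTP request carried inside that connection. The ClientHello bytes, the host names and the strict policy for a missing SNI are all constructed assumptions for illustration.

```python
"""Detect a domain-fronting mismatch between the TLS SNI and the HTTP Host header.

Added example (not from the thread or any CDN): a constructed ClientHello,
a server_name extension parser, and a Host-vs-SNI comparison.
"""
import struct
from typing import Optional


def build_client_hello(sni: str) -> bytes:
    """Constructed ClientHello record carrying exactly one host_name SNI entry.
    Only the fields that extract_sni() has to walk past are populated."""
    name = sni.encode("ascii")
    # ServerNameList entry: name_type=0 (host_name), 2-byte length, name bytes
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"                               # client_version TLS 1.2
        + bytes(32)                               # random (zeros; constructed sample)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the lower-cased host_name from the server_name extension,
    or None when the ClientHello carries no SNI. Raises ValueError on a
    truncated or malformed record rather than guessing."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                              # version + random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    if pos == len(body):
        return None                                           # no extensions at all
    if pos + 2 > len(body):
        raise ValueError("truncated extensions length")
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("truncated extensions")
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + ext_size > end:
            raise ValueError("truncated extension")
        ext = body[pos:pos + ext_size]
        pos += ext_size
        if ext_type != 0x0000:
            continue
        if len(ext) < 2:
            raise ValueError("malformed server_name extension")
        list_len = struct.unpack("!H", ext[0:2])[0]
        entries = ext[2:2 + list_len]
        i = 0
        while i + 3 <= len(entries):
            name_type = entries[i]
            name_len = struct.unpack("!H", entries[i + 1:i + 3])[0]
            name = entries[i + 3:i + 3 + name_len]
            if len(name) != name_len:
                raise ValueError("truncated server_name")
            if name_type == 0:
                return name.decode("ascii").lower()
            i += 3 + name_len
    return None


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and drop an optional :port (IPv6 literals keep their brackets)."""
    host = host_header.strip().lower()
    if host.startswith("["):
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def is_domain_fronted(record: bytes, host_header: str) -> bool:
    """True when the HTTP Host header names a different host than the TLS SNI.
    Policy assumption for this example: a ClientHello with no SNI cannot be
    checked against Host, so it is flagged as well."""
    sni = extract_sni(record)
    if sni is None:
        return True
    return normalize_host(host_header) != sni
```

The parser is strict on purpose: a CDN that enforces the match has to reject truncated or malformed ClientHellos rather than fall through to "no SNI, allow". Note that this check is exactly what ESNI/ECH would hide from a middlebox between CDN and origin; whichever hop terminates TLS still sees the cleartext SNI and can run it.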