* How does a request of the form "username.example.com" get through a CDN to an Origin while leaving the SNI encrypted on the wire?
The CDN needs to see the decrypted SNI. If the CDN and origin share the ESNI keys, the CDN can just pass the original ESNI value along. If the CDN and origin do not share ESNI keys, then the CDN will have to re-encrypt. If that is an issue, you haven’t explained why, or I missed it.

* It sounds like you're saying the domain name should change from the CDN to the Origin, but that doesn't seem like something that's automatically supported or interoperable.

I guess it depends on the CDN. I said that’s how my employer works, you said CloudFlare doesn’t work that way, and I didn’t quite understand what Watson said. :)

* I also disagree with the argument that ESNI is pointless when “IPv6 uniquely identifies the origin”.

Can you explain why?
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls