One of the original motivating requirements for ECHO (then ESNI) was "do not stick out" [1]. This complicates the current ECHO design, as clients must trial decrypt the first encrypted handshake message to determine whether a server used the inner or outer ClientHello for a given connection. It's also trivial to probe for ECHO support, e.g., by sending a bogus ECHO with the same key ID used in a target client connection and checking what comes back.

I propose we remove this requirement and add an explicit signal in SH that says whether or not ECHO was negotiated. (This will require us to revisit GREASE.)

What do others think?

Thanks,
Chris (no hat)

[1] https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-09#section-3.4
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls