I think we should relax this requirement. It's turning out to be hard enough to design ECHO as-is.
If/when we get ECHO fully designed and widely deployed, we can then try to find designs which use the same basic design but are more stealthy. Trying to fix everything at once makes the best the enemy of the good. -Ekr On Sun, Mar 22, 2020 at 9:54 AM Christopher Wood <c...@heapingbits.net> wrote: > One of the original motivating requirements for ECHO (then ENSI) was "do > not stick > out" [1]. This complicates the current ECHO design, as clients must > trial decrypt > the first encrypted handshake message to determine whether a server used > the inner > or outer ClientHello for a given connection. It's also trivial to probe > for ECHO > support, e.g., by sending a bogus ECHO with the same key ID used in a > target client > connection and checking what comes back. > > I propose we remove this requirement and add an explicit signal in SH > that says > whether or not ECHO was negotiated. (This will require us to revisit > GREASE.) > > What do others think? > > Thanks, > Chris (no hat) > > [1] > https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-09#section-3.4 > > _______________________________________________ > TLS mailing list > TLS@ietf.org > https://www.ietf.org/mailman/listinfo/tls >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
