I agree with Christian. The reason to use the ServerHello.random trick is to make real ECH connections look like connections in which the client sends a dummy ECH extension to a non-ECH server. In particular, this design pattern is needed for property (1).
Property (2) is achievable if the ECH configuration is secret, i.e., if the server is deployed in such a way that it does not reveal it speaks ECH unless the client offers the right configuration. In particular, the server need not publish the ECH config, either via DNS or the ECH retry logic. This won't be feasible for the vast majority of deployments. As I said above, I think ECH should support use cases for which keeping the configuration secret is feasible. The trial decryption mechanism might provide this already, but overall the trial HMAC approach is a much better design. It would be useful if someone from QUICville could chime in on how painful it would be to implement. (It doesn't seem that bad for vanilla TLS.)

Chris P.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
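The ServerHello.random trick the thread refers to, as an added toy model that is not from the post or from any ECH implementation: the ECH-accepting server overwrites the last 8 bytes of its random with a MAC the client can recompute, while a non-ECH server sends 32 uniformly random bytes, so a passive observer cannot tell the two apart and only the client's MAC check distinguishes them. The key derivation here (HMAC-SHA256 keyed by ClientHelloInner.random over a fixed label and the random's prefix) is a simplification assumed for illustration; the real ECH derivation runs HKDF over the handshake transcript.

```python
import hmac
import hashlib
import os

CONFIRM_LEN = 8
# Label is a constructed placeholder, not the label used by the ECH draft.
LABEL = b"toy ech accept confirmation"


def accept_confirmation(client_inner_random: bytes, server_random_prefix: bytes) -> bytes:
    """Compute the 8-byte confirmation that replaces the tail of ServerHello.random.

    Simplification (assumption): the MAC key is ClientHelloInner.random itself and
    the MAC covers only a label plus the first 24 bytes of the server random.
    """
    assert len(client_inner_random) == 32 and len(server_random_prefix) == 24
    mac = hmac.new(client_inner_random, LABEL + server_random_prefix, hashlib.sha256).digest()
    return mac[:CONFIRM_LEN]


def server_hello_random(accept_ech: bool, client_inner_random: bytes, rng=os.urandom) -> bytes:
    """Build ServerHello.random for an ECH-accepting server or for a plain server.

    Both branches yield 32 bytes; only the ECH branch embeds the confirmation, and a
    non-ECH server's random is uniformly random, so the wire formats coincide.
    """
    prefix = rng(24)
    if accept_ech:
        return prefix + accept_confirmation(client_inner_random, prefix)
    return prefix + rng(8)


def client_ech_accepted(client_inner_random: bytes, sh_random: bytes) -> bool:
    """Client-side check: recompute the confirmation and compare in constant time.

    A non-ECH server passes this check only by chance (probability 2^-64), which is
    what lets the client fall back without the server ever revealing ECH support.
    """
    if len(sh_random) != 32:
        return False
    expected = accept_confirmation(client_inner_random, sh_random[:24])
    return hmac.compare_digest(expected, sh_random[24:])
```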