> But let me ask a question meanwhile - how often does HRR
> actually happen and could we not just let ECH fail in a
> bunch of situations that would otherwise require all this
> new complexity?
>

One way HRR is used is in case the client's and server's cipher suite
preferences don't intersect. This feature is an essential part of TLS, as
there's no a priori reason why the client and server will initially
advertise overlapping preferences. (They usually do, hence the claim that
HRR is rare.) I don't think aborting the handshake instead of HRR is an
acceptable solution, as this would mean there are deployments with which
TLS couldn't be used.

Chris P.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
