> I'm not sure what you are implying might be impossible. Are you suggesting
> that it might be impossible to get a name for which you could get a
> certificate?

No. I'm implying that if we don't allow clients to authenticate client-facing servers with an IP-based certificate, ECH won't be possible in cases where the client-facing server doesn't have a name.

> On Apr 20, 2021, at 6:40 PM, Martin Thomson <m...@lowentropy.net> wrote:
>
> On Wed, Apr 21, 2021, at 11:30, Carrick Bartle wrote:
>> This does sound unusual. That said, if this sort of set-up is possible
>> (which presumably it is), it seems unfortunate to make ECH impossible
>> in that scenario.
>
> I'm not sure what you are implying might be impossible. Are you suggesting
> that it might be impossible to get a name for which you could get a
> certificate? If that could be shown to be impossible (or even just quite
> hard) under some reasonable set of conditions, then I might change my
> position.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls