Hiya,
On 24/08/2022 09:34, 涛叔 wrote:
I am not saying ECH isn't going to work at all. Even most sites need to be deployed behind cloud services, it not means we could design a standard to make it as a requirement.
So let me try see if I understand by trying to re-phrase your concern: the operator of a single web server with a single DNS name and nobody else to help (no CDN, no hoster no split-mode front-end doing ECH) still has to expose their name in the cleartext SNI, even if they publish an HTTPS RR with an ECH public key. Is that about right? If so, I agree that's a limitation of the value one can get from ECH. I think Chris' answer wrt encrypting ALPNs etc is correct, the ECH mechanism does still provide a (perhaps minor) benefit in such cases, and as Ekr says, a client could send a bogus SNI in clear in such a case and things should still work fine if the client gets the right ECH public key. Perhaps it could be worthwhile exploring that last point a bit more than the WG has, with a goal of helping get to the point where turning on ECH could be the norm when putting up any web server, just as interacting with LE is now? I'm not sure that it'd be feasible to depend on DNSSEC in such cases to handle mismatched ECH public keys though. There's also a problem that if some clients GREASE ECH but real uses of ECH don't have the real DNS name as the outer ClientHello SNI, (e.g. the name.invalid case), or make use of the published ECH config_id, one could easily distinguish real uses of ECH vs. GREASE cases which seems a bad outcome too. I could envisage us trying to provide some guidance for such a scenario (maybe like; servers: don't rotate your ECH public key and do enable ECH trial decryption, clients: use a random config_id when not GREASEing if outer SNI == inner SNI). And I guess that might help a bit to move the overall ecosystem towards ECH being the norm, even if the operator of that isolated web server won't get much real benefit from ECH. Cheers, S.
OpenPGP_0x5AB2FAF17B172BEA.asc
Description: OpenPGP public key
OpenPGP_signature
Description: OpenPGP digital signature
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
