On 8/24/2022 9:03 AM, Stephen Farrell wrote:
> Hiya,
>
> On 24/08/2022 16:36, 涛叔 wrote:
>> I can't agree with you.
>
> FWIW, I agree with ekr. I don't think the scheme
> you outlined works, nor would it be a good basis
> for changes to ECH. (Sorry;-)

The proposal to use "fake DNS names" like
"c01e7ce0b61c6b1e8f5f3392a306a847.com" can be trivially defeated by
censors. They can detect that the DNS name is invalid, and then add a
configuration rule to "block invalid domain names".
Taoshu, the problem that you are trying to solve is really hard, see RFC
8744. Most of the practical solutions are in the "cat and mice" category
-- the mice invent a new trick, and escape the cat for a while until the
cat gets smarter, and then the mice have to invent something else.
Putting a fake domain name in the SNI is one such trick: it will work
for a while, and then it won't. It is probably not a good idea for the
mice to try to publish their new trick as an RFC -- the cat would just get
smarter sooner.
-- Christian Huitema
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls