Hi WG, First and most importantly the purpose of this post is to ask: (a) If there is appetite to have the following discussion on ECH within tls-wg and, if so, then (b) if a slot might be scheduled at IETF 115 to present some slides to discuss. The questions and concerns below are uniquely or most appropriate for the TLS community, but it’s unclear if IETF/wg structures are equipped to ‘host’ the discussion despite relevance and importance.
Given the sensitivities around ECH, it is perhaps useful to state up-front that this discussion follows from deeply detailed and intense discussions with two of the draft authors, for which and to whom I am immensely grateful. Having said that, mine is a new personality to many in the wg. So, ECH being an understandably sensitive topic, a few (personal) qualifiers before the main discussion: (i) yes, the purpose of this note is to raise matters related to larger-scale risks to content operators, their end-users, and maybe customers; also (ii) no, none of the discussion suggests that ECH should be halted.

**Short setup**: There is more attention than ever on Internet operations from non-Internet governance and, in this context, it is possible that ECH presents a greater risk to the Internet than benefit, if deployed. As a result, it is possible that servers and content operators *may* have more reasons not to deploy.

*Premise*: ECH is designed for (client) privacy (esni-15, Sec. 10/10.1) and not censorship circumvention. (ECH does, of course, affect censorship mechanisms.)

*Claim*: Deployment and survival of ECH depends squarely on whether content operators are willing to absorb large risks associated with any of three possible outcomes related to how the outer-SNI is populated, as follows:

There are really only two ways to populate the outer-SNI. One way is a fixed name that easily identifies the content operator, e.g. ‘operator-ech.com’. In that case, the number of packets with the fixed outer SNI is sufficiently extraordinary as to either or both: (a) visibly identify the operator, in which case the trade-off for client privacy is operator exposure; and (b) make it trivially easy for ECH to be blocked, thereby severing many clients from the operator, and from the Internet entirely if all operators deploy. This is an ‘anti-goal’.

Alternatively, the operator generates a random outer-SNI for each DNS query, in which case ECH becomes _active_ censorship evasion or circumvention, and few-to-no operators could reasonably deploy.

In addition, there is an argument to be made that ECH could lead to the loss of some small operators (e.g. universities and bedroom closet servers) that feel forced to move their service to larger providers because ECH offers no additional privacy and squarely leaves small providers behind. I do not think this is the most pressing issue or necessarily valid, but certainly there may be knock-on effects to the health of the Internet ecosystem.

There is much more that can be said but -- again, first and foremost -- it would be great to figure out if there is interest in the wg (I’d wager yes), if there is scope for an IETF 115 talk on the topic, or if there is some better venue (suggestions welcomed).

Thanks and best wishes,
--marwan

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
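The post argues that a fixed outer SNI stands out by sheer concentration while a per-query random outer SNI stands out by never repeating. The following is an added example, not part of the post or of any ECH implementation, that lets an operator quantify that exposure over a constructed sample of the outer SNI values its deployment would emit; the names, thresholds and helper functions are hypothetical.

```python
# Added example: measure how exposed an ECH deployment's outer SNI choice is.
# Input is the list of outer (plaintext) SNI values an on-path observer would
# see for a deployment. All names and thresholds below are constructed.
from collections import Counter
import secrets


def concentration(outer_snis):
    """Return (most_common_name, its share of flows, distinct-name ratio)."""
    if not outer_snis:
        raise ValueError("need at least one observed outer SNI")
    counts = Counter(outer_snis)
    top_name, top_count = counts.most_common(1)[0]
    return top_name, top_count / len(outer_snis), len(counts) / len(outer_snis)


def fixed_public_name_flows(n, public_name="operator-ech.example"):
    """Strategy 1 from the post: one operator-wide fixed outer SNI (constructed)."""
    return [public_name] * n


def random_public_name_flows(n, suffix=".example"):
    """Strategy 2 from the post: a fresh random outer SNI per DNS answer (constructed)."""
    return [secrets.token_hex(6) + suffix for _ in range(n)]


def classify_exposure(outer_snis, share_threshold=0.5, distinct_threshold=0.9):
    """Label a sample the way the post characterises the two strategies.

    'fixed'  : one name dominates, so the operator is visibly identified and
               the name is a trivial block key (the post's anti-goal).
    'random' : almost every flow carries a different name, which the post says
               reads as active circumvention rather than plain privacy.
    'mixed'  : neither pattern dominates (e.g. blended with ordinary non-ECH SNIs).
    """
    top_name, share, distinct_ratio = concentration(outer_snis)
    if share >= share_threshold:
        return "fixed", top_name
    if distinct_ratio >= distinct_threshold:
        return "random", None
    return "mixed", None


if __name__ == "__main__":
    for label, sample in (("fixed", fixed_public_name_flows(1000)),
                          ("random", random_public_name_flows(1000))):
        print(label, concentration(sample)[1:], classify_exposure(sample))
```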