Hiya,
On 07/01/2023 15:46, John Mattsson wrote:
My current understanding is that draft-ietf-tls-esni should require that the server MUST NOT reuse key shares. Unless I miss something I suggest adding that and one or two of the above figures to the draft. An alternative solution would be to extend the ECH encryption to also cover ServerHello. If I understand ECH correctly, the ServerHello is still unencrypted.
I'd support adding a requirement that key shares not be re-used, either as a general thing or in an ECH-specific manner.
- As a main goal of ECH is to hide the server name, I think the draft should explicitly mention padding of the server certificate message. Some web servers are using very large certificate messages. If padding is not used, they can be identified with a quite high probability just by looking at the size.
I agree, but thought we'd discussed that before and had added some text (can check later). FWIW, my openssl fork defaults in s_server to padding the certificate, certificateverify and encryptedextensions messages to multiples of #define'd values. I'd support adding some guidance for server libraries as to what to do there in general. (OpenSSL supports such padding via a callback that application servers can set but IIRC doesn't do such padding by default today.)

Cheers,
S.
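As an added illustration (not code from the thread, from the draft, or from OpenSSL), the following Python models the size-based identification and the padding mitigation discussed above. The certificate sizes, server names and block sizes are constructed assumptions; it shows how padding to a multiple of a fixed block collapses distinct message sizes into larger anonymity sets, and that the block size chosen decides how much is hidden.

```python
# Added example (not from the thread): model how padding encrypted TLS 1.3
# handshake messages to a fixed block multiple hides certificate-size differences.
# The block sizes and the server sizes below are constructed assumptions.
from collections import Counter

BLOCK = 1024  # assumed padding granularity, analogous to the #define'd value above

# Constructed sample: plaintext sizes (bytes) of the Certificate message for
# several hypothetical servers sharing one ECH-fronted address.
CERT_SIZES = {
    "a.example": 1521,
    "b.example": 2704,
    "c.example": 1477,
    "d.example": 2791,
    "e.example": 4010,
}

def padded_len(plain_len, block=BLOCK):
    """Length of the TLSInnerPlaintext (message bytes + 1 byte inner content
    type + zero padding) after rounding up to a multiple of `block`.
    The AEAD tag adds a constant, so it does not affect distinguishability."""
    inner = plain_len + 1
    return -(-inner // block) * block  # ceiling division

def padding_bytes(plain_len, block=BLOCK):
    """Number of zero padding bytes appended for a message of `plain_len` bytes."""
    return padded_len(plain_len, block) - (plain_len + 1)

def anonymity_sets(sizes, block=None):
    """Map each observable inner-plaintext length to the servers producing it.
    block=None models an unpadded server (observable = plain_len + 1)."""
    groups = {}
    for name, n in sizes.items():
        obs = padded_len(n, block) if block else n + 1
        groups.setdefault(obs, set()).add(name)
    return groups

def min_set_size(sizes, block=None):
    """Size of the smallest anonymity set: 1 means some server is uniquely
    identifiable from the Certificate message length alone."""
    return min(len(s) for s in anonymity_sets(sizes, block).values())

if __name__ == "__main__":
    for block in (None, 1024, 4096):
        sets = anonymity_sets(CERT_SIZES, block)
        print(f"block={block}: smallest set={min_set_size(CERT_SIZES, block)}",
              {k: sorted(v) for k, v in sorted(sets.items())})
```

With these constructed sizes, 1024-byte padding still leaves one server alone in its size bucket, while 4096-byte padding places all five in one bucket at the cost of more padding bytes per handshake.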