Hi,

"ECH is not in itself sufficient to protect the identity of the server. The target domain may also be visible through other channels, such as plaintext client DNS queries or visible server IP addresses. However, DoH [RFC8484] and DPRIVE [RFC7858] [RFC8094] provide mechanisms for clients to conceal DNS lookups from network inspection, and many TLS servers host multiple domains on the same IP address. Private origins may also be deployed behind a common provider, such as a reverse proxy. In such environments, the SNI remains the primary explicit signal used to determine the server's identity."

This text only discusses that the identity of the server may be revealed by "other channels". I strongly think the document needs to mention that the identity of the server may also be revealed by the unencrypted information in the ServerHello. In particular a reused KeyShare is problematic.

Suggested addition:

The identity of the server may also be revealed by the unencrypted information in the ServerHello. Most of the current information in ServerHello is not unique. The exception is KeyShare, which if reused provides a unique identifier of the server.

Cheers,
John Preuß Mattsson
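
An operator can check their own deployment for the KeyShare reuse described in the message above. The following is an added example, not part of the original mail or of the draft: it parses the key_share extension out of ServerHello handshake messages (RFC 8446 layout) and reports any key_exchange value that appears in more than one handshake. The function names and the sample handshakes are constructed for illustration.

```python
import struct
from collections import defaultdict

KEY_SHARE = 51  # extension type for key_share (RFC 8446)

def server_key_share(handshake: bytes):
    """Return (named_group, key_exchange) from a well-formed TLS 1.3 ServerHello, else None."""
    if len(handshake) < 4 or handshake[0] != 2:
        raise ValueError("not a ServerHello handshake message")
    body = handshake[4:4 + int.from_bytes(handshake[1:4], "big")]
    pos = 2 + 32                      # legacy_version + random
    pos += 1 + body[pos]              # legacy_session_id_echo
    pos += 2 + 1                      # cipher_suite + legacy_compression_method
    end = min(pos + 2 + int.from_bytes(body[pos:pos + 2], "big"), len(body))
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        data = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        # A HelloRetryRequest carries only a 2-byte selected_group: no key to compare.
        if ext_type == KEY_SHARE and len(data) >= 4:
            group, klen = struct.unpack_from("!HH", data)
            return group, data[4:4 + klen]
    return None

def reused_key_shares(hellos):
    """Map each (group, key_exchange) seen more than once to the handshake indexes carrying it."""
    seen = defaultdict(list)
    for i, hello in enumerate(hellos):
        ks = server_key_share(hello)
        if ks:
            seen[ks].append(i)
    return {k: v for k, v in seen.items() if len(v) > 1}

def make_hello(random: bytes, key: bytes) -> bytes:
    """Constructed sample ServerHello (group 0x001d, X25519), used only as demo input."""
    ks = struct.pack("!HH", 0x001D, len(key)) + key
    exts = (struct.pack("!HH", 43, 2) + b"\x03\x04"        # supported_versions: TLS 1.3
            + struct.pack("!HH", KEY_SHARE, len(ks)) + ks)
    body = (b"\x03\x03" + random + b"\x00" + b"\x13\x01" + b"\x00"
            + struct.pack("!H", len(exts)) + exts)
    return b"\x02" + len(body).to_bytes(3, "big") + body

# Constructed input: handshakes 0 and 2 carry the same server key share.
SAMPLES = [make_hello(bytes([i]) * 32, k)
           for i, k in enumerate([b"\xaa" * 32, b"\xbb" * 32, b"\xaa" * 32])]

if __name__ == "__main__":
    for (group, key), idx in reused_key_shares(SAMPLES).items():
        print(f"group 0x{group:04x} key {key.hex()[:16]}... reused in handshakes {idx}")
```

An empty result over a capture of your own server's handshakes means a fresh key share was sent in every ServerHello observed.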