Due to the existence of GREASE ECH, for requests made by clients that have implemented ECH but do not have a suitable ECH Config, the server always fails to decrypt and can choose to send a retry config. Why not treat this as an opportunity to upgrade Plaintext Hello to ECH (if certificate verification succeeds), but require the client to ignore it? Will this lead to a possible vulnerability? At present, the initial distribution of ECH Config can only be done through DNS. Can't it use methods similar to those mentioned earlier to remind clients of potential upgrades?
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org