Hi all, unfortunately I wasn't able to attend the meeting this week, but I had a chance to catch up on YouTube (https://www.youtube.com/watch?v=bQ-Bz60AppI). I wanted to add one more point to the ECH discussion that might be helpful for moving this topic forward.
There were three presentations about the ECH public name, from Nick, Martin, and Jonathan. I think some folks were talking about these presentations as if they're solving the same problem, but to my thinking, Nick's draft would solve a slightly different problem than Martin+Jonathan's.

Nick's draft is about reachability. Whether a TLS server is reachable via ECH depends on whether the handshakes with ECH clients are treated differently by the network than other handshakes. We say that ECH "doesn't stick out" if it's indistinguishable from some "cover protocol" the network is known to tolerate, which would imply reachability. This is the idea behind GREASE ECH as well as middlebox compatibility mode for TLS 1.3. Both ECH and TLS 1.3 are distinguishable from their cover protocols, but less so than their predecessors (ESNI and early drafts of TLS 1.3, respectively).

If I understand Martin+Jonathan's idea correctly, it is mainly about indistinguishability of ECH handshakes across TLS servers. This would be a great property to have, and not just for privacy: if deployed at a large enough scale, I think either mechanism would provide some degree of "fate sharing," in the sense that it would be hard to block ECH traffic to one server without blocking ECH traffic to all servers. However, I don't think this would imply reachability for the internet as it is today, at least not without some sort of cover protocol. On the other hand, GREASE ECH is already widely deployed.

Both properties are nice to have, but we may have to prioritize one over the other. One approach is to make handshakes look like existing handshakes; this is more or less what the TLS WG has done so far. Another approach is to make all handshakes look like each other; this is the idea behind pseudorandom cTLS [1]. I'd wager we all would like to build the latter world, but the real world probably looks more like the former.

Best,
Chris P.

[1] https://www.ietf.org/archive/id/draft-cpbs-pseudorandom-ctls-01.html
_______________________________________________ TLS mailing list -- tls@ietf.org To unsubscribe send an email to tls-le...@ietf.org