Re: [TLS] Dropping "do not stick out" from ECHO

Hiya,

I was wondering what I wanted to say about this, until...

On 22/03/2020 22:16, Eric Rescorla wrote:
> I think we should relax this requirement. It's turning out to be hard
> enough to design ECHO as-is.
> 
> If/when we get ECHO fully designed and widely deployed, we can then try to
> find designs which use the same basic design but are more stealthy.
> 
> Trying to fix everything at once makes the best the enemy of the good.

Yeah, that's about right. Well said.

I very much like the idea of working on a more-stealthy
mode later.

I think we might be able to go even further in terms
of simplifying ECHO in various ways that can make it
easier to implement and deploy now without affecting
the security properties/analysis. (I think I've whined
about those on the list before but can regurgitate if
useful:-)

Cheers,
S.

> 
> -Ekr
> 
> 
> On Sun, Mar 22, 2020 at 9:54 AM Christopher Wood <caw@heapingbits.net>
> wrote:
> 
>> One of the original motivating requirements for ECHO (then ENSI) was "do
>> not stick
>> out" [1]. This complicates the current ECHO design, as clients must
>> trial decrypt
>> the first encrypted handshake message to determine whether a server used
>> the inner
>> or outer ClientHello for a given connection. It's also trivial to probe
>> for ECHO
>> support, e.g., by sending a bogus ECHO with the same key ID used in a
>> target client
>> connection and checking what comes back.
>>
>> I propose we remove this requirement and add an explicit signal in SH
>> that says
>> whether or not ECHO was negotiated. (This will require us to revisit
>> GREASE.)
>>
>> What do others think?
>>
>> Thanks,
>> Chris (no hat)
>>
>> [1]
>> https://tools.ietf.org/html/draft-ietf-tls-sni-encryption-09#section-3.4
>>
>> _______________________________________________
>> TLS mailing list
>> TLS@ietf.org
>> https://www.ietf.org/mailman/listinfo/tls
>>
> 
> 
> _______________________________________________
> TLS mailing list
> TLS@ietf.org
> https://www.ietf.org/mailman/listinfo/tls
> 

Re: [TLS] Dropping "do not stick out" from ECHO

Attachment: 0x5AB2FAF17B172BEA.asc

Attachment: signature.asc