On Thu, Mar 12, 2026 at 10:19 AM Ben Schwartz <[email protected]> wrote:
> Thanks for the answers. Some minor notes:
>
> ------------------------------
> From: Nick Sullivan <[email protected]>
>
> >> If Proxywerks is serving other origins from the same IP addresses, and wants them to be indistinguishable from ECHConfig Foo to an attacker, why doesn't it just give those other origins ECHConfig Foo too?
> >
> > In practice, some customers disable ECH for various compatibility, policy, or operational reasons.
>
> Would such customers be willing to share an IP address with Signed ECHConfig? If they have opted out of ECH, it seems likely to me that they are not willing to be part of this "alias set", regardless of the technical mechanism.

The answer is yes. Some providers let customers change TLS behavior, including ECH, while reserving dedicated IPs for materially different pricing or service tiers.

> ...
>
> > The claim is narrower: TLS should not unnecessarily preserve an easy SNI-based classifier when that classifier can be removed.
>
> I do quibble with this: we should not be writing RFCs based on a general principle of this kind, even if it sounds like a worthy principle. We should also know of some class of deployments that we believe would be willing to deploy the new design and able to benefit from it.

Perhaps my co-authors can speak to this.

> --Ben
_______________________________________________
TLS mailing list -- [email protected]
To unsubscribe send an email to [email protected]
