On Fri, May 30, 2025, at 03:58, David Schinazi wrote:
> On Wed, May 28, 2025 at 7:06 PM Martin Thomson <m...@lowentropy.net> wrote:
>> I don't think that we can win on the real vs. fake ECH front. Not here.
>
> Can you elaborate on that? It's possible to differentiate GREASE ECH vs
> real ECH when the public_name gives it away, but any deployment that
> uses an inconspicuous public_name should be able to achieve
> indistinguishability. I see that goal as important because it reduces
> the likelihood of ECH blocking, which in turn increases the likelihood
> of ECH deployment.

The question is whether there is any value you might prefer to go in the inner CH only. As soon as that happens, real/fake distinguishing is trivial.

If we accept that you can never put anything in transport parameters that you might like to hide (and go with your more dramatic change to the handshake, which isn't entirely unreasonable) you do salvage that capability. But it means considerable changes in how we negotiate. I'm not saying that we can't, or even that we shouldn't, but it's a relatively big lift that involves latency penalties. Those will make it a hard sell if your only real upside is to save the real/fake ECH indistinguishability.

If the point of GREASE ECH is to clear the way for more ECH, we probably don't need to worry too much about the real/fake distinction when that goal is achieved. Obviously, we're a long way from that point, so I remain conflicted on this particular point.