I read the doc. I’m a little dumb, but I think a more expanded ladder diagram for Figure 2 would have helped me.
The basic process is query DNS, get the SNI record value, and use that as the SNI value when connecting to the domain, right? But I’m not sure of the interaction of CNAME entries here. Do you keep the SNI value in the first, or does CNAME chasing erase/override the initial value? And does this really provide much additional privacy? Can’t the attacker/repressor also do DNS queries and figure it out? There should probably be some text around that issue.
_______________________________________________ TLS mailing list [email protected] https://www.ietf.org/mailman/listinfo/tls
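To make the CNAME question above concrete, here is a constructed resolver (an added example, not code from the draft or from this message) that compares the two possible behaviours: reading the per-name record at the name the client asked for, or chasing the CNAME chain first and reading it at the canonical name. The `_snirec.` owner-name prefix, the zone contents and the function names are assumptions.

```python
# Added example (not from the draft or the mailing list): a toy zone and two
# CNAME policies for the per-name TLS record the message calls the "SNI record".
# The "_snirec." owner-name prefix and all zone contents are assumptions.
from typing import Dict, List, Optional, Tuple

# Constructed zone: owner name -> list of (rtype, value).
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "www.example.com.":            [("CNAME", "cdn.example.net.")],
    "_snirec.www.example.com.":    [("TXT", "key-for-www")],      # record at the original name
    "alias.example.com.":          [("CNAME", "cdn.example.net.")],  # no record of its own
    "cdn.example.net.":            [("CNAME", "edge.provider.test.")],
    "edge.provider.test.":         [("A", "192.0.2.10")],
    "_snirec.edge.provider.test.": [("TXT", "key-for-edge")],     # record at the canonical name
    "loop-a.example.com.":         [("CNAME", "loop-b.example.com.")],
    "loop-b.example.com.":         [("CNAME", "loop-a.example.com.")],
}

def records(name: str, rtype: str) -> List[str]:
    """Return the values of the given type published at an owner name."""
    return [v for t, v in ZONE.get(name, []) if t == rtype]

def canonical_name(name: str, max_hops: int = 8) -> str:
    """Follow CNAMEs to the end of the chain; refuse loops and over-long chains."""
    seen = set()
    while True:
        targets = records(name, "CNAME")
        if not targets:
            return name
        seen.add(name)
        name = targets[0]
        if name in seen or len(seen) >= max_hops:
            raise ValueError(f"CNAME chain too long or looping at {name}")

def sni_record_at_owner(name: str) -> Optional[str]:
    """Policy A: use the record published under the name the client asked for."""
    vals = records("_snirec." + name, "TXT")
    return vals[0] if vals else None

def sni_record_at_canonical(name: str) -> Optional[str]:
    """Policy B: chase CNAMEs first, then read the record at the canonical name."""
    return sni_record_at_owner(canonical_name(name))

if __name__ == "__main__":
    for n in ("www.example.com.", "alias.example.com."):
        print(n, "owner:", sni_record_at_owner(n), "canonical:", sni_record_at_canonical(n))
```

The two policies disagree exactly where the author's question lies: for `www.example.com.` policy A keeps the original name's value while policy B overrides it with the CNAME target's, and for a name with no record of its own policy A finds nothing at all.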
