> On Dec 13, 2018, at 8:10 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie>
> wrote:
>
> Was just adding code for this and I noticed that the draft says
> a server: "SHOULD pad the Certificate message, via padding at
> the record layer, such that its length equals the size of the
> largest possible Certificate (message) covered by the same ESNI
> key."
"Largest possible" is not always a knowable target. One often does
not know anything about the sizes of the other potential certificate
chains in advance of serving such a chain. Far more sensible would
be to add random padding whose size is commensurate with the size of
the certificate message.
I would generate a random nibble, and count the first $k$
non-zero bits. Then $1 + k$ times add independently
random([0, N/2]) bytes of padding to an $N$ byte message,
giving an additional $~N$ bytes on average, but occasionally
up to $2.5N$ additional bytes.
--
Viktor.
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
