> On Dec 13, 2018, at 8:10 AM, Stephen Farrell <stephen.farr...@cs.tcd.ie> > wrote: > > Was just adding code for this and I noticed that the draft says > a server: "SHOULD pad the Certificate message, via padding at > the record layer, such that its length equals the size of the > largest possible Certificate (message) covered by the same ESNI > key."
"Largest possible" is not always a knowable target. One often does not know anything about the sizes of the other potential certificate chains in advance of serving such a chain. Far more sensible would be to add random padding whose size is commensurate with the size of the certificate message. I would generate a random nibble, and count the first $k$ non-zero bits. Then $1 + k$ times add independently random([0, N/2]) bytes of padding to an $N$ byte message, giving an additional $~N$ bytes on average, but occasionally up to $2.5N$ additional bytes. -- Viktor. _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls