On 23/10/2019 17:13, Ben Schwartz wrote:
> On the topic of radical suggestions, here's another one:
> https://github.com/tlswg/draft-ietf-tls-esni/pull/186

How about a variant like this (which is maybe close to your most recent
email, not quite sure):

Names < N octets: pad those to N.
Names >= N octets: hash those and pad to N.

With N ~=64 I think that'd be ok, assuming we do some checking that N
covers a sufficient percentage of names in real use.

I think the WG could easily make the case that if some web site really
does need/want to hide in the crowd, they just better not try to do that
with a gigantic DNS name.

Cheers,
S.

>
> In brief, this replaces the variable-length name with a fixed-length
> hash, plus some accommodations to allow *.example.com,
> *.*.example.com, etc.
>
> My hope is that this design would work in the architecture described
> by Watson, while saving ~220 bytes in each ClientHello.
>
> One interesting feature of this design is that it doesn't require each
> wildcard domain to publish any unique DNS record. Instead, all
> third-level wildcard customers can share a configuration, all
> fourth-level wildcard customers can share a configuration, etc. This
> distinction is not visible in the TLS handshake, so the anonymity set
> is not reduced.
>
> On Wed, Oct 23, 2019 at 10:53 AM Watson Ladd <[email protected]> wrote:
>>
>> On Wed, Oct 23, 2019 at 7:35 AM Bill Frantz <[email protected]> wrote:
>>>
>>> A perhaps radical suggestion:
>>>
>>> Make the server name field fixed length e.g. 256 bytes. Longer
>>> server names are not supported and clients MUST NOT send them.
>>> (Both client and server can't use them because they won't fit in
>>> the fixed length field.)
>>
>> The limit of server name in DNS is 260 bytes, so that limit already
>> exists. No reason to shorten it elsewhere!
>> --
>> "Man is born free, but everywhere he is in chains".
>> --Rousseau.
_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
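The fixed-length name encoding sketched in the reply above (names shorter than N padded to N, longer names replaced by a hash and padded), as an added example that is not part of the thread, the ESNI draft, or PR 186. The layout details are assumptions the email does not fix: a one-octet length prefix (0 marks the hashed form), SHA-256 as the hash, zero padding, and N = 64. `coverage()` is the "check that N covers a sufficient percentage of names" run over a constructed sample list, not real traffic data.

```python
import hashlib
from typing import Iterable, Optional

N = 64  # fixed encoded-name length in octets; the email proposes N ~= 64


def encode_name(name: str, n: int = N) -> bytes:
    """Encode a DNS name into exactly n octets.

    Layout (assumed here; the email does not specify one):
      octet 0     : length L of the literal name, or 0 if the name was hashed
      octets 1..  : the name itself (L octets) or its SHA-256 digest (32 octets)
      remainder   : zero padding up to n octets
    Names shorter than n-1 octets travel literally; longer ones are replaced
    by their digest, so every name occupies the same n octets on the wire.
    """
    raw = name.encode("ascii").lower().rstrip(b".")
    if not raw:
        raise ValueError("empty name")
    if len(raw) < n - 1:
        body = bytes([len(raw)]) + raw
    else:
        digest = hashlib.sha256(raw).digest()
        if 1 + len(digest) > n:
            raise ValueError("n too small to hold a digest")
        body = b"\x00" + digest
    return body + b"\x00" * (n - len(body))


def decode_name(encoded: bytes, n: int = N) -> Optional[str]:
    """Recover a literal name; returns None when the field carries a hash."""
    if len(encoded) != n:
        raise ValueError("wrong field length")
    length = encoded[0]
    if length == 0:
        return None
    return encoded[1:1 + length].decode("ascii")


def matches(encoded: bytes, candidate: str, n: int = N) -> bool:
    """Server-side check: does the received field name this candidate?

    Works for both literal and hashed forms, because the server just
    re-encodes each name it serves and compares the full n-octet field.
    """
    return encoded == encode_name(candidate, n)


def coverage(names: Iterable[str], n: int = N) -> float:
    """Fraction of names that fit literally (no hashing) in n octets."""
    names = list(names)
    fits = sum(1 for nm in names if len(nm.encode("ascii").rstrip(b".")) < n - 1)
    return fits / len(names) if names else 0.0


# Constructed sample, not measured data; the last entry is 91 octets long.
SAMPLE_NAMES = [
    "example.com",
    "www.example.com",
    "cdn.static.example.net",
    "a-very-long-subdomain-label-for-testing." * 2 + "example.org",
]

if __name__ == "__main__":
    for nm in SAMPLE_NAMES:
        enc = encode_name(nm)
        form = "literal" if enc[0] else "hashed"
        print(f"{len(enc):3d} octets  {form:7s}  {nm}")
    print(f"coverage at N={N}: {coverage(SAMPLE_NAMES):.0%}")
```

Every encoded field is N octets regardless of input, which is the padding property the thread is after; the server never needs to decode a hashed field because it can re-encode the names it hosts and compare. The coverage figure is what one would compute over a real name corpus before settling on N.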
