On Tue, Oct 17, 2023 at 12:32 PM David Benjamin <david...@chromium.org> wrote:
> > > Server-side protection against [clients adjusting HRR predictions on
> > > fallback] is not effective. Especially when we have both servers that
> > > cannot handle large ClientHello messages and servers that have buggy HRR.
>
> I think the discussion about buggy HRR is a red herring.
>

I agree with almost everything in the email except for this part. It's even worse than HRR, isn't it? The initial ClientHello will fail if spread across too many packets on some implementations, and then a new ClientHello will be sent using X25519 unless you want to lose customers. The client won't get an HRR back on the first try; the stuff just breaks (it's their bug, but it must be dealt with).

But, if the DNS says it should work, it should be ok to fail there. The trustworthiness of this hint must also be weighed with ECH. So, if you're using SVCB with this idea and ECH, it seems pretty reasonable to me.

thanks,
Rob
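The fallback behaviour Rob describes, as an added example that is not part of the thread and not code from any of the implementations mentioned: a small Python model of a client's key-share selection and retry policy, with and without a DNS hint. Everything in it is constructed for illustration (the group names, the key-share sizes, the "server that cannot parse a large ClientHello"); the SvcParamKey name `tls_supported_groups` follows draft-ietf-tls-key-share-prediction and is an assumption here, not something stated in the email.

```python
"""Added example, not from the mailing-list thread: a model of the client-side
key-share selection and fallback policy discussed above.

All values are constructed for illustration. The hint field name follows
draft-ietf-tls-key-share-prediction (tls-supported-groups) and is an assumption.
"""
from dataclasses import dataclass
from typing import Optional

X25519 = "x25519"
PQ_HYBRID = "x25519kyber768"           # constructed name for a PQ hybrid group

# Constructed, roughly realistic key-share sizes in bytes.
KEY_SHARE_SIZE = {X25519: 32, PQ_HYBRID: 32 + 1184}
BASE_CH_SIZE = 300                      # constructed size of the rest of the ClientHello


@dataclass(frozen=True)
class SvcbHint:
    """Model of the DNS hint: the groups the SVCB record says the server
    supports, and whether the record came over a path the client trusts
    (e.g. the same secure resolver that delivered the ECH config)."""
    tls_supported_groups: tuple
    trustworthy: bool


@dataclass(frozen=True)
class Server:
    """Constructed server: the groups it accepts (in preference order) and the
    largest ClientHello it can parse; a buggy one chokes on multi-packet CHs."""
    accepts: tuple
    max_client_hello: int


def client_hello_size(groups):
    return BASE_CH_SIZE + sum(KEY_SHARE_SIZE[g] for g in groups)


def initial_key_shares(hint: Optional[SvcbHint]):
    """No hint: send both shares speculatively (a large ClientHello).
    Hint: send only a share the server is said to support, preferring PQ."""
    if hint is None:
        return (PQ_HYBRID, X25519)
    if PQ_HYBRID in hint.tls_supported_groups:
        return (PQ_HYBRID,)
    return (X25519,)


def try_handshake(groups, server: Server):
    """'broken' if the ClientHello is too large for this server (no HRR, the
    connection just dies); otherwise the group the server picks, or 'hrr'
    when it wants a group the client did not send a share for."""
    if client_hello_size(groups) > server.max_client_hello:
        return "broken"
    for g in server.accepts:
        if g in groups:
            return g
    return "hrr"


def negotiate(hint: Optional[SvcbHint], server: Server):
    """Runs the client policy; returns (negotiated group or None, attempts).

    The security-relevant rule: a 'broken' first attempt only triggers an
    X25519-only retry when the client has no trustworthy hint. With a
    trustworthy hint saying the server supports the PQ group, the failure is
    reported as a failure instead of being turned into a silent downgrade."""
    attempts = []
    groups = initial_key_shares(hint)
    result = try_handshake(groups, server)
    attempts.append((groups, result))

    if result == "hrr":
        # Ordinary HRR: retry with the group the server prefers (assumed to
        # be one the client supports).
        wanted = server.accepts[0]
        result = try_handshake((wanted,), server)
        attempts.append(((wanted,), result))

    if result == "broken":
        hinted_pq = (hint is not None and hint.trustworthy
                     and PQ_HYBRID in hint.tls_supported_groups)
        if hinted_pq:
            return None, attempts        # the hint says PQ should work: do not downgrade
        result = try_handshake((X25519,), server)
        attempts.append(((X25519,), result))

    return (result if result in KEY_SHARE_SIZE else None), attempts


if __name__ == "__main__":
    buggy = Server(accepts=(PQ_HYBRID, X25519), max_client_hello=1000)
    print(negotiate(None, buggy))                                   # silent downgrade to x25519
    print(negotiate(SvcbHint((PQ_HYBRID,), trustworthy=True), buggy))  # (None, ...) instead
```

Running the two calls at the bottom shows the contrast: without a hint, the oversized ClientHello dies and the client retries with X25519 alone, so a buggy server and a packet-dropping middlebox look the same; with a trustworthy hint the same failure stays a failure, which is why the trust placed in the SVCB record (and its delivery alongside ECH) matters.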
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls