Hm, not super thrilled about TLS Encrypted Client Hello requiring the public key to be published to the DNS... We'll really end up with ACME clients that *need* write access to the DNS zone.

Maybe this can be mitigated with proper scoping and expiration of these DNS entries. But we're still a ways off a proper, widely-supported DNS update protocol.

@emersion are you sure the ECH public key is the same as the TLS certificate?
I'd expect it to be a separate thing, which you can rotate separately if you want, but I haven't yet seen evidence in either direction...

@wolf480pl my reading of the RFC would suggest that it's the same key, yeah...

@emersion I skimmed through the ECH RFC but haven't found anything saying that, so I'll be grateful for pointers in which part it's written.

@wolf480pl Eh, no, you're right, sounds like it could be different.

@emersion Hopefully that would still work with delegated zones so one could still avoid giving whole zones to ACME clients. (I have dedicated zones here for a reason)