Hm, not super thrilled about TLS Encrypted Client Hello requiring the public key to be published to the DNS... We'll really end up with ACME clients that *need* write access to the DNS zone.


Maybe this can be mitigated with proper scoping and expiration of these DNS entries. But we're still ways off a proper widely-supported DNS update protocol.

· · Web · 1 · 0 · 0

@emersion are you sure the ECH public key is the same as the TLS certificate?
I'd expect it to be a separate thing, which you can rotate separately if you want, but I haven't yet seen evidence in either direction...

@wolf480pl my reading of the RFC would suggest that it's the same key, yeah...

@emersion I skimmed through the ECH RFC but haven't found anything saying that, so I'll be grateful for pointers in which part it's written.

@wolf480pl Eh, no, you're right, sounds like it could be different.

Sign in to participate in the conversation

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!