Design an in-handshake retry for trust anchor IDs #53

@davidben

Description

This is better figured out post-adoption, but if we could do the retry in-handshake, rather than on a new connection, it would be easier for clients to deploy because the retry could be done inside the TLS stack.

Possible directions:

  1. Add a new message, somewhere after the ServerHello, to trigger an extra roundtrip under handshake encryption.
  2. Use HelloRetryRequest. The challenge is that ECH did not opt to encrypt HelloRetryRequest, so that might leak information about the target service. We could potentially define some way to start encrypting that.

Labels: enhancement (New feature or request)
