The current design involves publishing information for a multitude of
Well, s/involves/allows/ is maybe more accurate but that's a nit-pick...
ECHConfigList values and multiple target names (and ports). It is not obvious
that it is safe to have one origin speak for multiple others in this way or
what conditions might be necessary to have that happen safely. If there is a
validation process involved, that might work. The process in S6 is too loose
for me to be confident in that being sufficient.
That's fair. What's defined now supports (hourly) ECH key rotation for
the set of test servers I have on different ports of the same VM. In
that case, there's a different http server implementation listening on
each port, which I guess would be an extremely unlikely production
configuration, but OTOH, it seems right to be able to support that odd
case. And I think if we can support that odd case, then we'll also be
ok for more likely production cases.
The text says that the ZF must validate the keys by trying to connect to every instance listed in the endpoints. Does that need to be made more explicit? What's missing from that validation?
Part of @martinthomson's review
Quoting from the mail:
Well, s/involves/allows/ is maybe more accurate but that's a nit-pick...
That's fair. What's defined now supports (hourly) ECH key rotation for the set of test servers I have on different ports of the same VM. In that case, there's a different http server implementation listening on each port, which I guess would be an extremely unlikely production configuration, but OTOH, it seems right to be able to support that odd case. And I think if we can support that odd case, then we'll also be ok for more likely production cases.