tlswg / draft-ietf-tls-esni

TLS Encrypted Client Hello
https://tlswg.github.io/draft-ietf-tls-esni/#go.draft-ietf-tls-esni.html

Server reuse of key share leaks the target domain for a given connection #545

Closed emanjon closed 9 months ago

emanjon commented 1 year ago

Related general issue with a suggestion to make client and server reuse SHOULD NOT https://github.com/tlswg/tls13-spec/issues/1285 https://github.com/tlswg/tls13-spec/pull/1286

For ECH I think MUST NOT for server reuse seems motivated.

  Client                         Attacker                   Server

      ClientHello
      + ech         ------>
                                                       ServerHello
                                                       + key_share
                                                   <-------
                                 (intercept)

                                ...

                                 ClientHello      ------->
                                                       ServerHello
                                                       + key_share
                                                  <-------
                                 (compare key shares)

  Figure X: Active attacker identifying server reusing key share

  Client1      Client2           Attacker                   Server

      ClientHello
      + ech         ------>
                                                       ServerHello
                                                       + key_share
                                 (intercept)

                                ...

                 ClientHello
                    ------>      (intercept SNI)
                                                       ServerHello
                                                       + key_share
                                 (compare key shares)

  Figure Y: Passive attacker identifying server reusing key share
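The check behind both figures, from the operator's side: a server owner who wants to confirm that their TLS stack sends a fresh key_share on every connection can capture several ServerHello messages and flag any key_exchange value that appears more than once. This is an added example, not code from the issue or the draft; it builds its own minimal ServerHello messages with constructed share values rather than reading a real capture.

```python
import os
import struct
from collections import defaultdict

KEY_SHARE = 0x0033        # TLS extension type for key_share
SUPPORTED_VERSIONS = 0x002B
X25519 = 0x001D

def build_server_hello(key_exchange: bytes, group: int = X25519, random: bytes = None) -> bytes:
    """Construct a minimal TLS 1.3 ServerHello handshake message (sample input only)."""
    random = random if random is not None else os.urandom(32)
    ks_entry = struct.pack("!HH", group, len(key_exchange)) + key_exchange
    exts = struct.pack("!HH", SUPPORTED_VERSIONS, 2) + b"\x03\x04"      # selected_version = TLS 1.3
    exts += struct.pack("!HH", KEY_SHARE, len(ks_entry)) + ks_entry
    body = (b"\x03\x03" + random + b"\x00" + b"\x13\x01" + b"\x00"         # version, random, empty session id echo,
            + struct.pack("!H", len(exts)) + exts)                          # TLS_AES_128_GCM_SHA256, no compression
    return b"\x02" + len(body).to_bytes(3, "big") + body                    # HandshakeType server_hello(2)

def parse_server_key_share(msg: bytes):
    """Return (group, key_exchange) from a ServerHello's key_share extension, or None if absent."""
    if msg[0] != 0x02:
        raise ValueError("not a ServerHello")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    pos = 2 + 32                                   # skip legacy_version and random
    pos += 1 + body[pos]                           # skip legacy_session_id_echo
    pos += 2 + 1                                   # skip cipher_suite and legacy_compression_method
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == KEY_SHARE:                     # ServerHello carries a single KeyShareEntry
            group, ke_len = struct.unpack("!HH", data[:4])
            return group, data[4:4 + ke_len]
    return None

def find_reused_shares(hellos):
    """Group ServerHello indices by server key share; return only shares seen in more than one message."""
    seen = defaultdict(list)
    for i, hello in enumerate(hellos):
        ks = parse_server_key_share(hello)
        if ks is not None:
            seen[ks].append(i)
    return {ks: idx for ks, idx in seen.items() if len(idx) > 1}

# Constructed sample: messages 0 and 2 carry the same share, as a server reusing its key share would send.
SHARE_A = bytes(range(32))
SHARE_B = bytes(range(32, 64))
SAMPLE = [build_server_hello(SHARE_A), build_server_hello(SHARE_B), build_server_hello(SHARE_A)]

if __name__ == "__main__":
    for (group, share), idx in find_reused_shares(SAMPLE).items():
        print(f"group 0x{group:04x} share {share.hex()[:16]}... reused in ServerHellos {idx}")
```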

chris-wood commented 9 months ago

HPKE already covers the case of ephemeral key reuse, so we don't need to cite anything new in here for client behavior. Identifying servers based on key reuse is something that TLS -- not ECH -- must deal with. So I think we can comfortably close this.