Closed emanjon closed 9 months ago
HPKE already covers the case of ephemeral key reuse, so we don't need to cite anything new in here for client behavior. Identifying servers based on key reuse is something that TLS -- not ECH -- must deal with. So I think we can comfortably close this.
Related general issue with a suggestion to make client and server reuse SHOULD NOT https://github.com/tlswg/tls13-spec/issues/1285 https://github.com/tlswg/tls13-spec/pull/1286
For ECH I think MUST NOT for server reuse seems motivated.