martinthomson
commented
4 months ago I just checked with NSS and we overwrite the outer values for PSK (identities and binders) with random data. That seems fairly simple to do and it makes the handshake choice harder to distinguish.
Note that we do not hide the length, which might be an issue for identity, but we're already exposed to the length leakage, so fixed-length identities are best in any case.
ekr
dennisjackson
In Watson Ladd's review, he asks:
Should we use RFC 2119 language for the server as well? Right now we only say what the client must do when the server violates the rules.
We do recommend greasing ECH. My sense is that this is on the bubble and we could leave it as-is, but I could be persuaded otherwise.
@davidben @dennisjackson @martinthomson