Laid out plans for ECH support

niallor · Jun 25, 2020 · 873a505 · 873a505
1 parent ae01eb3
commit 873a505
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 6 deletions.
diff --git a/docs/ECH.md b/docs/ECH.md
@@ -0,0 +1,39 @@
+# TLS: ESNI support in libcurl and curl
+
+## Summary
+
+**ECH** means **Encrypted Client Hello**, a proposed TLS 1.3
+extension, documented in [this IETF Draft][tlsesni].
+
+ECH support in *libcurl* and *curl* is expected to be implemented in
+the following stages, according to availability of resources.
+
+1. Support in one or more SSL backends.
+
+2. Support for a (set of) *libcurl* option(s) to allow an application
+   to specify an ECH configuration to be used by the backend.
+
+3. Support for *curl* command-line syntax to drive the corresponding
+   *libcurl* option(s).
+
+4. Support in *libcurl* for retrieving an ECH configuration from the DNS
+   using DOH and passing this to the SSL backend.
+
+5. Support in *libcurl* for retrieving and using a full set of service
+   binding parameters from [HTTPS and/or SVCB][dnsopsvcbhttps] records
+   in the DNS.
+
+Resources are currently available for items 1—4 above, and work is in
+progress.
+
+Item 5 is expected to involve significant changes to how *libcurl*
+uses the DNS.
+
+## Progress
+
+Progress will be reported here in due course.
+
+---
+
+[tlsesni]:		  https://datatracker.ietf.org/doc/draft-ietf-tls-esni/
+[dnsopsvcbhttps]: https://datatracker.ietf.org/doc/draft-ietf-dnsop-svcb-https/
diff --git a/docs/ESNI.md b/docs/ESNI.md
@@ -2,9 +2,18 @@
 
 ## Summary
 
-**ESNI** means **Encrypted Server Name Indication**, a TLS 1.3
-extension which is currently the subject of an
-[IETF Draft][tlsesni].
+**ESNI** means **Encrypted Server Name Indication**, a formerly
+proposed TLS 1.3 extension, documented in earlier versions of the
+[IETF Draft][tlsesni], which now documents a more comprehensive
+extension, known as **Encrypted Client Hello** (**ECH**).
+
+**This file is now obsolete**, and will likely be removed in the
+near future.
+
+Implementation of ECH for *libcurl* and *curl* is described in
+[ECH.md](./ECH.md).
+
+---
 
 This file is intended to show the current state of ESNI support in
 **curl** and **libcurl**.

diff --git a/docs/ROADMAP.md b/docs/ROADMAP.md
@@ -19,13 +19,19 @@ DNS-over-TLS
 
  Similar to DNS-over-HTTPS. Could share quite a lot of generic code.
 
-ESNI (Encrypted SNI)
---------------------
+ECH (Encrypted Client Hello), formerly ESNI (Encrypted SNI)
+-----------------------------------------------------------
+
+ IETF TLS WG initially considered specifying a TLS extension for
+ "bare" ESNI.  A different approach was later considered preferable,
+ whereby the entire Client Hello message would be encrypted.
 
  See Daniel's post on [Support of Encrypted
  SNI](https://curl.haxx.se/mail/lib-2019-03/0000.html) on the mailing list.
 
- Initial work exists in https://github.com/curl/curl/pull/4011
+ [Initial work](https://github.com/curl/curl/pull/4011) follows the
+ "bare" ESNI design; refactoring to implement ECH is [work in
+ progress](https://github.com/niallor/curl/tree/ECH-WIP).
 
 thread-safe `curl_global_init()`
 --------------------------------