Warning: mysqli::__construct(): (HY000/1203): User howardkn already has more than 'max_user_connections' active connections in D:\Inetpub\vhosts\howardknight.net\al.howardknight.net\includes\artfuncs.php on line 21
Failed to connect to MySQL: (1203) User howardkn already has more than 'max_user_connections' active connectionsPath: ...!news.mixmin.net!sewer!alphared!2.eu.feeder.erje.net!feeder.erje.net!feeds.news.ox.ac.uk!news.ox.ac.uk!earthli!nntp.terraraq.uk!.POSTED.tunnel.sfere.anjou.terraraq.org.uk!not-for-mail
From: Richard Kettlewell
Newsgroups: comp.misc
Subject: Re: [LINK] Calling time on DNSSEC?
Date: Thu, 05 Dec 2024 08:46:37 +0000
Organization: terraraq NNTP server
Message-ID:
References: <67464f37@news.ausics.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
Injection-Info: innmantic.terraraq.uk; posting-host="tunnel.sfere.anjou.terraraq.org.uk:172.17.207.6";
logging-data="78793"; mail-complaints-to="usenet@innmantic.terraraq.uk"
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux)
Cancel-Lock: sha1:5O+P9V+nxwaHazP3BwikGrDp1NE=
X-Face: h[Hh-7npe<v9!1Z&W?r\c.!4DXH5PWpga"ha
+r0NzP?vnz:e/knOY)PI-
X-Boydie: NO
Bytes: 2672
Lines: 28
Grant Taylor writes:
> On 12/3/24 23:49, Lawrence D'Oliveiro wrote:
>> It can’t be.
>
> Sure it can.
>
>> TLS cannot start encryption on HTTP until it gets a cert that
>> identifies the server.
>
> The TLS connection is fully established and fully encrypted *BEFORE*
> any HTTP is sent /through/ /the/ /inside/ /of/ /said/ /TLS/
> connection.
ESNI and ECH seem to work by publishing a separate provider key. There
might be good reasons for that design in the context of TLS though it’s
not how I’d have done it, given a clean sheet.
In the abstract the purpose of a certificate in TLS-like protocols is to
provide the key used to sign the key exchange process. With (EC)DH or
ML-KEM there’s no inherent reason that has to be delivered in the
unencrypted part of the protocol; it might add another round trip to
session setup but so would gathering completely separate keys as in
ESNI/ECH, if I’ve understood them correctly.
With RSA key exchange that wouldn’t be true, but that’s out of favor for
TLS these days anyway.
--
https://www.greenend.org.uk/rjk/