Warning: mysqli::__construct(): (HY000/1203): User howardkn already has more than 'max_user_connections' active connections in D:\Inetpub\vhosts\howardknight.net\al.howardknight.net\includes\artfuncs.php on line 21
Failed to connect to MySQL: (1203) User howardkn already has more than 'max_user_connections' active connectionsPath: ...!news.mixmin.net!sewer!alphared!2.eu.feeder.erje.net!feeder.erje.net!feeds.news.ox.ac.uk!news.ox.ac.uk!earthli!nntp.terraraq.uk!.POSTED.tunnel.sfere.anjou.terraraq.org.uk!not-for-mail From: Richard Kettlewell Newsgroups: comp.misc Subject: Re: [LINK] Calling time on DNSSEC? Date: Thu, 05 Dec 2024 08:46:37 +0000 Organization: terraraq NNTP server Message-ID: References: <67464f37@news.ausics.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Injection-Info: innmantic.terraraq.uk; posting-host="tunnel.sfere.anjou.terraraq.org.uk:172.17.207.6"; logging-data="78793"; mail-complaints-to="usenet@innmantic.terraraq.uk" User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/28.2 (gnu/linux) Cancel-Lock: sha1:5O+P9V+nxwaHazP3BwikGrDp1NE= X-Face: h[Hh-7npe<v9!1Z&W?r\c.!4DXH5PWpga"ha +r0NzP?vnz:e/knOY)PI- X-Boydie: NO Bytes: 2672 Lines: 28 Grant Taylor writes: > On 12/3/24 23:49, Lawrence D'Oliveiro wrote: >> It can’t be. > > Sure it can. > >> TLS cannot start encryption on HTTP until it gets a cert that >> identifies the server. > > The TLS connection is fully established and fully encrypted *BEFORE* > any HTTP is sent /through/ /the/ /inside/ /of/ /said/ /TLS/ > connection. ESNI and ECH seem to work by publishing a separate provider key. There might be good reasons for that design in the context of TLS though it’s not how I’d have done it, given a clean sheet. In the abstract the purpose of a certificate in TLS-like protocols is to provide the key used to sign the key exchange process. With (EC)DH or ML-KEM there’s no inherent reason that has to be delivered in the unencrypted part of the protocol; it might add another round trip to session setup but so would gathering completely separate keys as in ESNI/ECH, if I’ve understood them correctly. With RSA key exchange that wouldn’t be true, but that’s out of favor for TLS these days anyway. -- https://www.greenend.org.uk/rjk/