After reading all the discussion I posted an -02 which takes out all
mention of ESNI. Here's why.

The most important issue is process. ESNI is currently described only in
an early I-D which will not turn into an RFC for a long time. If I
reference it, this draft will be stuck behind ESNI, also for a long time.
If I don't, this draft should be able to progress quickly. Once it's
published, if you want to add an ESNI clause, you can do so by expert
review, no RFC needed.

More substantively, I would be surprised if any MTA ever implements ESNI
because it makes no sense for mail. On the web, different hostnames lead
to different web sites, and clients expect the name in the TLS cert to
match the hostname in the request. In mail, we've never expected the name
of the MTA to match the domain of the recipient, and it is quite normal for
a million different domains to point their MXes at the same host with the
same name, e.g. aspmx.l.google.com.

If you don't want your SNI to give anything away, you just do what mail
systems have done all along, use the same MX names for everyone. There's
no problem for ESNI to solve and certainly no reason to go to the effort
to put all the ESNI glop in the DNS.

John Levine, johnl(_at_)taugh(_dot_)com, Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
ietf-smtp mailing list