4. Security Considerations
4. Security Considerations
Storing cryptographic keys in files leaves them vulnerable if someone gains read access to the filesystem where they are stored. The same protection mechanisms used for a server's PEM-encoded HTTPS certificate private key should be used for the PEM ECH configuration.
The security considerations of [RFC9848] apply when retrieving an ECHConfigList from the DNS. For clarity, only the ECHConfigList is to be published in the DNS; the private key from an ECH PEM file MUST NOT be published in the DNS.