>This will impact the effectiveness and accuracy of outbound traffic filtering
Can you prove this is bad? Not trolling, sincerely concerned we're renavigating discussions that date back to when Ethereal became Wireshark and folks got grumpy they'd have to plug a PSK in to look at things -- often because they were looking at things they had no warrant or cause to examine, paired with inept analysts who'd be stymied by something as simple as Asking Jeeves how to plug said password in to view the traffic as if it was clear.
Not speaking for new23d, but many corporations are required per their own compliance documentation to make a best effort to block access to known malware and sanctioned sites. If they are unable to do so via their corporate firewalls such as PAN and FortiGate and the like, then they will have to disable ECH and possibly DoH in their networks until other options are in place, such as MITM proxies, and those are not always an option due to cost or other compliance conundrums. Intercepting personal traffic to banks, etc. varies by AUP and company/employee agreements, corporate risk acceptance, and requirements.
Now speaking just for myself, the moment OpenSSL, HAProxy, nginx and Apache support ECH I am turning it on everywhere. I have been waiting a long time for it.