- From: Nick Sullivan <nicholas.sullivan@gmail.com>
- Date: Sun, 16 Jul 2017 10:15:26 +0000
- To: Ilari Liusvaara <ilariliusvaara@welho.com>, Erik Nygren <erik@nygren.org>
- Cc: Patrick McManus <mcmanus@ducksong.com>, Piotr Sikora <piotrsikora@google.com>, Ryan Hamilton <rch@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
- Message-ID: <CAOjisRzXZd1Nn2JCPhNMJUsNqsxy07ZTVozt3L2or+9wnz+r=w@mail.gmail.com>
There is merit to both sides. Requiring DNS adds a weak second factor for routing decisions, which is useful in multi-CDN situations, or extra-broad certificates, where you want to prevent a CDN from routing extra traffic via ORIGIN. On the other hand, skipping DNS is a big step forward for both performance and privacy, it basically solves the encrypted SNI issue. The question we should ask is: who should make the determination of whether or not the user agent should check DNS given an origin frame? This discussion shows there is no consensus that the answer is that the ORIGIN proposal makes this explicit. Given differing views from browser representatives, the answer might be that it's up to the user agent to decide. However, server operators don't seem too happy about dealing with divergent client behaviors, so it doesn't seem that letting the UA decide is feasible. I think the answer that makes sense is to allow the site owner decide if content for its domain should require a DNS check or not. Martin Thomson was on to something with his certificate extension idea in the Github discussion. The policy around the requirement for DNS can be set in the certificate. How do people feel about adding a certificate extension with a meaning along the lines of "require DNS"? Site owners with multi-CDN setups could give such a cert to third parties they want to handle direct traffic, but not be able to coalesce into an existing connection. Alternatively there could be a "skip DNS" extension, which tells the browser that the site owner has delegated routing from DNS to the cert holder, and that DNS checks are superfluous. Thoughts? Nick On Sat, Jul 15, 2017 at 8:04 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Sat, Jul 15, 2017 at 12:47:49PM -0400, Erik Nygren wrote: > > My concerns align with Ryan and Mike's. My preference would be to remove > > the current language about not consulting DNS from the ORIGIN draft > (having > > it focus on restricting scope with hooks for future expansion). > > > > Separately we can start collaborating on a draft that finds a good set of > > controls to give the balance of security and privacy and performance > > properties. Alt-Svc (perhaps with an extension attribute?) does seem > like > > a good starting point as it gives positive control from an Origin. The > > other ideas (eg, something CT like) seem intriguing but need more > > exploration. > > Let's take four schemes: > > 1) No checks (beyond usual certificate checks) > 2) Require CT qualification (and possibly OCSP). > 3) ALT-SVC (not entierely clear to me, but I can guess) > 4) Consult DNS > > > For privacy and speed, 1) and 2) have big advantage over 3) and 4) > (and 3) is even worse than 4) in both).. > > For security using standard assumptions, all are very close to one > another. > > > The main problem with not giving control seems to be servers that have > overly wide certificates and then mishandle requests (through sadly > most servers do mishandle requests). > > > > -Ilari > >
Received on Sunday, 16 July 2017 10:16:07 UTC