On Sun, Jul 16, 2017 at 5:35 PM Ilari Liusvaara <ilariliusvaara@welho.com> wrote: > On Sun, Jul 16, 2017 at 01:18:29PM +0200, Piotr Sikora wrote: > > As mentioned on GitHub [1], where we also discussed this, I believe > > that the "skip DNS" extension makes sense, provided that it's used > > together with CT. > > Unfortunately, certificate extensions have a few problems here: > > - Probably takes a long time for many CAs to support them, or to get > support that allows the extension be requested via CSR, as other > methods are a PITA. I actually don't see this as a particularly high barrier. Only a few high-powered sites that use a multi-CDN strategy are going to need it (assuming it's a "require DNS" extension). They have a lot of leverage over their CAs. > > - It is just as easy to get misissued certificate with this > extension as one without (provoded CA that misisues supports this > extension)! This is why CT is an important requirement. If a CA issues such a cert, it is misissuance will be caught. > - In which case I would want a certificate without this extension? > (the decision weither to actually coalesce or not can be rather > complicated one... Even when it does not involve perverse > incentives, like in that "CDN policy" case in the issue). > > > But if we go that route, then that extension might be a bit more > > generic and perhaps not restricted to the ORIGIN frame, in which case > > the ORIGIN frame draft should re-focus on restricting the scope of the > > origin-set and not bypassing DNS, as suggested by Erik. > > Oh, and with regards with my earlier comment about many servers > mishandling origins, I suppose that if server actually sends an ORIGIN > for given origin, it can actually properly handle that origin. As the > the overwhelmingly most common source of mishandling is default > virtual hosts. > > > [1] https://github.com/httpwg/http-extensions/issues/330 > > > > -Ilari >
Received on Sunday, 16 July 2017 16:05:51 UTC