Re: Skipping DNS resolutions with ORIGIN frame from Nick Sullivan on 2017-07-18 (ietf-http-wg@w3.org from July to September 2017)

From: Nick Sullivan <nicholas.sullivan@gmail.com>
Date: Tue, 18 Jul 2017 10:37:30 +0000
To: Daniel Stenberg <daniel@haxx.se>, Emily Stark <estark@google.com>
Cc: Patrick McManus <mcmanus@ducksong.com>, Ilari Liusvaara <ilariliusvaara@welho.com>, Erik Nygren <erik@nygren.org>, Piotr Sikora <piotrsikora@google.com>, Ryan Hamilton <rch@google.com>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-ID: <CAOjisRwE-spnRsV4tj+sbObtYUHioE2g7+7ELyM_zja_Ph4PvA@mail.gmail.com>

Daniel,

If the client doesn't send the "SCT" or "OCSP Stapling" support, then the
server can't send them. What if the requirement for OCSP Stapling and CT
Qualification was contingent on the client sending that extension? If the
client supports CT and/or OCSP, then the server must send them for the
client to accept the ORIGIN. If the client does not advertise support for
these features, then they're not mandatory for the client to accept ORIGIN.

Nick

On Mon, Jul 17, 2017 at 7:28 PM Daniel Stenberg <daniel@haxx.se> wrote:

> On Mon, 17 Jul 2017, Emily Stark wrote:
>
> > Is it reasonable to assume that all clients implementing ORIGIN will also
> > implement CT?
>
> I think that's a stretch. It is easy to see how supporting ORIGIN can be an
> obvious benefit to a lot of libraries and tools (ie non-browsers) that
> want to
> coalesce/reuse connections better and that might very well be implemented
> without doing CT or at least independently of it.
>
> --
>
>   / daniel.haxx.se
>

Received on Tuesday, 18 July 2017 10:38:10 UTC