Re: Skipping DNS resolutions with ORIGIN frame

On Mon, Jul 17, 2017 at 10:40 AM, Emily Stark <estark@google.com> wrote:

> Do you mean literally comes with a single SCT? Or complies with the
> client's CT policy (which might require multiple SCTs)? Is it reasonable to
> assume that all clients implementing ORIGIN will also implement CT?
>

Thanks Emily.

I think you're right that we mean SCT policy. I also wonder if we shouldn't
say something like "if the origin doesn't meet the client's CT/revocation
requirements it[*] MUST be ignored" rather than having the client do the
DNS lookup. It seems to me like that could leak some domain names for
little value.

[*] it here means the origin in the origin frame... not blacklisting that
origin from the whole client :)



Received on Tuesday, 18 July 2017 12:38:01 UTC
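Added example, not part of the thread above and not code from any browser or HTTP/2 implementation: a client-side routine that applies the "MUST be ignored" rule proposed in the reply to an HTTP/2 ORIGIN frame. An origin that the connection's certificate does not cover, or whose certificate fails the client's CT/revocation policy, is dropped from the Origin Set with no DNS lookup. The alternative being argued against is modelled as a "dns-fallback" mode so the hostnames it would hand to the resolver are visible. CertInfo, ClientPolicy, the SCT threshold and the sample origins are constructed stand-ins; real clients would take these from their TLS stack and their own CT policy.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class CertInfo:
    """Constructed summary of the connection's certificate (not a real API)."""
    dns_sans: frozenset   # dNSName SAN entries
    sct_count: int        # SCTs presented (embedded, TLS extension or OCSP)
    revoked: bool         # True if the revocation check returned 'revoked'


@dataclass(frozen=True)
class ClientPolicy:
    """Constructed client policy: how many SCTs, and whether revocation matters."""
    min_scts: int = 2
    check_revocation: bool = True


def san_matches(host: str, pattern: str) -> bool:
    """Match a hostname against one dNSName SAN, allowing a single leading '*.' label."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        # A wildcard covers exactly one label and never the bare parent domain.
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def cert_covers(host: str, cert: CertInfo) -> bool:
    return any(san_matches(host, san) for san in cert.dns_sans)


def meets_ct_and_revocation(cert: CertInfo, policy: ClientPolicy) -> bool:
    """The CT/revocation part of the proposed rule, applied to the connection cert."""
    if cert.sct_count < policy.min_scts:
        return False
    if policy.check_revocation and cert.revoked:
        return False
    return True


def process_origin_frame(origin_set, cert, policy, mode="ignore"):
    """Return (accepted origins, hostnames sent to DNS).

    mode="ignore": the proposed behaviour; failing origins are silently dropped.
    mode="dns-fallback": the alternative; failing origins trigger a DNS lookup,
    which is exactly the name leak the reply is worried about.
    """
    accepted, dns_lookups = [], []
    for origin in origin_set:
        parts = urlsplit(origin)
        if parts.scheme != "https" or not parts.hostname:
            continue  # ORIGIN only carries https origins; skip anything else
        host = parts.hostname
        if cert_covers(host, cert) and meets_ct_and_revocation(cert, policy):
            accepted.append(origin)
        elif mode == "dns-fallback":
            dns_lookups.append(host)
    return accepted, dns_lookups


# Constructed sample input: one certificate and one Origin Set.
SAMPLE_CERT = CertInfo(dns_sans=frozenset({"example.com", "*.example.net"}),
                       sct_count=2, revoked=False)
SAMPLE_ORIGINS = [
    "https://example.com",
    "https://cdn.example.net:8443",
    "https://other.example",      # not in the cert
    "https://example.net",        # bare domain; wildcard does not cover it
    "http://example.com",         # not https; ignored outright
]

if __name__ == "__main__":
    for mode in ("ignore", "dns-fallback"):
        ok, leaked = process_origin_frame(SAMPLE_ORIGINS, SAMPLE_CERT,
                                          ClientPolicy(), mode)
        print(mode, "accepted:", ok, "DNS lookups:", leaked)
```

The point the code makes is in the last two list entries: under "dns-fallback" the client resolves other.example and example.net purely because a server it is already talking to named them, whereas under "ignore" nothing leaves the client. A certificate that fails the CT threshold (sct_count below min_scts) causes every origin in the frame to be ignored, since CT and revocation are properties of the connection's certificate rather than of individual origins.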