RE: draft-nottingham-httpbis-origin-frame

Thinking about this further, it seems like one way to make this work is presenting a copy of the DNSSEC record. That would mean the server can demonstrate that, somewhere in the DNS, the name in question validly resolves to its IP even if that's not the case from the client's location. This would be analogous to https://datatracker.ietf.org/doc/draft-shore-tls-dnssec-chain-extension/, in which the server presents the DNSSEC records at the TLS layer which prove the validity of the cert used in the same exchange.

I'm envisioning a scenario where a server possesses many certs, but uses a distinct IP for each cert to cope with non-SNI clients. No client would ever be served any of the other IPs for a given name, but they all reach, if not identical, at least equivalent endpoints. I'm afraid my knowledge of DNSSEC is sufficiently limited that I don't know whether a never-served record can still be signed and validated. Anyone else?

-----Original Message-----
From: Mark Nottingham [mailto:mnot@mnot.net] 
Sent: Monday, March 14, 2016 4:18 PM
To: Patrick McManus <pmcmanus@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Subject: Re: draft-nottingham-httpbis-origin-frame

Hi Patrick,

> On 15 Mar 2016, at 4:40 AM, Patrick McManus <pmcmanus@mozilla.com> wrote:
> 
> I support draft-nottingham-httpbis-origin-frame for wg adoption, if it were to be put forward.

OK. I've had it on hold for a while, looking for more interest, so thanks for speaking up. 

I was also holding off because of our workload, but I think we can take on another draft or two. I've already talked to Barry about this one, so I'll do a CfA shortly.


> I think it is a little unclear on whether or not it intends to include the use case of advertising origins that are covered by the traditional notion of authoritative (i.e. certificate checks, key pin, et al) but not necessarily overlapping DNS. I guess, upon reading, that it doesn't mean to include that - but I think it should.
> 
> The DNS restriction of 7540 is really about sane routing of requests to the right server by getting an opt-in that indicates configuration. It's not really about security - DNS is not really part of the security model.
> 
> It's a reasonable bootstrap, but DNS is rather imperfect for this signal; as much as we like to imagine a single and consistent DNS space, that's not the way it translates in practice. Concerns over load balancing are just one of many reasons why a strict application of 7540 might not allow for coalescing where it was actually set up and desired. This seems as likely as the 421 case that motivates the draft. Both could be addressed.
> 
> The origin frame is a place to put a strong signal that this established connection is suitable for the following set of origins no matter what the client's view of the DNS (subject to certificate rules, of course). Indeed it would have the interesting property of removing the need to resolve DNS for the client for matching origins, which is a definite additional performance win too, even in cases where the DNS does overlap.

That seems reasonable (acknowledging Martin's concern there too). I think this is something that's in-scope for discussion if we adopt.


> Plausibly these extension frames could get fairly big. It would seem easy enough to define them as optionally compressed (with the header compression state) in the presence of a settings ack of the extension (and a flag bit).

True, but I'm not sure using the HPACK state would help; straight gzip or similar might be better. Again, something to discuss.


> As an aside, it probably makes sense at this time (different document) to add (back) the extension for including more certs serialized into the connection to allow more origins to be advertised

Yes, that's been something lurking over the horizon for a while. It's good to see Mike's already working on it, and I'd encourage him to submit, so we can track it.

Cheers,


--
Mark Nottingham   https://www.mnot.net/

Received on Thursday, 17 March 2016 23:50:56 UTC
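The three coalescing policies discussed in this thread, written out as an added Python example that is not part of the mailing-list exchange or of the draft: the strict RFC 7540 section 9.1.1 rule (certificate must cover the origin and the client's own DNS must map it to the connected IP), Patrick's relaxed rule (certificate still governs, but an ORIGIN frame advertisement replaces the DNS check), and the top post's variant where the advertisement must additionally be backed either by the client's own DNS or by a DNSSEC chain the server presented. All hostnames, IPs and the `dnssec_proven` mapping are constructed values; the example assumes a separate validator has already checked the presented DNSSEC chain and only records the host-to-IP mappings it proved.

```python
"""
Connection coalescing decision under three policies from the thread.
All names, addresses and data structures here are constructed for
illustration; DNSSEC chain validation is assumed to happen elsewhere.
"""
from dataclasses import dataclass, field


@dataclass
class Connection:
    peer_ip: str                     # address the client actually connected to
    cert_names: frozenset            # dNSName SANs in the presented certificate
    advertised_origins: set = field(default_factory=set)   # hosts from ORIGIN frames
    # host -> set of IPs proven by a server-presented, already-validated DNSSEC
    # chain (hypothetical extension modelled on draft-shore-tls-dnssec-chain-extension)
    dnssec_proven: dict = field(default_factory=dict)


def cert_covers(cert_names, host):
    """Certificate rule: exact dNSName match or a single left-most wildcard label."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example" part of "*.example"
            # wildcard matches exactly one label, never zero or several
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def client_dns_agrees(conn, host, client_dns):
    """The client's own resolution of host includes the IP it connected to."""
    return conn.peer_ip in client_dns.get(host, set())


def may_coalesce_7540(conn, host, client_dns):
    """Strict RFC 7540 9.1.1: certificate covers host AND client DNS agrees."""
    return cert_covers(conn.cert_names, host) and client_dns_agrees(conn, host, client_dns)


def may_coalesce_origin_frame(conn, host, client_dns):
    """Relaxed rule: certificate still governs; ORIGIN advertisement stands in for DNS."""
    if not cert_covers(conn.cert_names, host):
        return False
    return client_dns_agrees(conn, host, client_dns) or host in conn.advertised_origins


def may_coalesce_origin_frame_with_proof(conn, host, client_dns):
    """Top-post variant: advertised origin must be backed by client DNS or a
    server-presented DNSSEC chain proving host -> peer IP."""
    if not cert_covers(conn.cert_names, host):
        return False
    if host not in conn.advertised_origins:
        return client_dns_agrees(conn, host, client_dns)
    return (client_dns_agrees(conn, host, client_dns)
            or conn.peer_ip in conn.dnssec_proven.get(host, set()))


def scenario():
    """Constructed case from the thread: one cert covers two names, each name
    is served from its own IP, and the client has connected to a.example's IP."""
    conn = Connection(
        peer_ip="192.0.2.10",
        cert_names=frozenset({"a.example", "b.example"}),
        advertised_origins={"b.example"},
        dnssec_proven={"b.example": {"192.0.2.10"}},
    )
    client_dns = {"a.example": {"192.0.2.10"}, "b.example": {"192.0.2.20"}}
    return {
        "7540": may_coalesce_7540(conn, "b.example", client_dns),
        "origin_frame": may_coalesce_origin_frame(conn, "b.example", client_dns),
        "origin_frame_with_proof": may_coalesce_origin_frame_with_proof(conn, "b.example", client_dns),
        # a name the certificate does not cover is refused under every policy
        "uncovered": may_coalesce_origin_frame(conn, "c.example", client_dns),
    }


if __name__ == "__main__":
    for policy, allowed in scenario().items():
        print(f"{policy}: {'coalesce' if allowed else 'new connection'}")
```

Under the strict rule the client's DNS for b.example points at a different IP, so coalescing is refused; the ORIGIN frame lifts that, and the proof variant lifts it only because a chain for b.example to 192.0.2.10 was presented. Whether such a record can exist for a name that is never served from that IP is exactly the open question in the top post.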