- From: Martin Thomson <martin.thomson@gmail.com>
- Date: Sat, 15 Jul 2017 03:32:26 +1000
- To: Ryan Hamilton <rch@google.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>, Piotr Sikora <piotrsikora@google.com>
On 14 July 2017 at 23:18, Ryan Hamilton <rch@google.com> wrote:
> Before trusting a certificate for a connection, we'd like an assertion from
> some other trusted source. This could be:
> * On-path presence, for example DNS resolution, or proxy configuration
> * A previous assertion from the origin itself (Alt-Svc)
> * CT logs, etc.
> Without such an assertion, we're not comfortable trusting the connection and
> plan to continue consulting DNS when making use of the ORIGIN frame in
> Chrome.

Hi Ryan,

It's good that you are sharing this, but I did want to clarify a few of these points.

I get that you believe that DNS resolution is valuable here, but I don't understand your point about "proxy configuration". If you have a proxy configured, you generally don't do the DNS lookup directly, so are you saying that you would allow the coalescing for a CONNECT tunnel?

Can you verify that I understand your point about Alt-Svc: if the origin had been previously contacted and Alt-Svc identified an IP address that matches the current IP, then that could be a sufficient signal. Usually Alt-Svc is a name though, so that wouldn't help.

Similarly, are you saying that CT could assert something that would cause you to skip the DNS lookup for a name? Or is this list just to make a more general point about raising the bar for gaining the ability to use a name, and not something that is specific to this particular example of DNS lookups?

Cheers,
Martin
Received on Friday, 14 July 2017 17:32:54 UTC
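Added example, not code from this thread or from any browser: a toy Python connection-coalescing gate modelling the policy Ryan describes, where a name claimed in an ORIGIN frame and covered by the certificate is still not reused until a corroborating assertion exists (DNS resolving the name to the connection's IP, or a prior Alt-Svc advertisement that named that IP). All hostnames, addresses, the resolver and the data model are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class ConnectionContext:
    """An open HTTP/2 connection (constructed sample model, not Chrome's)."""
    peer_ip: str                                   # address the connection was made to
    cert_sans: list                                # dNSName SANs in the server certificate
    origin_set: set = field(default_factory=set)   # names the server claimed via ORIGIN frames

def san_matches(san, host):
    """Exact match, or a single leftmost wildcard label (e.g. *.example.net)."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*.") and "*" not in san[1:]:
        labels = host.split(".")
        return len(labels) > 2 and ".".join(labels[1:]) == san[2:]
    return False

def corroborated(host, conn, resolve, alt_svc_ips):
    """The out-of-band assertion: DNS resolves `host` to the connection's IP,
    or a previous Alt-Svc advertisement from that origin named this IP."""
    peer = ipaddress.ip_address(conn.peer_ip)
    candidates = list(resolve(host)) + list(alt_svc_ips.get(host, ()))
    return any(ipaddress.ip_address(a) == peer for a in candidates)

def may_coalesce(host, conn, resolve, alt_svc_ips=None):
    """May a request for `host` reuse `conn`? All three gates must pass."""
    alt_svc_ips = alt_svc_ips or {}
    if host not in conn.origin_set:                      # server never claimed the name
        return False
    if not any(san_matches(s, host) for s in conn.cert_sans):
        return False                                     # certificate does not cover it
    return corroborated(host, conn, resolve, alt_svc_ips)  # still needs DNS/Alt-Svc

# Constructed sample data: one connection, a fake resolver, one prior Alt-Svc hint.
SAMPLE_CONN = ConnectionContext(
    peer_ip="192.0.2.10",
    cert_sans=["www.example.com", "*.example.net"],
    origin_set={"www.example.com", "api.example.net", "cdn.example.net"},
)
SAMPLE_DNS = {"www.example.com": ["192.0.2.10"],
              "api.example.net": ["198.51.100.5"],
              "cdn.example.net": ["192.0.2.10"]}
SAMPLE_ALT_SVC = {"api.example.net": ["192.0.2.10"]}

def decide(host, alt_svc=None):
    return may_coalesce(host, SAMPLE_CONN, lambda h: SAMPLE_DNS.get(h, []), alt_svc)
```

`api.example.net` is the interesting case: the ORIGIN frame and the wildcard certificate both cover it, but DNS points elsewhere, so it is only coalesced once an earlier Alt-Svc hint for that IP is supplied.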