Hey Ryan, thanks for the comments. On Fri, Jul 14, 2017 at 3:18 PM, Ryan Hamilton <rch@google.com> wrote: > . It is crystal clear that saving DNS resolutions represents a real > performance win, especially for long-tail users. > > I want to re-emphasize here that I believe a perhaps larger win here is the privacy implication of a lookup never made - especially when combined with secondary certificates and exported authentiactors (still to come to h2). This achieves much of what encrypted SNI could do. My first question is would you be ok with just loosening the draft language a little bit.. i.e. instead of saying must not consult DNS, define this in a way that it is the client's decision. As I've said before, I don't think the DNS is providing any real value here now that ORIGIN is playing the role of traffic routing. Indeed it is creating a privacy cost - so I'm eager to get it out of the loop. If we can't get consensus on that I'd prefer some kind of stapled assertion that kept the perf and privacy properties of the current draft. I guess that could be dnssec though that would certainly limit use for imo limited value.. I'm not sure I fully understand what you're thinking of wrt expect-ct -does it fit that model? -Patrick
Received on Saturday, 15 July 2017 06:31:45 UTC