Re: Skipping DNS resolutions with ORIGIN frame

On Sat, Jul 15, 2017 at 06:30:59AM +0000, Patrick McManus wrote:
> Hey Ryan, thanks for the comments.
> 
> On Fri, Jul 14, 2017 at 3:18 PM, Ryan Hamilton <rch@google.com> wrote:
> 
> > . It is crystal clear that saving DNS resolutions represents a real
> > performance win, especially for long-tail users.
> >
> >
> I want to re-emphasize here that I believe a perhaps larger win here is the
> privacy implication of a lookup never made - especially when combined with
> secondary certificates and exported authenticators (still to come to h2).
> This achieves much of what encrypted SNI could do.
> 
> If we can't get consensus on that I'd prefer some kind of stapled assertion
> that kept the perf and privacy properties of the current draft. I guess
> that could be dnssec though that would certainly limit use for imo limited
> value.. I'm not sure I fully understand what you're thinking of wrt
> expect-ct -does it fit that model?

My understanding of the "CT" idea was to require secondary certificates
to be CT qualified to be used without DNS.

Exported authenticators are capable of both OCSP and SCT stapling (all
three modes for SCTs).


-Ilari
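The decision being debated in this thread (when a client may trust an ORIGIN frame enough to skip a DNS lookup, and whether that should additionally be gated on the covering certificate being CT-qualified) can be written down as a small policy check. The following is an added illustration, not code from the thread or from any HTTP/2 implementation. It assumes the ORIGIN frame payload format of RFC 8336 (a sequence of 16-bit Origin-Len fields each followed by an ASCII-Origin), constructs its own sample origins and certificate SANs, and takes CT qualification as a caller-supplied boolean rather than parsing SCTs itself.

```python
"""Added example: parse an HTTP/2 ORIGIN frame payload and decide whether a
request for a given origin may reuse the connection without a DNS lookup.

Wire format assumed from RFC 8336 section 2.1: repeated
  Origin-Len (16 bits) | ASCII-Origin (Origin-Len octets)
All sample data below is constructed for the example.
"""
import struct


def encode_origin_payload(origins):
    """Serialize a list of origins as Origin-Entry records."""
    out = bytearray()
    for origin in origins:
        raw = origin.encode("ascii")
        out += struct.pack("!H", len(raw)) + raw
    return bytes(out)


def parse_origin_payload(payload):
    """Parse Origin-Entry records; a truncated entry is an error, not a guess."""
    origins, pos = [], 0
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated Origin-Len field")
        (length,) = struct.unpack_from("!H", payload, pos)
        pos += 2
        if pos + length > len(payload):
            raise ValueError("truncated ASCII-Origin field")
        origins.append(payload[pos:pos + length].decode("ascii"))
        pos += length
    return origins


def _host_of(origin):
    """Extract the lowercase host from scheme://host[:port]; hostnames only
    (bracketed IPv6 literals are not handled in this simplified example)."""
    _scheme, _sep, rest = origin.partition("://")
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def _cert_covers(host, sans):
    """True if an exact SAN or a single-label wildcard SAN matches host."""
    for san in sans:
        san = san.lower()
        if san == host:
            return True
        if (san.startswith("*.") and host.count(".") == san.count(".")
                and host.endswith(san[1:])):
            return True
    return False


def may_skip_dns(origin, advertised, cert_sans, cert_ct_qualified,
                 require_ct=True):
    """Return (allowed, reason) for coalescing `origin` onto a connection.

    advertised        -- origins parsed from the ORIGIN frame
    cert_sans         -- dNSName SANs of the certificate on that connection
    cert_ct_qualified -- whether that certificate carries acceptable SCTs
                         (determined by the caller; assumed input here)
    require_ct        -- the stricter policy discussed in the thread
    """
    if origin.partition("://")[0] != "https":
        return False, "only https origins may be coalesced"
    if origin not in advertised:
        return False, "origin not advertised in ORIGIN frame"
    if not _cert_covers(_host_of(origin), cert_sans):
        return False, "connection certificate does not cover host"
    if require_ct and not cert_ct_qualified:
        return False, "certificate not CT-qualified; fall back to DNS"
    return True, "skip DNS"


# Constructed sample data (not taken from any real deployment).
SAMPLE_ORIGINS = ["https://www.example.com", "https://api.example.com",
                  "https://cdn.example.net"]
SAMPLE_SANS = ["www.example.com", "*.example.com"]

if __name__ == "__main__":
    advertised = parse_origin_payload(encode_origin_payload(SAMPLE_ORIGINS))
    for target in ("https://api.example.com", "https://cdn.example.net",
                   "https://mail.example.com"):
        print(target, may_skip_dns(target, advertised, SAMPLE_SANS, True))
```

The point the check makes concrete is that the ORIGIN frame alone only tells the client what the server claims; the certificate has to cover the host for the claim to be authenticated, and the CT gate adds public auditability before the lookup is skipped.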

Received on Saturday, 15 July 2017 07:24:05 UTC