Re: Skipping DNS resolutions with ORIGIN frame

On Sat, Jul 15, 2017 at 12:47:49PM -0400, Erik Nygren wrote:
> My concerns align with Ryan and Mike's.  My preference would be to remove
> the current language about not consulting DNS from the ORIGIN draft (having
> it focus on restricting scope with hooks for future expansion).
> 
> Separately we can start collaborating on a draft that finds a good set of
> controls to give the balance of security and privacy and performance
> properties.  Alt-Svc (perhaps with an extension attribute?) does seem like
> a good starting point as it gives positive control from an Origin.  The
> other ideas (eg, something CT like) seem intriguing but need more
> exploration.

Let's take four schemes:

1) No checks (beyond usual certificate checks)
2) Require CT qualification (and possibly OCSP).
3) ALT-SVC (not entirely clear to me, but I can guess)
4) Consult DNS


For privacy and speed, 1) and 2) have a big advantage over 3) and 4)
(and 3) is even worse than 4) in both).

For security using standard assumptions, all are very close to one
another. 


The main problem with not giving control seems to be servers that have
overly wide certificates and then mishandle requests (though sadly
most servers do mishandle requests).



-Ilari

Received on Saturday, 15 July 2017 18:00:21 UTC